🔐 Introducing: Unified Attestation
An open-source project for verifying the integrity of Android apps—as an alternative to Google's Play Integrity.

21 Posts 9 Posters 10 Views
  • circus_maximus@social.anoxinon.de

    @downey @volla

    It seems like a decentral phone home system - so your app as an app developer has its own "home server".

    Not sure what the benefit of this is and the use case in general

    downey@floss.social wrote (#11):

    @circus_maximus The last thing the world needs right now is another corporate gatekeeper promising "independence".

    People have been fed that lie too many times to believe it anymore.

      grapheneos@grapheneos.social wrote (#12):

      @circus_maximus @downey @Torx Android already has a hardware attestation system open to everyone unlike this centralized system. Volla, Murena and iodé made a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.

      GrapheneOS (@GrapheneOS@grapheneos.social)

      Android provides a standard hardware attestation system with support for alternate operating systems via allowing their verified boot key fingerprints. It's mainly used with Google's root of trust and remote key provisioning service but the API supports alternative roots of trust. Volla's Unified Attestation is fully built on Android's hardware attestation API. It solely exists to create a centralized authority and service determining what's allowed under their control. https://mastodon.social/@volla/116238706890314617

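An added example, not part of the thread or of any project discussed in it: how an app's own server could apply the verified boot key fingerprint allowlisting that the GrapheneOS post above describes, once the attestation certificate chain has been validated and parsed. The OS names, fingerprints and the `evaluate` helper are constructed for illustration; accepting every `VERIFIED` device is a policy choice made for this sketch.

```python
"""Relying-party policy over an already-verified Android key attestation.

Assumption: certificate-chain validation and parsing of the attestation
extension happened upstream; this block only decides on the RootOfTrust
fields. All fingerprints and OS names below are constructed sample values.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import IntEnum


class VerifiedBootState(IntEnum):  # values from the key attestation schema
    VERIFIED = 0      # OS verified with the device maker's embedded key
    SELF_SIGNED = 1   # OS verified with a user-configured key
    UNVERIFIED = 2
    FAILED = 3


@dataclass(frozen=True)
class RootOfTrust:
    verified_boot_key: bytes          # hash of the key that verified the OS
    device_locked: bool               # bootloader lock state
    verified_boot_state: VerifiedBootState


def _fp(label: str) -> bytes:
    """Constructed stand-in for a 32-byte verified boot key fingerprint."""
    return hashlib.sha256(label.encode()).digest()


# The app developer's own allowlist: alternate OS -> permitted fingerprints.
ALLOWED_BOOT_KEYS = {
    "example-os-a": {_fp("os-a device-1"), _fp("os-a device-2")},
    "example-os-b": {_fp("os-b device-1")},
}


def evaluate(rot: RootOfTrust) -> tuple[bool, str]:
    """Return (accepted, reason or matched OS name) for one attestation."""
    if not rot.device_locked:
        return False, "bootloader unlocked"
    if rot.verified_boot_state == VerifiedBootState.VERIFIED:
        return True, "stock OS"
    if rot.verified_boot_state != VerifiedBootState.SELF_SIGNED:
        return False, f"boot state {rot.verified_boot_state.name}"
    # Alternate OS: the key fingerprint must match an allowlisted entry.
    for os_name, keys in ALLOWED_BOOT_KEYS.items():
        if any(hmac.compare_digest(rot.verified_boot_key, k) for k in keys):
            return True, os_name
    return False, "verified boot key not in allowlist"


if __name__ == "__main__":
    sample = RootOfTrust(_fp("os-a device-2"), True, VerifiedBootState.SELF_SIGNED)
    print(evaluate(sample))
```
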
      • lascapi@social.tchncs.de

        @volla looks very promising !! 👍

        grapheneos@grapheneos.social wrote (#13):

        @lascapi Android already has a hardware attestation system open to everyone unlike this centralized system. Volla, Murena and iodé made a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.

        • torx@social.tchncs.de

          @volla Interesting approach, but: How does #unifiedattestation ensure every interested other and secure alternative ROM can also pass the test?

          @GrapheneOS does heavily criticize your approach. They claim it puts you (your project) in charge of controlling which ROMs pass attestation and which do not.

          Is there any room for a collaboration? It sounds as if #GrapheneOS rules this out, how about you guys from @volla? Any negotiations possible? Any common ground?

          I, as a user, would just like to use those banking apps without worrying they might stop functioning anytime with any updates. Those banking-app-devs are the real culprits IMHO, to rely on something like Integritycheck theater.

          @volla is your secret that you will convince banking-app-devs to open up their checks?

          grapheneos@grapheneos.social wrote (#14):

          @Torx Android already has a hardware attestation system open to everyone unlike this centralized system. Volla, Murena and iodé made a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.

            grapheneos@grapheneos.social wrote (#15):

            @Torx We're completely willing to file a lawsuit against @volla over this as soon as there are apps permitting their products through their system while disallowing GrapheneOS. It's not legal for Volla and multiple other companies to get together to implement a system banning using anything other than their products. We aren't going to participate in an illegal anti-competitive cartel. It's clearly against the law and should be stopped now prior to it causing clear damages to GrapheneOS.

              grapheneos@grapheneos.social wrote (#16):

              @Torx @volla Devices and operating systems providing an alternative to Google's ecosystem based on AOSP is a distinct space from the broader Android app ecosystem. Companies trying to give themselves an advantage through banning arbitrary options other than their own products/services is clearly an illegal anti-competitive tactic within that space. This should be halted before it causes harm to GrapheneOS. We will not tolerate apps permitting their products through it and banning GrapheneOS.

                grapheneos@grapheneos.social wrote (#17):

                @Torx @volla Volla and these other companies do not get to coerce us into participating in an illegal anti-competitive cartel where app compatibility would be harmed if we didn't participate. They do not get to coerce us into following their arbitrary demands and giving themselves veto power over GrapheneOS app compatibilities. Both Murena and iodé are hostile towards GrapheneOS including spreading endless misinformation and direct involvement in spreading/supporting libel/harassment content.

                  lascapi@social.tchncs.de wrote (#18):

                  Hi @GrapheneOS, you said:
                  > Unified Attestation is anti-competitive and it clearly isn't legal.

                  I don't get your point with this argument.

                  If I understand well, Unified Attestation is a competitor of Google Play Integrity. And everyone can try to set up another competitor.

                  How can you say that it's not legal?

                    grapheneos@grapheneos.social wrote (#19):

                    @lascapi Multiple companies collaborating together to make a system which permits their products and forbids using alternatives isn't legal. The whole point of Unified Attestation is that it's a centralized system on top of Android hardware attestation putting these companies in control of which devices and operating systems are allowed. Companies making the products being certified should not be the ones deciding what's allowed. It's clearly not legal for them to be forbidding alternatives.

                      grapheneos@grapheneos.social wrote (#20):

                      @lascapi They're pushing for banking and government apps to adopt a system in which they control what's allowed to be used. They're going to be permitting their own products without reasonable security standards while locking out anything not participating in it. That's an anti-competitive cartel and not legal. We're not only going to heavily advocate against it but will file a lawsuit against Volla and the other companies involved as soon as there are apps using it while not permitting GrapheneOS.

                        xtreix@infosec.exchange wrote (#21):

                        @lascapi @GrapheneOS

                        Google Play Integrity is already an illegal anti-competitive practice; the difference is that Google is the only player and has sufficient resources to defend itself, this is what we call a monopoly.

                        Creating an alternative that does exactly the same thing is just as illegal, since this alternative is created through a collaboration between different groups because a single group would not have the resources to do it alone, in legal terms, this is called a cartel.

                        The GrapheneOS project account has provided many detailed answers to help clarify the situation and explain the correct approach to take.
