Apple and Google are gradually expanding their use of hardware-based attestation.

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 18:03:56 GMT

steely_glint@chaos.social — Sun, 10 May 2026 18:03:56 GMT

@GrapheneOS I side loaded the EU's sample age verification app - which seems to work on my GrapheneOS phone. Is there a way to know if it is only working because I also have the PlayStore installed?

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 18:03:05 GMT

vonkordke@social.vivaldi.net — Sun, 10 May 2026 18:03:05 GMT

@GrapheneOS they just want you to buy their devices. They want to make their smartfones mandatory.
Governments should take that apart immediately, but they are powerless cowards.

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 17:44:59 GMT

hidikem@piaille.fr — Sun, 10 May 2026 17:44:59 GMT

@GrapheneOS if it was about security this system would be more close to Https certificate (not identique of course for obvious techical reason) than what google make now (with themselve as sole capable certificate controler).

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 17:43:10 GMT

notavi10@critter.cafe — Sun, 10 May 2026 17:43:10 GMT

@GrapheneOS does this mean that we gonna have to install sandboxed google play

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 17:42:23 GMT

grapheneos@grapheneos.social — Sun, 10 May 2026 17:42:23 GMT

@7cd4a72311bad46117e0f692dddc5f31a543b47ff4265b028f8d820ac808ab3c @MAlBarram We have a partnership with Motorola Mobility (Lenovo) and are working with them towards their 2027 devices providing all of our requirements and providing official GrapheneOS support. We're actively working with them on getting the requirements implemented and GrapheneOS ported to their devices. It has nothing to do with the thread we posted though since it's not going to help with any of this.

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 17:36:30 GMT

lunareclipse@snug.moe — Sun, 10 May 2026 17:36:30 GMT

@GrapheneOS the irony that it's fine to use a desktop for the same task as long as you use SMS 2FA is also scorching

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 17:35:25 GMT

grapheneos@grapheneos.social — Sun, 10 May 2026 17:35:25 GMT

Android's hardware attestation shouldn't be used to lock out users not using specific hardware or OSes. However, the fact that it permits arbitrary roots of trust and OSes at least allows services to permit more. Google could use it to permit GrapheneOS for Play Integrity if that was about security.

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 17:19:36 GMT

eskealler@mastodon.social — Sun, 10 May 2026 17:19:36 GMT

@GrapheneOS yes, it is hugely problematic.

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 17:16:33 GMT

grapheneos@grapheneos.social — Sun, 10 May 2026 17:16:33 GMT

Unified Attestation is another anti-competitive system being pushed by multiple European companies. It will similarly lock people out from using arbitrary hardware and software. That's not a solution and is far worse than Android's much more open hardware attestation API.

GrapheneOS (@GrapheneOS@grapheneos.social)

Android provides a standard hardware attestation system with support for alternate operating systems via allowing their verified boot key fingerprints. It's mainly used with Google's root of trust and remote key provisioning service but the API supports alternative roots of trust. Volla's Unified Attestation is fully built on Android's hardware attestation API. It solely exists to create a centralized authority and service determining what's allowed under their control. https://mastodon.social/@volla/116238706890314617

GrapheneOS Mastodon (grapheneos.social)

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 17:12:19 GMT

papageier@digitalcourage.social — Sun, 10 May 2026 17:12:19 GMT

@GrapheneOS Google has the entirety of its commercial success thanks to the openness and interoperability of the #WWW. To try an captcha it to build a walled garden is, frankly speaking, an act of disrespect for @timbl and the entire web community.

Microsoft has tried it. Apple has tried it as well. Both have finally had the insight that working with the community is much more rewarding and profitable than working against it.

Let's work toward Google having that same revelation as well.

(Sorry for the pun, couldn't resist)

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 17:02:34 GMT

hidikem@piaille.fr — Sun, 10 May 2026 17:02:34 GMT

@GrapheneOS i complained on many official service they ignore it, the ombudsman was called and they seem to ignore it too.

they all aswer the bullshit that you are labelled insecure by official tool, because google tool automatically mark non licensed OS as insecure regardless of their actual security.

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 17:02:20 GMT

mamalake@beige.party — Sun, 10 May 2026 17:02:20 GMT

@GrapheneOS on our way to "privatized care, " information and resources distributed by government subsidized corps(e)

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 16:53:53 GMT

grapheneos@grapheneos.social — Sun, 10 May 2026 16:53:53 GMT

@garrett We provide documentation at https://grapheneos.org/articles/attestation-compatibility-guide on how apps can use the Android hardware attestation to permit GrapheneOS and other hardware / operating systems which aren't certified by Google. This API supports permitting alternate roots of trust and non-stock operating systems. We use new signing keys for each new device model so new devices won't be listed without them updating it and their list won't include alternate builds of GrapheneOS. Apps should not be doing this at all.

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 16:51:47 GMT

grapheneos@grapheneos.social — Sun, 10 May 2026 16:51:47 GMT

@garrett Most banking apps still work on GrapheneOS but Play Integrity API adoption is expanding and it's nearly impossible to convince an app to stop using it once they've started. We've only successfully convinced a couple apps to stop. We've convinced a lot more apps to start permitting GrapheneOS by using the Android hardware attestation API as an alternative which can be used to permit arbitrary hardware and operating systems but that's still very problematic including for GrapheneOS.

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 16:49:53 GMT

grapheneos@grapheneos.social — Sun, 10 May 2026 16:49:53 GMT

@thomas Using attestation doesn't imply allowing only a specific set of hardware and operating systems. That's not at all implied and isn't even possible for an implementation only providing pinning-based verification rather than root-based verification.

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 16:49:42 GMT

garrett@mastodon.xyz — Sun, 10 May 2026 16:49:42 GMT

@GrapheneOS My bank has been this way for months already. They got rid of other 2FA methods they used to support and require a Google-approved Android OS or iOS... even to log in to their banking UI on a desktop/laptop.

It's infuriating, and it means I'm now 100% locked in to a proprietary app on a proprietary OS (controlled by 1 of 2 companies, both headquartered in California, USA) on a proprietary phone for banking and public transit (in Europe), with no alternative possible.

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 16:43:06 GMT

thomas@muenchen.social — Sun, 10 May 2026 16:43:06 GMT

@GrapheneOS
So true! One little thing: This would also be bad if it weren't a bogus excuse. Because Remote Attestation in a device for the general public in itself is evil, and it will always be abused. The whole purpose of Remote Attestation is to enable a service to ban people from using arbitrary hardware and OSes. And in extension, to ban people from using arbitrary client apps for those services.

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 16:33:28 GMT

georgweissenbacher@fediscience.org — Sun, 10 May 2026 16:33:28 GMT

@GrapheneOS The European Union is developing a digital identity system that incorporates FIDO2 standards for secure authentication. Some governments (like the Austrian) already support FIDO2 for authentication and identification. Banks should just do that, too.

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 16:33:04 GMT

linux@masto.ai — Sun, 10 May 2026 16:33:04 GMT

@GrapheneOS

Motorola has a security contract with the USA.

They will, depending on need, release a device with GrapheneOS — or delay it — and work closely with you to identify the methods and vulnerabilities you discover, as well as how you implement features to overcome the planned “new normal,” so that, behind the scenes, they can undermine and circumvent your work in the future. The investment — which includes you — is intended to strengthen relations and acquire additional contracts.

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 16:22:28 GMT

wuzzy@cyberplace.social — Sun, 10 May 2026 16:22:28 GMT

@GrapheneOS Word! I hate #reCAPTCHA with a deep passion. It’s not just annoying but also yet another proprietary software forced on us.

It was bad before Google attempted to expand it further, and will continue to be bad.

The need to kick spambots/etc. out is understandable, but depending on proprietary software to do it is a BAD idea. There are other ways.

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 16:15:51 GMT

linux@masto.ai — Sun, 10 May 2026 16:15:51 GMT

@GrapheneOS

It's the goal.

For example, all those new laws for age verification are to prevent you from using an operating system or ROM that cannot be minored or controlled. Blocking reCAPTCHA on a non-approved, non-certified government and corporate sanctioned devices is just 1 piece of the big picture.

For example, the USA has made any new router not made in the USA illegal to import or sell. They can apply for an exception if they agree to include their new control chip or firmware.

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 16:12:43 GMT

hipsterelectron@circumstances.run — Sun, 10 May 2026 16:12:43 GMT

@GrapheneOS @dwaynemonroe pypi disabled pgp signing (certified donald stufft and william woodruff tag team production. woodruff whined about how he couldn't surveil some keypairs and claimed this made them "useless")

anyway if you want the cryptographic checkmark from pypi they need you to give microsoft or google a few minutes alone with your code before any user can see it. not "reproducible" but reprobuilds only bullies open source code not corps. would love the evangelism strike force to fight corporate DRM and not module signing in the kernel

it is very possible to reproducibly diff a build process with module signing, diffoscope just completely sucks

[yes i'm likely gonna fork it]

thanks for listening!

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 16:09:18 GMT

grapheneos@grapheneos.social — Sun, 10 May 2026 16:09:18 GMT

Services shouldn't ban people from using arbitrary hardware and operating systems in the first place. Google's security excuse is clearly bogus when they permit devices with no patches for 10 years but not a much more secure OS. It's for enforcing their monopolies via GMS licensing, that's all.

Reply to Apple and Google are gradually expanding their use of hardware-based attestation. on Sun, 10 May 2026 16:04:22 GMT

hipsterelectron@circumstances.run — Sun, 10 May 2026 16:04:22 GMT

@GrapheneOS do not know almost anyone else who is making this exact point that "security" is a euphemism for "national security" and is actively opposed to privacy or auditability. certainly not user security. @dwaynemonroe has identified the extreme closeness of monopolistic and fascistic hierarchical unaccountable and potentially even illegal control