Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I don't think GrapheneOS supports it, but back in the day I dual-booted my Oneplus One at some point. That solution worked on Windows with DRM and anti-cheat, so it may be a partial solution on Android too. I imagine at some point a ROM might use pKVM to boot a copy of Android that passes Play Integrity checks through the necessary spoofs without altering the host OS.

The Play Integrity API is working. Banking apps rejecting GrapheneOS' hashes has nothing to do with Google Android vs AOSP and everything to do with what the banks decide is an acceptable risk.

GrapheneOS implements everything the Play Integrity API needs and is completely honest about doing so. That's unlike many custom ROMs that lie to Google and spoof a device that doesn't support hardware attestation, which makes many banking apps work.



> I don't think GrapheneOS supports it, but back in the day I dual-booted my Oneplus One at some point. That solution worked on Windows with DRM and anti-cheat, so it may be a partial solution on Android too.

It's not compatible with the hardware-based security features and atomic A/B update system.

> I imagine at some point a ROM might use pKVM to boot a copy of Android that passes Play Integrity checks through the necessary spoofs without altering the host OS.

Spoofing is not going to pass the Play Integrity API strong integrity level and the device integrity level will keep moving closer to enforcing hardware attestation too.

> The Play Integrity API is working. Banking apps rejecting GrapheneOS' hashes has nothing to do with Google Android vs AOSP and everything to do with what the banks decide is an acceptable risk.

Play Integrity API does not allow anything other than Google Mobile Services devices with the stock OS to pass the device or strong integrity levels. Passing any of basic, device or strong requires being logged into a Google account now too. GrapheneOS provides full support for hardware-based attestation which apps can use to permit both any stock OS and also GrapheneOS or other alternate operating systems. Most apps choose to simply do what Google recommends of not allowing anything not licensing Google Mobile Services with no check for minimum patch level, etc. It's not really a security feature.

> GrapheneOS implements everything the Play Integrity API needs and is completely honest about doing so.

We do, but Google chooses not to allow GrapheneOS. They may be forced to change that soon due to EU regulation. Several apps in the EU have chosen to permit GrapheneOS via using the hardware attestation API themselves but what's really needed is Google being forced to do it.

> That's unlike many custom ROMs that lie to Google and spoof a device that doesn't support hardware attestation, which makes many banking apps work.

That only passes the device integrity level and many banking apps are moving to the strong integrity level. It's also getting harder to do it and Google has detection for it which is being used for an extremely slow moving crackdown on it. They're likely doing it so slowly to avoid making too many people angry at once leading to serious pushback against it. They're mostly fine with people passing it for now, which they can detect is happening via their fingerprinting system. They're choosing to allow it when it's not for wide scale abuse. They would prevent it if an OS like GrapheneOS with 350k+ users deployed it with perhaps around half of the users were using it due to using sandboxed Google Play. If we made it a toggle, it would still likely be too large scale to get away with it.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: