This is the place where I think lawmakers need to be involved. Bearing in mind that laws aren't engineering specs, being able to pay for things and use a bank are about as close to fundamental rights as anything is for participants in society. If you have to buy a second device to use Netflix, so be it, but we need laws that guarantee people can make digital payments without Apple or Google's permission.

There are societies today (I live in one) where some businesses are starting to accept payment only through a banking or payment app, no cash, no card, nothing else. And these apps will only function in the very narrow circumstances of "I bought a device which runs software from one of two American tech monopolies and follow all their frequently changing rules for using various software that's unrelated to the payment I need to make." This limitation is mostly in place due to the banks believing it will make things more secure. Security is important, but not important enough that you get to start denying innocent people the ability to make payments or exile them from the banking system because they had some kind of dispute with Apple or Google. Governments need to step in with access mandates here, otherwise this problem WILL come to a jurisdiction near you sooner or later.

> Security is important

The argument that this is actually a security benefit is a farce. It doesn't do anything. If the device is compromised then it's going to capture your password and send it to the attacker without attempting any attestation. So the only time the attestation is attempted is when the device isn't compromised.

Yes, if it was a measure of device security they would revoke attestation of devices that are behind on security updates. But no, a 5-year-old device that never got security updates is A-OK according to Google, but a completely up-to-date custom ROM is not.

It's clearly not about real security. It is about control. You follow the rules and get Google's blessing or no SafetyNet for you. These rules include things like ensuring that the user can't access their own data without the controlling app's permission.

> Yes, if it was a measure of device security they would revoke attestation of devices that are behind on security updates.

The new attestation system Google introduced recently (which I think also more strongly forces hardware-based attestation for phones that support it and is therefore more difficult to bypass) actually does that – the very highest attestation level requires running a security update not older than one year if I remember correctly.

What remains to be seen is how much that'll get used in practice – users with rooted phones or custom ROMs are rare enough that a lot of vendors seemingly have no qualms excluding them, whereas users with outdated phones are probably a somewhat more sizeable number.

I think you are right that it is about control.

Let me offer another perspective. The OS vendor actually has significant control over your device. They could plant backdoors in different layers of the OS.

Therefore, in their defense, if the OS doesn't come from a trusted source (in the bank's or Google's point of view), your bank's credentials are essentially compromised.

You could argue that there are backdoors either way. They are just controlling which party gets to plant the backdoors, after all.

> Therefore, in their defense, if the OS doesn't come from a trusted source (in the bank's or Google's point of view), your bank's credentials are essentially compromised.

"Compromised" means that someone has them who will use them for unauthorized activity. When your device is infected with malware because it's running the same version of Android it came with that hasn't received a security update in several years, entering your credentials into that device will cause them to be compromised. When your device has a custom ROM that isn't sending your credentials to anyone it isn't supposed to, they are not compromised.

But the first device passes attestation and the second one doesn't. Moreover, that is the common case -- the version of Android that came with the device is likely to be older and have more vulnerabilities than a custom version installed later. Which means that passing attestation isn't just uncorrelated with uncompromised devices, it's actually anti-correlated with them. Requiring it is forcing users to keep and use the older OS with known vulnerabilities on that device.

> If you have to buy a second device to use Netflix, so be it, but we need laws that guarantee people can make digital payments without Apple or Google's permission.

The reality is, however, that if you look at active current projects, being able to use digital IDs to access fundamental freedoms like communication without child-safety rails in Europe is going to require Apple or Google's permission, because politicians like it that way.

You can think things should happen in a way all you like, but they are not going to, because governments have vested interests in the opposite direction.

Secure boot and OEM bootloader unlock should be able to work with images so you can lock a phone after the upgrade again.

I managed to get a US refurbished Pixel 2 somehow with a fuse-locked bootloader here in Ireland. I bought it second hand but I've no idea how it got that way. But I'm stuck on the Pixel image and I wanted to use it for ROM testing etc.

You can relock the bootloader but it still fails the SafetyNet check since it's not running an "official" OS signed with the manufacturer's keys.

Yup, it will, but this is where some legislation might help to get certified 3rd-party ROM images that will pass. It's a tricky topic though.

This is outside of my area of expertise. I know there are, e.g., banking apps that will disable themselves if you're running some unofficial 3rd-party Android derivative like LineageOS. Are you saying those apps would work again if you perform some kind of secure boot locking procedure?

It does vary. TWRP/Magisk can enable apps, but it's case by case.