So Graphene is actually more secure than most stock ROMs, but e.g. banking apps won't run on it "for security"?
Why can't the stock ROMs use these features and be more secure also?
> Why can't the stock ROMs use these features and be more secure also?
Some of the features may hurt user experience in some way, and people made different trade-offs.
For example, GrapheneOS disables USB before unlock so that there's no chance that some driver code in the Linux kernel runs in response to a device being plugged in, for attack surface reduction. Then, say, if you have a cracked screen, the touchscreen no longer works and you don't want to fix it: if not for this mitigation, you could use a USB-C OTG cable to connect a mouse / keyboard to the phone, unlock it and export all your data. With this mitigation the keyboard won't work, so you are forced to fix the screen first just to get your data out.
That also sounds like a nonstarter for a lot of kiosk and embedded use cases.
Okay? Then switch that off? :)
If apps refuse to run on graphene it's not because of graphene's content it's just a question of whether the attestation is recognised. It's not signed by Google.
I guess one reason you'd want to avoid that is that it makes it harder to e.g. spoof your location or falsely tell the app that screenshotting is disabled.
It's mostly preventing apps from being botted, as each device has its own certificate and can be banned exclusively if it's Google certified. This certificate (also called keybox/keybox.xml) is stored in the secure enclave in the device.
If you want to dive deeper you can check out DroidGuard/Play Integrity.
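An added example (not code from the thread, from GrapheneOS or from Google) of the server-side policy an app backend applies to a decrypted Play Integrity verdict, using constructed sample verdicts. It assumes the documented verdict JSON shape and that a non-certified OS such as GrapheneOS receives at most MEETS_BASIC_INTEGRITY in deviceRecognitionVerdict; the package name, nonce and clock values are made up.

```python
def evaluate_verdict(verdict, expected_package, expected_nonce, now_ms,
                     max_age_ms=5 * 60 * 1000, required_device_label="MEETS_DEVICE_INTEGRITY"):
    """Server-side policy over an already-decrypted Play Integrity verdict dict.
    Returns (accepted, reason). Set required_device_label=None to accept
    uncertified devices while keeping the anti-replay and app checks."""
    req = verdict.get("requestDetails", {})
    if req.get("requestPackageName") != expected_package:
        return False, "package name mismatch"
    # The nonce binds the token to this server-issued challenge; a reused token
    # (the botting case the thread mentions) fails here before any device check.
    if req.get("nonce") != expected_nonce:
        return False, "nonce mismatch: replayed or foreign token"
    if now_ms - int(req.get("timestampMillis", 0)) > max_age_ms:
        return False, "token too old"
    app = verdict.get("appIntegrity", {}).get("appRecognitionVerdict")
    if app != "PLAY_RECOGNIZED":
        return False, f"app verdict {app}"
    device = verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    # This is the gate that excludes non-certified OSes: they never get this label.
    if required_device_label and required_device_label not in device:
        return False, f"device verdict {device} lacks {required_device_label}"
    return True, "ok"

NOW_MS = 1_700_000_000_000  # constructed fixed clock so the sample is reproducible

def _sample(device_labels):
    # Constructed verdict payload in the documented shape; all values are made up.
    return {
        "requestDetails": {"requestPackageName": "com.example.tickets",
                           "nonce": "c2VydmVyLWNoYWxsZW5nZS0xMjM=",
                           "timestampMillis": NOW_MS - 10_000},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                         "packageName": "com.example.tickets"},
        "deviceIntegrity": {"deviceRecognitionVerdict": list(device_labels)},
        "accountDetails": {"appLicensingVerdict": "LICENSED"},
    }

CERTIFIED = _sample(["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"])
# Assumption: a non-certified OS (GrapheneOS in the thread) gets at most the basic label.
UNCERTIFIED = _sample(["MEETS_BASIC_INTEGRITY"])

def check(verdict, nonce="c2VydmVyLWNoYWxsZW5nZS0xMjM=", **policy):
    return evaluate_verdict(verdict, "com.example.tickets", nonce, NOW_MS, **policy)

if __name__ == "__main__":
    for name, v in (("certified", CERTIFIED), ("uncertified", UNCERTIFIED)):
        print(name, check(v), check(v, required_device_label=None))
```

The second column of the output shows that relaxing only the device label keeps the nonce, package and app checks intact, which is the policy choice that decides whether such an app runs on GrapheneOS.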
A good deal of banking apps will run on it just fine.
Some of these features are backported to mainline Android; others may be deemed too advanced, or the incentives just don't match (e.g. being able to disable networking by the user could cut into Google's earnings, e.g. limited ads in apps).
For what it's worth, all of my local banking and e-government apps work flawlessly on GrapheneOS. The only unsupported feature or app I've found so far is Google Pay. (I'm from Italy)
My banking apps run on it, but my concert ticket app doesn't, so I have a separate phone just for that one app.
They do it to prevent botting. They use Play Integrity (I think ex-SafetyNet).
Can concert tickets not be bought in a web browser?
No they can’t. It’s very frustrating.
I had to get my friend to buy them for me when I was on Graphene
Nope. This is eplus in Japan, and if you try to go through the website it tells you you have to use the app. It's cos a lot of shows these days don't use paper tickets, but smart tickets on your phone. It is what it is.
What about people who do not have a smartphone?
They don't get to go to concerts in Japan.
Because these apps use Google Play Integrity, which only Google certified devices pass.
Most American banking apps run on Graphene https://privsec.dev/posts/android/banking-applications-compa...
Wells Fargo runs on my Graphene device.
It also runs on Lineage with Mind The Gapps.