If Windows wasn't so far behind Apple and the rest of the industry in regards to integrity APIs this wouldn't be necessary. It's embarrassing for Microsoft that someone needs to use a separate, more secure device since their security is so bad.
It's embarrassing for Hacker News that people here are commenting to support attestation systems that prevent you from owning the device you bought.
Attestation isn't against being able to do whatever you want with your own device. It just means that if you want other people to trust your custom device you need to get them to trust your signing key.
Pray tell, how might you get them to trust your signing key? Do you just email Mr. Pichai and ask nicely, is that enough?
I would try reaching out to the Recaptcha team so you can create a legal contract around what guarantees and compensation are needed to get your key trusted.
But that would only be possible for large companies. If I'm just tinkering with my own Linux distribution for fun, Google won't even bother responding to my request.
The intention behind it doesn't matter at all. In the end, it just means that only a few major operating systems are allowed, and the market is divided up among the established manufacturers. Anyone new to the market faces a major problem right off the bat, and trying to build something yourself doesn't work either.
Not sure if you’re being deliberately obtuse, but a signing key means nothing by itself. What exactly do you think is being attested TO?
That's right: that the user can't do what they want with their own device. Obviously your key wouldn't be trusted if they could.
There is no other conceivable purpose that attestation could serve.
> Not sure if you’re being deliberately obtuse
Yes, they are. If there's a thread on HN about user-hostile features, you can be pretty confident that they've written a comment defending it.
There are many changes that are possible which do not harm the integrity of applications.
> the user can't do what they want with their own device
In the same way the user can't make their device have the Microsoft Word app send them $1 million from Microsoft's bank account. Once other people are in the picture you can't always have your way.
Windows Hello offers an attestation API according to the releases I found, though because Microsoft has called at least four products "hello" now, I can't easily find the details. I don't think there's a technical reason why Google couldn't have released an app with a URL handler that uses that API except maybe for the Windows TPMs being less secure than mobile ones in general.
That attestation is for attesting you are using a TPM for user authentication. Which is different than attestation of integrity.
They do have some kind of attestation mechanism to actually attest the device state: https://learn.microsoft.com/en-us/azure/attestation/tpm-atte...
It seems like the documentation for the feature is aimed entirely at MDM setups, though.
The basic API requirements are all there, and Windows 11 requires TPM 2.0, so I believe it should be possible for Google to build a Play Integrity equivalent around that.
It's a lot of work and outside of the scope of the Recaptcha team at Google to roll their own compared to a simple API like macOS has.
https://developer.apple.com/documentation/devicecheck/dcappa...
Integrity doesn't guarantee any security to your device, just that the device is same as from the factory. That's a common misconception.
"strong integrity" also takes into account if a security update has been installed recently enough. I don't believe hardware integrity spoofing has been accomplished on Android yet. Software integrity and compatibility with old hardware has been used to spoof device IDs and pretend a phone doesn't have the ability to do hardware attestation.
It's technically possible to exploit a kernel and get root access on a running device, of course, but the persistent root that is used most often will be detected by hardware integrity mechanisms. Exploit based root might be as well if it makes itself detectable enough.
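The two points made above, that a relying party only trusts devices whose issuer key is on its own list, and that "strong integrity" adds a patch-recency policy on top of the factory-state check, can be shown in a small verifier. This is an added example written for this thread, not code from Google, Microsoft, or any real attestation service; the token layout (a one-level Ed25519 certificate chain plus a JSON statement with boot state, patch date and nonce) and the one-year patch window are constructed for illustration and are not the Play Integrity or TPM formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Statement is what the device's attestation key signs. Constructed for this
// example; it is not the Play Integrity or Windows TPM token format.
type Statement struct {
	BootState  string `json:"boot_state"`  // "locked" = unmodified factory boot chain
	PatchLevel string `json:"patch_level"` // date of the last installed security patch
	Nonce      string `json:"nonce"`       // supplied by the verifier per request
}

// Cert binds a device key to the issuer (manufacturer) key that vouches for it.
type Cert struct {
	DeviceKey ed25519.PublicKey
	IssuerKey ed25519.PublicKey
	Sig       []byte // issuer's signature over DeviceKey
}

// Attestation is the device's proof: its cert plus a signed statement.
type Attestation struct {
	Cert      Cert
	Statement []byte // JSON-encoded Statement
	Sig       []byte // device key's signature over Statement
}

type Verdict string

const (
	None   Verdict = "NONE"             // untrusted issuer, bad signature, or modified boot
	Device Verdict = "DEVICE_INTEGRITY" // trusted issuer and factory boot state
	Strong Verdict = "STRONG_INTEGRITY" // DEVICE plus a recent security patch
)

// Verifier is the relying party. Roots is the closed list of issuer keys it
// trusts: a device whose issuer is absent gets NONE no matter how it is built.
type Verifier struct {
	Roots       []ed25519.PublicKey
	MaxPatchAge time.Duration
	Now         time.Time
}

// Verify checks the chain, the signatures, the nonce and the boot state, then
// applies the patch-age policy that separates DEVICE from STRONG.
func (v Verifier) Verify(a Attestation, nonce string) (Verdict, error) {
	trusted := false
	for _, r := range v.Roots {
		trusted = trusted || r.Equal(a.Cert.IssuerKey)
	}
	switch {
	case !trusted:
		return None, errors.New("issuer key not in trusted roots")
	case !ed25519.Verify(a.Cert.IssuerKey, a.Cert.DeviceKey, a.Cert.Sig):
		return None, errors.New("device cert signature invalid")
	case !ed25519.Verify(a.Cert.DeviceKey, a.Statement, a.Sig):
		return None, errors.New("statement signature invalid")
	}
	var s Statement
	if err := json.Unmarshal(a.Statement, &s); err != nil {
		return None, err
	}
	if s.Nonce != nonce {
		return None, errors.New("nonce mismatch: replayed statement")
	}
	if s.BootState != "locked" {
		return None, errors.New("boot chain modified")
	}
	patch, err := time.Parse("2006-01-02", s.PatchLevel)
	if err != nil {
		return None, err
	}
	if v.Now.Sub(patch) > v.MaxPatchAge {
		return Device, nil // genuine factory state, but too stale for STRONG
	}
	return Strong, nil
}

// Issue simulates an issuer provisioning an attestation key into one device.
func Issue(issuer ed25519.PrivateKey) (Cert, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	issuerPub := issuer.Public().(ed25519.PublicKey)
	return Cert{DeviceKey: pub, IssuerKey: issuerPub, Sig: ed25519.Sign(issuer, pub)}, priv
}

// Attest is the device side: sign a statement with the provisioned key.
func Attest(c Cert, devKey ed25519.PrivateKey, s Statement) Attestation {
	b, _ := json.Marshal(s)
	return Attestation{Cert: c, Statement: b, Sig: ed25519.Sign(devKey, b)}
}

// Scenarios runs the cases the thread argues about and returns each verdict.
func Scenarios() map[string]Verdict {
	_, oem, _ := ed25519.GenerateKey(rand.Reader)      // key the verifier trusts
	_, hobbyist, _ := ed25519.GenerateKey(rand.Reader) // a custom-ROM builder's own key
	v := Verifier{
		Roots:       []ed25519.PublicKey{oem.Public().(ed25519.PublicKey)},
		MaxPatchAge: 365 * 24 * time.Hour, // constructed policy window
		Now:         time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC),
	}
	oemCert, oemDev := Issue(oem)
	hobCert, hobDev := Issue(hobbyist)
	out := map[string]Verdict{}
	run := func(name string, c Cert, k ed25519.PrivateKey, s Statement, nonce string) {
		out[name], _ = v.Verify(Attest(c, k, s), nonce)
	}
	run("oem_locked_recent", oemCert, oemDev, Statement{"locked", "2025-03-01", "n1"}, "n1")
	run("oem_locked_stale", oemCert, oemDev, Statement{"locked", "2023-06-01", "n2"}, "n2")
	run("oem_unlocked", oemCert, oemDev, Statement{"unlocked", "2025-03-01", "n3"}, "n3")
	run("hobbyist_locked_recent", hobCert, hobDev, Statement{"locked", "2025-03-01", "n4"}, "n4")
	run("oem_replayed_nonce", oemCert, oemDev, Statement{"locked", "2025-03-01", "old"}, "n5")
	return out
}

func main() {
	for name, verdict := range Scenarios() {
		fmt.Printf("%-24s %s\n", name, verdict)
	}
}
```

The hobbyist device is locked, fully patched and correctly signed, and still gets NONE, because the verdict is about whose key is on the list, not about how well the device is built. The stale OEM device keeps DEVICE_INTEGRITY but loses STRONG_INTEGRITY purely on the date policy, which is the distinction the comment above draws.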
> if a security update has been installed recently enough
In turn, this enables any tyrannical or anti-competitive demand which can be implemented in software, such as "user is not on the blasphemer list" or "all communications are being CC'ed to the Ministry of Truth."
> "strong integrity" also takes into account if a security update has been installed recently enough.
My Galaxy S10, last update in 2023, passes strong integrity.
With the little amount of security updates most Android devices have, I'm pretty sure you can find an exploit for pretty much everything except the most expensive flagships.
What does integrity really mean when nobody really knows what's in the device, and with a terrible software update policy anyway?
The exact requirements for security updates depend on the Android version you're running and the one your device came with. From the docs:
The S10 should be on Android 13, so it should not pass STRONG_INTEGRITY. If it does, perhaps it's possible Google updated the docs early in anticipation of a change? The software update requirement wasn't always there.
I didn't know about this change, this is actually good news: it means no app can realistically rely on strong integrity as it will cut them off from their user base.
I think you overestimate how far apps are willing to go for stupid reasons.
Also, there is still the DEVICE_INTEGRITY check that verifies the hardware side of things, so if old devices have to be pushed, app developers still won't let you run their apps on LineageOS.
I'm sure they are stupid, but they already have some trouble justifying to their customers that they can't run the app on Android 11, so phasing out actual brand new devices that customers have is going to go a bit too far for them.
Massive gaming companies have already started using TPMs + secure boot to detect and ban players. Anyone who upgraded to Windows 11 without compatible hardware or who was/is still using Windows 10 cannot play these games. That was a few years ago when Windows 10 was still around.
It has happened and it probably will happen again. The EU is working on a wallet app that will be legally equivalent to an ID card; I imagine they'd rather have people stick to their plastic ID than risk accepting identity theft.
>I don't believe hardware integrity spoofing has been accomplished on Android yet.
It has, but extracted keys aren't free.