Integrity doesn't guarantee any security to your device, just that the device is the same as from the factory. That's a common misconception.

"strong integrity" also takes into account if a security update has been installed recently enough. I don't believe hardware integrity spoofing has been accomplished on Android yet. Software integrity and compatibility with old hardware has been used to spoof device IDs and pretend a phone doesn't have the ability to do hardware attestation.

It's technically possible to exploit a kernel and get root access on a running device, of course, but the persistent root that is used most often will be detected by hardware integrity mechanisms. Exploit based root might be as well if it makes itself detectable enough.

> if a security update has been installed recently enough

In turn, this enables any tyrannical or anti-competitive demand which can be implemented in software, such as "user is not on the blasphemer list" or "all communications are being CC'ed to the Ministry of Truth."

> "strong integrity" also takes into account if a security update has been installed recently enough.

My Galaxy S10, last update in 2023, passes strong integrity.

With the small number of security updates most Android devices get, I'm pretty sure you can find an exploit for pretty much everything except the most expensive flagships.

What does integrity really mean when nobody really knows what's in the device, and with a terrible software update policy anyway?

The exact requirements for security updates depend on the Android version you're running and the one your device came with. From the docs:

        MEETS_STRONG_INTEGRITY
        
        The app is running on a genuine and certified Android device with a recent security update.
        
        On Android 13 and higher, the MEETS_STRONG_INTEGRITY verdict requires MEETS_DEVICE_INTEGRITY and security updates in the last year for all partitions of the device, including an Android OS partition patch and a vendor partition patch.
        On Android 12 and lower, the MEETS_STRONG_INTEGRITY verdict only requires hardware-backed proof of boot integrity and does not require the device to have a recent security update. Therefore, when using the MEETS_STRONG_INTEGRITY, it is recommended to also take into account the Android SDK version in the deviceAttributes field.
        
        A single device will return multiple device labels in the device integrity verdict if each of the label's criteria is met.

The S10 should be on Android 13, so it should not pass STRONG_INTEGRITY. If it does, perhaps it's possible Google updated the docs early in anticipation of a change? The software update requirement wasn't always there.
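The docs quoted above amount to a decision rule a server can apply to a decoded verdict. The following is an added example, not code from Google's docs or from any commenter; it assumes the decoded token's `deviceIntegrity.deviceRecognitionVerdict` array and a `deviceAttributes.sdkVersion` integer (the field names are an assumption), and the sample verdicts are constructed:

```python
# Added example (not from the docs or any commenter): server-side handling of a
# decoded Play Integrity verdict using the rule quoted above: MEETS_STRONG_INTEGRITY
# only implies a security patch within the last year on Android 13 (SDK 33) and up.
# Assumed field names: deviceIntegrity.deviceRecognitionVerdict, deviceAttributes.sdkVersion.
from dataclasses import dataclass

ANDROID_13_SDK = 33  # API level at which the patch-age requirement starts applying

@dataclass(frozen=True)
class Assessment:
    device_integrity: bool      # MEETS_DEVICE_INTEGRITY label present
    strong_integrity: bool      # MEETS_STRONG_INTEGRITY label present
    recent_patch_implied: bool  # the strong label actually vouches for patch age
    reason: str

def assess(verdict: dict) -> Assessment:
    labels = set(verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    sdk = verdict.get("deviceAttributes", {}).get("sdkVersion")
    device = "MEETS_DEVICE_INTEGRITY" in labels
    strong = "MEETS_STRONG_INTEGRITY" in labels
    if strong and not device:
        # Every satisfied label is returned, so strong without device is malformed;
        # treat it as untrusted rather than guessing.
        return Assessment(False, False, False, "strong label without device label")
    if not strong:
        return Assessment(device, False, False, "no MEETS_STRONG_INTEGRITY")
    if sdk is None:
        return Assessment(device, True, False, "sdkVersion absent, patch age unknown")
    if sdk >= ANDROID_13_SDK:
        return Assessment(device, True, True, f"SDK {sdk}: patch within the last year")
    return Assessment(device, True, False, f"SDK {sdk}: Android 12 or lower, no patch requirement")

def allow_sensitive_action(verdict: dict) -> bool:
    """Policy: accept only a strong verdict that really implies a recent patch."""
    a = assess(verdict)
    return a.strong_integrity and a.recent_patch_implied

def _sample(labels, sdk=None):
    """Build a constructed verdict with the shape the real decoded token uses."""
    v = {"deviceIntegrity": {"deviceRecognitionVerdict": list(labels)}}
    if sdk is not None:
        v["deviceAttributes"] = {"sdkVersion": sdk}
    return v

ALL_LABELS = ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"]
STRONG_ANDROID_13 = _sample(ALL_LABELS, sdk=33)  # constructed
STRONG_ANDROID_12 = _sample(ALL_LABELS, sdk=31)  # constructed: strong label on Android 12
DEVICE_ONLY = _sample(ALL_LABELS[:2], sdk=33)     # constructed: never got the strong label
STRONG_NO_SDK = _sample(ALL_LABELS)               # constructed: older token without deviceAttributes
```

The point is that the same `MEETS_STRONG_INTEGRITY` string means different things on SDK 31 and SDK 33, so a policy that wants "patched within a year" has to read the SDK level too.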

I didn't know about this change. This is actually good news: it means no app can realistically rely on strong integrity, as it will cut them off from their user base.

I think you overestimate how far apps are willing to go for stupid reasons.

Also, there is still the DEVICE_INTEGRITY check that verifies the hardware side of things, so if old devices have to be pushed, app developers still won't let you run their apps on LineageOS.

I'm sure they are stupid, but they already have some trouble justifying to their customers that they can't run the app on Android 11, so phasing out actual brand new devices that customers have is going to go a bit too far for them.

Massive gaming companies have already started using TPMs + secure boot to detect and ban players. Anyone who upgraded to Windows 11 without compatible hardware or who was/is still using Windows 10 cannot play these games. That was a few years ago when Windows 10 was still around.

It has happened and it probably will happen again. The EU is working on a wallet app that will be legally equivalent to an ID card; I imagine they'd rather have people stick to their plastic ID than risk accepting identity theft.

> I don't believe hardware integrity spoofing has been accomplished on Android yet.

It has, but extracted keys aren't free.