ajnin | 4 months ago

Android has not been really open for a long time now.

- Many APIs have been moved to Google Play Services (which is not open source), and many apps have come to rely on them. You can emulate it partially but not fully, see second point below.

- Some features like device attestation / SafetyNet fail on non-"official" devices, for example many banking or government ID apps refuse to work on open source OS like GrapheneOS.

crowbahr|4 months ago

Android dev at a large company - I've been talking with the folks at Graphene about options for attestation without using Google's API and it looks like there's actually a lot I can do for attestation without them, as long as I add their cert chain to a backend service.

It's a bit of a pain because Google just does that for me normally, but we _can_ support it. It's probably only a sprint of effort give or take. But we're deeply undermanned so it's hard to get done.
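
Added example, not part of the thread and not code from the commenter or from GrapheneOS: a sketch of the backend policy step for hardware key attestation that accepts either an OEM-verified boot or a pinned alternate-OS boot key. It assumes the certificate chain has already been validated and the attestation extension parsed into the fields below; the `Attestation` type, `evaluate` function and the pinned fingerprint are hypothetical, constructed values.

```python
import hmac
from dataclasses import dataclass
from typing import Tuple

# VerifiedBootState values from the Android key attestation RootOfTrust.
VERIFIED, SELF_SIGNED, UNVERIFIED, FAILED = 0, 1, 2, 3
# SecurityLevel values: Software, TrustedEnvironment, StrongBox.
SOFTWARE, TEE, STRONGBOX = 0, 1, 2

# Hypothetical allow-list of verifiedBootKey values for alternate OS builds.
# Constructed placeholder, not a real fingerprint.
PINNED_BOOT_KEYS = {bytes.fromhex("aa" * 32): "alternate OS (example device)"}


@dataclass
class Attestation:
    """Fields assumed to come from a leaf certificate whose chain was verified."""
    challenge: bytes      # attestationChallenge echoed by the device
    security_level: int   # attestationSecurityLevel
    boot_state: int       # RootOfTrust.verifiedBootState
    device_locked: bool   # RootOfTrust.deviceLocked
    boot_key: bytes       # RootOfTrust.verifiedBootKey


def evaluate(att: Attestation, expected_challenge: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for one parsed attestation record."""
    # The challenge is a server-issued nonce; a mismatch means a stale or replayed record.
    if not hmac.compare_digest(att.challenge, expected_challenge):
        return False, "challenge mismatch"
    # Software-level attestation can be produced by a compromised OS.
    if att.security_level not in (TEE, STRONGBOX):
        return False, "not hardware-backed"
    if not att.device_locked:
        return False, "bootloader unlocked"
    if att.boot_state == VERIFIED:
        return True, "OEM-verified OS"
    # A locked device booting an OS signed with a user-installed key reports SelfSigned.
    if att.boot_state == SELF_SIGNED and att.boot_key in PINNED_BOOT_KEYS:
        return True, PINNED_BOOT_KEYS[att.boot_key]
    return False, "boot key not trusted"
```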

fread2281|4 months ago

Why do you need attestation? It seems to always either serve no real purpose (e.g. bank apps) or be anti-user (DRM) (except for perhaps enterprise managed devices for companies with serious infosec requirements).

AlgebraFox|4 months ago

Why do you need attestation? Why do you think Google should own that device and not the user?