top | item 46702858


icar | 1 month ago

> I've since learned that anything heavily regulated like hospitals and banks will have security procedures catering to compliance, not actual security.

I personally came to that conclusion thanks to the GrapheneOS situation regarding device attestation. Insecure devices get full features from some apps because they are certified, although they cite security, while GrapheneOS gets half-featured apps because it's "insecure" (read: doesn't have the Google certification, but they are actually the most secure devices you can get, worldwide).

cynicalsecurity | 1 month ago

It's not about securing your device from external threats or bad actors; it's about securing the device from you.

trashb | 1 month ago

I see it a little differently. I would change your statement to the following:

It's not about securing your device from external threats or bad actors; it's about securing the organization from any blame / wrongdoing.

Most organizations today are looking high and low to shove the blame to others instead of taking responsibility.

subscribed | 1 month ago

Play Integrity certifies (and banks/etc. approve) that Android 8.0 (Oreo), unpatched for several years, full of vulnerabilities for RCE, 0-click, privilege escalation, etc., so full of holes it's trivial to get root and then hide it (or use a leaked cert), is absolutely a-ok, safe to use and secure for the user.

Yes?

Is this what you're suggesting? :)

Because this is what's certified and embraced.