• Off Topic, Solved
  • [admin: misinformation about SafetyNet Attestation API deprecation]

As of today, the latest version of every app in the Google Play store is no longer allowed to use SafetyNet Attestation.

https://developer.android.com/privacy-and-security/safetynet/deprecation-timeline

The alternative is to use the Play Integrity API, for which there is no known way to satisfy the MEETS_STRONG_INTEGRITY requirement on a device that you have full control over.

From now on, app makers will gradually start enforcing MEETS_STRONG_INTEGRITY and locking out custom ROM users.

    This is bad... let's get active and make sure apps use GrapheneOS' attestation!

    Elk9877 am I missing something? Because it seems that as of now:

    New users are no longer able to sign up for the SafetyNet Attestation API after January 31, 2023. This includes new developers signing up through SDKs.

    So it's just one more step in phasing SafetyNet out, but it'll still be available for another year, or until they change it, with apps that already support it.

      other8026

      That's January 2023. In the mobile version of the websites it's hard to read; you need to switch to desktop mode if you're on the phone.

      End of January 2024: Migration deadline (timeline extended). If you have migrated to the Play Integrity API, SafetyNet Attestation will continue to work on the former versions of your app. You can still detect risky interactions with the previous versions of your app. If you have not migrated, SafetyNet Attestation will no longer work for your app (including the previous versions) and return an error. We will consider that you have migrated if your app calls the Play Integrity API in production.

      So in other words: all new app versions now have to use Play Integrity instead of SafetyNet.

        Elk9877 oh my god. No, it's not the mobile site. I'm just an idiot who hasn't figured out how years work. Haha. Thanks for correcting me!

        Elk9877 From now on, app makers will gradually start enforcing MEETS_STRONG_INTEGRITY

        It's very unlikely that most app developers will do this.

        Is there anything we, the community users, can do something to help you guys to get GOS attested?

          • [deleted]

          GrapheneOS will continue to be a research and development project that will benefit stock Android users. I don't think it's crazy for Google to lock down its system.

          Can't the MEETS_STRONG_INTEGRITY flag just be spoofed by GrapheneOS?

          Obviously if an app actually checks the attestation certificates with Google, they'll realize it's not legit, but maybe most apps won't go that far.

          Elk9877 From now on, app makers will gradually start enforcing MEETS_STRONG_INTEGRITY and locking out custom ROM users.

          That's annoying to see. Is this going to affect, in the future, the Google Play compatibility layer of GrapheneOS?

          Volen do something to help you guys to get GOS attested?

          Unless a number of things change with their requirements, it's unlikely Google would ever certify GrapheneOS; see https://discuss.grapheneos.org/d/10712-what-are-stoppers-of-grapheneos-becoming-a-google-certified-os/7

          Currently Play Integrity, as used by apps, does not provide useful security guarantees about the OS for the app. The OS can be very old and long out of security updates.

          Very few, if any, apps use the more strict hardware-backed Integrity, so it is possible for an OS to spoof Integrity, presenting itself as another OS/device that passes. Google are cracking down on spoofing by denying Integrity passes for OS/device identities that they have discovered are being used by spoofers.

          cdflasdkesalkjfkdfkjsdajfd What other apps will be blocked besides banks?

          It is only apps which feel there is some kind of security benefit to them for using Play Integrity, and if the app developer looks at how Integrity works they will see that there are very limited or no benefits to them and instead disadvantages. There have been very few apps besides banking apps using SafetyNet or Integrity and it is highly likely to remain that way. A number of apps that started using SafetyNet dropped it and haven't switched to Integrity.

          A small number of app developers are confused and mark their apps on Play Store as using Integrity but don't actually have it implemented within their app. These apps will run on a device which doesn't pass Integrity.
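Added example, not part of the thread: a backend-side check of an already decoded Play Integrity verdict, showing how the label an app chooses to require decides which devices are accepted, and why the check has to bind the verdict to the request on the server. Field names follow Google's documented verdict payload; the function names, package name, nonce and sample verdicts are constructed, and token decoding is assumed to have happened already.

```python
import time

def evaluate_verdict(payload, required_label, expected_package,
                     expected_nonce, now_ms=None, max_age_ms=120_000):
    """Return (allowed, reason) for a decoded Play Integrity verdict."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    req = payload.get("requestDetails", {})
    # Bind the verdict to this request so a captured one cannot be replayed.
    if req.get("requestPackageName") != expected_package:
        return False, "package mismatch"
    if req.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    if now_ms - int(req.get("timestampMillis", 0)) > max_age_ms:
        return False, "verdict too old"
    app = payload.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return False, "app not recognized"
    # The device labels are a list; the policy is simply which one is required.
    labels = payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if required_label not in labels:
        return False, f"missing {required_label}"
    return True, "ok"

def make_verdict(labels, nonce="n-123", ts=1_700_000_000_000):
    # Constructed sample payload, not captured from a real device.
    return {
        "requestDetails": {"requestPackageName": "com.example.bank",
                           "nonce": nonce, "timestampMillis": str(ts)},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
        "deviceIntegrity": {"deviceRecognitionVerdict": labels},
    }

NOW = 1_700_000_030_000  # constructed "current time", 30 s after the verdict
FULL = make_verdict(["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY",
                     "MEETS_STRONG_INTEGRITY"])
NO_STRONG = make_verdict(["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"])
NONE = make_verdict([])

def check(verdict, label, nonce="n-123"):
    return evaluate_verdict(verdict, label, "com.example.bank", nonce, now_ms=NOW)

if __name__ == "__main__":
    for name, v in [("full", FULL), ("no-strong", NO_STRONG), ("none", NONE)]:
        for label in ("MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"):
            print(name, label, check(v, label))
```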

          I suppose that the only positive way for GrapheneOS would be an EU or Californian regulation on that field?...
          Edit: by the way, isn't that problem already covered by the EU Digital Markets Act?

          • [deleted]

          The end of SafetyNet is disheartening to read and experience.

          This is especially concerning for me in Norway, as some of my proprietary apps rely on SafetyNet. With SafetyNet no longer available, these apps will gradually be enforcing the requirement for MEETS_STRONG_INTEGRITY, gradually locking out my alternative operating system GrapheneOS.

          I reached out to app developers about Attestation Support. Got replies from some, left on unread by others.

          I've been lurking here a few months. I made the decision to go GrapheneOS and I'm waiting on a P8P to arrive. This recent news really sucks to read, but I don't know enough about all of this to conclude anything. Could this possibly be the end of GrapheneOS and other ROMs?
          Just dumped a lot of $$ to make this switch.
          I hope it doesn't end... I just got here.

            biscuit_tosser_88 same here bud. I was very impressed with Graphene when I finally made the switch...

            No worries, only a tiny percentage of apps are and will be concerned...

            All this story seems a bit overevaluated to me! Let's just see how things go. For now, GrapheneOS remains supported by the vast majority of banking apps and even many ID apps.

            Good to hear. I'm going all in anyway. We'll see what happens.