Android devices launched with Android 8 or later provide support for hardware-based attestation as part of the hardware keystore API. Secure devices like Pixels provide both the traditional Trusted Execution Environment (TrustZone) keystore and StrongBox keystore based on a secure element, each providing attestation support. The hardware-based attestation feature is a standard part of the Android Open Source Project and is used to implement our Auditor app among other things.
Initially, attestation signing keys were required to be batch keys provisioned to at least 100k devices to avoid them being used as unique identifiers. Unique attestation signing keys are an optional feature only available to privileged system components. Recent devices have replaced the batch and unique key system with remotely provisioned signing keys. The device obtains encrypted keys from a service to be decrypted by batch or unique keys inside the TEE and optional secure element. The new system improves privacy and security by using separate attestation signing keys for each app instead of needing to balance privacy and security by sharing the same attestation signing keys across a large batch of devices.
GrapheneOS uses https://remoteprovisioning.grapheneos.org/ by default which is a private reverse proxy to the https://remoteprovisioning.googleapis.com/ service. The service splits up the implementation of provisioning to preserve privacy, and our reverse proxy adds to that since it's unable to decrypt the provisioned keys.
https://grapheneos.org/faq#default-connections
- Is it talking about the "Google Play Integrity API"? (If someone needs a refresher: watch?v=wEsNemtwHyc / YouTube title "Improve your game's security with the Play Integrity API")
2.
The hardware-based attestation feature is a standard part of the Android Open Source Project
Is the standard part the TEE or StrongBox? Are both considered hardware-based? What's the point of Google, as a manufacturer, having added a StrongBox chip, please? So TEE = identifiers based on hardware components (sensor models), whereas StrongBox is some black-box chip containing a key?
3.
Initially
meaning Android 8?
Recent devices
meaning shipped with which Android version?
Unique attestation signing keys are an optional feature only available to privileged system components
Can examples be given, or would that serve bad people? Let's say privileged components of stock Android.
to be decrypted by batch or unique keys inside the TEE and optional secure element.
I understand that the device receives provisioned keys for each individual app that will work online or require a purchase/license. I don't understand the cited part though; could someone explain, please?
The new system improves privacy and security by using separate attestation signing keys for each app instead of needing to balance privacy and security by sharing the same attestation signing keys across a large batch of devices.
For a given app, if some bad people figure out my account credentials, then they could send requests to that app's servers on my behalf, from any device that has been provisioned the same key, other than my device. So I understand that 100k same-key provisioning is insecure in this regard. But if a key is unique per app per device, then it's less privacy-friendly than if it were unique per app per 100k devices, isn't it?
4.
our reverse proxy
I totally agree that this will be useful for all of us in the future when devices are shipped stock with gOS, but for now I have trouble understanding the benefits... First of all, does it work like this:
- The device has a unique pair of private+public device-keys,
- From an IP address, the device asks the Google API to be provisioned some per-app-per-device key, along with its device public key,
- The g2o server generates some unique app key and sends it back to the device, along with the g2o public key signature inside the packet, encrypted with the individual device's public device-key,
- Only the individual device can decrypt the per-app-per-device key with its unique private device-key?
So using the gOS proxy hides my initial IP address from g2o and tells them "more and more requests are performed using the gOS project's proxy", but tells my ISP/government that I'm using gOS even if I use a DNS server other than my ISP's?
5.
I noticed that these settings were only available through the main, undeletable admin profile, not the other child profiles. I don't yet have the experience to even tell if it would be useful, but naively, would it be feasible to change these connectivity settings to per-profile settings instead of per-device settings?
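For readers wondering what a relying party actually gets out of hardware attestation (question 2 above: TEE versus StrongBox, and what "hardware-based" means): the keystore embeds an ASN.1 KeyDescription in the attestation certificate as X.509 extension OID 1.3.6.1.4.1.11129.2.1.17, and it is this structure, not the signing key itself, that states whether the key lives in the TEE or StrongBox and what the verified boot state of the device is. The following Python is an added example for this thread, not GrapheneOS or Auditor code. It constructs a KeyDescription with hand-made placeholder values (the 32-byte boot key and hash, the version numbers and the nonce are invented for the demo) and then parses it the way a verifier would: check the challenge nonce, require a hardware security level for both the attestation and the key, and read deviceLocked and verifiedBootState out of the RootOfTrust entry. Validating the certificate chain back to the vendor root and checking the intermediate against the revocation list is assumed to have happened before this step and is not shown.

```python
"""Verifier-side check of an Android key attestation KeyDescription.
Added demo, not GrapheneOS/Auditor code. Layout and tag numbers follow the Android
key attestation ASN.1 schema; all sample bytes are constructed here, not real."""

SECURITY_LEVEL = {0: "Software", 1: "TrustedEnvironment", 2: "StrongBox"}
BOOT_STATE = {0: "Verified", 1: "SelfSigned", 2: "Unverified", 3: "Failed"}
TAG_ROOT_OF_TRUST = 704  # [704] EXPLICIT RootOfTrust in the hardware-enforced list
ENUM, OCTETS, BOOL, SEQ = b"\x0a", b"\x04", b"\x01", b"\x30"

# --- minimal DER encoder, used only to construct the sample KeyDescription ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return tag + bytes([n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return tag + bytes([0x80 | len(body)]) + body + content

def der_int(n, tag=b"\x02"):  # INTEGER, or ENUMERATED when tag=ENUM
    return tlv(tag, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_ctx(n, content):  # constructed context-specific [n]; high-tag form for n >= 31
    if n < 31:
        return tlv(bytes([0xA0 | n]), content)
    digits = []
    while n:
        digits.append(n & 0x7F)
        n >>= 7
    digits.reverse()
    head = bytes([0xBF]) + bytes(d | 0x80 for d in digits[:-1]) + bytes([digits[-1]])
    return tlv(head, content)

# --- minimal DER decoder ---
def read_tlv(buf, pos=0):
    """Return ((class, tag_number, content), next_pos) for the TLV at pos."""
    first = buf[pos]; pos += 1
    cls, number = first & 0xC0, first & 0x1F
    if number == 0x1F:  # high tag number: base-128 digits, 0x80 bit = more follow
        number = 0
        while True:
            b = buf[pos]; pos += 1
            number = (number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    length = buf[pos]; pos += 1
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return (cls, number, buf[pos:end]), end

def read_items(content):
    items, pos = [], 0
    while pos < len(content):
        item, pos = read_tlv(content, pos); items.append(item)
    return items

def read_seq(der):
    (cls, number, content), end = read_tlv(der)
    if cls != 0 or number != 0x10 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    return read_items(content)

def build_key_description(level, challenge, boot_state, locked):
    # Construct a KeyDescription like the keystore embeds in the leaf cert (demo values).
    root_of_trust = tlv(SEQ, b"".join([
        tlv(OCTETS, b"\x11" * 32),                  # verifiedBootKey (constructed)
        tlv(BOOL, b"\xff" if locked else b"\x00"),  # deviceLocked
        der_int(boot_state, ENUM),                  # verifiedBootState
        tlv(OCTETS, b"\x22" * 32),                  # verifiedBootHash (constructed)
    ]))
    return tlv(SEQ, b"".join([
        der_int(3),                     # attestationVersion (placeholder)
        der_int(level, ENUM),           # attestationSecurityLevel
        der_int(4),                     # keymasterVersion (placeholder)
        der_int(level, ENUM),           # keymasterSecurityLevel
        tlv(OCTETS, challenge),         # attestationChallenge
        tlv(OCTETS, b""),               # uniqueId: empty unless a privileged caller asked
        tlv(SEQ, b""),                  # softwareEnforced (left empty here)
        tlv(SEQ, der_ctx(TAG_ROOT_OF_TRUST, root_of_trust)),  # teeEnforced / hardwareEnforced
    ]))

def verify_key_description(der, expected_challenge):
    """Parse the fields a verifier relies on; return (accept, details)."""
    f = read_seq(der)
    if len(f) != 8:
        raise ValueError("KeyDescription must have 8 fields")
    d = {"attestation_level": SECURITY_LEVEL.get(int.from_bytes(f[1][2], "big"), "unknown"),
         "keymaster_level": SECURITY_LEVEL.get(int.from_bytes(f[3][2], "big"), "unknown"),
         "challenge_ok": f[4][2] == expected_challenge,  # verifier's fresh nonce, defeats replay
         "device_locked": None, "boot_state": None}
    for cls, number, content in read_items(f[7][2]):
        if cls == 0x80 and number == TAG_ROOT_OF_TRUST:
            rot = read_seq(content)  # EXPLICIT tag wraps the RootOfTrust SEQUENCE
            d["device_locked"] = rot[1][2] == b"\xff"
            d["boot_state"] = BOOT_STATE.get(int.from_bytes(rot[2][2], "big"), "unknown")
    hardware = ("TrustedEnvironment", "StrongBox")
    accept = (d["challenge_ok"] and d["attestation_level"] in hardware
              and d["keymaster_level"] in hardware
              and d["device_locked"] is True and d["boot_state"] == "Verified")
    return accept, d

if __name__ == "__main__":
    nonce = b"verifier-chosen-nonce"
    for args in [(1, nonce, 0, True), (0, nonce, 0, True), (2, nonce, 2, False)]:
        print(verify_key_description(build_key_description(*args), nonce))
```

The three sample runs show a TEE-backed key on a locked, verified device (accepted), the same key description reporting a software-only keystore (rejected even though the nonce matches), and a StrongBox key on a device with an unlocked bootloader (rejected on the RootOfTrust fields, which is why a verifier reads the boot state rather than trusting the security level alone). The root of trust is taken from the hardware-enforced list only; anything in softwareEnforced is asserted by the OS, not the TEE or secure element.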