CutStandard8309

I just got a reply back, over a year later. No new information to add, basically another prepared statement like last time: "We're keeping an eye on alternative operating systems, and considering whether they can be implemented into the MitID solution. You mention GrapheneOS as an alternative to Android and iOS. Our very high security requirements mean that MitID can only be obtained from Apple App Store or Google Play Store. It is impossible for us to ensure that MitID works on all operating systems and browsers, so we only test on the most common operating systems, which are iOS and Android. However, a cellphone is not required for MitID, you can use a code reader if you prefer."
I wrote them back and informed them that:
- GrapheneOS is Android-based, so stating that they support Android is pretty contradictory.
- That Google Play Integrity checking is not security, because old, unpatched devices still work without issues.
- That hardware-based attestation is more secure than Google Play Integrity, and also works on the Google version of Android.
Let's see what their reply will be in another year.