attetation remote verification results

yoyoma

sample of my remote attestation app results for my pixel 7 pro.

Just want to make sure its device intgerity monitoring. and no tampering has taken place. Here are the results.

FE8C-AA8F-6A37-71F6-59EF-F997-4798-18F6-ECCC-4403-8608-B294-9BDA-92F9-798A-0B5B
delete device
Hardware verified information:
Pairing identity (hash of pinned hardware-backed key): FE8C-AA8F-6A37-71F6-59EF-F997-4798-18F6-ECCC-4403-8608-B294-9BDA-92F9-798A-0B5B
Pinned security level: High — StrongBox Hardware Security Module (HSM) with pairing specific attest key
Pinned device: Google Pixel 7 Pro
Pinned OS: GrapheneOS (unmodified official release)
Pinned OS version: 15.0.0
Pinned OS patch level: 2025-01
Pinned vendor patch level: 2025-01-05
Pinned boot patch level: 2025-01-05
Pinned verified boot key hash: BC1C0DD95664604382BB888412026422742EB333071EA0B2D19036217D49182F
Verified boot hash: 326882C5F64A08DFF5091F584D1E9432B77F6C39A92E0ABD587E979C45495B30
hide advanced information
Pinned certificate 0 (persistent Auditor key): show
Pinned certificate 1 (persistent Auditor attest key): show
Pinned certificate 2 (remotely provisioned): show
Pinned certificate 3 (intermediate): show
Pinned certificate 4 (intermediate): show
Pinned certificate 5 (root): show
Information provided by the verified OS:
Pinned Auditor app version: 87
Pinned Auditor app variant: Release build signed by GrapheneOS
User profile secure: yes
Enrolled biometrics: no
Accessibility service(s) enabled: no
Device administrator(s) enabled: no
Android Debug Bridge enabled: no
Add users from lock screen: no
OEM unlocking allowed: no
Main user account: yes
Attestation history
First verified time: Tue Feb 04 2025 09:46:56 GMT-0800 (Pacific Standard Time)
Last verified time: Tue Feb 04 2025 09:46:56 GMT-0800 (Pacific Standard Time)
show detailed history
C188-9D43-C3E6-9932-545A-3E5B-276B-FDDE-4745-8AE7-C3F0-B9CF-1592-85F9-64ED-6A5F
delete device
Hardware verified information:
Pairing identity (hash of pinned hardware-backed key): C188-9D43-C3E6-9932-545A-3E5B-276B-FDDE-4745-8AE7-C3F0-B9CF-1592-85F9-64ED-6A5F
Pinned security level: High — StrongBox Hardware Security Module (HSM) with pairing specific attest key
Pinned device: Google Pixel 7 Pro
Pinned OS: GrapheneOS (unmodified official release)
Pinned OS version: 15.0.0
Pinned OS patch level: 2025-01
Pinned vendor patch level: 2025-01-05
Pinned boot patch level: 2025-01-05
Pinned verified boot key hash: BC1C0DD95664604382BB888412026422742EB333071EA0B2D19036217D49182F
Verified boot hash: 326882C5F64A08DFF5091F584D1E9432B77F6C39A92E0ABD587E979C45495B30
show advanced information
Information provided by the verified OS:
Pinned Auditor app version: 87
Pinned Auditor app variant: Release build signed by GrapheneOS
User profile secure: yes
Enrolled biometrics: no
Accessibility service(s) enabled: no
Device administrator(s) enabled: no
Android Debug Bridge enabled: no
Add users from lock screen: no
OEM unlocking allowed: no
Main user account: yes
Attestation history
First verified time: Tue Feb 04 2025 09:47:48 GMT-0800 (Pacific Standard Time)
Last verified time: Tue Feb 04 2025 09:47:48 GMT-0800 (Pacific Standard Time)
hide detailed history
Tue Feb 04 2025 09:47:48 GMT-0800 (Pacific Standard Time)
Successfully performed basic initial verification and pairing.

Hardware verified information (constants omitted):
OS version: 15.0.0
OS patch level: 2025-01
Vendor patch level: 2025-01-05
Boot patch level: 2025-01-05
Verified boot hash: 326882C5F64A08DFF5091F584D1E9432B77F6C39A92E0ABD587E979C45495B30
Information provided by the verified OS:
Pinned Auditor app version: 87
User profile secure: yes
Enrolled biometrics: no
Accessibility service(s) enabled: no
Device administrator(s) enabled: no
Android Debug Bridge enabled: no
Add users from lock screen: no
OEM unlocking allowed: no
Main user account: yes

GrapheneOS

yoyoma It only pairs with the device and shows results if it passed the initial verification. The history shows the history of successful verifications. We don't currently have logging of failures which get attributed to a specific device since many kinds of failures will prevent using the hardware-backed key it uses to authenticate anyway, so it would need another way to authenticate to report failures and the app on the device would be clearly choosing to report a failure so an attacker wouldn't want to permit that to happen. The assumption is an attacker would block it reporting instead of letting it send that info so this wasn't a priority. That's why alerts are based on not receiving successful results. Providing actual failure reporting for the service is a work in progress and not actually very useful at least without adding another way for the app to authenticate, and even then it would be useful for debugging issues rather than actual security.

yoyoma

mods please delete or black out any information that shouldnt be shared online. PLease remove asap if i did wrong, newbie with grapheneOS, not with phones, cybersecurity for 10 years.

GrapheneOS

yoyoma None of it is sensitive information. There are no device identifiers sent to the service and they aren't currently accessible to the Auditor app anyway.

ceramics

Yeah I wish there was a simple green check mark for people less technically inclined. Or show normal expected values in parenthesis. I'm kinda just trusting I'd see clearly expressed in the notification if something goes wrong.

yoyoma

ceramics
https://www.anarsec.guide/posts/grapheneos/

yoyoma

not to mention anarsec graphenOS article is amazing, check it out for full privacy.

yoyoma

light bulb^ once you understand what is actually is. at the EOD, they still sell a prodcut through marketing money. whether its profitable or sustaibale for graphene. However i sure as fuck dont get money to type here. LMAO

SirMixAlot

GrapheneOS

Hi.

So if the app doesn't send a verification, it's alarming? My Auditor app fails to send a verification during a couple of hours on several occasions every day. It used to only happen at night, but now it also happens during the day. it misses 1-3 hours. It should verify every hour.

As an example my auditor app verified my os:
Fri Apr 11 2025 00:07:48
Fri Apr 11 2025 02:44:13
Fri Apr 11 2025 05:46:13
Fri Apr 11 2025 06:45:20
Fri Apr 11 2025 06:59:06
Fri Apr 11 2025 07:49:14
Fri Apr 11 2025 09:37:39
Fri Apr 11 2025 11:16:40
Fri Apr 11 2025 11:49:49

Should I be worried?

See my post: https://discuss.grapheneos.org/d/21281-auditor-not-working

yoyoma

okay so i guess that means my sample i pasted above is okay? I can move forward to settnig my device up? I will follow the anarcsec guidlines i posted above. But more for a daily driver. Any suggestions would be appreciated if i am using the attestation app correctly. I do not have any other phones running android so i cant do the local check. So my main question is, is this okay? I am good to go?

GrapheneOS

yoyoma It passed verification. The main thing you should do is check the verified boot key fingerprint shown at boot after the initial installation, and then you're good to go. Don't need to keep checking it, it does that itself.

yoyoma

GrapheneOS okay so check the verified boot key fingerprint shown at boot after initial installation. That is the yellow text when it says pause for alternate operating system booting?
what do i check that number against? I love graphene OS, so happy i finally found something real. SInce your part of graphene os, how do you feel about joe rogan about to start using it? he announced it on his recent podcast. Google is giving him a pixel tablet and a 9 pro xl. Hes excited it seems. I imagine his threat model is severe since he has so much "Truthful" information about the corruption in mainstream contract phones. Love my pixel, so happy im done with IOS. I do not like the fact that they are closed source. Then they just got sued for 98 million in europe i think for recording conversations and sending them to china servers. Anyone can confirm this?
I swear i should work in cybersecurity. I went down the rabbit hole 6 years ago, when the state or government went after me because of the insurance fraud corrupt rehab system.

yoyoma

GrapheneOS thankyou for everything! I fixed the issue. I had to re do the remote verification by deleting it and starting fresh.
Thanks again for everything you have done. Creating gOS has changed my life. Thank you for making an OS for peoples right to privacy. I mean it is obvious that you are doing something right considering everything i have read on here and learned with cellbrite documentation. My mom talks to me on molly/singal now :) LMAO. I just dont understand how any normal human being who has seen SNOWDEN, the movie, or studied up on anything regarding privacy, has not made it a priority to swtich to gOS. People keep drinkink the KOOLAID

DeletedUser127

yoyoma https://grapheneos.org/install/web#verified-boot-key-hash

yoyoma

thank you, should i follow anarsec security threat model with his 3 profiles?

GrapheneOS

SirMixAlot The scheduled verification job is throttled by the OS to save power. It's not a precise interval. We've considered providing a way to bypass this for apps with Unrestricted battery mode but haven't done it yet.