Possibility of running an OS inside of another OS on Android?

natoal

I'd like to call your attention to VirtualBox, which, if I'm not wrong, allows one to run another instance of Linux or Windows inside of the host OS. Of course, this is computationally intensive, but I was wondering if it was actually possible to do this on Android to circumvent the mechanisms used by certain apps that detect whether a non-stock OS is installed. Then, I guess it must be frozen immediately after usage to reduce battery drain.

de0u

natoal Pixel hardware from the 6 series on supports virtualization, and there has been recent work on that in Android in general and GrapheneOS in particular, see: https://discuss.grapheneos.org/d/20647-user-facing-hardware-virtualization-support-in-our-next-os-release

VirtualBox as such is not an Android solution. In addition, while virtualizing Android will have various security and privacy benefits, it won't work around hardware-based attestation which some apps use to detect which OS version they are running under.

teezeh

natoal but I was wondering if it was actually possible to do this on Android to circumvent the mechanisms used by certain apps that detect whether a non-stock OS is installed

Forget it.

GrapheneOS

natoal

but I was wondering if it was actually possible to do this on Android to circumvent the mechanisms used by certain apps that detect whether a non-stock OS is installed

It will do the direct opposite of helping with this. Apps specifically try to detect virtualization and it's one of the main purposes of the Play Integrity API and hardware attestation API to detect it. It would be much harder to pretend an app in a virtual machine is running on bare metal on Google certified device with the stock OS. This is not something virtualization will help with at all.

natoal

de0u I looked through this and found

The only practical way to bypass hardware attestation is through exploiting the hardware keystore to obtain attestation signing keys, which is protected against by the ability to revoke keys that are being misused.

In that case wouldn't it be easy to spoof the key if its only use is to use an app and nothing else? It would likely be improbable that the key get flagged for misuse. I'm not sure how one would go about exploiting the hardware keystore though.

natoal

teezeh

Forget it.

What's wrong?

teezeh

natoal I just strongly recommend against wasting your time with such PoC stuff.

natoal

GrapheneOS

Oh, in that case, do you know if this can be done instead?

"In that case wouldn't it be easy to spoof the key if its only use is to use an app and nothing else? It would likely be improbable that the key get flagged for misuse. I'm not sure how one would go about exploiting the hardware keystore though."

The GrapheneOS site said it's possible to obtain the keys... if an app like Netguard was used that blocked google domains, that might prevent them from updating the blacklist of keys. Of course, a key only used to download one or two apps might not even be flagged. Could a new key be generated after one is flagged?

de0u

natoal The GrapheneOS site said it's possible to obtain the keys...

For sure it is possible. At least several nation-state actors could do it. That doesn't mean it's easy, and it has been designed to be hard.

natoal If an app like Netguard was used that blocked google domains, that might prevent them from updating the blacklist of keys.

Possibly, but that wouldn't stop the server side of the app from noticing that the chain included a revoked certificate.

natoal Of course, a key only used to download one or two apps might not even be flagged. Could a new key be generated after one is flagged?

I suspect a good model for this is that extracting a device private key costs somewhere between $10,000 and $10,000,000. Clearly Google hopes it's expensive and has worked hard on that. I think it will be a surprise if key extraction is something like $10. So using an extracted key to download a small number of apps may not be efficient, and spreading the cost across many users seems likely to result in discovery and key rotation.

natoal

de0u

By certificate do you mean the key? Sorry, I'm not tech savvy. Netguard filters specific domains and I don't think apps will run the request through duplicate lists on multiple domains, so blocking tracking domains alone may be enough. When I used it last there were a lot with gstatic and google or firebase iirc. Gov domains may not have it (if it's a government app). So in this case blocking all domains except gov was what I had envisioned

And damn it's expensive, all that just for blocking access to apps? I can't imagine why'd they need such huge protections

de0u

natoal Some information about hardware-based attestation:

natoal And damn it's expensive, all that just for blocking access to apps?

It is used for many things, such as Widevine.

To be clear, the per-device cost of the system is low; what's (probably) expensive is breaking it.

raccoondad

You really can't get over the Integrity API, you should more so just find alternatives to the apps you cannot use