Does GrapheneOS plan to participate or use the "Unified Attestation" initiative

avaluedcustomer

A new initiative has been started to have a Google free way to validate the security of a phone. It is lead by Volla but Murena, Iode and Apostrophy have apparently signaled to also support (use) this.

Does GrapheneOS consider participating there? It will be released under the Apache license, so I wouldn't expect any legal problems.

More information here: https://uattest.net/

not-a-rola

avaluedcustomer It is lead by Volla but Murena, Iode and Apostrophy have apparently signaled to also support (use) this.

Does GrapheneOS consider participating there?

I don't think so, LOL.

not-a-rola

avaluedcustomer so I wouldn't expect any legal problems.

Nothing stops banks to implement the hardware attestation as well, but they keep sticking to Google for compliance. The root cause is not technical.

Johnnyloans

avaluedcustomer A new initiative has been started to have a Google free way to validate the security of a phone.

gos already has their own attestation

W1zardK1ng

avaluedcustomer This will be a alternative but no one is going to use it just like the unified push. We already have hardware attestation but no one really keep efforts to implement it until users keep requesting the devs, still very few do. They implemented this probably because their devices doesn't support the hardware attestation not sure, never dig deep on those insecure devices.

avaluedcustomer

Johnnyloans With a different goal if I understand this correctly.

Novalissoide

Here's a somewhat funny read:
https://www.galaxus.de/en/page/banking-wallet-and-nfc-payment-alternative-operating-systems-want-to-break-away-from-google-41859

TacticalCheddar

IMO this isn't a serious project. The EU is currently looking to invest in European alternatives for American tech so the gang listed there is probably trying to grift some funds by labeling themselves as ''secure alternatives''.

I really wish some serious journalists would post the criticism the dev team constantly writes about these projects. It's becoming an outright public safety issue with the amount of Europeans that are being pushed to those security nightmares.

NoahRaketic

No. They have publicly stated that they oppose this initiative.
https://grapheneos.social/@GrapheneOS/116200110686604617
https://xcancel.com/i/status/2031041385554386960
https://discord.com/channels/1176414688112820234/1176414688112820237/1480589827471839393

Viewpoint0232

Even if this project won't be used by GrapheneOS, it may still have the positive impact of banks and governments thinking "wait... I don't have to use Play Integrity!" and then eventually some might also use GrapheneOS's hardware attestation.

NoahRaketic

Viewpoint0232 You should read the posts by GrapheneOS. It won't have a positive impact and will likely further continue to encourage apps to use improper methods (like uattest) to verify apps rather than the built-in attestation API, which can measure real security features and isn't determined by a company.