Play Integrity API and Future of GrapheneOS

[deleted]

matchboxbananasynergy sorry, if you think I am mumbling here, you are welcome to delete all my posts in this thread. I have a pretty good idea what I mean.

Tryptamine

matchboxbananasynergy got it. Apologize if that's what it seems like I'm doing... My intention was to stick to facts here rather than speculative reasoning, but I can see how my posts could be misconstrued. Feel free to delete as you see fit!

Bringing it back to the initial topic;

Yeah, I really hope that more apps don't use stronger Play Integrity checking, but so far that is few and far between... Hope it stays that way, or...

Would be incredible if hardware based attestation were to have a surge in popularity! However I really wonder why that hasn't been the case... It seems to me that would provide a much stronger form of attestation than using play integrity, but I've never heard a story to date that an app has switched to it. I'd love to be wrong on this point!

mmmm

Tryptamine I've confirmed that turning on the toggle "Reroute location requests to the OS" prevents your device giving location to Location History, completely! Its an opt in thing in GrapheneOS.

What's this then? Where is it and do you have a bit more info as to what it does or what it's for?

Carlos-Anso

mmmm
That is the default setting. It makes all apps which request location from Google Play instead have the request routed to the OS location provider. Google Play does not need location permission.

mmmm

Carlos-Anso thanks for the info!

Ammako

PacoBell yeahhh this is why I waited until I upgraded before playing any of this stuff. I can actually just keep the previous phone as a dedicated machine on stock OS to ensure compatibility, while the new daily driver remains separate.

evol

dln949 i imagine its proprietary, but i wonder if there could be a foss project that tries to emulate it. donw know much about that possibility heheh.

crowbahr

Hey - Staff Android developer at a large, publicly traded company here.

We're seeing increasing rates of cyber security issues related to compromised devices which is why we've adopted the Play Protection API as part of a multi-pronged effort to reduce AI based impersonation attacks on our platform.

The reason why we really need attestation is to ensure that the device isn't compromised and that the app is similarly unmodified.

From reading the documentation I'm not seeing how we could prove app integrity with the existing hardware signing certificates proposed by GrapheneOS as a solution.

I'm interested in other options, or docs on what I've missed here.

I'm considering installing Graphene on a spare device just to see what happens with the integrity checks but it'd be nice if someone could weigh in on exactly what would fail in the Play check. Is it just the deviceIntegrity field while the appIntegrity field would still pass? Would nothing happen at all? What kind of access risks would show up in the environmentDetails, if any?

Obviously it's hard to get bandwidth allocated to supporting niche distros, especially with as lean as most teams run these days. That said: if I can sneak in some tweaks and support Graphene within one weekend...

chinook

crowbahr hey, thanks for expressing the interest.

Before someone gets the gory details, I'm curious how does your organisation reconcile Google-certified phones not getting updates since several years and considering vulnerable Android 12 or 13 (eg: Pixel 4) systems as safe/trusted (because certified by Google) - knowing many of these vulnerabilities could be used to temporarily root the device and hide this fact

At the same time GOS handset that passes hw attestation is not rooted and not modified. Basically pure, safer AOSP without privileged Google services :)

Last time I checked (few months ago), my ancient Xperia Z5 could still runs most of the apps, including two of my four banking apps.

I'm really just wondering what your position is, because it likely has been discussed in your team.

exactly what would fail in the Play check

Play Integrity API checker (gr.nikolasspyr.integritycheck) says my handset passes MEETS_BASIC_INTEGRITY but fails MEETS_DEVICE_INTEGRITY and MEETS_STRONG_INTEGRITY.

    "appIntegrity": {
        "appRecognitionVerdict": "PLAY_RECOGNIZED",
[...]
    "deviceIntegrity": {
        "deviceRecognitionVerdict": [
            "MEETS_BASIC_INTEGRITY"
        ],
        "recentDeviceActivity": {
            "deviceActivityLevel": "UNEVALUATED"
        },
        "deviceAttributes": {
            "sdkVersion": 36
        }
    },
    "accountDetails": {
        "appLicensingVerdict": "LICENSED"
    },
  "environmentDetails": {
        "playProtectVerdict": "NO_ISSUES",
        "appAccessRiskVerdict": {
            "appsDetected": [
                "KNOWN_INSTALLED",
                "UNKNOWN_INSTALLED"
            ]
        }

Thanks! (And thanks a lot for the interest, it may help other devs as well)

Watermelon

(I am NOT part of the GrapheneOS project.)

crowbahr which is why we've adopted the Play Protection API

crowbahr From reading the documentation I'm not seeing how we could prove app integrity with the existing hardware signing certificates proposed by GrapheneOS as a solution.

This implies that Play Integrity does something you need that the base API for attestation doesn't do. What is it that you find lacking in it? Note that attestation isn't just about the fingerprints. They point to the source code of their Auditor app. Quote:

Our MIT / Apache 2 licensed Auditor app can be used as a reference implementation for verifying hardware-based attestations.

crowbahr I'm interested in other options, or docs on what I've missed here.

If you have a Pixel, you can try the Auditor app on it in auditee mode. It's one of the core features in GrapheneOS and preinstalled in it, but also recognizes the stock OS of Pixels, and available on Google Play Store. The Auditor app uses hardware-based attestation completely independently from Play Integrity. You can see as a user what kind of info it's capable of reporting and checking. As far as I know, everything that the Auditor app checks can also be checked by any other app equally well (note that the GrapheneOS team added GrapheneOS-specific reporting of stuff like the auto-reboot timer and USB-C port setting, and I believe they can also be checked by any other app, but it's possible that not).

lbschenkel

crowbahr I'm not seeing how we could prove app integrity with the existing hardware signing certificates proposed by GrapheneOS as a solution.

I would need to look again, but last time I checked the Android attestation API, the app signature was part of the signed data so you also verify the app integrity as part of the attestation.

Since you are going to whitelist official GOS keys in this approach, this is implicitly trusting that GOS is trusted to do the signature checks before running your app and will not lie about the signature.

So it should give the same assurances in the end: unmodified device, unmodified OS, unmodified app.

GrapheneOS

crowbahr

We're seeing increasing rates of cyber security issues related to compromised devices which is why we've adopted the Play Protection API as part of a multi-pronged effort to reduce AI based impersonation attacks on our platform.

Play Integrity API does not provide any serious protection against this and forbids users from using more secure devices.

From reading the documentation I'm not seeing how we could prove app integrity with the existing hardware signing certificates proposed by GrapheneOS as a solution.

It provides cryptographic verification of the app through the package name, version code and signing key verification which is passed to the secure element by the verified OS for inclusion in the signed attestation. Why do you think you can't verify app integrity with it? Have you looked at the hardware key attestation API? The entire purpose of the Play Integrity API strong integrity level is using the hardware key attestation API to verify the OS and app in a much more secure way than software checks.

I'm considering installing Graphene on a spare device just to see what happens with the integrity checks but it'd be nice if someone could weigh in on exactly what would fail in the Play check. Is it just the deviceIntegrity field while the appIntegrity field would still pass? Would nothing happen at all? What kind of access risks would show up in the environmentDetails, if any?

You should use the hardware attestation API and verify your app's package name, version code and signing key fingerprints. You shouldn't use the Play Integrity API for this.

Obviously it's hard to get bandwidth allocated to supporting niche distros, especially with as lean as most teams run these days. That said: if I can sneak in some tweaks and support Graphene within one weekend...

Your company is going out of the way to forbid using GrapheneOS with a security feature which doesn't provide what it claims but rather exists to enforce Google's business model. It was an explicit choice to go out of the way to forbid using much more secure devices while still permitting devices with no security patches for many years.

crowbahr

chinook

While I'm limited in the amount of details I can share I can say that we're requiring MEETS_STRONG_INTEGRITY for our sensitive actions. I appreciate the API checker output for your GOS device - that's good to see. Having a PLAY_RECOGNIZED verdict along with the build number and sha256 of the build are all part of the required checks. It looks like you'd only be failed for the MEETS_STRONG_INTEGRITY check - which is what I'd expect.

For the MEETS_STRONG_INTEGRITY portion obviously there are issues on Android SDK <= 32 where the Strong verdict is returned purely based on hardware boot integrity with no recent security patch requirements. We're monitoring how this goes to see if we still have issues with camera spoofing on those devices, in which case we'll lock all SDK <= 32 out of the sensitive actions in app.

Again I'm trying not to dox myself here but we're a luxury product and we deal with PII so we have to take customer data very, very seriously. The security review on these kind of changes might take over a month on its own. So it's a not inconsiderable headache to support this when the Google Play API covers 99.999% of our customers, most of whom are nowhere near tech savvy enough to install a custom rom, and Security signs off on that for free since it's as simple as having the device perform the check then sending the token off to Google on our backend and getting a verdict. No chains to look into, it uses the existing GCM project etc etc.

THAT SAID - It sounds like I could add the attestation key certificate chain into the attestation step up and just have the server check that in the case that the device fails STRONG_INTEGRITY, allowing only the GrapheneOS boot key fingerprints. Where do you post revocation status btw? Is it in the Google maintained list?

crowbahr

Watermelon The Auditor app looks cool but it doesn't seem to work. Running it on a Pixel 9 Fold, Build BP41.250822.010 (Beta track Android 16) as the Auditee and a bone stock Samsung S23 Ultra for the Auditor. Always fails connection.

GrapheneOS

crowbahr

While I'm limited in the amount of details I can share I can say that we're requiring MEETS_STRONG_INTEGRITY for our sensitive actions. I appreciate the API checker output for your GOS device - that's good to see. Having a PLAY_RECOGNIZED verdict along with the build number and sha256 of the build are all part of the required checks. It looks like you'd only be failed for the MEETS_STRONG_INTEGRITY check - which is what I'd expect.

The entire purpose of the strong integrity level is that it uses the hardware key attestation API in a very weak way not using or enforcing most of what's provided such as a reasonable patch level.

The hardware key attestation API provides a signed result including the app's package name, version code and signing key fingerprints. That's how you're meant to chain trust to the app with it, and it's done by our Auditor app provided as an example.

For the MEETS_STRONG_INTEGRITY portion obviously there are issues on Android SDK <= 32 where the Strong verdict is returned purely based on hardware boot integrity with no recent security patch requirements. We're monitoring how this goes to see if we still have issues with camera spoofing on those devices, in which case we'll lock all SDK <= 32 out of the sensitive actions in app.

It allows being out-of-date by up to a whole year for recent devices and indefinitely for older devices. The key attestation API provides the patch levels signed by the hardware for you to enforce what you want. You can use the hardware key attestation API to verify any stock OS including patch levels too through the green boot state. It doesn't mean that this is a useful thing to do, but it's more useful than the Play Integrity API strong integrity level.

Again I'm trying not to dox myself here but we're a luxury product and we deal with PII so we have to take customer data very, very seriously. The security review on these kind of changes might take over a month on its own. So it's a not inconsiderable headache to support this when the Google Play API covers 99.999% of our customers, most of whom are nowhere near tech savvy enough to install a custom rom, and Security signs off on that for free since it's as simple as having the device perform the check then sending the token off to Google on our backend and getting a verdict. No chains to look into, it uses the existing GCM project etc etc.

GrapheneOS is not a custom ROM. That's an inaccurate term and shouldn't be used to refer to it.

The hardware key attestation API is the official Android API for this and it's not that hard to use it.

Play Integrity API is rate limited and doesn't always work so it adds reliability issues to an app. The hardware key attestation API has no rate limits.

Play Integrity API device integrity level is easily bypassed and the strong integrity level is simply supplementing that with the key attestation API and very incomplete, lax checks for patch level.

THAT SAID - It sounds like I could add the attestation key certificate chain into the attestation step up and just have the server check that in the case that the device fails STRONG_INTEGRITY, allowing only the GrapheneOS boot key fingerprints. Where do you post revocation status btw? Is it in the Google maintained list?

They're Google certified devices with the Google key attestation root keys and therefore the Google maintained revocations are the relevant ones. With our own hardware, we could have our own key attestation root, our own remote key provisioning and our own revocation list but that's not relevant right now.

You can use key attestation to verify the stock OS and your app on any device launched with Android 8 or later including checking patch levels. You can check your app's integrity via the key attestation metadata for the package name, version code and signing key fingerprints. The attestation is for a hardware backed key which can then be used to sign messages including gathering more data in your app and sending it in a signed message to prove it came from the app since the OS doesn't allow anything else to use the key.

You're meant to tie login sessions to hardware keystore keys with attestation enabled. You can also generate attest purpose keys for signing attestations of other keys.

GrapheneOS

crowbahr Auditor works very well and doesn't involve any connection between the devices being used to verify each other. Only the scheduled remote attestation feature involves a connection being made by the app. The attestation keys for the chain up to the root do get provisioned via the network on modern devices and are per-app but then they get used for a couple weeks. Our Auditor apps generates an attest purpose key for each pairing and uses that to sign the attestations, but it enables attestation for the attest key so it chains to the root itself. It would work without involving the attestation roots at all though but bootstrapping from the root makes the initial verification less useless. It's based on a much more meaningful model of using per-pairing attest keys generated in the hardware keystore and we use the secure element keystore rather than TrustZone. The chain to the attestation root is only relevant for the initial pairing.

crowbahr

GrapheneOS

Thanks for the in depth responses. Based on what I've gathered here I think I have a solid argument to take to Security and Compliance.

Your company is going out of the way to forbid using GrapheneOS with a security feature which doesn't provide what it claims but rather exists to enforce Google's business model. It was an explicit choice to go out of the way to forbid using much more secure devices while still permitting devices with no security patches for many years.

I understand how it might seem that way to you and your understanding of security and attestation but when dealing with some of the other businesses we work with and our customers it is a lot easier to say we work with officially sanctioned Google APIs for this exact purpose rather than explaining the intricacies of X.509 cert chain validation.

Framing it as an explicit choice made by the business to exclude you is both conspiratorial and counterproductive: Like most businesses we have insufficient staff and significant amounts of pressure to deliver on time and under budget. That means not digging deeper than the officially sanctioned, especially when that's the path of least resistance for our business partners to sign off on it.

Again: Trying hard not to dox myself here but I want to make it clear that we have stake holders who are technically illiterate and I am one of 4 total android developers at a company with more than 1bn dollars in revenue. We're a very lean engineering org, but I care enough about privacy and alternative projects to come check things out here, specifically because I don't want the company to end up being exclusionary on accident.

We've already implemented STRONG checks, it took about a day. I did both the front and backend work. It's incredibly simple to do with the APIs provided by Google and ticked all compliance boxes.

I'll go back to the Sec & Com team to make the argument for manual cert chain validation using the Kotlin library linked before specifically as a special carve-out for failing cases, and I think with the info you've provided here I'll have good ammunition to that effect.

Thanks for all the feedback, docs and help on this topic.

crowbahr

GrapheneOS Re: Auditor app -

I expect it does work very well but I can't get it to work when attempting to have an S23 Ultra as the Auditor. I always get a red background saying something about connection issues. I don't have my test device (S23) handy or else I'd run through it. It takes a long time for it to scan the high density QR code and it seems to pretty consistently fail.

GrapheneOS

crowbahr Android key attestation is an officially sanctioned Android API supported by Google. They provided a Java sample key attestation library and then made a newer Kotlin one. It's a fully official Android and Google supported feature.

de0u

crowbahr I understand how it might seem that way to you and your understanding of security and attestation but when dealing with some of the other businesses we work with and our customers it is a lot easier to say we work with officially sanctioned Google APIs for this exact purpose rather than explaining the intricacies of X.509 cert chain validation.

That may be an easy explanation to provide, but is it "ok" that Play Integrity approves devices that are very out of date and have lots of known vulnerabilities?

I get that it may be difficult to explain that Play Integrity is wrong in both directions (it passes devices running vulnerable software, and it rejects devices running fully-patched GrapheneOS), but shouldn't the decision-makers at a large luxury-product company with lots of PII want to know what's actually happening? I get that it would be nice to be able to tell them that there is a simple answer that is accurate, but what if the simple answer is not accurate? Is simplicity more important, or accuracy?

« Previous Page Next Page »