Google’s “Web Integrity” Android API could kill “alternative” media clients | Ars Technica - eviltoast
  • Orion (awooo)@pawb.social
    link
    fedilink
    arrow-up
    3
    ·
    1 year ago

    Well not quite, you still cannot pass strong integrity, because it’s based on a hardware chain of trust.

    I’m sure there will be vulnerable hardware out there, and groups which are able to extract the keys, so nothing changes from a security perspective, you still can’t fully trust the client to not scam you out of money or something.

    But for forcing people to see ads, or discouraging the use of free software, adding vendor lock-in? You don’t even need special hardware to be annoying about it, SafetyNet in its bypassable form has already made mobile payments unreliable on non-Google Android so much that it doesn’t make sense to use them, because you could be denied service at random whenever the binary updates.

    Strong attestation in play integrity is pretty much impossible to get around from an individual user’s perspective, and in the best case scenario would be bypassable with significant effort, likely involving you having to buy leaked keys on the black market.