An open call to #Android #developers! The #EuropeanCommission needs help evaluating #GooglePlay's #security claims. I'm going to do what I can. Anyone with knowledge of how app installation, uninstallation, sandboxing, signing, etc. work could really help here. If you want to contribute, please reach out!
@RandamuMaki We will, on our own.
@GrapheneOS Good to hear.
@RandamuMaki We raised the issue of the Play Integrity API at the recent meeting and plan to heavily push on that. We can debunk all of the attempts to misrepresent checking for a Google-certified OS as being a security check when it clearly isn't.
The Android hardware attestation API works for alternate roots of trust and alternate operating systems. It's entirely possible for the EU to make a standard for security and require banking apps, etc. to stop forbidding devices that pass that standard.
@RandamuMaki Google's standard for the 'security' check of the Play Integrity API is a device licensing Google Mobile Services, installing the app from the Play Store and the user being signed into a Google account. It's clearly primarily based around Google's business interests, not security. The hardware attestation API supports verifying the device, OS and app with higher security without any of these requirements. Play Integrity API is anti-competitive for the sake of being anti-competitive.
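The post above contrasts the Play Integrity API's criteria with what the hardware attestation API can actually verify. As an added example (not code from this thread, from GrapheneOS, or from any banking app), the block below parses the Android key attestation extension (KeyDescription, OID 1.3.6.1.4.1.11129.2.1.17) and applies a verifier policy built on the hardware-enforced root of trust: hardware-backed attestation, a fresh challenge, a locked bootloader, and a verified-boot key on the verifier's own allowlist rather than only a Google-signed OS. Everything here is assumed for illustration: the extension bytes are constructed in the file rather than read from a device, the trusted boot-key hash is a placeholder, the attestation certificate chain is taken to have already been validated to the attestation root before this step, and the application identity fields of the schema are not checked.

```python
# Added example (not from the thread or GrapheneOS): parse the Android key
# attestation extension (KeyDescription, OID 1.3.6.1.4.1.11129.2.1.17) and
# apply a verifier policy keyed on the hardware-enforced root of trust.
# The extension bytes are constructed here, not taken from a device; the
# "trusted boot key" hash is a placeholder, and chain validation to the
# attestation root is assumed to have happened before this step.

TAG_ROOT_OF_TRUST = 704          # [704] EXPLICIT RootOfTrust in AuthorizationList
SOFTWARE, TEE, STRONGBOX = 0, 1, 2                      # SecurityLevel
VERIFIED, SELF_SIGNED, UNVERIFIED, FAILED = 0, 1, 2, 3  # VerifiedBootState

# Placeholder hash of an alternate OS's verified-boot signing key (hypothetical).
SAMPLE_ALT_OS_KEY = bytes.fromhex("ab" * 32)
TRUSTED_BOOT_KEYS = {SAMPLE_ALT_OS_KEY}   # the verifier's own allowlist

# ---- minimal DER encoding, just enough to build a sample extension ----
def _len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return tag + _len(len(content)) + content

def ctx_tag(num):
    """Context-specific constructed tag; high-tag-number form for num >= 31."""
    if num < 31:
        return bytes([0xA0 | num])
    out = [num & 0x7F]
    num >>= 7
    while num:
        out.append(0x80 | (num & 0x7F))
        num >>= 7
    return bytes([0xBF]) + bytes(reversed(out))

def der_int(v):      return tlv(b"\x02", bytes([v]))   # sample values are < 128
def der_enum(v):     return tlv(b"\x0a", bytes([v]))
def der_bool(b):     return tlv(b"\x01", b"\xff" if b else b"\x00")
def der_octets(b):   return tlv(b"\x04", b)
def der_seq(*items): return tlv(b"\x30", b"".join(items))

def build_sample(challenge, boot_key, boot_state, locked=True):
    """Constructed KeyDescription with a TEE-enforced RootOfTrust."""
    rot = der_seq(der_octets(boot_key), der_bool(locked),
                  der_enum(boot_state), der_octets(b"\x11" * 32))
    hw_enforced = der_seq(tlv(ctx_tag(TAG_ROOT_OF_TRUST), rot))
    return der_seq(der_int(4), der_enum(TEE), der_int(41), der_enum(TEE),
                   der_octets(challenge), der_octets(b""), der_seq(), hw_enforced)

# ---- minimal DER decoding ----
def read_tlv(buf, pos):
    """Return (tag_number, value, next_pos) for the TLV at pos."""
    first = buf[pos]; pos += 1
    tag = first & 0x1F
    if tag == 0x1F:                       # high-tag-number form
        tag = 0
        while True:
            b = buf[pos]; pos += 1
            tag = (tag << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    ln = buf[pos]; pos += 1
    if ln & 0x80:                         # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    return tag, buf[pos:pos + ln], pos + ln

def read_seq(body):
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        items.append((tag, val))
    return items

def parse_key_description(ext):
    _, body, _ = read_tlv(ext, 0)          # outer SEQUENCE
    f = read_seq(body)
    rot = None
    for tag, val in read_seq(f[7][1]):     # hardwareEnforced AuthorizationList
        if tag == TAG_ROOT_OF_TRUST:
            _, rot_body, _ = read_tlv(val, 0)   # explicit tag wraps a SEQUENCE
            r = read_seq(rot_body)
            rot = {"verified_boot_key": r[0][1],
                   "device_locked": r[1][1] != b"\x00",
                   "verified_boot_state": r[2][1][0],
                   "verified_boot_hash": r[3][1]}
    return {"attestation_security_level": f[1][1][0],
            "challenge": f[4][1], "root_of_trust": rot}

def evaluate(ext, expected_challenge, trusted_boot_keys):
    """Policy: hardware-backed, fresh, locked, and booted from an allowlisted key."""
    kd = parse_key_description(ext)
    rot = kd["root_of_trust"]
    if kd["attestation_security_level"] not in (TEE, STRONGBOX):
        return False, "attestation not hardware-backed"
    if kd["challenge"] != expected_challenge:
        return False, "challenge mismatch"
    if rot is None:
        return False, "no hardware-enforced root of trust"
    if not rot["device_locked"]:
        return False, "bootloader unlocked"
    # An OS signed with a non-Google key boots in the SelfSigned (yellow) state;
    # that is acceptable as long as the key itself is one the verifier trusts.
    if rot["verified_boot_state"] not in (VERIFIED, SELF_SIGNED):
        return False, "verified boot failed or disabled"
    if rot["verified_boot_key"] not in trusted_boot_keys:
        return False, "unknown verified boot key"
    return True, "ok"

if __name__ == "__main__":
    ext = build_sample(b"nonce-from-server", SAMPLE_ALT_OS_KEY, SELF_SIGNED)
    print(evaluate(ext, b"nonce-from-server", TRUSTED_BOOT_KEYS))
```

The point of the allowlist is that the decision rests on which key signed the booted OS and on the hardware-reported boot state, which is exactly the information an EU-style standard could require apps to act on; none of the checks depend on Google Mobile Services, the Play Store, or a Google account. A real verifier would, in addition, validate the certificate chain up to the attestation root and check the attestation application id before trusting any of these fields.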
@eighthave two key projects where you might find experts on the subject https://opengapps.org/#aboutsection and https://microg.org/download.html
@copysent cc @microg and @larma @eighthave
@eighthave @kuketzblog interested?
@eighthave @GrapheneOS want to weigh in?