alt Hacker NewsIt seems to me that comments here are reading this as saying attestation is bad, when the real argument is that attestation should explicitly provide a path of inclusion for non-Apple and Google providers.
The headline seems to make the statement that Apple and Google are evil and doing this for monopoly lock-in, and GrapheneOS, a competitor, will stand for the people against that. But given their final counterpoint is that they should have been included too and they rant about being rejected from Google's Play Integrity API for unclear reasons they claim are malicious, it seems they do acknowledge there's security value here: we do critically need for full-chain-of-signature attestations for critical identity data, the only way to avoid someone using AI to create fraud identities trivially.
Replies
That is not what GrapheneOS is saying. They mention their exclusion as proof that attestation has nefarious motives, not because they would be OK with it otherwise
They have commented elsewhere that any inclusion/exclusion criteria (if at all) should be transparent and collaboratively decided rather than arbitrary, monopolised or ineffectual/deceptive. They mention several times that people should not be excluded from web services for browser/OS choice.
The position of GrapheneOS is that attestation shouldn't be used to restrict people to an allowlist of hardware and operating systems. It can be used to without forbidding them from using what they want to use. However, if it's going to be used to make an allowlist of hardware and operating systems, then it needs to permit any any at least as secure as what they're permitting to be approved. Instead, they're enforcing Google's business model for licensing Google Mobile Services while not requiring secure devices at all. There's no security value in the current Play Integrity API which permits devices with no patches for 10 years.
Even the Play Integrity API strong integrity level only enforces being no more than 1 year behind on the official Android security bulletins which are 3-4 months outdated at release so that's nearly a year and a half behind of patches. It also has the massive loophole of permitting being arbitrarily behind on patches for earlier Android versions than Android 13, so even the strong integrity level permits a device launched with Android 8 with no patches applied since then. That's not a security check, it's a business model check to lock out alternatives not licensing Google Mobile Services. The licensing terms for Google Mobile Services have been found to be illegal in multiple countries. Google enforcing agreeing to those terms with the Play Integrity API is a truly extraordinarily violation of antitrust laws. Governments are not only failing to act but adopting it themselves. It's going to be looked back on as a massive failure for technology regulation/legislation along with government tech policy beyond that.