alt Hacker NewsIt's not about being secure. Google allows devices with up to 10 years without any patches to pass their integrity API. Meanwhile Graphene OS, which is very secure and up-to-date, doesn't pass.
Replies
I am talking about attestation in general. I already left a comment in the thread agreeing with you.
They allow old devices to report to Play Integrity. That doesn't mean the service provider requesting attestation has to allow such devices. These things usually give just a risk grade to the service provider and it's up to them to make the decision.
Graphene OS says they are secure, but the definition of secure they're using isn't the same one the service providers are using, so that doesn't help much.
The best route forward here is to push for a separation of certification types. Ideally it would be possible to pass the security related aspects of Google's CTS test suite and get approved by Play Integrity without triggering the other parts of Android certification.
This. Plus if I want to access my bank account on a device I trust, the bank shouldn’t say “hey we don’t trust it so buzz off”. It’s my money in that account.
I understand there’s some stupid compliance thing that makes banks do this, but it clearly isn’t a hard requirement, as there’s still plenty of banks that don’t participate in this security theatre.