logoalt Hacker News

realusernametoday at 7:03 AM1 replyview on HN

> "strong integrity" also takes into account if a security update has been installed recently enough.

My Galaxy S10, last update in 2023 passes strong integrity.

With the little amount of security updates most Android devices have, I'm pretty sure you can find an exploit for pretty much everything except the most expensive flagships.

What does integrity really means when nobody really knows what's in the device and with a terrible software update policy anyways.

Replies

jeroenhdtoday at 8:40 AM

The exact requirements for security updates depends on the Android version you're running and the one your device came with. From the docs:

        MEETS_STRONG_INTEGRITY
        
        The app is running on a genuine and certified Android device with a recent security update.
        
        On Android 13 and higher, the MEETS_STRONG_INTEGRITY verdict requires MEETS_DEVICE_INTEGRITY and security updates in the last year for all partitions of the device, including an Android OS partition patch and a vendor partition patch.
        On Android 12 and lower, the MEETS_STRONG_INTEGRITY verdict only requires hardware-backed proof of boot integrity and does not require the device to have a recent security update. Therefore, when using the MEETS_STRONG_INTEGRITY, it is recommended to also take into account the Android SDK version in the deviceAttributes field.
        
        A single device will return multiple device labels in the device integrity verdict if each of the label's criteria is met.
The S10 should be on Android 13, so it should not pass STRONG_INTEGRITY. If it does, perhaps it's possible Google updated the docs early in anticipation of a change? The software update requirement wasn't always there.
show 1 reply