
This is the Google model then. Base everything on open source, even allow unofficial builds of your operating system (LineageOS, Graphene), but slowly introduce more and more device attestation and DRM so it becomes de facto impossible to actually use anything but the closed builds because everything from banking apps and electronic identification apps to streaming apps will refuse to run on your "unsafe" operating system.


Currently the only thing which won't run on a non-google blessed android build is google wallet, although a lot of applications rely on google's proprietary services exposed through google play.

I've not run into any banking applications which won't run on a non-google build of android (as then they would only run on a pixel). That being said, I refuse to seriously bank with any bank which doesn't offer a functioning website. My main bank offers an app but you have to wholesale switch to it.


This is false. List of apps which refuse to run on my old OnePlus 6 which I revived with LineageOS:

- Danish national identity app (MitID). I had to get a hardware token that generates one-time passwords.

- My banking app (still works in the browser though).

- The de facto payment app used for peer-to-peer payments and as a credit card alternative all over Denmark (MobilePay).

- The app for controlling the heating system in my car.

- Revolut.

- The app for showing a digital version of my government issued health insurance card. It's literally just a barcode and a number, so I can get by using a photo of the card instead. This underlines the ridiculousness of requiring Play Integrity attestation.

- The app for showing a digital version of my driver's license. As a bonus this app also doesn't work if you have set your default browser to Firefox instead of Chrome, even on a non-rooted phone.

On top of this, one app for scanning goods in the supermarket stopped working, but without explicitly saying why. I suppose it just silently depends on some Google service, but I have no way of knowing that.

I also cannot get Chromecast to work, but that is perhaps to be expected when replacing the Google services with microg, and not strictly a result of DRM. It is a major inconvenience though.

Denmark is one of the most digitized countries, and in many ways that is good. However, it also means that you are increasingly coerced into the whole Google/Apple ecosystem and that it is very hard to get out. Luckily there are alternatives to all of the above apps, but it is a major inconvenience to have to use them.


I don't know much about LineageOS but GrapheneOS supports attestation (albeit with its own keys) and it works for all the banking apps I have had the displeasure of using here in the UK including revolut.

If LineageOS did support those APIs (which it can support if it wanted to, without any blessing from Google) then presumably most if not all of those should also work.

Try GOS and see if it's broken there. If it works on GOS then you can shout at google for ever exposing the attestation APIs, but the apps you're complaining about aren't actually abusing attestation in the way you claim; LineageOS is simply choosing not to implement the features they rely on.


Pretty sure this also requires the banks to then accept those attestation keys. Graphene pushes for them to do this, so you can't simply run whatever open OS you want on your device (like on desktop where you can also do online banking), you need to specifically use some third party service that then tells the banking software it's really okay to run on your device. I do find this to be a bit crappy, but at the same time it's quite amazing that Graphene has enough traction to convince many app vendors they should support an open/secure OS!


They don't have the traction. In my experience almost nothing (except for google pay) uses a whitelist for the keys. They just request attestation. This is presumably because there are too many android phone vendors using too many versions of different keys to reliably check for this.
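To make the distinction drawn in the last few comments concrete (an app that "just requests attestation" versus one that keeps an allowlist of accepted attestation roots, and why an OS that signs with its own keys passes the first but not the second), here is an added example in Go. It is not code from this thread nor from GrapheneOS, LineageOS or Google; it builds two toy certificate chains in-process, one under a stand-in OEM root and one under a stand-in alternative-OS root (the names and keys are constructed), and runs both verification policies over them. Real Android key attestation additionally requires parsing the attestation extension in the leaf certificate and checking the challenge and verified-boot state; that part is omitted here, so this only models the root-of-trust decision.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 = 1

// mintCert issues an ECDSA P-256 certificate for cn. A nil parent yields a
// self-signed root; otherwise the certificate is signed with parentKey.
func mintCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	nextSerial++
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed root: the template signs itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain mints root -> intermediate -> attestation leaf for one constructed
// "device" and returns it leaf-first, the order an app receives it in.
// (Constructed test data; no real OEM or OS keys are involved.)
func BuildChain(rootCN string) ([]*x509.Certificate, error) {
	root, rootKey, err := mintCert(rootCN, true, nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := mintCert(rootCN+" intermediate", true, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := mintCert("attestation key", false, inter, interKey)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{leaf, inter, root}, nil
}

// verify checks signatures and validity periods of a leaf-first chain against roots.
func verify(chain []*x509.Certificate, roots *x509.CertPool) error {
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// AcceptsAnyRoot models an app that "just requests attestation": the chain must
// be internally consistent, but whatever root the device presented is trusted.
func AcceptsAnyRoot(chain []*x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1])
	return verify(chain, roots) == nil
}

// AcceptsPinned models an app with an explicit allowlist of attestation roots.
func AcceptsPinned(chain []*x509.Certificate, pinned ...*x509.Certificate) bool {
	roots := x509.NewCertPool()
	for _, r := range pinned {
		roots.AddCert(r)
	}
	return verify(chain, roots) == nil
}

func main() {
	oem, err := BuildChain("Constructed OEM attestation root")
	if err != nil {
		panic(err)
	}
	alt, err := BuildChain("Constructed alternative-OS attestation root")
	if err != nil {
		panic(err)
	}
	oemRoot, altRoot := oem[2], alt[2]
	fmt.Println("any-root policy, alt-OS chain:     ", AcceptsAnyRoot(alt))                   // true
	fmt.Println("OEM root pinned, alt-OS chain:     ", AcceptsPinned(alt, oemRoot))          // false
	fmt.Println("OEM+alt roots pinned, alt-OS chain:", AcceptsPinned(alt, oemRoot, altRoot)) // true
}
```

The chain under the alternative-OS root passes AcceptsAnyRoot because every signature checks out, which is the situation the comment above describes for most apps. It fails AcceptsPinned until that root is added to the allowlist, which is the vendor-side change the thread says GrapheneOS asks app developers to make; an app that wants to accept more than one OS has to maintain that list, and the chain of trust decision, not the attestation API itself, is what locks out a ROM.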


Revolut stopped working for me on GrapheneOS with an official message "Sorry, Revolut is not supported on devices with custom firmware".


Do you have the sandboxed Play Services installed? It works fine for me on Graphene (just checked).

That said, the recommendation I always give, and personally follow: keep a spare phone in a drawer somewhere, with official Android installed, a Google account, and use it exclusively for business purposes - banking, government services, and the email account you use for those (separate from the one you use for everything else). Nothing else, no messaging, socials, browsing, or games.

Then you're free to keep your personal phone FOSS and as private as you like, without fear of getting locked out of important stuff due to a crappy Google® SafetyNet® upgrade.


> That said, the recommendation I always give, and personally follow: keep a spare phone in a drawer somewhere, with official Android installed, a Google account, and use it exclusively for business purposes - banking, government services, and the email account you use for those (separate from the one you use for everything else). Nothing else, no messaging, socials, browsing, or games.

Anything which doesn't support an alternative method (not involving a proprietary blessed google phone) of management should be illegal if it's government related and should be boycotted if it's not.


I certainly agree with the sentiment (I would trust-bust tech giants, and severely restrict advertising as a whole for being a negative-sum game).

Nevertheless, for living in this world while preserving your privacy, my advice stands. Separate the devices that you control, which you will use for personal and private purposes, from the devices that global corporations and institutions control, which you will use to access the services those institutions provide - services which, by definition, you would not control anyway.

It is far, far simpler than having to get proprietary, frequently-updated software to play nice inside a secure sandbox. If they do, great, but separate devices ensures it isn't a capital-P Problem for you if they stop.

(FWIW, I lived in three different European countries over the past decade and so far the governments all offered TOTP-based web alternatives to their apps. When it comes to private banking, only one (Lunar) was available only via app, but it was also the only one that ran without Play Services.)


> It is far, far simpler than having to get proprietary, frequently-updated software to play nice inside a secure sandbox. If they do, great, but separate devices ensures it isn't a capital-P Problem for you if they stop.

What I am saying (and what I do) is that it's far simpler still to just not rely on anything where this might be the case.

If my bank turned around tomorrow and said I can't use their website to manage my account, I would not attempt to get their app working on my phone, I would switch bank.


Yes I have. I'm on Pixel 6, just verified again and still no luck for me :-(

Thanks for the recommendation tho - you reminded me that I have some old Xiaomi phone that should be able to run it still!


Anything that depends on the SafetyNet API will not run if your android build does not pass the checks; the list is much, much bigger than "just google wallet". Whether a rom passes safetynet or not very much depends on what google considers blessed today, and what they will consider blessed in the future.


SafetyNet can be implemented by non-google-blessed ROMs (and is implemented by all non-google vendor roms without google's keys).

It works on GrapheneOS with their own keys (or you can, if you want, probably use your own keys).


None of the unofficial Android builds allows me to access the secure element in my SIM card to use my e-signature, which works with SIM menu prompts triggered OTA by the application I'm currently using, mostly governmental services.

If I'm on a custom ROM, the notification never pops up.


You have to have evidence that this is because of attestation, though - lots of open source software is missing lots of features because they are just missing features.


It's not an attestation problem, but a trusted pipeline problem. Yes, the required files are missing, but carrying them over from official builds doesn't work either, because the whole pipeline from modem to kernel has to be signed, and the chain breaks somewhere, and you can't build it without the private keys Google/OEM has.

It's like the trusted HDCP pipeline. Every part has to be signed properly, and no open distribution of Android can do that, period.


Okay but I'd like to see evidence of this because most missing features are just missing features.


SIM services are an integral part of the GSM stack, and all custom ROMs I used had a SIM services menu, and I was able to see and utilize the functions in the menu, sans the ones requiring access to the secure element.

There was one missing file (whose name I don't remember now; it's long gone), and I always carried over that one from the official ROM (same Android version, mind you), but while everything else still worked, this was not enabling me to use the secure element based SIM services (namely e-signature).

The problem was not "not being able to access the secure element", it was visible, but making it do (secure/verifiable) things, which require an "operator message" to trigger the right process on the phone. Even if the system which I'm trying to log in to said that the process should start, the phone just didn't respond/start the e-signature process. In my country, if your SIM is blocked for any reason from using these services (e.g. when you change your SIM and don't activate e-sig again), you SHALL and WILL (in the RFC sense) get a message detailing what went wrong.

Again, the moment I flashed the original image, secure element based SIM services started working; I didn't need to do anything on the other side. Different ROM, it's working. Flash the custom one, reboot, it's gone. Add the required files back, no luck. That simple.

BTW, I was not mad that it was not working. It's a legally binding wet signature equivalent. I don't want that pipeline to be peek/poke enabled.


That's not an attestation issue.

But have you checked if GrapheneOS handles it?


> That's not an attestation issue.

Yes, but see my other comment in the thread. It's not something trivial. It's not that I didn't dig.

> But have you checked if GrapheneOS handles it?

I jumped the platform soon after, so I don't have the hardware anymore, so I can't.


Did Google ever introduce more device attestation and DRM into an already released device though?