diff --git a/static/articles/attestation-compatibility-guide.html b/static/articles/attestation-compatibility-guide.html index 1562e390..3284ae0f 100644 --- a/static/articles/attestation-compatibility-guide.html +++ b/static/articles/attestation-compatibility-guide.html @@ -51,25 +51,28 @@

Attestation compatibility guide

-

Apps using the Play Integrity API or legacy SafetyNet attestation API to check the - authenticity/integrity of the OS can support GrapheneOS by using the standard Android - hardware attestation API and permitting our official release signing keys. - Android's hardware - attestation API provides a much stronger form of attestation than SafetyNet with - the ability to whitelist the keys of alternate operating systems. It also avoids an - unnecessary dependency on Google Play services and Google's SafetyNet servers.

+

Apps using the Play Integrity API or + obsolete + SafetyNet Attestation API to check the authenticity/integrity of the OS can support + GrapheneOS by using the standard Android hardware attestation API instead and + permitting our official release signing keys. Android's + hardware + attestation API provides a much stronger form of attestation than the Play + Integrity API with the ability to whitelist the keys of alternate operating systems. + It also avoids an unnecessary dependency on Google Play services and Google's + Play Integrity servers.

Devices have been required to ship with hardware attestation support since Android 8. You can use hardware attestation on devices running Android 8 or later when the ro.product.first_api_level system property isn't set to 25 or below, which indicates they launched with Android 8 or later with hardware attestation - support as a mandatory feature. On older devices, you can continue using SafetyNet - attestation. Some low quality devices shipped broken implementations of hardware + support as a mandatory feature. On older devices, you can continue using the Play + Integrity API. Some low quality devices shipped broken implementations of hardware attestation despite the requirement to have it working for CDD/CTS certification and - SafetyNet currently still passes on those devices wrongly claiming them to be CTS - certified. If you don't want to fail on those devices, then you can start with - hardware attestation and fall back to SafetyNet attestation or do both and accept - either passing as success.

+ the Play Integrity API currently still passes on those devices wrongly claiming them + to be CTS certified. If you don't want to fail on those devices, then you can start + with hardware attestation and fall back to the Play Integrity API or do both and + accept either passing as success.

After verifying the signature of the attestation certificate chain and extracting the attestation metadata, you can enforce that verifiedBootState is @@ -105,7 +108,7 @@

The hardware attestation API also provides other useful information signed by the hardware including the OS patch level, in a way that even an attacker exploiting the OS after boot to gain root cannot trivially bypass. It's a better feature than the - SafetyNet API designed for the lowest common denominator.

+ Play Integrity API which has to be designed for the lowest common denominator.

GrapheneOS users are strongly encouraged to share this documentation with app developers enforcing only being able to use the stock OS. Send an email to the
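Review bot: in the first hunk (@@ -51,25 +51,28 @@), the added sentence "the Play Integrity API currently still passes on those devices wrongly claiming them to be CTS certified" carries the SafetyNet wording over unchanged; "CTS certified" is SafetyNet's terminology, while the Play Integrity API reports device integrity verdicts, so the sentence should be reworded in Play Integrity's terms (for example "the Play Integrity API currently still reports device integrity on those devices despite their broken hardware attestation") and the "currently still passes" claim re-checked against Play Integrity rather than inherited from the SafetyNet text. The same applies to the fallback advice two sentences later: "fall back to the Play Integrity API or do both and accept either passing as success" should say which Play Integrity verdict counts as "passing", since the earlier text in this hunk only defined that for SafetyNet.

Review bot: in the second hunk (@@ -105,7 +108,7 @@), the added line "It's a better feature than the Play Integrity API which has to be designed for the lowest common denominator" needs a comma before "which" (non-restrictive clause), and "lowest common denominator" would read better if it named what that denominator is, which the first hunk already identifies: devices that launched before Android 8 without mandatory hardware attestation. Suggest: "It's a better feature than the Play Integrity API, which has to be designed for the lowest common denominator: devices without working hardware attestation."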