Play Integrity has replaced SafetyNet Attestation

Daniel Micay 2023-02-16 09:02:10 -05:00
parent 2c0dd9bdc7
commit 7ad211f93b

@ -51,25 +51,28 @@
<main id="attestation-compatibility-guide"> <main id="attestation-compatibility-guide">
<h1><a href="#attestation-compatibility-guide">Attestation compatibility guide</a></h1> <h1><a href="#attestation-compatibility-guide">Attestation compatibility guide</a></h1>
<p>Apps using the Play Integrity API or legacy SafetyNet attestation API to check the <p>Apps using the Play Integrity API or
authenticity/integrity of the OS can support GrapheneOS by using the standard Android <a href="https://developer.android.com/training/safetynet/deprecation-timeline">obsolete</a>
hardware attestation API and permitting our official release signing keys. SafetyNet Attestation API to check the authenticity/integrity of the OS can support
Android's <a href="https://developer.android.com/training/articles/security-key-attestation">hardware GrapheneOS by using the standard Android hardware attestation API instead and
attestation API</a> provides a much stronger form of attestation than SafetyNet with permitting our official release signing keys. Android's
the ability to whitelist the keys of alternate operating systems. It also avoids an <a href="https://developer.android.com/training/articles/security-key-attestation">hardware
unnecessary dependency on Google Play services and Google's SafetyNet servers.</p> attestation API</a> provides a much stronger form of attestation than the Play
Integrity API with the ability to whitelist the keys of alternate operating systems.
It also avoids an unnecessary dependency on Google Play services and Google's
Play Integrity servers.</p>
<p>Devices have been required to ship with hardware attestation support since Android <p>Devices have been required to ship with hardware attestation support since Android
8. You can use hardware attestation on devices running Android 8 or later when the 8. You can use hardware attestation on devices running Android 8 or later when the
<code>ro.product.first_api_level</code> system property isn't set to 25 or below, <code>ro.product.first_api_level</code> system property isn't set to 25 or below,
which indicates they launched with Android 8 or later with hardware attestation which indicates they launched with Android 8 or later with hardware attestation
support as a mandatory feature. On older devices, you can continue using SafetyNet support as a mandatory feature. On older devices, you can continue using the Play
attestation. Some low quality devices shipped broken implementations of hardware Integrity API. Some low quality devices shipped broken implementations of hardware
attestation despite the requirement to have it working for CDD/CTS certification and attestation despite the requirement to have it working for CDD/CTS certification and
SafetyNet currently still passes on those devices wrongly claiming them to be CTS the Play Integrity API currently still passes on those devices wrongly claiming them
certified. If you don't want to fail on those devices, then you can start with to be CTS certified. If you don't want to fail on those devices, then you can start
hardware attestation and fall back to SafetyNet attestation or do both and accept with hardware attestation and fall back to the Play Integrity API or do both and
either passing as success.</p> accept either passing as success.</p>
<p>After verifying the signature of the attestation certificate chain and extracting <p>After verifying the signature of the attestation certificate chain and extracting
the attestation metadata, you can enforce that <code>verifiedBootState</code> is the attestation metadata, you can enforce that <code>verifiedBootState</code> is
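Review bot: In the second paragraph of the new text, "On older devices, you can continue using the Play Integrity API" keeps the verb from the old SafetyNet wording, but the opening paragraph now calls SafetyNet obsolete, so an app that is still on SafetyNet cannot "continue" with Play Integrity without migrating first. Suggest "you can use the Play Integrity API" there. The closing sentence of the same paragraph ("do both and accept either passing as success") would also benefit from stating that accepting either result makes the check only as strong as the weaker of the two, since the paragraph itself says the Play Integrity API passes on devices with broken hardware attestation.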
@ -105,7 +108,7 @@
<p>The hardware attestation API also provides other useful information signed by the <p>The hardware attestation API also provides other useful information signed by the
hardware including the OS patch level, in a way that even an attacker exploiting the hardware including the OS patch level, in a way that even an attacker exploiting the
OS after boot to gain root cannot trivially bypass. It's a better feature than the OS after boot to gain root cannot trivially bypass. It's a better feature than the
SafetyNet API designed for the lowest common denominator.</p> Play Integrity API which has to be designed for the lowest common denominator.</p>
<p>GrapheneOS users are strongly encouraged to share this documentation with app <p>GrapheneOS users are strongly encouraged to share this documentation with app
developers enforcing only being able to use the stock OS. Send an email to the developers enforcing only being able to use the stock OS. Send an email to the
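Review bot: In the changed line, "the Play Integrity API which has to be designed for the lowest common denominator" is missing a comma before "which"; without it the clause reads as restrictive, as though it picked out one Play Integrity API among several. Suggest "the Play Integrity API, which has to be designed for the lowest common denominator".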