

A vendor-neutral alternative exists but is barely deployed. Unified Attestation, an open-source project led by Volla Systeme GmbH, presents itself as ''"a free, open-source alternative to Google Play Integrity"'' that an app can run alongside Google's own check.<ref name="uattest" /> GrapheneOS opposes that scheme as well, arguing it would replace Google's gatekeeping with a new vendor-managed allow-list rather than open access to any hardened operating system.<ref name="piunika" />
== Alternative attestation doesn't address the real problem ==
Even though other attestation implementations, such as the hardware attestation API or Unified Attestation, exist, they all share the same fundamental characteristic: they enable app developers to exclude devices and software configurations based on policy decisions rather than actual security outcomes. Whether by requiring a device to be certified by Google or by deciding which attestation roots or signing keys to trust, the service provider ultimately retains control over who is allowed to participate.
In practice, attestation is not a necessity for security and is often misused for [[Apps deliberately refusing to work on modded devices|deliberately refusing to work on modded devices]].


==See also==