zlacker

[parent] [thread] 9 comments
1. lern_t+(OP)[view] [source] 2023-07-26 20:19:41
Most (all?) corporate endpoint security systems use it right in my experience. Even when using it right, you would have to block third party builds and cause outcry. You would additionally block some builds that SafetyNet (or Play Integrity) attests.
replies(2): >>franga+He >>realus+0x1
2. franga+He[view] [source] 2023-07-26 21:24:21
>>lern_t+(OP)
> Even when using it right, you would have to block third party builds

Unless you have an obvious and accessible way of getting secure third party builds whitelisted, this is still a very anti-user approach, which is not justifiable unless the user of the device isn't its owner (like with company-owned work phones).

replies(1): >>lern_t+xj
◧◩
3. lern_t+xj[view] [source] [discussion] 2023-07-26 21:47:02
>>franga+He
That's up to the service to decide on the appropriate level of security risk in whether they allow unknown builds. They already don't allow custom builds on any other mobile OS, so this is really the best you can get as a user. What is your proposed solution?
replies(2): >>justin+UE >>Dylan1+Jb1
◧◩◪
4. justin+UE[view] [source] [discussion] 2023-07-26 23:58:44
>>lern_t+xj
> They already don't allow custom builds on any other mobile OS ...

Keep in mind that Pinephones and similar are a thing. Lots of people are hoping they don't fizzle out and die off like previous "open" phone projects. :)

replies(1): >>lern_t+5H
◧◩◪◨
5. lern_t+5H[view] [source] [discussion] 2023-07-27 00:15:06
>>justin+UE
And Pinephones and similar don't have apps for these services that require attestation and never will. If some allow web access without build attestation, that works on custom Android builds as well.
◧◩◪
6. Dylan1+Jb1[view] [source] [discussion] 2023-07-27 04:28:38
>>lern_t+xj
> What is your proposed solution?

Ban attestation methods that owners can't control.

replies(2): >>hoffs+G12 >>lern_t+nWm
7. realus+0x1[view] [source] 2023-07-27 07:42:14
>>lern_t+(OP)
> Most (all?) corporate endpoint security systems use it right in my experience.

I've never seen a usage of Safetynet which I would consider right, pretty much everybody thinks it creates some kind of "security" whereas it doesn't.

One very rare useful usage for it could be removing bots for game leaderboards but certainly not banking apps.

◧◩◪◨
8. hoffs+G12[view] [source] [discussion] 2023-07-27 11:55:23
>>Dylan1+Jb1
What does that even mean? It sounds like your proposal makes attestation pointless since owner can attest in whatever way they want.
replies(1): >>Dylan1+5S3
◧◩◪◨⬒
9. Dylan1+5S3[view] [source] [discussion] 2023-07-27 19:55:20
>>hoffs+G12
It only makes it pointless for DRM purposes.

If a company wants control over devices they own, that's still fine.

◧◩◪◨
10. lern_t+nWm[view] [source] [discussion] 2023-08-02 15:49:40
>>Dylan1+Jb1
So regulation. I can get into that. Until such regulation exists, phone manufacturers have no incentive to maintain different SKUs.
[go to top]