zlacker

1. brooks+(OP) 2025-08-26 12:36:36
If play integrity went away, all mainstream Android users would suddenly experience a huge increase in captchas and other security measures.

It’s funny to see the volume of comments on HN from folks who are outraged at how AI companies ferociously scrape websites, and the comments disliking device attestation, and few comments recognizing those are two sides of the same coin.

Play integrity (and Apple’s PAT) are what allow mobile users to have fewer headaches than desktops. Not saying it’s a morally good thing (tech is rarely moral one way or the other) just that it’s a capability with both upsides and downsides for both typical and power users.

replies(2): >>j4hduf+pn >>Zak+q51
2. j4hduf+pn 2025-08-26 14:35:10
>>brooks+(OP)
It is not so simple!

Play Integrity's highest level of attestation features requires devices to be running a security update which is within a sliding window of 1 year.

LOTS of Android devices have not released a security update in many many years. This forces users to unnecessarily upgrade to higher end OEMs.

Google is effectively pushing out Xiaomi, Huawei, and many others that offer excellent budget options. Google is not just offering you the comfort of not having to fill out CAPTCHAs on your phone, most importantly they are playing monopoly.

replies(1): >>fnimic+lq
3. fnimic+lq 2025-08-26 14:47:06
>>j4hduf+pn
Why can't "low end OEMs" release security updates?
replies(2): >>devmor+xy >>donkey+oH2
4. devmor+xy 2025-08-26 15:18:55
>>fnimic+lq
They can, it would likely just increase the cost of cheap devices to end users, as the manufacturer now has to provide additional software support and does not want to lose money.
replies(2): >>dabock+5L >>donkey+yH2
5. dabock+5L 2025-08-26 16:15:53
>>devmor+xy
One could argue that those “cheap” devices are e-waste from the beginning, and customers needing lower cost mobile devices should be buying more expensive ones used or refurbished.
6. Zak+q51 2025-08-26 17:44:36
>>brooks+(OP)
There is no logical inconsistency in disliking abusive scraping, remote attestation, malware, and CAPTCHAs at the same time. Of these, I merely dislike CAPTCHA while I make moral judgments about the other three.

I see creating a mechanism for remote attestation of consumer devices as morally bad because it's a massive transfer of power away from end users to corporations and governments. A scheme where only computers blessed by a handful of megacorporations can be used to interact with the wider world will be used for evil even if current applications are fairly benign.

replies(1): >>jofla_+Jj1
7. jofla_+Jj1 2025-08-26 19:00:10
>>Zak+q51
Yeah, it's like the world has been turned into one giant corporation, and the only computers you can use on it are corporate, botted, Active Directory joined, crap. All machines are belong to them.
8. donkey+oH2 2025-08-27 06:24:17
>>fnimic+lq
Because they fucking suck. I never heard desktops or laptops being tied to Dell or Asus or what not for run of the mill kernel or os upgrades. If phone makers want to be fucking ass by locking down bootloaders, jealously preventing reversing etc preventing kernel devs etc from doing their own thing then they should accept the just label of being fucking ass or take on the responsibility of supporting it forever.
9. donkey+yH2 2025-08-27 06:26:15
>>devmor+xy
Why does the manufacturer of the phone have to write os upgrades?

I never had to wait on Dell to type apt update and apt upgrade.

replies(1): >>devmor+QF3
10. devmor+QF3 2025-08-27 13:58:42
>>donkey+yH2
Because when you buy most smartphones, you're buying a vendor locked device and choosing to stay within their ecosystem. That's how Google has designed their monopoly. Apple is the same way, but non-fragmented.

You've never had to wait for Dell to type apt update and apt upgrade, but macOS users have to wait for Apple to update their computer.

replies(1): >>donkey+JP3
11. donkey+JP3 2025-08-27 14:43:16
>>devmor+QF3
That was my point, this is a self created problem by the manufacturer.
replies(2): >>devmor+T34 >>j4hduf+o54
12. devmor+T34 2025-08-27 15:49:18
>>donkey+JP3
No, it's a prerequisite to doing business.

The OEM phones are cheap because the manufacturer sells them at a loss, recouping money by locking them down and pre-installing certain software.

The alternative is that Google is properly regulated, or cheap smartphones don't exist.

replies(1): >>donkey+HE4
13. j4hduf+o54 2025-08-27 15:56:05
>>donkey+JP3
These manufacturers gladly took in AOSP back in 2011 when it was still truly a great open source project - exactly as the name should require it to be - and also when security requirements were much much lower. Of course to keep up with device security it turns out you need complete control over the whole stack and regular updates anyway, so now these manufacturers are in a pickle of a situation.
14. donkey+HE4 2025-08-27 18:58:34
>>devmor+T34
It's possible the forced apps are a cost recouping mechanism. But how does a phone bootloader being locked down become Google's fault? Does it mandate that for some kind of Android certification?
replies(1): >>j4hduf+e35
15. j4hduf+e35 2025-08-27 20:52:29
>>donkey+HE4
Yes, Google mandates a locked bootloader in order to meet Google Play Integrity's remote attestation. More generally it mandates a perfectly clean and valid secure boot chain. Among a variety of other requirements.