I’m not a security guy, what is the problem that this is supposed to be fixing? Like I guess you wouldn’t be able to use a virtuallised os to visit your banking website? Like I understand if you work for a bank you should only be able to access some things from specific computers, but normal people?
So what’s your plan? Using your fully-googled device instead of using a slightly-googled phone with Play Services?
phew, feels like I jumped the ship just in time. Installed PostmarketOS on my Fairphone a couple of months ago, and I’m not looking back.
Is there a specific reason you chose PostmarketOS? I’m currently also thinking about ditching Google android.
How is it working for you so far? Thought about doing that as well.
I should be good with sandboxed Google play.
But wtf we’ll need a phone to solve captchas now? What happens if you don’t have one?
Then you are a robot
We seriously need to ask Valve to make SteamOS phones.
Not only will they be good for gaming but imagine being able to put other OS’es on it like PC’s. Bazzite, PostmarketOS, etc. Plus Valve will still get revenue from people using the upcoming Steam ARM Game Store, and the current Bannerhub/Gamenative community android apps that enable playing PC games they own from Steam/GOG on Phones
Its such a huge opportunity that we all should be encouraging then to pursue now and after they release their current 3 big projects: Steam Controllers, Steam Machines, Steam Frames
Let’s give the billionaire more capitalism. Yea that’s it. He needs more.
deleted by creator
i have one myself, and I can tell you that grapheneos won’t be affected by this. the real damage is to people using things like dumb phones or BSD, even windows computers are effectively locked out of the internet.
Sounds like GrapheneOS isn’t affected only for now?
As in sandboxed google play may stop working for this at any point.
;(
Apple and Google are gradually expanding their use of hardware-based attestation. They’re convincing a growing number of services to adopt it. Google’s Play Integrity API and Apple’s App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends on doing too.
Google’s Play Integrity API requires hardware attestation for the strong integrity level and is gradually phasing in requiring it for the more commonly used device integrity level. Apple already has it as a requirement. Over the long term, this will increasingly lock out hardware and OS competition.
The purpose of these systems is disallowing people from using hardware and software not approved by Apple or Google. This is wrongly presented as being a security feature. Banks and government services are the main ones adopting it but Apple and Google are encouraging every service to use it.
Apple’s Privacy Pass brought hardware attestation to the web to help with passing captchas on their own hardware. Many people saw that as harmless since few sites would be willing to lock out non-Apple-hardware users. Apple and Google are both likely to bring broader hardware attestation to the web.
Google’s reCAPTCHA is planning an approach where they use Privacy Pass on Apple hardware, their own approach on Google Mobile Services Android devices and a QR code scanning system to require an iOS or Google certified Android device for Windows and other systems:
er/16609652
Banking and government services increasingly require using a mobile app where they can use attestation to force using an Apple or Google approved device and OS. Apple’s privacy pass, Google’s ‘cancelled’ Web Environment Integrity and now reCAPTCHA Mobile Verification are bringing this to the web.
Current media coverage for reCAPTCHA Mobile Verification misunderstands it and the impact of it. They’re bringing a hardware attestation requirement to Windows, desktop Linux, OpenBSD, etc. by requiring a QR scan from a certified smartphone to pass reCAPTCHA in some cases. They could expand it more.
Control over reCAPTCHA puts Google in a position where they can require having either iOS or a certified Android device to use an enormous amount of the web. Google defines certification requirements for Android which includes forcing bundling Google Chrome, etc. It’s enormously anti-competitive.
Google’s Play Integrity API bans using GrapheneOS despite it being far more secure than anything they permit. It also bans using any other alternative. This isn’t somehow specific to an AOSP-based OS. You can’t avoid this by using a mobile OS based on FreeBSD instead. You’ll just be more locked out.
Google’s Play Integrity API permits devices with no security patches for 10 years. The device integrity level can be bypassed via spoofing but they can detect it quite well and block it once it starts being done at scale. The strong integrity level requires leaked keys from TEEs/SEs to bypass it.
It doesn’t provide a useful security feature, but it does lock out competition very well. Services requiring Apple App Attest or Google Play Integrity are primarily helping to lock in Apple and Google having a duopoly for mobile devices. Play Integrity is more relevant due to AOSP being open source.
Governments are increasingly mandating using Apple’s App Attest and Google’s Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.
Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they’re directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security.
reCAPTCHA Mobile Verification will currently work with sandboxed Google Play on GrapheneOS but it clearly exists to provide a way for them to start using hardware attestation on systems without it. People without an iOS or Android device will be locked out when this is required even without that.
This isn’t about security or any missing functionality. GrapheneOS can be verified via hardware attestation. Google bans using GrapheneOS for Play Integrity because we don’t license Google Mobile Services and conform to anti-competitive rules already found to be illegal in South Korea and elsewhere.
Services shouldn’t ban people from using arbitrary hardware and operating systems in the first place. Google’s security excuse is clearly bogus when they permit devices with no patches for 10 years but not a much more secure OS. It’s for enforcing their monopolies via GMS licensing, that’s all.
I run e/OS/. Block me. I’m good. There is plenty out there that doesn’t require Google.
Eventually privacy minded people like us will have to start creating and visiting sites on the dark web.
Sheesh, using alternative sites instead of Facebook and Reddit isn’t using the dark web.
No fuck that we must continue to grow the movement and get more people on board. We don’t give in to those rats and their garbage they try to put on us. Together we all can do together. Fuck them. Many of us already are doing and the more the better
They should be fined so hard for this shit.
A fine is brushed off in a quarter. They should be forced to split into seperate companies.
What you said and my comment response to the person we both responded to
And forced to open-source their OS’es. And have to make their communities owned by the people instead of corpos. We are all beyond pissed and done with their shit. Everyone get more people on board into the movement daily to be focused on getting things done together!! Keep each other in the fight with online and in-person communities
Every company that uses these captcha service should also be fined so hard. This isnt just google here.
And every company that is relying on gsm or the apple pendant to verify anything.
When my current iPhone dies, I’m never having a smartphone ever again.
What do you plan to do? Dumbphone? No phone? Break glass in case of emergency phone in a faraday pouch?
I’m considering a break-glass dumbphone in a faraday pouch. I REALLY fucking hate location tracking. I’d keep it seperate from my IRL ID. Prob is, it’s hard. Screw up once, big data pounces. One call tied to your name in any way. One friend puts it in their contacts. One time to forget the pouch and there’s a location ping at your residence. Not to mention the difficulty of even buying it and setting up a plan. Ugh :(
I’m a teams app for dumb phones away from getting off smart phones. I’m fiddy and have to use my readers to even see my phone, so I’ve slowly stopped using it for much outside of random apps for appliances. I can get an ipad for that, though. I’m also a privacy advocate, but I’ve made peace with the fact that ship has pretty much sailed
I’m using Firefox on GrapheneOS and recaptcha still works normally for me.
If google requires me to permit other companies to leech all my personal data to be able to use anything on the Internet at all, I say we label Google, Microsoft, Apple as criminal organizations
I’m sorry, bit there have to be limits.
I. DO. NOT. WANT. TO. USE. ANYTHING. GOOGLE.
OR APPLE. OR MICROSOFT.
FUCK ALL THESE OLIGARCH COMPANIES INTO THE GROUND
I do not want my private data leeches and sold every day, I don’t even get paid for it
That and fine them to oblivion. Piece their companies into parts. Make it all open source for the OS’es. Give ownership of companies to all the people. Etc. Lots and lots that can be done
I almost came reading this rant. Thanks for bringing this so much more eloquently to the point.
Not noticed it and fuck those websites. Happy to boycott.
Using graphene on pixel 7 pro. Haven’t noticed.
Pixel 6 pro with GOS, also haven’t noticed. Starting to think this post is not true.
I use a Pixel 8 with Graphene. I haven’t been locked out of anything yet.
