this post was submitted on 04 Apr 2024
1020 points (98.8% liked)

linuxmemes

21428 readers
756 users here now

Hint: :q!


Sister communities:


Community rules (click to expand)

1. Follow the site-wide rules

2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack members of the community for any reason.
  • Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
  • These rules are somewhat loosened when the subject is a public figure. Still, do not attack their person or incite harrassment.
  • 3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn. Even if you watch it on a Linux machine.
  • 4. No recent reposts
  • Everybody uses Arch btw, can't quit Vim, and wants to interject for a moment. You can stop now.
  •  

    Please report posts and comments that break these rules!


    Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't fork-bomb your computer.

    founded 1 year ago
    MODERATORS
     
    you are viewing a single comment's thread
    view the rest of the comments
    [–] [email protected] 60 points 7 months ago* (last edited 7 months ago) (2 children)

    The reason is very simple: They rely on Google Safetynet (basically self-diagnosis). And that will immediately tell you off if it notices your device is rooted. And while you can have a lengthy discussion regarding whether this makes your phone less secure or not, this is another simple argument from Google's POV: The device has obviously been tampered with, we don't want to put any resources into covering this case. As far as we are concerned, you shouldn't use our OS like this.

    So basically laziness.

    [–] [email protected] 13 points 7 months ago

    SafetyNet is dead.

    They rely on Play Integrity API.

    That covers:

    App Binary signatures App source corroboration - Was it actually installed from the Play Store? Android device attestation - Is it a genuine device powered by Google Play Services Malware detection - Google Play Protect is enabled and has not seen known malware signatures.

    They can choose to ignore any number of those but they do not. It's part of their security reporting requirements to use attestation I expect.

    Beyond that - a device that doesn't meet Play Integrity is more likely to be a malicious actor than it is to be a tech enthusiast with a rooted phone: One of them is far more prevalent than the other in terms of device usage.

    Android apps are trivial to reverse engineer, inject code into and generally manipulate. That lets apps like ReVanced work the way they do... but that also means that blue team developers have a lot more work to do to protect app code.

    Source - Android App Developer, worked on apps with high level security audits (like banking apps).

    [–] [email protected] 11 points 7 months ago* (last edited 7 months ago) (1 children)

    The banking apps I've tried don't require SafetyNet, instead they use Android AOSP's basicIntegrity. The latter doesn't require certification by Google, but also checks whether the device is rooted and the bootloader is locked.

    This means custom ROM's on most devices won't pass basicIntegrity, as only Google Pixel, ~~OnePlus~~ and Fairphone allow for relocking the bootloader.

    [–] [email protected] 7 points 7 months ago (1 children)

    OnePlus no longer supports that as of ~ColorOS~ OxygenOS 12 unfortunately.

    [–] [email protected] 1 points 7 months ago* (last edited 7 months ago) (1 children)

    That's a bummer. Seems like Google Pixel and Fairphone are the only ones left. I don't even know why manufacturers wouldn't allow for relocking or even unlocking of their phones. I can't imagine they make much money with user data and the phone is already paid for. Warranty claims shouldn't be much of an issue either, as modifications can be easily detected and it's likely not a relevant amount of people anyway.

    [–] [email protected] 6 points 7 months ago

    As I understand it, the stated purpose is to prevent supply chain attacks and ultimately possible damage to their brand. In practice many of these same vendors ship their own spyware and do not want it removed.