
756 points dagurp | 10 comments
rcxdude ◴[] No.36882331[source]
This is especially rich coming from Google, whose 'SafetyNet' for Android results in a significant reduction in security (contrary to its stated purpose): it locks out 3rd-party up-to-date and secure ROMs while allowing horrifically insecure manufacturer-provided ROMs to still pass, because to disable those would cause a massive user outcry. So it functions as a vendor lock-in but no meaningful increase in security for the average user, while preventing more advanced users from improving their security without needing to buy more hardware. This needs to be called out more to push back against the claim that this kind of attestation somehow has a legitimate benefit for the users.
replies(6): >>36882444 #>>36883913 #>>36884154 #>>36885533 #>>36885781 #>>36890534 #
lern_too_spel ◴[] No.36884154[source]
You're using it wrong. SafetyNet is able to assert that the build the device asserts is what it claims. After you know that, it's up to you to decide whether you trust communications from that build or not. If it's a known-insecure build, you can say that you don't. SafetyNet cannot assert that a third party ROM is what it claims to be, so you have to decide whether you trust communications from that device or not based on not knowing at all what build is on the device.
replies(5): >>36884229 #>>36884517 #>>36884788 #>>36885296 #>>36886555 #
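An added illustration of the two-step model this comment describes (not code from the thread or from Google): a relying party first checks that an attestation statement is actually bound to its own request and fresh, and only then makes its own, separate trust decision about the build state the statement establishes. The payload fields follow the SafetyNet attest() JWS body; the payload values, the clock and the policy table are constructed for the example, and verification of the JWS signature chain is assumed to have already happened.

```python
import base64

# Constructed for illustration: the kind of JWS body a SafetyNet attest() call
# returns, *after* the relying party has verified the JWS signature chain
# (assumed done here and not shown).
SERVER_NONCE = base64.b64encode(b"session-4711-challenge").decode()
NOW_MS = 1_690_000_000_000  # fixed "current time" so the example is deterministic

SAMPLE_PAYLOAD = {
    "nonce": SERVER_NONCE,
    "timestampMs": NOW_MS - 5_000,     # issued 5 s ago
    "apkPackageName": "com.example.bank",
    "ctsProfileMatch": True,           # build matches a certified profile
    "basicIntegrity": True,
}

# The service's own policy, decided independently of what attestation says.
# Keys are what the statement established; values are the service's answer.
POLICY = {"certified": "allow", "uncertified": "step_up", "failed": "deny"}


def build_state(payload, expected_nonce, expected_package, now_ms, max_age_ms=120_000):
    """Step 1: what does this statement actually establish about the build?
    Raises ValueError if the statement cannot be tied to this request at all
    (replayed nonce, stale timestamp, or issued for a different app)."""
    if payload.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: statement not bound to this request")
    age = now_ms - int(payload.get("timestampMs", 0))
    if not 0 <= age <= max_age_ms:
        raise ValueError("stale or future-dated statement")
    if payload.get("apkPackageName") != expected_package:
        raise ValueError("statement was issued for a different app")
    if not payload.get("basicIntegrity", False):
        return "failed"
    return "certified" if payload.get("ctsProfileMatch", False) else "uncertified"


def decide(payload, expected_nonce, expected_package, now_ms, policy=POLICY):
    """Step 2: the trust decision belongs to the service, not to the attester."""
    return policy[build_state(payload, expected_nonce, expected_package, now_ms)]


if __name__ == "__main__":
    print(decide(SAMPLE_PAYLOAD, SERVER_NONCE, "com.example.bank", NOW_MS))  # allow
```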
wmf ◴[] No.36884229[source]
Does anyone use SafetyNet "right"? I assume not due to the user outcry issue.
replies(1): >>36884350 #
1. lern_too_spel ◴[] No.36884350[source]
Most (all?) corporate endpoint security systems use it right in my experience. Even when using it right, you would have to block third party builds and cause outcry. You would additionally block some builds that SafetyNet (or Play Integrity) attests.
replies(2): >>36885261 #>>36890240 #
2. franga2000 ◴[] No.36885261[source]
> Even when using it right, you would have to block third party builds

Unless you have an obvious and accessible way of getting secure third party builds whitelisted, this is still a very anti-user approach, which is not justifiable unless the user of the device isn't its owner (like with company-owned work phones).

replies(1): >>36885561 #
3. lern_too_spel ◴[] No.36885561[source]
That's up to the service to decide on the appropriate level of security risk in whether they allow unknown builds. They already don't allow custom builds on any other mobile OS, so this is really the best you can get as a user. What is your proposed solution?
replies(2): >>36886886 #>>36888921 #
4. justinclift ◴[] No.36886886{3}[source]
> They already don't allow custom builds on any other mobile OS ...

Keep in mind that Pinephones and similar are a thing. Lots of people are hoping they don't fizzle out and die off like previous "open" phone projects. :)

replies(1): >>36887021 #
5. lern_too_spel ◴[] No.36887021{4}[source]
And Pinephones and similar don't have apps for these services that require attestation and never will. If some allow web access without build attestation, that works on custom Android builds as well.
6. Dylan16807 ◴[] No.36888921{3}[source]
> What is your proposed solution?

Ban attestation methods that owners can't control.

replies(2): >>36892142 #>>36972537 #
7. realusername ◴[] No.36890240[source]
> Most (all?) corporate endpoint security systems use it right in my experience.

I've never seen a usage of SafetyNet which I would consider right; pretty much everybody thinks it creates some kind of "security" whereas it doesn't.

One very rare useful usage for it could be removing bots for game leaderboards but certainly not banking apps.

8. hoffs ◴[] No.36892142{4}[source]
What does that even mean? It sounds like your proposal makes attestation pointless since the owner can attest in whatever way they want.
replies(1): >>36899235 #
9. Dylan16807 ◴[] No.36899235{5}[source]
It only makes it pointless for DRM purposes.

If a company wants control over devices they own, that's still fine.

10. lern_too_spel ◴[] No.36972537{4}[source]
So regulation. I can get into that. Until such regulation exists, phone manufacturers have no incentive to maintain different SKUs.