436 points kennedn | 1 comments

201984 No.45252931
Are techniques like using Frida and mitmproxy on Android apps still going to be possible after the signing requirement goes into effect next year?
replies(3): >>45253290 >>45254332 >>45255348
bri3d No.45253290
Overall: yes, but it will get much harder for apps which need attestation, which is sort of the point, for better or for worse. As far as I know you'll still be able to OEM unlock and root phones where it's always been allowed, like Pixels, but then they'll be marked as unlocked so they'll fail Google attestation. You should also be able to still take an app, unpack it, inject Frida, and sideload it using your _own_ developer account (kind of like you can do on iOS today), but it will also fail attestation and is vulnerable to anti-tampering / anti-debugging code at the application level.
replies(1): >>45254373
josteink No.45254373
So for people with any practical needs whatsoever (like banking): No.

At this point Android isn't meaningfully an open-source platform any more, and it hasn't been for years.

On the somewhat refreshing side, they are no longer being dishonest about it.

replies(4): >>45254712 >>45254817 >>45255119 >>45258788
bri3d No.45254712
I don't think any vendor should be solving for "I want to do app RE and banking on the same device at the same time;" that seems rather foolish.

These are sort of orthogonal rants. People view this as some kind of corporate power struggle, but in this context GrapheneOS, for example, also doesn't let you do this kind of thing, because it focuses on preserving user security and privacy rather than using your device as a reverse-engineering tool.

There is certainly a strong argument that limiting third-party app store access and user installation of low-privilege applications is an anticompetitive move, but by and large, that's a different argument from "I want to install Frida on the phone I do banking on," which just isn't a good idea.

The existence of device attestation is certainly hostile to reverse engineering, and that's by design. But from an "I own my hardware and should use it" perspective, Google continue to allow OEM unlock on Play Store purchased Pixel phones, and the developer console will allow self-signing arbitrary APKs for development on an enrolled device, so not so much has changed with next year's Android changes.

replies(3): >>45254815 >>45255136 >>45255358
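The two comments above describe what "failing attestation" means for the two cases the thread raises: an OEM-unlocked or rooted device, and an app that was unpacked, modified (e.g. with Frida injected) and re-signed under a different developer account. The following is an added example, not code from the thread or from Google, showing how an app publisher's server typically turns an attestation verdict into an allow/deny decision. The verdict JSON layout, the field names, the package name and the certificate digests are all constructed for this example; the verdict is assumed to already be signature-verified before policy is applied.

```python
"""Server-side attestation policy check (constructed example).

Models the two failure modes discussed in the thread: a device with an
unlocked bootloader or modified OS loses its device-integrity label, and a
repackaged app re-signed under another developer key keeps its package
name but presents a signing-certificate digest the publisher does not
recognise. The JSON shape and label names here are this example's own
assumptions, not any real attestation API's schema.
"""
import hashlib
import json
from dataclasses import dataclass, field

# Constructed placeholders: the package name and release-signing certificate
# digest that the publisher's server is configured to accept.
EXPECTED_PACKAGE = "com.example.bank"
EXPECTED_CERT_SHA256 = hashlib.sha256(b"publisher-release-cert").hexdigest()
# Digest of a certificate from an individual developer account (constructed).
RESIGNED_CERT_SHA256 = hashlib.sha256(b"individual-dev-account-cert").hexdigest()


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def evaluate_verdict(verdict_json: str, expected_nonce: str,
                     require_strong: bool = False) -> Decision:
    """Apply policy to a decoded attestation verdict and return a Decision."""
    v = json.loads(verdict_json)
    reasons: list[str] = []

    # The verdict must echo the nonce this server issued for the session,
    # otherwise an old verdict from a clean device could be replayed.
    if v.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch (stale or replayed verdict)")

    # Unlocking the bootloader or booting a custom image drops the
    # device-integrity label; strong integrity additionally needs a
    # hardware-backed root of trust.
    labels = set(v.get("device_integrity", []))
    if "MEETS_DEVICE_INTEGRITY" not in labels:
        reasons.append("device integrity not met (unlocked bootloader or modified OS)")
    if require_strong and "MEETS_STRONG_INTEGRITY" not in labels:
        reasons.append("hardware-backed strong integrity required but not met")

    # A repackaged build signed with someone else's key keeps the package
    # name but its signing-certificate digest no longer matches.
    app = v.get("app", {})
    if app.get("package") != EXPECTED_PACKAGE:
        reasons.append("unexpected package name")
    if EXPECTED_CERT_SHA256 not in app.get("cert_sha256", []):
        reasons.append("signing certificate is not the publisher's (re-signed build)")

    return Decision(allowed=not reasons, reasons=reasons)


def _verdict(nonce: str, labels: list[str], cert: str) -> str:
    """Build a constructed verdict document in this example's own layout."""
    return json.dumps({
        "nonce": nonce,
        "device_integrity": labels,
        "app": {"package": EXPECTED_PACKAGE, "cert_sha256": [cert]},
    })


ALL_LABELS = ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"]

# Constructed sample verdicts for the situations discussed in the thread.
STOCK_LOCKED = _verdict("n-1", ALL_LABELS, EXPECTED_CERT_SHA256)
UNLOCKED_ROOTED = _verdict("n-1", ["MEETS_BASIC_INTEGRITY"], EXPECTED_CERT_SHA256)
RESIGNED_APP = _verdict("n-1", ALL_LABELS, RESIGNED_CERT_SHA256)

if __name__ == "__main__":
    cases = [("stock, locked", STOCK_LOCKED),
             ("unlocked / rooted", UNLOCKED_ROOTED),
             ("re-signed app on clean device", RESIGNED_APP)]
    for name, doc in cases:
        d = evaluate_verdict(doc, "n-1")
        print(f"{name}: {'allow' if d.allowed else 'deny'} {d.reasons}")
```

The point the example makes is that the two checks are independent: a re-signed app on a locked, unmodified device passes the device check and fails only on the certificate, while an unmodified app on an unlocked device fails only on device integrity. A server that wants to admit rooted devices for low-risk features can therefore relax the device check while still refusing repackaged builds, and the nonce check is what keeps either verdict from being replayed from a different device or session.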
KetoManx64 No.45254815
GrapheneOS strongly recommends that you do not do it, but it will not stop you if you want to. You can root and leave your bootloader unlocked, or create a custom user-signed image with root support included. Plenty of user-written guides out there on how to do so.
replies(2): >>45254861 >>45256121
easyKL No.45256121
Locking the bootloader is important as it enables full verified boot https://grapheneos.org/install/cli#locking-the-bootloader