Administered by:
@rysiek@mstdn.social"I'm afraid I can't let you browse that Dave."
#WebEnvironmentIntegrity #FuckGoogle
----
CC By SA 4.0, based on https://commons.wikimedia.org/wiki/File:HAL9000_-_Sharper_Reflections.svg
SVG version here:
https://rys.io/static/chrome9000-by-rysiek-cc-by-sa-4.0.svg
Fun fact, I made that in 2014.
@rysiek
Reminder: Google is not the only search engine out there.
@rysiek it’s like the whole tech world has decided to make bad decisions this year. And it is so depressing.
@rysiek You're going top find that rather difficult
@rysiek Actually, Google is way more evil.
Google gives the website operators the tools, and stands to the side, whistling innocently.
It's the same with Android, SafetyNet, and Apps.
Google provides the tools, requires the mobiles to have the hardware to make draconic playstation level DRM attestation possible, and then your loyalty points app for McDonalds refuses to run because you are using a Custom ROM.
It's a big like the NRA, guns and gun deaths in the USA. Us? We are innocent!
@rysiek
Notice that I once had the privledge to discuss someone on social media (I don't remember if it was already here, or still over on Dodo) who claimed Google software engineer working in mobile security.The person literally could not explain to me how attestation as it is practised (without enforcing an up-to-date Android security patch) actually improves security.
I was in the end accused of not understanding the basics of security. 
Just for pointing out, that SafetyNet detects root on a mobile and makes apps refuse running on that mobile.
But the same app/SafetyNet has no problem with an Android 4.0 mobile that was not updated for years, and that can probably be rooted on the fly via numerous severe security flaws the system has.
Now a newer Custom ROM on that mobile might not be able to remove security issues that are in the hardware-specific parts, but would almost certainly remove the security issues in the generic part of Android. App/Safetynet forces to use the less safe older original firmware.
So attestation actually makes the app's environment less secure.
So the use cases Google & SafetyNet using app developers pretend to have around “security” are a bit “thin”.
If “security” it's about “security” by inconveniencing the users into using the official solution.
And before someone points out, that this is unrealistic:
https://github.blog/2022-06-16-the-android-kernel-mitigations-obstacle-race/
Notice how the author points exactly out how that nice GPU driver bug. GPU driver bugs are popular, seems that you can expect on average 6 per year, the memory management between kernel and user space is complex and error-prone. Notice how the author explicitly mentions that you could get root on the fly till it was patched.
Hard to fix for manufacturers, as the fixes come from the 2 big ARM GPU makers.
So even with the newest flagships, if you refuse the newest patches, and read the CVEs, you can almost always get root on the fly, why SafetyNet attests the virginity of your mobile.
Very secure, the basic security framework of the phone hacked, but SafetyNet tells your banking app everything is fine, the security guarantees of Android will be enforced, ROTFL.