I don't like it. Remote attestation is a violation of the user's right to control over their own devices. We should be pushing to eliminate it, not expand its use.
The danger of retaining one's purity is that you risk forfeiting influence over what may (very well) happen anyway.
You're not wrong, and an open option might be an improvement over the current situation. On the other hand, it might encourage broader use of remote attestation.
I'm mostly disappointed that there's no meaningful organized opposition. When Microsoft first proposed adding remote attestation to Windows, the New York Times called it out as oppressive. Now it seems like only hardcore open source nerds care, and I think the tech community should be doing better.
I hate these apps that don't work if you have developer mode enabled. How brain dead stupid is that?
Security by obscurity is a joke
Correct. Anyone with intention or experience will not be deterred by obscuration. With modern tools and techniques, they will hardly be delayed. Obscuration is not security.
How about let me attest that my own device is safe to use? I don't need third party DRM to do it for me, open source or not.
This is the core issue. Remote attestation fundamentally breaks user agency. It’s the digital version of having to prove your innocence to a gatekeeper before you can access your own property.
The consortium model is progress over the Google-only status quo. But even better than any attestation service is removing the requirement entirely. Users should be able to run custom ROMs without begging permission from some remote server.
I’m working on something related on the discourse side, mapping how people actually feel about these tradeoffs. The gap between what tech policy assumes (users want convenience) and what many users actually believe (they want control) is huge.
Open source alternatives matter. They matter even more if they actually work.
there isn't nearly enough of a strong reaction against this, and i can't say i don't understand why. techbros thrive on influencers justifying enshittification to its users so why wouldn't that trickle down to open source communities built specifically to spite those same tech bros? i guess i just expected these kinds of people to have more integrity, and be able to tell when a fox is in sheep's clothing. but tech is pretty much nothing if not jumping into the arms of fascism first.
ppl in tech jump into the arms of fascism and then, only afterwards do they go "that was a bad idea??? i got harmed personally???" followed up immediately with "surely the next steve jobs won't steer me wrong tho"
This is highly needed. An open alternative to Play Integrity is the only way forward. Something so critical cannot be left in the hands of a US company.
This is absolutely not 'the only way forward'. Hardware attestation is much more secure and doesn't rely on third parties to give you permission on how you use your own device.
Let's hope enough developers boycott this awful initiative. Graphene are asking devs to boycott this and hopefully they can get enough momentum behind getting this blocked -
Isn't checking the bootloader enough?
Not really. If I'm running as root or with a custom firmware, I can easily fake that my phone's bootloader is locked, when in fact it isn't.
Attestation creates a "chain of trust", starting at the hardware level. So, an external website can verify that the hardware -> operating system -> application software are all "intact".
"intact" is a very subjective term (which is why many technical people are against it), but that definition of "intact" will be defined by Google, Apple, Microsoft, or (possibly) whatever this EU Governing Body is.
However, it will not be defined by you, the device owner.
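An added illustration of the chain of trust described in the comment above (not code from the thread or from any attestation service). The key, boot images, nonce and policy are constructed, and a shared-key HMAC stands in for the asymmetric signing key that real hardware would use:

```python
import hashlib
import hmac

# Constructed stand-in for a key fused into hardware. Real devices sign with an
# asymmetric key in a TPM or secure element; HMAC keeps this stdlib-only.
DEVICE_KEY = b"constructed-demo-hardware-key"

def extend(register: bytes, component: bytes) -> bytes:
    """PCR-style extend: new = SHA-256(old || SHA-256(component))."""
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()

def measured_boot(stages: list[bytes]) -> bytes:
    """Each stage is measured before it runs, so it cannot alter its own entry."""
    register = bytes(32)
    for image in stages:
        register = extend(register, image)
    return register

def hardware_quote(register: bytes, nonce: bytes) -> bytes:
    """The hardware signs the register together with the verifier's nonce."""
    return hmac.new(DEVICE_KEY, register + nonce, hashlib.sha256).digest()

def verifier_accepts(register: bytes, nonce: bytes, quote: bytes, allowed: set) -> bool:
    """Remote check: the quote is authentic AND the state is on the verifier's list."""
    expected = hmac.new(DEVICE_KEY, register + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, quote) and register in allowed

# Constructed sample boot chains (hardware -> operating system -> application).
STOCK = [b"bootloader:locked", b"os:vendor-build", b"app:1.0"]
CUSTOM = [b"bootloader:unlocked", b"os:custom-rom", b"app:1.0"]
NONCE = b"constructed-nonce-0001"
VENDOR_POLICY = {measured_boot(STOCK)}  # "intact" as the verifier defines it

def attest(stages, policy, claimed=None) -> bool:
    """Device side. `claimed` models rooted software reporting a false state."""
    real = measured_boot(stages)
    quote = hardware_quote(real, NONCE)  # hardware signs only what it measured
    reported = claimed if claimed is not None else real
    return verifier_accepts(reported, NONCE, quote, policy)
```

The custom chain is rejected whether it reports its real state or a copied "locked" one, and it is accepted only once the party holding the policy adds its measurement to the allow-list.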
Watch how the anti-opensource crowd comes out of the woodwork.
Shockingly good news!
No, shockingly bad news to continue to require third party attestation of my device.
This is to just get people used to the idea, to normalize it outside Google and Apple, and to then push it into PC OS's.