• fonix232@fedia.io
    arrow-up 3
    11 days ago

    Okay, I get what Google is trying to do - Android is a mature OS, and thanks to its embedded nature, is considered a secure runtime, so banks etc. have released apps that have lowered security compared to a browser - such as, long lived logins (aside from the usual biometric/code unlock, how often do you really have to go through the full login sequence?), lowered security for secure actions (often you can confirm transactions and other potentially dangerous things with just your biometrics, because it’s a trusted device, on desktop etc. you’d need access to an OTP provider for every action), and so on. And that’s just banking…

    The problem is, Android is far from perfect, and exploits that give the exploiting process root access, or even worse, well, those happen.

    (What’s even worse? Well… Android most recently runs essentially in a virtual machine, managed by a SoC-level hypervisor, which in turn is managed by the platform TEE. Basically, userspace is EL0, root on the OS is EL1, hypervisor access is EL2, TEE is EL3. The higher the number, the more access the exploit has. For example, an EL0-to-EL1 exploit can be detected by the usual root detection - but an EL0-to-EL2 exploit can’t be, because the exploit happens outside what the OS can see, which is where the trusted boot chain attestation comes in.)

    So anyway, Google has been trying to curtail such exploits by various attestation approaches for Play Integrity. And now they’re trying to catch this from the other end by blocking app installs from unknown sources.

    The main issue with this? A lot of the apps that contain malware or exploits come from the Play Store. Basically, Google is trying to play cop while allowing a select group of thieves to continue operating without any attempt to shut them down…

      • JayGray91🐉🍕@piefed.social
        arrow-up 1
        11 days ago

        It definitely is. And if we take the bank apps as mentioned, they got lazy and rely on the Google mafia to manage their security for them. And now those bank apps are trying to police how the fuck I use my own device. Thank goodness there’s still geto and Shizuku, so I can still hide Dev options and accessibility being turned on.

        For the bank apps, I just straight up reviewed them saying they are hostile to disabled persons because they disallow accessing their apps with accessibility features turned on. It’s not much, but it helps get my anger out.