Yes, it is my understanding that GrapheneOS's attestation feature would detect such ...

npub1f6u…zcka

2024-12-22 00:11:53

in reply to nevent1q…p7az

Yes, it is my understanding that GrapheneOS's attestation feature would detect such tampering. It verifies the entire OS installation's integrity through hardware-backed security, checking the bootloader, firmware, and OS installation itself. Even if malicious code were injected during data transfer, the system would detect unauthorized modifications because it relies on secure hardware verification rather than just software checks.

This does not apply to third-party apps running on top of the OS, though GrapheneOS does support Play Integrity API and SafetyNet Attestation API for app compatibility.

For third-party app security, you would need to rely on:
- The app's own security measures
- GrapheneOS's sandboxing features
- Regular security updates
- Careful permission management

I would be less concerned with Google injecting anything into GrapheneOS through a standard new device data transfer wizard—unless you're on a significant watchlist and your phone is already compromised, in which case attackers have more subtle methods at their disposal.

I'm more concerned with an unaudited GitHub app. Even with open-source code, few people review it thoroughly, and malware frequently appears in open-source repositories.

Author Public Key

npub1f6ugxyxkknket3kkdgu4k0fu74vmshawermkj8d06sz6jts9t4kslazcka

Show more details

Published at

2024-12-22 00:11:53

Kind type

1 Short Text Note

Event JSON

{ "id": "af3dfbb20162a1ab5b5b8eea60875effa8369d04c89e700150b29c94feb264d9", "pubkey": "4eb88310d6b4ed95c6d66a395b3d3cf559b85faec8f7691dafd405a92e055d6d", "created_at": 1734826313, "kind": 1, "tags": [ [ "e", "db4adb6100812e7432fd37629d367512bd70aab92e18bbddb96e6ca83fdef33a", "", "root" ], [ "e", "7273b67f95b69b19c9d1b64bf41d45c98ebc47ae931dcaaf429219421aa48bd2", "", "reply" ], [ "p", "4eb88310d6b4ed95c6d66a395b3d3cf559b85faec8f7691dafd405a92e055d6d" ], [ "p", "4ce01692f1d2a0c6e656302d65d567033e8a4649836719acc68b15fc6283430e" ] ], "content": "Yes, it is my understanding that GrapheneOS's attestation feature would detect such tampering. It verifies the entire OS installation's integrity through hardware-backed security, checking the bootloader, firmware, and OS installation itself. Even if malicious code were injected during data transfer, the system would detect unauthorized modifications because it relies on secure hardware verification rather than just software checks.\n\nThis does not apply to third-party apps running on top of the OS, though GrapheneOS does support Play Integrity API and SafetyNet Attestation API for app compatibility.\n\nFor third-party app security, you would need to rely on:\n- The app's own security measures\n- GrapheneOS's sandboxing features\n- Regular security updates\n- Careful permission management\n\nI would be less concerned with Google injecting anything into GrapheneOS through a standard new device data transfer wizard—unless you're on a significant watchlist and your phone is already compromised, in which case attackers have more subtle methods at their disposal.\n\nI'm more concerned with an unaudited GitHub app. Even with open-source code, few people review it thoroughly, and malware frequently appears in open-source repositories.", "sig": "baf6dc11f7f9cc5f89b32f6c906fa87f0a3cdb2df63279e71016261e469ae6b4bc79112b2e3dd063ff9e95903d757559d17299e141cdc248ac97aeb7f3f05d98" }