Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

This, or even sell "dev units" with the bootloader unlocked so that you explicitly have to accept the risk before purchasing the device.

The problem though is that rooting by itself is not that useful when a lot of apps use remote attestation to deny you service if you're rooted.

We don't just need root access, we need undetectable root access.



I agree useful rooting should be easier, but it's definitely possible and not super hard to hide rooting.

I'm typing this on a rooted phone where all (banking) apps work just fine. All it takes is downloading an app (magisk) and add apps to a list that need to have rooting hidden.


> it's definitely possible and not super hard to hide rooting.

Worth noting that this could change with every update. It's an unstable situation right now, which is undesirable.

For that reason, e.g. the GrapheneOS team isn't employing measures to fake compliance at all. They'd really like to get SafetyNet compliance for their operating system (you need that to get Google Pay/Wallet to work), but funamentally can't get it. Right now, they could just fake it, but that's not guaranteed to work reliably, forever (and doing so would probably threaten their official BasicIntegrity compliance).


This is why I'm convinced that relying on Google hardware is a dead end for freedom in the longer term. I'm using a GNU/Linux phone instead.


Magisk only works because Google still supports devices that don't support hardware attestation. Very soon you won't be able to fool Play Integrity without hacking the TEE


Well that's going to really really suck.


> We don't just need root access, we need undetectable root access.

At some point the argument morphs from 'I should be able to do whatever I want with my device' to 'I should be able to access your service/device with whatever I want'.

The fact that Google allows this shows that

1. Apple could do it with zero security impact on anyone who doesn't opt in

2. They could keep any service-based profit source intact

But they still would never do it. Because it's not only service based profit they want to protect. They want to restrict customers from running competitor's software on their hardware, to ensure they get their cut.


> At some point the argument morphs from 'I should be able to do whatever I want with my device' to 'I should be able to access your service/device with whatever I want'.

I'm not demanding to be able to log in to your service/device and replace IIS with Apache on it. I'm just demanding to be able to access it as a normal user with Firefox instead of Chrome.


I'm not saying you shouldn't be able to access from unlocked devices. I'm just saying it's a different argument.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: