• sloppy_diffuser
    link
    fedilink
    English
    arrow-up
    9
    ·
    1 year ago

    The same host could fake the payload to the attestation server. Cat and mouse game with security through obscurity.

    • Anafabula@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      7
      ·
      1 year ago

      If you are on android or ios the phone already cryptografically verifies that the operating system has not been tampered with on a hardware level. Since the operating system is then “trusted” it can verify anything you do on it

      • l0v9ZU5Z@feddit.de
        link
        fedilink
        English
        arrow-up
        7
        ·
        1 year ago

        Doesn’t work. It’s possible to let many banking apps think they are running on a normal device although it is rooted.

        • Koffiato@lemmy.ml
          link
          fedilink
          English
          arrow-up
          6
          ·
          1 year ago

          Yup Play attestation is dead, even the new and shiny “secure” one is bypassed. It’s now just a hinderence.