- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
Apple has deployed a system called Private Access Tokens that allows web servers to verify if a device is legitimate before granting access. This works by having the browser request a signed token from Apple proving the device is approved. While this currently has limited impact due to Safari’s market share, there are concerns that attestation systems restrict competition, user control, and innovation by only approving certain devices and software. Attestation could lead to approved providers tightening rules over time, blocking modified operating systems and browsers. While proponents argue for holdbacks to limit blocking, business pressures may make that infeasible and Google’s existing attestation does not do holdbacks. Fundamentally, attestation is seen as anti-competitive by potentially blocking competition between browsers and operating systems on the web.
And how the fuck is a phone app an alternative for avoiding attestation??? A phone app is inherently attested by being distributed through the app store.
On a rooted phone, they can still fail attestation, apparently. That’s why Magisk Hide (or whatever it’s called) became a thing, to hide that the device is rooted. Google Pay also apparently needs Magisk Hide to function.
I don’t trust my phone to store my payment details, so I don’t care about Google Pay, and my bank’s app works fine while rooted, so I don’t have any personal experience with it, just what I’ve seen in every single root guide I’ve used in at least the last 4 years (if not longer; I don’t remember how I rooted my previous phone.)
Yeah, joke’s on the commenter; Google had had device attestation for phones for ages now and it’s also terrible. Many apps will outright refuse to work if you have a non-typical phone (rooted, some obscure hardware or custom OS).