Unified Attestation

Hi all,

I have just discovered “Unified Attestation”, a European alternative to Google Play Integrity.
Dear Jolla team, are you aware of this?

Sources:

https://korben.info/un-consortium-europeen-lance-une-alternative-open-source-a-google-play-integrity.html

Edit: Feel free to move this post to another category :wink:

25 Likes

If such a solution does get implemented, then it MUST be a completely software one and user-removable if needed.
As someone who doesn’t care about mobile banking, I do care to have the device completely under MY very own control. No TEE, no TPM, no BS!

4 Likes

If this site proposes these things right, I believe Jolla should integrate it in Sailfish OS, that’s amazing.

4 Likes

I read that this morning too. Great news!

It’s fantastic that Volla is leading the way here as a “pioneer.” We can only wish them every success and that even more people will get involved.

1 Like

Just added that topic to the community meeting on March 12th…

11 Likes

As I have near zero technical understanding, is this similar to microG or something completely different?

1 Like

It’s something completely different:
Many applications use a Google service (Google Play Integrity, GPI) to check whether a device is “trustworthy”, as in “not rooted, original Android installation, not manipulated”.

This check is what blocks many apps from being usable on SFOS or alternative Android ROMs. Those devices just cannot pass the criteria set by Google, even if, from a technical perspective, the app would work perfectly fine.

While GPI is part of the Google Play Services, it cannot be (fully) emulated by microG, because a lot happens on Google servers and it depends on the device being Google Certified to begin with.

“Unified Attestation” is planned as a replacement for GPI, which can be used by operating system and app developers, instead of relying on Google Certification.

Meaning: it’s not something (like microG) you can install to make existing apps work. It’s something that developers can use instead of GPI, to be independent from Google in the first place.

21 Likes
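The post above describes the shape of the check without code. The following is an added example, not code from the thread and not the actual protocol of Google Play Integrity or of Unified Attestation; it is a toy model of what the two have in common: the verifying service issues a one-time nonce, the device answers with an authenticated statement of its boot state, and the service accepts only if the key belongs to a device it certified and the stated state meets policy. A per-device HMAC key stands in for the hardware-backed attestation key a real implementation would use; every device ID, key and package name is constructed for the example. It shows why a client-side shim cannot make an uncertified device pass: the decision and the registry of trusted keys live on the verifier.

```python
import hashlib
import hmac
import json

# Constructed: keys the attestation service provisioned at certification time.
# A device that never went through certification has no entry here.
CERTIFIED_KEYS = {
    "dev-certified-01": bytes.fromhex("11" * 32),
    "dev-certified-02": bytes.fromhex("22" * 32),
}


def canonical(body: dict) -> bytes:
    """Stable byte encoding so device and verifier authenticate the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class Device:
    """Attesting side: holds its key and reports its own boot state."""

    def __init__(self, device_id, key, bootloader="locked", verified_boot="green"):
        self.device_id, self.key = device_id, key
        self.bootloader, self.verified_boot = bootloader, verified_boot

    def attest(self, nonce: str, package: str) -> dict:
        body = {"device_id": self.device_id, "nonce": nonce, "package": package,
                "bootloader": self.bootloader, "verified_boot": self.verified_boot}
        tag = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}


class AttestationService:
    """Verifying side: issues nonces, checks keys, applies the boot-state policy."""

    def __init__(self, certified_keys):
        self.certified_keys = certified_keys
        self.outstanding = set()   # nonces issued and not yet consumed
        self.counter = 0

    def challenge(self) -> str:
        # Deterministic nonces keep the example reproducible; production code
        # would use os.urandom() and attach an expiry.
        self.counter += 1
        nonce = hashlib.sha256(f"nonce-{self.counter}".encode()).hexdigest()[:32]
        self.outstanding.add(nonce)
        return nonce

    def verify(self, report: dict) -> str:
        body, tag = report["body"], report["tag"]
        # 1. Freshness: a report captured from a genuine device cannot be replayed.
        if body["nonce"] not in self.outstanding:
            return "REJECT_REPLAY_OR_UNKNOWN_NONCE"
        self.outstanding.discard(body["nonce"])
        # 2. Only devices this service certified have a key it can check against.
        key = self.certified_keys.get(body["device_id"])
        if key is None:
            return "REJECT_UNCERTIFIED_DEVICE"
        # 3. The statement must come from that key (constant-time comparison).
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "REJECT_BAD_SIGNATURE"
        # 4. Policy: what "not rooted, original installation" means to this service.
        if body["bootloader"] != "locked" or body["verified_boot"] != "green":
            return "REJECT_INTEGRITY_FAILED"
        return "MEETS_DEVICE_INTEGRITY"


def run_scenarios() -> dict:
    """Run the cases the thread talks around and return the verdict for each."""
    svc = AttestationService(CERTIFIED_KEYS)
    pkg = "com.example.bank"  # constructed package name
    stock = Device("dev-certified-01", CERTIFIED_KEYS["dev-certified-01"])
    unlocked = Device("dev-certified-02", CERTIFIED_KEYS["dev-certified-02"],
                      bootloader="unlocked", verified_boot="orange")
    uncertified = Device("dev-unknown-99", bytes.fromhex("99" * 32))  # not in registry

    results = {
        "stock": svc.verify(stock.attest(svc.challenge(), pkg)),
        "unlocked": svc.verify(unlocked.attest(svc.challenge(), pkg)),
        "uncertified": svc.verify(uncertified.attest(svc.challenge(), pkg)),
    }
    # Replay: present an already-consumed report a second time.
    first = stock.attest(svc.challenge(), pkg)
    svc.verify(first)
    results["replay"] = svc.verify(first)
    # Tampering: an unlocked device rewrites its own report to claim a locked state.
    forged = unlocked.attest(svc.challenge(), pkg)
    forged["body"]["bootloader"], forged["body"]["verified_boot"] = "locked", "green"
    results["forged"] = svc.verify(forged)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:12s} -> {verdict}")
```

The "uncertified" and "forged" cases are the ones that matter for the microG discussion: faking the bootloader field locally only changes the body, and without a key the verifier recognises there is nothing the device can attach that will validate.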

Thank you for the clarification! Now I am just wondering, as to my understanding the bootloader status is currently faked somehow inside AAS. Is it that most of my apps just don’t use GPI to check it but something much lighter? At least I only get the error with Netflix that my device isn’t supported. Anyway, as even European services want to use something like this in their apps, for reasons unknown to me, it is amazing to have a European alternative to GPI!

3 Likes

There is nuance, as always. Not everyone uses GPI, as there are several “integrity check” and “app security” frameworks on the market.
From my experience, only the “hardliners” like some payment apps and the entertainment industry tend to use it. You can also secure only parts of your app, for example a working banking app where NFC payments cannot be set up without a passed integrity check.

As for why it’s used: it’s an easy way to tick off a checkbox on the developer’s compliance requirement checklist. Minimal effort, industry-standard protection. Therefore it’s really a good thing that an alternative is being developed. Let’s hope they get it right … and that Jolla includes it in SFOS/AAS.

Otherwise, there will just be one more integrity check system blocking SFOS devices from using certain apps. :smiley:

10 Likes

This might help with FOSS RCS clients too. The microG people try to hack around the basic integrity check, but it will remain a cat-and-mouse game without such initiatives.

2 Likes

As mentioned above, I put that topic/this thread into yesterday’s community meeting. The question was:

Is Jolla aware of this new initiative, may it be possible to implement that in AAS, would Jolla participate in that initiative?

That’s the short answer:

#info Thank you for asking. We are very well aware :-).

Sadly I was on the road while that topic was on, but used the chance to ask about that later:

Jolla’s answer sounds like they are already involved in the initiative…

@rainemak just answered :wink: on that.

To my mind Jolla is already involved in that, given these answers, so fingers crossed for some more information on that, especially a possible implementation into SFOS itself as well as AAS. I think Jolla should make it public if they are involved; it would also be good for marketing.

3 Likes

Or maybe they will just expose themselves to some groogal assassin who will wipe the whole Jolla team out.

We wouldn’t want that, would we? :wink:

2 Likes

To me Jollas answer sounds like a very polite form of “f*ck off”.
Well done, Jolla!
That’s the reason I’m constantly agitating all my peers to migrate to Sailfish OS!
And many of them already have.

I see what you mean, and I disagree. To me it sounds more like “any clear statement would be misconstrued as a promise and we just don’t need that pressure”.

5 Likes

To complement the community meeting reply. Yes, we are evaluating this together.

22 Likes