Open Bug 2016895 Opened 3 months ago Updated 41 minutes ago

Use Android Hardware Attestation instead of Google Play Integrity API

Categories

(Firefox for Android :: Browser Engine, enhancement)

Product:
Firefox for Android
Component:
Browser Engine
Version:
Firefox 149
Platform:
All
Android
Type:
enhancement

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: celenity, Unassigned)

References

Details

Bug 2015109 added integration with the Google Play Integrity API to Fenix, though I’m unable to find the reasoning/rationale for why (Would be interested to hear more about it).

Is there a reason Play Integrity was chosen over Android’s standard Hardware Attestation API? Given Mozilla’s focus on free, open source, and privacy-respecting software/solutions, it’s disappointing to see another dependency on Google Play Services introduced.

For more information, I’d recommend checking out GrapheneOS’ attestation compatibility guide - their article details some of the problems with Play Integrity, and how the Hardware Attestation API can be used/implemented instead.

IMO: To align with Mozilla’s core mission/ideals, Mozilla should consider adopting the Hardware Attestation API instead of Play Integrity, assuming that it’s feasible for the intended use case here.

Flags: needinfo?(jboek)
See Also: → 2015109

Hey celenity, thanks for raising this issue! The Google Play Integrity API was added as an authentication method for the MLPA backend. I surfaced these APIs to the team to see if we can use it as an alternative method to the play integrity APIs.

Severity: -- → N/A
Flags: needinfo?(jboek)

Thanks for passing this on and providing that clarification!

Remote attestation for end-user consumer devices shouldn't exist. Using any form of this, for any reason is unethical.

You need to log in before you can comment on or make changes to this bug.