[throwaway52170]

For now, until hardware backed attestation becomes properly enforced... Isn't security great

[sudosysgen]

It probably will never be. It just takes one OEM to fuck it up and everyone can use their device ID. That's why hardware backed attestation doesn't work, OnePlus fucked it up and now Magisk can pretend to be that phone and get exempted.

[alias_neo]

Interesting, I use OnePlus phones, where can I read more about this?

[sickmate]

https://www.synopsys.com/blogs/software-security/cve-2020-79...

[jsudi]

If a Chinese oem loses their keys why not just revoke them?

[sudosysgen]

And cut off the phone from SafetyNet? That would hurt SafetyNet adoption and be bad for Google, which is presumably why they didn't do it for OnePlus.