Hacker News new | ask | show | jobs
by matheusmoreira 1218 days ago
Yeah, sure. An "optional security feature".

> don't complain when services don't want to serve you or treat you different since you are less secure than the other users

Hell no. They should not be allowed to discriminate against me just because I chose to own my system. They should not even be able to figure out what software I'm running, to say nothing of "treating me different".

"Don't want to serve us" unless we let them invade and own our machines? Please. This should be illegal.
1 comments
charcircuit 1218 days ago
>They should not be allowed to discriminate against me just because I chose to own my system.

App developers don't care if you own your system. They just want a way to prove that the device their app is running on is secure and that the client has not been modified. If there was a way for you to prove that to them they wouldn't mind.

>They should not even be able to figure out what software I'm running, to say nothing of "treating me different".

They just want to know that the client has not been tampered with so that they know you are not going to shall user's tokens, scrape people's information, or mondo automated actions as a bot. A signal that you are using the vanilla client makes you much more trust worthy to a service.

>"Don't want to serve us" unless we let them invade and own our machines?

Apps aren't invading your machine. They just want some guarantees about the environment they are operating in. The information that they get from you is the package's name, certificate, version, whether it's from the play store, whether your device passes integrity checks, and whether the app is properly licensed.

link
matheusmoreira 1218 days ago
> App developers don't care if you own your system.

> They just want a way to prove that the device their app is running on is secure and that the client has not been modified.

Contradictory. If I own the system, I can obviously modify it and everything running on it. Including your app. Therefore what they want is proof that I don't own the system.

> They just want to know that the client has not been tampered with

"Tampered with" -- there's that language again. Owning my computer is not "tampering", it is freedom.

> They just want some guarantees about the environment they are operating in.

Who cares what they want? It's my machine, I decide what they get. If they get anything at all. If I want them to believe they are running on a clean environment, that's what they should believe.

> The information that they get from you is the package's name, certificate, version, whether it's from the play store, whether your device passes integrity checks, and whether the app is properly licensed.

"Integrity" checks? Rooting my phone does not violate its "integrity". If anything it restores it.

Certificates? Store? Licensing checks? Look at all this crap that must be installed on "my" system just to give you your "guarantees". My phone's gotta come out of the factory pwned at the hardware level for your "guarantees" to be worth anything. It has to come with a full root of trust from the firmware to the bootloader to the operating system to each individual app just to prevent my "tampering". But you're seriously claiming apps aren't invading our machines.

An app "wanting" anything is invasion enough.

link
charcircuit 1218 days ago
>Contradictory

I disagree. You can have control in modifying your system, but the software just needs a way to prove that the security features it assumes are true. There could be a way for it to analyze the changes you made and decide whether or not it should trust your system.

>"Tampered with" -- there's that language again. Owning my computer is not "tampering", it is freedom.

It's someone else's software. You may own your computer, but you don't own the YouTube client. Google owns the YouTube client. Tampering with Google's client is tampering.

>"Integrity" checks? Rooting my phone does not violate its "integrity". If anything it restores it.

No, it does not. One part of Android's security model is that app's have storage that only they can access. Take for example a 2FA app which stores it's private key in this location. This makes it so that you must physically have your phone in order to get a 2FA code. This is the "something you have" part of 2FA. Rooting your phone violates the integrity of the system because now someone can just become root and steal the private key. Now they can generate 2FA codes without physically having the device with them. It then becomes another "something you know."

>My phone's gotta come out of the factory pwned at the hardware level for your "guarantees" to be worth anything.

These are security features. Your phone is less secure without them. It's not pwned.

>An app "wanting" anything is invasion enough.

Everyone wants something. Every business transaction includes both parties wanting something from the other.

link