Someone in the comments of that post linked to a long FAQ section for GrapheneOS about how apps can identify it and so forth [1]. I don't understand why it doesn't just attempt to spoof that it's stock Android/Google everywhere it possibly can?
The goal is to normalize the usage of alternative OSes. The moment you find workarounds and don't question, you accept their position and eventually you'll run out of workarounds.
'you can still do X through Y, they are not removing it' is a popular and often the top reply on posts related to companies tightening their walled gardens. It gives an immediate solution to the problem but it doesn't address the core issue. I wish that wasn't the case.
Maybe the whole age verification push will change that discussion, if suddenly requests for entire categories of services have to be funneled through a small number of age verification providers that intentionally try to block alternative OSes.
The discussion might have been mostly theoretical before, but it sure isn't anymore...
Sue whoever blocked your device. I was about to consider it for my bank but an update enabled Graphene. Now it thinks my other phone is insecure and won't let me log in on that one, heh.
Because that would be pointless. If you have use-after-free exploit mitigations active, apps can test for its presence by simply trying to use after free. The only way to make the mitigation unnoticeable would be disabling it.
And let's not forget how pointless Play Integrity is for what it is being touted to be for, when there are millions of "Certified" devices ready for use by shady people via clickfarms.
Unless the app has certificate pinning, the modification of app behaviour is also not guaranteed. Really, it is just a pointless exercise for most of the use cases.
They are focused on making their users more private and secure, not trying to trick 0.01% of apps that give them problems.
It's a cat and mouse game that would require significant investment and could make things look more suspicious, better to focus on adoption so it becomes harder for companies to make stupid decisions like this. I've seen banking apps that have expressly added support for GrapheneOS with their hardware attestation after customers mentioned it.
Even dedicated anti-detect browsers are constantly blocked and need patches. It's not something I would want GrapheneOS to focus on.
> GrapheneOS not only upholds the app security model but substantially reinforces it, so it cannot be justified with reasoning based on security, anti-fraud, etc.
It depends on what you're trying to do with it, right? If I have my browser spoof its user agent to say it's Firefox when it's Chrome, is that fraud? At what point are we saying something is fraud and at what point are we just trying to avoid needless fingerprinting in apps/operating systems/whatever else?
If you're using any type of adblock in your browser, you're essentially spoofing countless systems just to have those ads not show up. But if I'm having my operating system tell an app that I'm not OS XYZ that's fraud?
AIUI if they decide members of a category receive some tangible benefit, so you fake being in that category and get the benefit, it's technically criminal fraud.
Sibling comment says running this simple curl command would be illegal. Guess what? It is illegal.