This is how Android dies: Volkswagen app attestation requirements stop GrapheneOS from working
442 segments
Hey everybody, how's it going? Hope
you're having a lovely day. Welcome to
today's episode of How You Getting
[ __ ] I'm your host Louis Rossmann and
this is my co-host Blackberry the Kitty.
You're just going to sleep instead of
stand up for the video?
Well,
I guess you're the star. You get to do
what you want. Today we're going to be
following up on a video that I did on
Volkswagen and how they were limiting
people that use their products. If you
buy a Volkswagen car, before you used to
be able to use an application called
Home Assistant to access your car. Home
Assistant is a great open-source
application that's made for the Internet
of Things, except it's not a piece of
[ __ ] It's open-source so you can see
the source code. You can see and verify
that they're not selling your data.
Because it's open-source, they can't rug
pull anything. If they decided to say,
"Hey, now you got to pay a monthly fee
for it to work." it being open-source,
somebody could literally delete the code
that is putting that lock into place and
just continue using it. It's curated by
the community. So for whatever features
you want, you don't have to wait for
Volkswagen to code the features you
want. Often times the community codes
them themselves. It had a lot of
features in it that were not present in
the stock Volkswagen app. If you wanted
to charge only when you had a surplus of
rooftop solar on your house so that your
car would be essentially filling up for
free, you could do that with the Home
Assistant integration, but you couldn't
with the Volkswagen app. There are a
number of different things that you were
able to do with Home Assistant that you
cannot do with the official Volkswagen
app. So a lot of people chose to use
that. And what Volkswagen did is they
closed off their system so that you
cannot use any other application with
their system. You can only use the
Volkswagen app. But now they've decided
to do one better. They've decided to
make it so that not only can you not use
their car's connected system unless
you're using their app, you also now
have to use a very specific operating
system in order to use their app. So
their Android application is not working
if you use any other operating system on
your phone that is based on the Android
open-source project. You have to be
using the manufacturer supplied image in
order for it to work, which is a very
big problem because as I link down
below,
there are a number of things that Google
Play Services does on your phone that
act essentially as spyware and many
people want to be able to use Android,
they just don't want Google spying on
everything they're doing all the time
because that's just like no. I I paid
for the
for the phone, it's mine, and other
operating systems allow that. One of
them is GrapheneOS. A GrapheneOS user
was having issues with the Volkswagen
app, and they contacted Volkswagen, and
they got this reply on the discussion
forum.
Hello. Thank you for contacting
Volkswagen digital services. Please note
that the use of the Volkswagen app is
only supported on iOS devices and
Android devices with supported operating
system versions. On devices which
alternative operating systems, so-called
custom ROMs like GrapheneOS, LineageOS,
or other solutions are installed,
limitations or lack of functionality of
the Volkswagen app may occur. These
systems are not part of the supported
application environment of Volkswagen
for the Volkswagen app, which is why we
unfortunately cannot offer technical
support in such cases. The reason for
this is that the Volkswagen app relies
on security-relevant system components
and certified Android standards to
ensure reliable and secure use of our
digital services. So,
yeah. Not only can I not use my
application with it, but when I use your
application, I have to use the
manufacturer's operating system.
There was a lobbyist there. His name is
Charlie Brown, and I remember him saying
that if you allowed right to repair to
happen, that people would start insta-
these evil repair people would start
pre-installing TikTok onto customer
phones. And what I found funny is that
very shortly after he did that, if you
bought a lower-end Samsung phone, it
actually came with TikTok pre-installed
on it. There's a reason that people
install aftermarket operating systems,
not only because they don't want TikTok
pre-installed, but also because in many
cases they are genuinely more secure. As
I went over in this video that I did a
few years ago, GrapheneOS, the greatest
mobile OS of all time, GrapheneOS is in
many ways more secure than stock Google
Android that comes with your phone.
There were many times that the Graphene
operating system team has actually made
fixes to Android that Google looks at
and goes, "Wait a second. That We did
Why Why don't we think of that? That
does make Android more secure. Thanks."
And those features wind up getting
featured upstream in the Android open
source project. Because Android is an
open source project, there are many
people, whether it's LineageOS, used to
be CalyxOS, GrapheneOS, and many others,
and these forks are each unique in their
own way. And if you wanted to actually
support those forks that are more
secure, rather than just having a
blanket ban on all of them, you could
simply use the standard Android hardware
attestation API and permit their
official release signing keys. The
GrapheneOS project says, and I quote,
that excluding this is a business
choice, not a security requirement. If
an app wants a genuine hardware back
guarantee, there's already a better
tool. The attestation compatibility
guide says that a developer can support
GrapheneOS by using the standard Android
hardware attestation API and permitting
their official release signing keys.
This is a better approach than Play
Integrity because it can whitelist the
keys of alternative operating systems.
If you want to understand what's failing
here, the check behind the certified
Android standards is remote device
attestation. On Android, the dominant
implementation is Google's Play
Integrity API, which Google describes as
a way to confirm that requests come from
a genuine and certified Android device.
When an app calls it, Google returns a
device integrity verdict in three tiers:
meets basic integrity, meets device
integrity, and meets strong integrity.
An app's server can refuse to act unless
it sees the tier that it demands. Now,
GrapheneOS does meet several of these
requirements, like having a locked
bootloader and verified boot, but since
it replaces the manufacturer's operating
system with its own signed build, it's
not going to work. That does not mean
that GrapheneOS is in any way less
secure. You are more secure putting
GrapheneOS on your your Android phone
than you are using the stock [ __ ] that's
filled with spyware. And again, look at
the studies down below if you want exact
details on the the data that is leaving
your phone when you use stock Android.
Now, I know what you're thinking. Lewis,
haven't you said things about how you're
deleting GrapheneOS and not using it
anymore? And yes, I have.
I had a really, really weird
conversation that made me uncomfortable
with somebody on the team, and I stopped
using it. I have never said a word about
the operating system actually being
insecure. If you listen to the words in
that video, I have said that I believe
it is a genuinely secure operating
system, and as long as one of the
proprietors of the operating system
doesn't think that you're trying to kill
him, you're you're probably fine.
Somebody doesn't have to say nice things
about me for me to say nice things about
them. Nor does somebody have to like me
or respect me for me to agree with them.
That's not how this works. We're adults.
What do you think I am? A member of
Congress? I'm not a coding expert, but
from the people that I speak to that I
trust, the code that they ship is more
secure than the code that Google is
shipping. You're getting a more secure
phone when you use GrapheneOS, not a
less secure phone. This has nothing to
do with that and has everything to do
with trying to lock people into their
ecosystem. Last year, Google tried, they
kind of poked a little bit to see how
can we lock down the ecosystem a little
bit more and I went over it in a video
and this is the direction that it's
going in now. There's going to be this
type of attestation to ensure that,
"Okay, you know what? Fine. You're
allowed to use other apps, but if you
actually want to be a part of the real
world, you can't." And this is the thing
that gets me with open source and that's
the reason that when people would hear
Aaron at FUTO say that open source is
losing, they would get very, very
offended and go, "Don't you understand
that open source runs the world? Every
web server uses Linux." "Android is open
source." And it's like, "Yeah, no. All
the servers run Linux
so that Microsoft and Apple and Adobe
and Amazon can serve you closed source
garbage that sucks up all of your data,
that they can change the price on at
will using their Linux server." When you
see these large companies giving a lot
of money to the Linux Foundation, when
you see them giving money to a lot of
these open source projects, they're in
my opinion, just my opinion, they're
cherry-picking the [ __ ] that's going to
be good for them. They want Linux to run
their infrastructure and they want that
[ __ ] to be open source and cheap and
free and easy as possible to use so that
they can serve you as much garbage as
humanly possible. The Android open
source project is technically open
source, but if you actually want to use
a banking app, if you want to connect to
your car, if you want to do anything,
they're setting up a system where
there's so many little closed source
components built on top of the open
source component that are necessary that
you technically can use the open source
version. We have the ability to say that
it's open source in quotes, but it's
open source in quotes and that all the
elements that you need, if you want to
be able to do online banking, if you
want to be able to enjoy online content,
if you want to be able to turn on the
air conditioner in your car, will only
work when you add on this closed source
spyware layer. And that's what it is. It
doesn't make you more secure. Look at
the links that I put down below on all
the different ways that Google Play
Services spies on you and tell me that
that's making you more secure having
that installed in your phone by default.
What GrapheneOS does, which actually
makes it more secure, is it takes Google
Play Services and says, "If you want
this on your phone, you could put it on
your phone, but it's no longer going to
have administrative privileges. You get
to say whether this [ __ ] has elevated
permissions or not. You get to say
whether Google Play services has the
ability to operate outside of the
sandbox. You get to say whether Google
Play services gets to see what you're
doing in other parts of your phone.
That's a good thing. They're taking
Google spyware and they're saying, "You
are limited so that you cannot work as
spyware on the phone." That's good. That
is more [ __ ] secure than stock
Android. And again, this is a business
decision. This is not a security
decision. Imagine if you were going to
install an application and it said, "I'm
sorry, you're using Arch instead of
Ubuntu. You're not going to work."
That's what they're doing. And that's
[ __ ] ridiculous. I hope that you see
this for what it is. They're trying to
move Android in the direction of Google
having control over everything while
simultaneously being able to say that
they're open source because they still
have this little shell of a project that
I guess you could use if you want to use
a Chromium web browser and
I don't know, maybe nothing else. I was
on the Swiss train the other day. It was
I forget if it was April or May. I was
on a train in Switzerland and I wanted
to get a monthly or a weekly pass
instead of using the standard SBB app
and paying $10.70 every time I wanted to
travel for 10 minutes. I wanted to get
one of the monthly passes and I forget
what I went through. It was a week like
a month and a half ago that I did this,
but I remember going through everything
and it's I forget if it wanted my ID or
some more information, but at some point
I was not able to complete the
verification process that I needed to
get the monthly or weekly pass at least
in the rabbit hole that I had went down
in the app because I needed to have
Chrome web browser installed. And on my
phone, I had Firefox and I had Brave. I
didn't have Chrome.
But I needed to use either Safari or
Chrome.
And at some point I said [ __ ] I was at
the point of thinking, "Shit, is it
worth installing Chrome for this?" I'm
like, "No, [ __ ] that. I'm not going to
do that." This is the direction that
this is moving in. Which yeah, if you
want, you can use open source software
on your phone,
but if you want to buy the train pass,
you got to install Chrome.
[ __ ] this. [ __ ] the direction that all
this stuff is going in. You can't say
that open source is winning. Open source
is not winning if you have a separate
[ __ ] water fountain for people who
use open source and people who use the
closed source.
That's what this is.
Oh, you want to be able to enjoy all the
features of it? Install this. That's
what I see this as.
And honestly, I think that's the way
they'll explain it to people. I didn't
really think of that until I started
doing this video.
Oh, you want hardware that doesn't spy
on you? This water fountain is for
people that use software that spies on
them.
[ __ ] that.
What if I want to use my software? What
if I want to use my operating system on
my computer? Who the [ __ ] are you to
tell me what operating system I use on
my computer? And who the [ __ ] are you to
say that I have to have closed-source
spyware on my computer in order to
access what I bought and paid for? And
frankly, if Volkswagen didn't not have
this requirement when they actually sold
me the car, could you actually go back
to the dealership and say, "Listen, when
you sold me this, I had the ability to
use home assistant in my car. And now I
don't."
I want a rebate. I want a refund. If we
lived in a just world, I think that
would be possible. The gym that I go to
enforces that you use their app. There's
one gym that I went to that allows you
to take a picture of a barcode, so you
don't need an app on your phone. You can
just show them your camera roll, and you
immediately there's this right there.
But Gold's Gym has this rolling barcode
thing, so you can't even screenshot it.
You have to use their app. And if you
look at their reviews in the Play Store,
let's just say I'm not the only one that
has problems with this piece of [ __ ]
I've never gotten this thing to work
there regardless of what phone that I'm
using. But imagine getting to a point
where, "Oh, you want to use the gym?
Well, listen. Open-source exists, but
you have to use the closed-source thing
if you want to use the gym. Open-source
exists, but by the way, even though your
web browser that you have on your phone
is 100% capable of rendering all of the
content on our site, we're not going to
sell you a train pass unless you use
Chrome or Safari."
We're getting to the point where it's
like, "Yeah, technically, technically
open-source software works, but they're
adding all of these little closed-source
libraries onto it." And they're creating
their own little ecosystem and
pretending that it's about security so
that they can say that they have
open-source software available while
trapping you into all this [ __ ] if
you want to live like a normal citizen.
I think the GrapheneOS team is
completely on point here. We are moving
towards a world where if I want to buy a
[ __ ] train pass without getting
ripped off every single time I take the
train,
I got to choose. Do I want to pay retail
rates for the train,
or do I want to give up my principles
and install Google Chrome?
You want to be allowed to use this water
fountain?
Install Chrome.
It's [ __ ] up.
We had civil rights.
Some point like software rights.
Truly. Let me know what you think in the
comments down below.
That's it for today. And as always, I
hope you learned something. I'll see you
on the next video. Bye now.
Ask follow-up questions or revisit key timestamps.
Louis Rossmann discusses how major companies, such as Volkswagen and Google, are increasingly restricting users to specific, closed-source ecosystems under the guise of security. By requiring users to utilize only manufacturer-supplied apps or specific operating systems like Android with Google Play Services, these companies create artificial barriers that prevent users from using secure, custom alternatives like GrapheneOS, even when those alternatives are technically capable and more secure.
Videos recently processed by our community