HomeVideos

This is how Android dies: Volkswagen app attestation requirements stop GrapheneOS from working

Now Playing

This is how Android dies: Volkswagen app attestation requirements stop GrapheneOS from working

Transcript

442 segments

0:00

Hey everybody, how's it going? Hope

0:00

you're having a lovely day. Welcome to

0:01

today's episode of How You Getting

0:02

[ __ ] I'm your host Louis Rossmann and

0:04

this is my co-host Blackberry the Kitty.

0:08

You're just going to sleep instead of

0:10

stand up for the video?

0:11

Well,

0:13

I guess you're the star. You get to do

0:15

what you want. Today we're going to be

0:16

following up on a video that I did on

0:17

Volkswagen and how they were limiting

0:19

people that use their products. If you

0:20

buy a Volkswagen car, before you used to

0:22

be able to use an application called

0:23

Home Assistant to access your car. Home

0:25

Assistant is a great open-source

0:26

application that's made for the Internet

0:28

of Things, except it's not a piece of

0:30

[ __ ] It's open-source so you can see

0:31

the source code. You can see and verify

0:33

that they're not selling your data.

0:34

Because it's open-source, they can't rug

0:36

pull anything. If they decided to say,

0:37

"Hey, now you got to pay a monthly fee

0:38

for it to work." it being open-source,

0:40

somebody could literally delete the code

0:42

that is putting that lock into place and

0:44

just continue using it. It's curated by

0:46

the community. So for whatever features

0:47

you want, you don't have to wait for

0:48

Volkswagen to code the features you

0:49

want. Often times the community codes

0:51

them themselves. It had a lot of

0:52

features in it that were not present in

0:54

the stock Volkswagen app. If you wanted

0:55

to charge only when you had a surplus of

0:57

rooftop solar on your house so that your

0:59

car would be essentially filling up for

1:01

free, you could do that with the Home

1:02

Assistant integration, but you couldn't

1:03

with the Volkswagen app. There are a

1:05

number of different things that you were

1:06

able to do with Home Assistant that you

1:08

cannot do with the official Volkswagen

1:09

app. So a lot of people chose to use

1:11

that. And what Volkswagen did is they

1:13

closed off their system so that you

1:14

cannot use any other application with

1:16

their system. You can only use the

1:17

Volkswagen app. But now they've decided

1:19

to do one better. They've decided to

1:21

make it so that not only can you not use

1:23

their car's connected system unless

1:25

you're using their app, you also now

1:27

have to use a very specific operating

1:29

system in order to use their app. So

1:31

their Android application is not working

1:33

if you use any other operating system on

1:35

your phone that is based on the Android

1:36

open-source project. You have to be

1:37

using the manufacturer supplied image in

1:39

order for it to work, which is a very

1:41

big problem because as I link down

1:42

below,

1:42

there are a number of things that Google

1:44

Play Services does on your phone that

1:46

act essentially as spyware and many

1:49

people want to be able to use Android,

1:50

they just don't want Google spying on

1:52

everything they're doing all the time

1:54

because that's just like no. I I paid

1:56

for the

1:57

for the phone, it's mine, and other

1:59

operating systems allow that. One of

2:00

them is GrapheneOS. A GrapheneOS user

2:02

was having issues with the Volkswagen

2:04

app, and they contacted Volkswagen, and

2:05

they got this reply on the discussion

2:07

forum.

2:08

Hello. Thank you for contacting

2:10

Volkswagen digital services. Please note

2:12

that the use of the Volkswagen app is

2:13

only supported on iOS devices and

2:14

Android devices with supported operating

2:16

system versions. On devices which

2:18

alternative operating systems, so-called

2:20

custom ROMs like GrapheneOS, LineageOS,

2:22

or other solutions are installed,

2:23

limitations or lack of functionality of

2:25

the Volkswagen app may occur. These

2:27

systems are not part of the supported

2:28

application environment of Volkswagen

2:30

for the Volkswagen app, which is why we

2:31

unfortunately cannot offer technical

2:32

support in such cases. The reason for

2:34

this is that the Volkswagen app relies

2:35

on security-relevant system components

2:37

and certified Android standards to

2:38

ensure reliable and secure use of our

2:39

digital services. So,

2:42

yeah. Not only can I not use my

2:44

application with it, but when I use your

2:45

application, I have to use the

2:47

manufacturer's operating system.

2:50

There was a lobbyist there. His name is

2:52

Charlie Brown, and I remember him saying

2:54

that if you allowed right to repair to

2:55

happen, that people would start insta-

2:57

these evil repair people would start

2:58

pre-installing TikTok onto customer

3:00

phones. And what I found funny is that

3:02

very shortly after he did that, if you

3:03

bought a lower-end Samsung phone, it

3:05

actually came with TikTok pre-installed

3:06

on it. There's a reason that people

3:08

install aftermarket operating systems,

3:09

not only because they don't want TikTok

3:10

pre-installed, but also because in many

3:12

cases they are genuinely more secure. As

3:14

I went over in this video that I did a

3:15

few years ago, GrapheneOS, the greatest

3:17

mobile OS of all time, GrapheneOS is in

3:19

many ways more secure than stock Google

3:21

Android that comes with your phone.

3:22

There were many times that the Graphene

3:24

operating system team has actually made

3:25

fixes to Android that Google looks at

3:28

and goes, "Wait a second. That We did

3:30

Why Why don't we think of that? That

3:31

does make Android more secure. Thanks."

3:34

And those features wind up getting

3:35

featured upstream in the Android open

3:36

source project. Because Android is an

3:38

open source project, there are many

3:39

people, whether it's LineageOS, used to

3:41

be CalyxOS, GrapheneOS, and many others,

3:42

and these forks are each unique in their

3:44

own way. And if you wanted to actually

3:46

support those forks that are more

3:47

secure, rather than just having a

3:48

blanket ban on all of them, you could

3:50

simply use the standard Android hardware

3:52

attestation API and permit their

3:53

official release signing keys. The

3:55

GrapheneOS project says, and I quote,

3:56

that excluding this is a business

3:57

choice, not a security requirement. If

3:59

an app wants a genuine hardware back

4:01

guarantee, there's already a better

4:02

tool. The attestation compatibility

4:04

guide says that a developer can support

4:05

GrapheneOS by using the standard Android

4:07

hardware attestation API and permitting

4:09

their official release signing keys.

4:11

This is a better approach than Play

4:12

Integrity because it can whitelist the

4:13

keys of alternative operating systems.

4:14

If you want to understand what's failing

4:16

here, the check behind the certified

4:17

Android standards is remote device

4:19

attestation. On Android, the dominant

4:20

implementation is Google's Play

4:22

Integrity API, which Google describes as

4:24

a way to confirm that requests come from

4:25

a genuine and certified Android device.

4:27

When an app calls it, Google returns a

4:28

device integrity verdict in three tiers:

4:30

meets basic integrity, meets device

4:31

integrity, and meets strong integrity.

4:33

An app's server can refuse to act unless

4:35

it sees the tier that it demands. Now,

4:37

GrapheneOS does meet several of these

4:39

requirements, like having a locked

4:40

bootloader and verified boot, but since

4:42

it replaces the manufacturer's operating

4:43

system with its own signed build, it's

4:44

not going to work. That does not mean

4:46

that GrapheneOS is in any way less

4:48

secure. You are more secure putting

4:50

GrapheneOS on your your Android phone

4:52

than you are using the stock [ __ ] that's

4:54

filled with spyware. And again, look at

4:55

the studies down below if you want exact

4:57

details on the the data that is leaving

4:59

your phone when you use stock Android.

5:01

Now, I know what you're thinking. Lewis,

5:02

haven't you said things about how you're

5:04

deleting GrapheneOS and not using it

5:05

anymore? And yes, I have.

5:07

I had a really, really weird

5:09

conversation that made me uncomfortable

5:11

with somebody on the team, and I stopped

5:13

using it. I have never said a word about

5:15

the operating system actually being

5:17

insecure. If you listen to the words in

5:18

that video, I have said that I believe

5:20

it is a genuinely secure operating

5:21

system, and as long as one of the

5:23

proprietors of the operating system

5:24

doesn't think that you're trying to kill

5:25

him, you're you're probably fine.

5:26

Somebody doesn't have to say nice things

5:28

about me for me to say nice things about

5:29

them. Nor does somebody have to like me

5:31

or respect me for me to agree with them.

5:32

That's not how this works. We're adults.

5:34

What do you think I am? A member of

5:35

Congress? I'm not a coding expert, but

5:36

from the people that I speak to that I

5:37

trust, the code that they ship is more

5:39

secure than the code that Google is

5:40

shipping. You're getting a more secure

5:41

phone when you use GrapheneOS, not a

5:43

less secure phone. This has nothing to

5:44

do with that and has everything to do

5:45

with trying to lock people into their

5:47

ecosystem. Last year, Google tried, they

5:48

kind of poked a little bit to see how

5:50

can we lock down the ecosystem a little

5:51

bit more and I went over it in a video

5:52

and this is the direction that it's

5:54

going in now. There's going to be this

5:55

type of attestation to ensure that,

5:57

"Okay, you know what? Fine. You're

5:58

allowed to use other apps, but if you

5:59

actually want to be a part of the real

6:01

world, you can't." And this is the thing

6:03

that gets me with open source and that's

6:05

the reason that when people would hear

6:06

Aaron at FUTO say that open source is

6:08

losing, they would get very, very

6:09

offended and go, "Don't you understand

6:11

that open source runs the world? Every

6:13

web server uses Linux." "Android is open

6:15

source." And it's like, "Yeah, no. All

6:17

the servers run Linux

6:19

so that Microsoft and Apple and Adobe

6:22

and Amazon can serve you closed source

6:25

garbage that sucks up all of your data,

6:27

that they can change the price on at

6:29

will using their Linux server." When you

6:31

see these large companies giving a lot

6:32

of money to the Linux Foundation, when

6:34

you see them giving money to a lot of

6:35

these open source projects, they're in

6:37

my opinion, just my opinion, they're

6:38

cherry-picking the [ __ ] that's going to

6:40

be good for them. They want Linux to run

6:42

their infrastructure and they want that

6:43

[ __ ] to be open source and cheap and

6:45

free and easy as possible to use so that

6:47

they can serve you as much garbage as

6:49

humanly possible. The Android open

6:50

source project is technically open

6:52

source, but if you actually want to use

6:54

a banking app, if you want to connect to

6:56

your car, if you want to do anything,

6:57

they're setting up a system where

6:59

there's so many little closed source

7:00

components built on top of the open

7:02

source component that are necessary that

7:04

you technically can use the open source

7:05

version. We have the ability to say that

7:07

it's open source in quotes, but it's

7:09

open source in quotes and that all the

7:11

elements that you need, if you want to

7:12

be able to do online banking, if you

7:14

want to be able to enjoy online content,

7:15

if you want to be able to turn on the

7:17

air conditioner in your car, will only

7:18

work when you add on this closed source

7:20

spyware layer. And that's what it is. It

7:22

doesn't make you more secure. Look at

7:24

the links that I put down below on all

7:26

the different ways that Google Play

7:28

Services spies on you and tell me that

7:30

that's making you more secure having

7:31

that installed in your phone by default.

7:32

What GrapheneOS does, which actually

7:34

makes it more secure, is it takes Google

7:36

Play Services and says, "If you want

7:38

this on your phone, you could put it on

7:39

your phone, but it's no longer going to

7:41

have administrative privileges. You get

7:42

to say whether this [ __ ] has elevated

7:44

permissions or not. You get to say

7:45

whether Google Play services has the

7:47

ability to operate outside of the

7:48

sandbox. You get to say whether Google

7:50

Play services gets to see what you're

7:51

doing in other parts of your phone.

7:53

That's a good thing. They're taking

7:54

Google spyware and they're saying, "You

7:56

are limited so that you cannot work as

7:58

spyware on the phone." That's good. That

8:00

is more [ __ ] secure than stock

8:02

Android. And again, this is a business

8:04

decision. This is not a security

8:05

decision. Imagine if you were going to

8:06

install an application and it said, "I'm

8:08

sorry, you're using Arch instead of

8:09

Ubuntu. You're not going to work."

8:12

That's what they're doing. And that's

8:13

[ __ ] ridiculous. I hope that you see

8:14

this for what it is. They're trying to

8:16

move Android in the direction of Google

8:18

having control over everything while

8:19

simultaneously being able to say that

8:21

they're open source because they still

8:23

have this little shell of a project that

8:26

I guess you could use if you want to use

8:27

a Chromium web browser and

8:29

I don't know, maybe nothing else. I was

8:31

on the Swiss train the other day. It was

8:33

I forget if it was April or May. I was

8:35

on a train in Switzerland and I wanted

8:36

to get a monthly or a weekly pass

8:39

instead of using the standard SBB app

8:41

and paying $10.70 every time I wanted to

8:43

travel for 10 minutes. I wanted to get

8:45

one of the monthly passes and I forget

8:47

what I went through. It was a week like

8:48

a month and a half ago that I did this,

8:49

but I remember going through everything

8:50

and it's I forget if it wanted my ID or

8:52

some more information, but at some point

8:54

I was not able to complete the

8:55

verification process that I needed to

8:56

get the monthly or weekly pass at least

8:58

in the rabbit hole that I had went down

8:59

in the app because I needed to have

9:00

Chrome web browser installed. And on my

9:02

phone, I had Firefox and I had Brave. I

9:04

didn't have Chrome.

9:06

But I needed to use either Safari or

9:07

Chrome.

9:08

And at some point I said [ __ ] I was at

9:09

the point of thinking, "Shit, is it

9:10

worth installing Chrome for this?" I'm

9:12

like, "No, [ __ ] that. I'm not going to

9:13

do that." This is the direction that

9:15

this is moving in. Which yeah, if you

9:17

want, you can use open source software

9:19

on your phone,

9:20

but if you want to buy the train pass,

9:21

you got to install Chrome.

9:24

[ __ ] this. [ __ ] the direction that all

9:26

this stuff is going in. You can't say

9:28

that open source is winning. Open source

9:29

is not winning if you have a separate

9:31

[ __ ] water fountain for people who

9:32

use open source and people who use the

9:34

closed source.

9:35

That's what this is.

9:37

Oh, you want to be able to enjoy all the

9:38

features of it? Install this. That's

9:40

what I see this as.

9:41

And honestly, I think that's the way

9:42

they'll explain it to people. I didn't

9:44

really think of that until I started

9:45

doing this video.

9:46

Oh, you want hardware that doesn't spy

9:47

on you? This water fountain is for

9:49

people that use software that spies on

9:50

them.

9:51

[ __ ] that.

9:52

What if I want to use my software? What

9:54

if I want to use my operating system on

9:56

my computer? Who the [ __ ] are you to

9:57

tell me what operating system I use on

9:58

my computer? And who the [ __ ] are you to

10:00

say that I have to have closed-source

10:01

spyware on my computer in order to

10:02

access what I bought and paid for? And

10:03

frankly, if Volkswagen didn't not have

10:05

this requirement when they actually sold

10:06

me the car, could you actually go back

10:08

to the dealership and say, "Listen, when

10:09

you sold me this, I had the ability to

10:11

use home assistant in my car. And now I

10:13

don't."

10:14

I want a rebate. I want a refund. If we

10:16

lived in a just world, I think that

10:17

would be possible. The gym that I go to

10:19

enforces that you use their app. There's

10:20

one gym that I went to that allows you

10:22

to take a picture of a barcode, so you

10:24

don't need an app on your phone. You can

10:25

just show them your camera roll, and you

10:26

immediately there's this right there.

10:28

But Gold's Gym has this rolling barcode

10:30

thing, so you can't even screenshot it.

10:31

You have to use their app. And if you

10:32

look at their reviews in the Play Store,

10:34

let's just say I'm not the only one that

10:35

has problems with this piece of [ __ ]

10:36

I've never gotten this thing to work

10:37

there regardless of what phone that I'm

10:38

using. But imagine getting to a point

10:40

where, "Oh, you want to use the gym?

10:42

Well, listen. Open-source exists, but

10:46

you have to use the closed-source thing

10:47

if you want to use the gym. Open-source

10:48

exists, but by the way, even though your

10:50

web browser that you have on your phone

10:51

is 100% capable of rendering all of the

10:54

content on our site, we're not going to

10:56

sell you a train pass unless you use

10:57

Chrome or Safari."

10:59

We're getting to the point where it's

11:00

like, "Yeah, technically, technically

11:03

open-source software works, but they're

11:05

adding all of these little closed-source

11:07

libraries onto it." And they're creating

11:08

their own little ecosystem and

11:09

pretending that it's about security so

11:10

that they can say that they have

11:11

open-source software available while

11:13

trapping you into all this [ __ ] if

11:15

you want to live like a normal citizen.

11:16

I think the GrapheneOS team is

11:17

completely on point here. We are moving

11:18

towards a world where if I want to buy a

11:20

[ __ ] train pass without getting

11:21

ripped off every single time I take the

11:22

train,

11:23

I got to choose. Do I want to pay retail

11:25

rates for the train,

11:27

or do I want to give up my principles

11:28

and install Google Chrome?

11:34

You want to be allowed to use this water

11:35

fountain?

11:36

Install Chrome.

11:39

It's [ __ ] up.

11:42

We had civil rights.

11:44

Some point like software rights.

11:46

Truly. Let me know what you think in the

11:48

comments down below.

11:49

That's it for today. And as always, I

11:50

hope you learned something. I'll see you

11:52

on the next video. Bye now.

Interactive Summary

Louis Rossmann discusses how major companies, such as Volkswagen and Google, are increasingly restricting users to specific, closed-source ecosystems under the guise of security. By requiring users to utilize only manufacturer-supplied apps or specific operating systems like Android with Google Play Services, these companies create artificial barriers that prevent users from using secure, custom alternatives like GrapheneOS, even when those alternatives are technically capable and more secure.

Suggested questions

3 ready-made prompts