Skip to content

Releases: GrapheneOS/Auditor

16

23 Aug 23:40
@thestinger thestinger
16
This tag was signed with the committer’s verified signature.
thestinger Daniel Micay
GPG key ID: F9E712E59AF5F22A
Learn about vigilant mode.
c4aa65e
Compare
Choose a tag to compare
16

Full list of changes from the previous release (version 15). Notable changes:

  • add support for Samsung Galaxy S10+ SM-G975F
  • add support for Samsung Galaxy J3 2018 SM-J337A
  • add support for Samsung Galaxy S9 G9600
  • add support for Samsung Galaxy J7 Duo SM-J720F
  • add support for Oppo A7 CPH1903
  • add support for Nokia 6.1 Plus
  • add support for Huawei P20 EML-L09
  • add support for LG Style 5 LM-Q720

This release will be bundled with the next release of GrapheneOS and is also being pushed out via the Play Store.

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version. Supported devices:

  • BlackBerry Key2 (BBF100-6 model)
  • BQ Aquaris X2 Pro
  • Google Pixel 2
  • Google Pixel 2 XL
  • Google Pixel 3
  • Google Pixel 3 XL
  • Google Pixel 3a
  • Google Pixel 3a XL
  • Huawei Honor 7A Pro (AUM-L29 model)
  • Huawei Honor 10 (COL-L29 model)
  • Huawei Honor View 10 (BKL-L04 and BKL-L09 models)
  • Huawei Mate 10 (ALP-L29 model)
  • Huawei Mate 20 Pro (LYA-L29 model)
  • Huawei P20 (EML-L09 model)
  • Huawei P20 Pro (CLT-L29 model)
  • Huawei Y9 2019 (JKM-LX3 model)
  • HTC EXODUS 1
  • HTC U12+
  • LG Style 5 (LM-Q720 model)
  • Motorola moto g⁷
  • Nokia 6.1
  • Nokia 6.1 Plus
  • Nokia 7.1
  • Nokia 7 Plus
  • OnePlus 6 (A6003 model)
  • OnePlus 6T (A6013 model)
  • OnePlus 7 Pro (GM1913 model)
  • Oppo A7 (CPH1903 model)
  • Samsung Galaxy J3 2018 (SM-J337A model)
  • Samsung Galaxy M20 (SM-M205F model)
  • Samsung Galaxy Note 9 (SM-N960F and SM-N960U models)
  • Samsung Galaxy S9 (SM-G960F, SM-G960U, SM-G960U1, SM-G960W and G9600models)
  • Samsung Galaxy S9+ (SM-G965F, SM-G965U, SM-G965U1 and SM-G965W models)
  • Samsung Galaxy S10+ (SM-G975F model)
  • Samsung Galaxy Tab A 10.1 (SM-T510 model)
  • Sony Xperia XA2 (H3113, H3123 and H4113 models)
  • Sony Xperia XZ1 / XZ1 Compact (G8341 and G8342 models)
  • Sony Xperia XZ1 Compact (G8441 model)
  • Sony Xperia XZ2 (H8216 model)
  • Sony Xperia XZ2 Compact (H8314 and H8324 models)
  • T-Mobile REVVL 2
  • Vivo 1807
  • Xiaomi Mi A2
  • Xiaomi Mi A2 Lite
  • Xiaomi Mi 9
  • Xiaomi POCOPHONE F1

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification.

See https://attestation.app/tutorial for detailed usage instructions. This is included as the Help entry in the app menu. The app also provides basic guidance through the process. See https://attestation.app/about for a more detailed overview.

Assets 2
Loading

15

30 Jun 00:09
@thestinger thestinger
15
This tag was signed with the committer’s verified signature.
thestinger Daniel Micay
GPG key ID: F9E712E59AF5F22A
Learn about vigilant mode.
bc5dbfe
Compare
Choose a tag to compare
15

Full list of changes from the previous release (version 14). Notable changes:

  • add support for verifying the Samsung Galaxy Tab A 10.1 (SM-T510 model)
  • add support for verifying the Nokia 7.1
  • add support for verifying the Huawei Y9 2019 (JKM-LX3 model)
  • add support for verifying the Samsung Galaxy M20 (SM-M205F model)
  • add support for verifying the T-Mobile REVVL 2

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version. Supported devices:

  • BlackBerry Key2 (BBF100-6 model)
  • BQ Aquaris X2 Pro
  • Google Pixel 2
  • Google Pixel 2 XL
  • Google Pixel 3
  • Google Pixel 3 XL
  • Google Pixel 3a
  • Google Pixel 3a XL
  • Huawei Honor 7A Pro (AUM-L29 model)
  • Huawei Honor 10 (COL-L29 model)
  • Huawei Honor View 10 (BKL-L04 and BKL-L09 models)
  • Huawei Mate 10 (ALP-L29 model)
  • Huawei Mate 20 Pro (LYA-L29 model)
  • Huawei P20 Pro (CLT-L29 model)
  • Huawei Y9 2019 (JKM-LX3 model)
  • HTC EXODUS 1
  • HTC U12+
  • Motorola moto g⁷
  • Nokia 6.1
  • Nokia 7.1
  • Nokia 7 Plus
  • OnePlus 6 (A6003 model)
  • OnePlus 6T (A6013 model)
  • OnePlus 7 Pro (GM1913 model)
  • Samsung Galaxy M20 (SM-M205F model)
  • Samsung Galaxy Note 9 (SM-N960F and SM-N960U models)
  • Samsung Galaxy S9 (SM-G960F, SM-G960U, SM-G960U1 and SM-G960W models)
  • Samsung Galaxy S9+ (SM-G965F, SM-G965U, SM-G965U1 and SM-G965W models)
  • Samsung Galaxy Tab A 10.1 (SM-T510 model)
  • Sony Xperia XA2 (H3113, H3123 and H4113 models)
  • Sony Xperia XZ1 / XZ1 Compact (G8341 and G8342 models)
  • Sony Xperia XZ1 Compact (G8441 model)
  • Sony Xperia XZ2 (H8216 model)
  • Sony Xperia XZ2 Compact (H8314 and H8324 models)
  • T-Mobile REVVL 2
  • Vivo 1807
  • Xiaomi Mi A2
  • Xiaomi Mi A2 Lite
  • Xiaomi Mi 9
  • Xiaomi POCOPHONE F1

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification.

See https://attestation.app/tutorial for detailed usage instructions. This is included as the Help entry in the app menu. The app also provides basic guidance through the process. See https://attestation.app/about for a more detailed overview.

Assets 2
Loading

14

14 Jun 00:27
@thestinger thestinger
14
This tag was signed with the committer’s verified signature.
thestinger Daniel Micay
GPG key ID: F9E712E59AF5F22A
Learn about vigilant mode.
97a1353
Compare
Choose a tag to compare
14

Full list of changes from the previous release (version 13). Notable changes:

  • add support for verifying GrapheneOS on the Pixel 3a and Pixel 3a XL
  • add support for verifying the stock OS on the Motorola moto g⁷
  • add support for verifying the stock OS on the Vivo 1807
  • fix support for verifying the Xiaomi Mi 9
  • add OS enforced check for whether Auditor is on the main user profile

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version. Supported devices:

  • BlackBerry Key2 (BBF100-6 model)
  • BQ Aquaris X2 Pro
  • Google Pixel 2
  • Google Pixel 2 XL
  • Google Pixel 3
  • Google Pixel 3 XL
  • Google Pixel 3a
  • Google Pixel 3a XL
  • Huawei Honor 7A Pro (AUM-L29 model)
  • Huawei Honor 10 (COL-L29 model)
  • Huawei Honor View 10 (BKL-L04 and BKL-L09 models)
  • Huawei Mate 10 (ALP-L29 model)
  • Huawei Mate 20 Pro (LYA-L29 model)
  • Huawei P20 Pro (CLT-L29 model)
  • HTC EXODUS 1
  • HTC U12+
  • Motorola moto g⁷
  • Nokia 6.1
  • Nokia 7 Plus
  • OnePlus 6 (A6003 model)
  • OnePlus 6T (A6013 model)
  • OnePlus 7 Pro (GM1913 model)
  • Samsung Galaxy Note 9 (SM-N960F and SM-N960U models)
  • Samsung Galaxy S9 (SM-G960F, SM-G960U, SM-G960U1 and SM-G960W models)
  • Samsung Galaxy S9+ (SM-G965F, SM-G965U, SM-G965U1 and SM-G965W models)
  • Sony Xperia XA2 (H3113, H3123 and H4113 models)
  • Sony Xperia XZ1 / XZ1 Compact (G8341 and G8342 models)
  • Sony Xperia XZ1 Compact (G8441 model)
  • Sony Xperia XZ2 (H8216 model)
  • Sony Xperia XZ2 Compact (H8314 and H8324 models)
  • Vivo 1807
  • Xiaomi Mi A2
  • Xiaomi Mi A2 Lite
  • Xiaomi Mi 9
  • Xiaomi POCOPHONE F1

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification.

See https://attestation.app/tutorial for detailed usage instructions. This is included as the Help entry in the app menu. The app also provides basic guidance through the process. See https://attestation.app/about for a more detailed overview.

Assets 2
Loading

13

08 Jun 17:07
@thestinger thestinger
13
This tag was signed with the committer’s verified signature.
thestinger Daniel Micay
GPG key ID: F9E712E59AF5F22A
Learn about vigilant mode.
750a313
Compare
Choose a tag to compare
13

Full list of changes from the previous release (version 12). Notable changes:

  • add support for verifying CalyxOS on the Pixel 2, Pixel 2 XL, Pixel 3 and Pixel 3 XL
  • clear pairing when disabling remote verification
  • add verified boot hash display
  • reschedule remote verification once the app is opened again after being force stopped or disabled

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version. Supported devices:

  • BlackBerry Key2 (BBF100-6 model)
  • BQ Aquaris X2 Pro
  • Google Pixel 2
  • Google Pixel 2 XL
  • Google Pixel 3
  • Google Pixel 3 XL
  • Google Pixel 3a
  • Google Pixel 3a XL
  • Huawei Honor 7A Pro (AUM-L29 model)
  • Huawei Honor 10 (COL-L29 model)
  • Huawei Honor View 10 (BKL-L04 and BKL-L09 models)
  • Huawei Mate 10 (ALP-L29 model)
  • Huawei Mate 20 Pro (LYA-L29 model)
  • Huawei P20 Pro (CLT-L29 model)
  • HTC EXODUS 1
  • HTC U12+
  • Nokia 6.1
  • Nokia 7 Plus
  • OnePlus 6 (A6003 model)
  • OnePlus 6T (A6013 model)
  • OnePlus 7 Pro (GM1913 model)
  • Samsung Galaxy Note 9 (SM-N960F and SM-N960U models)
  • Samsung Galaxy S9 (SM-G960F, SM-G960U, SM-G960U1 and SM-G960W models)
  • Samsung Galaxy S9+ (SM-G965F, SM-G965U, SM-G965U1 and SM-G965W models)
  • Sony Xperia XA2 (H3113, H3123 and H4113 models)
  • Sony Xperia XZ1 / XZ1 Compact (G8341 and G8342 models)
  • Sony Xperia XZ1 Compact (G8441 model)
  • Sony Xperia XZ2 (H8216 model)
  • Sony Xperia XZ2 Compact (H8314 and H8324 models)
  • Xiaomi Mi A2
  • Xiaomi Mi A2 Lite
  • Xiaomi Mi 9
  • Xiaomi POCOPHONE F1

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification.

See https://attestation.app/tutorial for detailed usage instructions. This is included as the Help entry in the app menu. The app also provides basic guidance through the process. See https://attestation.app/about for a more detailed overview.

Assets 2
Loading

12

03 Jun 07:33
@thestinger thestinger
12
This tag was signed with the committer’s verified signature.
thestinger Daniel Micay
GPG key ID: F9E712E59AF5F22A
Learn about vigilant mode.
eadb73e
Compare
Choose a tag to compare
12

Changes from the previous release (version 11).

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version. Supported devices:

  • BlackBerry Key2 (BBF100-6 model)
  • BQ Aquaris X2 Pro
  • Google Pixel 2
  • Google Pixel 2 XL
  • Google Pixel 3
  • Google Pixel 3 XL
  • Google Pixel 3a
  • Google Pixel 3a XL
  • Huawei Honor 7A Pro (AUM-L29 model)
  • Huawei Honor 10 (COL-L29 model)
  • Huawei Honor View 10 (BKL-L04 and BKL-L09 models)
  • Huawei Mate 10 (ALP-L29 model)
  • Huawei Mate 20 Pro (LYA-L29 model)
  • Huawei P20 Pro (CLT-L29 model)
  • HTC EXODUS 1
  • HTC U12+
  • Nokia 6.1
  • Nokia 7 Plus
  • OnePlus 6 (A6003 model)
  • OnePlus 6T (A6013 model)
  • OnePlus 7 Pro (GM1913 model)
  • Samsung Galaxy Note 9 (SM-N960F and SM-N960U models)
  • Samsung Galaxy S9 (SM-G960F, SM-G960U, SM-G960U1 and SM-G960W models)
  • Samsung Galaxy S9+ (SM-G965F, SM-G965U, SM-G965U1 and SM-G965W models)
  • Sony Xperia XA2 (H3113, H3123 and H4113 models)
  • Sony Xperia XZ1 / XZ1 Compact (G8341 and G8342 models)
  • Sony Xperia XZ1 Compact (G8441 model)
  • Sony Xperia XZ2 (H8216 model)
  • Sony Xperia XZ2 Compact (H8314 and H8324 models)
  • Xiaomi Mi A2
  • Xiaomi Mi A2 Lite
  • Xiaomi Mi 9
  • Xiaomi POCOPHONE F1

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The initial verification has some security provided by the Google root certificate. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification.

See https://attestation.app/tutorial for detailed usage instructions. This is included as the Help entry in the app menu. The app also provides basic guidance through the process.

Assets 2
Loading

11

20 May 21:32
@thestinger thestinger
11
This tag was signed with the committer’s verified signature.
thestinger Daniel Micay
GPG key ID: F9E712E59AF5F22A
Learn about vigilant mode.
14e872a
Compare
Choose a tag to compare
11

Changes from the previous release (version 10).

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version. Supported devices:

  • BlackBerry Key2 (BBF100-6 model)
  • BQ Aquaris X2 Pro
  • Google Pixel 2
  • Google Pixel 2 XL
  • Google Pixel 3
  • Google Pixel 3 XL
  • Google Pixel 3a
  • Google Pixel 3a XL
  • Huawei Honor 7A Pro (AUM-L29 model)
  • Huawei Honor 10 (COL-L29 model)
  • Huawei Honor View 10 (BKL-L04 and BKL-L09 models)
  • Huawei Mate 10 (ALP-L29 model)
  • Huawei Mate 20 Pro (LYA-L29 model)
  • Huawei P20 Pro (CLT-L29 model)
  • HTC EXODUS 1
  • HTC U12+
  • Nokia 6.1
  • Nokia 7 Plus
  • OnePlus 6 (A6003 model)
  • Samsung Galaxy Note 9 (SM-N960F and SM-N960U models)
  • Samsung Galaxy S9 (SM-G960F, SM-G960U, SM-G960U1 and SM-G960W models)
  • Samsung Galaxy S9+ (SM-G965F, SM-G965U, SM-G965U1 and SM-G965W models)
  • Sony Xperia XA2 (H3113, H3123 and H4113 models)
  • Sony Xperia XZ1 / XZ1 Compact (G8341 and G8342 models)
  • Sony Xperia XZ1 Compact (G8441 model)
  • Sony Xperia XZ2 (H8216 model)
  • Sony Xperia XZ2 Compact (H8314 and H8324 models)
  • Xiaomi Mi A2
  • Xiaomi Mi A2 Lite
  • Xiaomi Mi 9
  • Xiaomi POCOPHONE F1

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The initial verification has some security provided by the Google root certificate. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification.

See https://attestation.app/tutorial for detailed usage instructions. This is included as the Help entry in the app menu. The app also provides basic guidance through the process.

Assets 2
Loading

10

12 May 18:52
@thestinger thestinger
10
This tag was signed with the committer’s verified signature.
thestinger Daniel Micay
GPG key ID: F9E712E59AF5F22A
Learn about vigilant mode.
f340d69
Compare
Choose a tag to compare
10

Changes from the previous release (version 9).

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version. Supported devices:

  • BlackBerry Key2 (BBF100-6 model)
  • BQ Aquaris X2 Pro
  • Google Pixel 2
  • Google Pixel 2 XL
  • Google Pixel 3
  • Google Pixel 3 XL
  • Huawei Honor 7A Pro (AUM-L29 model)
  • Huawei Honor 10 (COL-L29 model)
  • Huawei Honor View 10 (BKL-L04 and BKL-L09 models)
  • Huawei Mate 10 (ALP-L29 model)
  • Huawei Mate 20 Pro (LYA-L29 model)
  • Huawei P20 Pro (CLT-L29 model)
  • HTC EXODUS 1
  • HTC U12+
  • Nokia 6.1
  • Nokia 7 Plus
  • OnePlus 6 (A6003 model)
  • Samsung Galaxy Note 9 (SM-N960F and SM-N960U models)
  • Samsung Galaxy S9 (SM-G960F, SM-G960U, SM-G960U1 and SM-G960W models)
  • Samsung Galaxy S9+ (SM-G965F, SM-G965U, SM-G965U1 and SM-G965W models)
  • Sony Xperia XA2 (H3113, H3123 and H4113 models)
  • Sony Xperia XZ1 / XZ1 Compact (G8341 and G8342 models)
  • Sony Xperia XZ1 Compact (G8441 model)
  • Sony Xperia XZ2 (H8216 model)
  • Sony Xperia XZ2 Compact (H8314 and H8324 models)
  • Xiaomi Mi A2
  • Xiaomi Mi A2 Lite
  • Xiaomi POCOPHONE F1

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The initial verification has some security provided by the Google root certificate. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification.

Usage instructions:

The device being verified (Auditee) must be one of the supported devices. Android developer previews aren't supported since the hardware verified version is set to a placeholder value. The device performing verification (Auditor) just needs to be any Android 7.0+ compatible device with a camera.

  1. press Auditor on the device that will be verifying the Auditee
  2. press Auditee on the device that's going to be verified
  3. point the camera of the Auditee at the QR code on the Auditor to read the challenge
  4. tap the QR code on the Auditor to advance ahead (if you do this too early, you can press back)
  5. point the camera of the Auditor at the QR code on the Auditee to read the attestation
  6. view verification of the attestation results

An Auditor can verify any number of different Auditee devices. It shows a fingerprint and the first / last verification time in successful paired attestation results. An Auditee can be verified by any number of Auditors but there will be a different fingerprint for each unique pairing rather than the same fingerprint shown on each Auditor for the same Auditee.

To set up regularly scheduled remote verification via the remote attestation service:

  1. create an account on https://attestation.app/ from a separate device
  2. press the menu button in the app
  3. press the 'Enable remote verification' action in the menu
  4. scan the account QR code displayed on https://attestation.app/
  5. configure an alert email address to receive alerts if the device fails to provide valid attestations in time
  6. refresh https://attestation.app/ to view the initial attestation result
Assets 2
Loading

9

06 May 22:37
@thestinger thestinger
9
This tag was signed with the committer’s verified signature.
thestinger Daniel Micay
GPG key ID: F9E712E59AF5F22A
Learn about vigilant mode.
89f44b5
Compare
Choose a tag to compare
9

Changes from the previous release (version 8).

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version. Supported devices:

  • BlackBerry Key2 (BBF100-6 model)
  • BQ Aquaris X2 Pro
  • Google Pixel 2
  • Google Pixel 2 XL
  • Google Pixel 3
  • Google Pixel 3 XL
  • Huawei Honor 7A Pro (AUM-L29 model)
  • Huawei Honor 10 (COL-L29 model)
  • Huawei Honor View 10 (BKL-L04 and BKL-L09 models)
  • Huawei Mate 10 (ALP-L29 model)
  • Huawei Mate 20 Pro (LYA-L29 model)
  • Huawei P20 Pro (CLT-L29 model)
  • HTC EXODUS 1
  • HTC U12+
  • Nokia 6.1
  • Nokia 7 Plus
  • OnePlus 6 (A6003 model)
  • Samsung Galaxy Note 9 (SM-N960F and SM-N960U models)
  • Samsung Galaxy S9 (SM-G960F, SM-G960U and SM-G960W models)
  • Samsung Galaxy S9+ (SM-G965F, SM-G965U, SM-G965U1 and SM-G965W models)
  • Sony Xperia XA2 (H3113, H3123 and H4113 models)
  • Sony Xperia XZ1 / XZ1 Compact (G8341 and G8342 models)
  • Sony Xperia XZ1 Compact (G8441 model)
  • Sony Xperia XZ2 (H8216 model)
  • Sony Xperia XZ2 Compact (H8314 and H8324 models)
  • Xiaomi Mi A2
  • Xiaomi Mi A2 Lite
  • Xiaomi POCOPHONE F1

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The initial verification has some security provided by the Google root certificate. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification.

Usage instructions:

The device being verified (Auditee) must be one of the supported devices. Android developer previews aren't supported since the hardware verified version is set to a placeholder value. The device performing verification (Auditor) just needs to be any Android 7.0+ compatible device with a camera.

  1. press Auditor on the device that will be verifying the Auditee
  2. press Auditee on the device that's going to be verified
  3. point the camera of the Auditee at the QR code on the Auditor to read the challenge
  4. tap the QR code on the Auditor to advance ahead (if you do this too early, you can press back)
  5. point the camera of the Auditor at the QR code on the Auditee to read the attestation
  6. view verification of the attestation results

An Auditor can verify any number of different Auditee devices. It shows a fingerprint and the first / last verification time in successful paired attestation results. An Auditee can be verified by any number of Auditors but there will be a different fingerprint for each unique pairing rather than the same fingerprint shown on each Auditor for the same Auditee.

To set up regularly scheduled remote verification via the remote attestation service:

  1. create an account on https://attestation.app/ from a separate device
  2. press the menu button in the app
  3. press the 'Enable remote verification' action in the menu
  4. scan the account QR code displayed on https://attestation.app/
  5. configure an alert email address to receive alerts if the device fails to provide valid attestations in time
  6. refresh https://attestation.app/ to view the initial attestation result
Assets 2
Loading

8

23 Apr 11:37
@thestinger thestinger
8
This tag was signed with the committer’s verified signature.
thestinger Daniel Micay
GPG key ID: F9E712E59AF5F22A
Learn about vigilant mode.
53b1725
Compare
Choose a tag to compare
8

Changes from the previous release (version 7).

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version. Supported devices:

  • BlackBerry Key2 (BBF100-6 model)
  • BQ Aquaris X2 Pro
  • Google Pixel 2
  • Google Pixel 2 XL
  • Google Pixel 3
  • Google Pixel 3 XL
  • Huawei Honor 7A Pro (AUM-L29 model)
  • Huawei Honor 10 (COL-L29 model)
  • Huawei Honor View 10 (BKL-L04 and BKL-L09 models)
  • Huawei Mate 10 (ALP-L29 model)
  • Huawei Mate 20 Pro (LYA-L29 model)
  • Huawei P20 Pro (CLT-L29 model)
  • HTC EXODUS 1
  • HTC U12+
  • Nokia 6.1
  • Nokia 7 Plus
  • OnePlus 6 (A6003 model)
  • Samsung Galaxy Note 9 (SM-N960F and SM-N960U models)
  • Samsung Galaxy S9 (SM-G960F, SM-G960U and SM-G960W models)
  • Samsung Galaxy S9+ (SM-G965F, SM-G965U, SM-G965U1 and SM-G965W models)
  • Sony Xperia XA2 (H3113, H3123 and H4113 models)
  • Sony Xperia XZ1 / XZ1 Compact (G8341 and G8342 models)
  • Sony Xperia XZ1 Compact (G8441 model)
  • Sony Xperia XZ2 (H8216 model)
  • Sony Xperia XZ2 Compact (H8314 and H8324 models)
  • Xiaomi Mi A2
  • Xiaomi Mi A2 Lite
  • Xiaomi POCOPHONE F1

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) including the verified boot state, operating system variant and operating system version. The initial verification has some security provided by the Google root certificate. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification.

Usage instructions:

The device being verified (Auditee) must be one of the supported devices. Android developer previews aren't supported since the hardware verified version is set to a placeholder value. The device performing verification (Auditor) just needs to be any Android 7.0+ compatible device with a camera.

  1. press Auditor on the device that will be verifying the Auditee
  2. press Auditee on the device that's going to be verified
  3. point the camera of the Auditee at the QR code on the Auditor to read the challenge
  4. tap the QR code on the Auditor to advance ahead (if you do this too early, you can press back)
  5. point the camera of the Auditor at the QR code on the Auditee to read the attestation
  6. view verification of the attestation results

An Auditor can verify any number of different Auditee devices. It shows a fingerprint and the first / last verification time in successful paired attestation results. An Auditee can be verified by any number of Auditors but there will be a different fingerprint for each unique pairing rather than the same fingerprint shown on each Auditor for the same Auditee.

To set up regularly scheduled remote verification via the remote attestation service:

  1. create an account on https://attestation.app/ from a separate device
  2. press the menu button in the app
  3. press the 'Enable remote verification' action in the menu
  4. scan the account QR code displayed on https://attestation.app/
  5. configure an alert email address to receive alerts if the device fails to provide valid attestations in time
  6. refresh https://attestation.app/ to view the initial attestation result
Assets 2
Loading

7

16 Mar 17:06
@thestinger thestinger
7
This tag was signed with the committer’s verified signature.
thestinger Daniel Micay
GPG key ID: F9E712E59AF5F22A
Learn about vigilant mode.
567e095
Compare
Choose a tag to compare
7

Changes from the previous release (version 6).

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version. Supported devices:

  • BlackBerry Key2 (BBF100-6 model)
  • BQ Aquaris X2 Pro
  • Google Pixel 2
  • Google Pixel 2 XL
  • Google Pixel 3
  • Google Pixel 3 XL
  • Huawei Honor 7A Pro (AUM-L29 model)
  • Huawei Honor 10 (COL-L29 model)
  • Huawei Honor View 10 (BKL-L04 and BKL-L09 models)
  • Huawei Mate 10 (ALP-L29 model)
  • Huawei Mate 20 Pro (LYA-L29 model)
  • Huawei P20 Pro (CLT-L29 model)
  • HTC EXODUS 1
  • HTC U12+
  • Nokia 6.1
  • Nokia 7 Plus
  • OnePlus 6 (A6003 model)
  • Samsung Galaxy Note 9 (SM-N960F and SM-N960U models)
  • Samsung Galaxy S9 (SM-G960F, SM-G960U and SM-G960W models)
  • Samsung Galaxy S9+ (SM-G965F, SM-G965U, SM-G965U1 and SM-G965W models)
  • Sony Xperia XA2 (H3113, H3123 and H4113 models)
  • Sony Xperia XZ1 / XZ1 Compact (G8341 and G8342 models)
  • Sony Xperia XZ1 Compact (G8441 model)
  • Sony Xperia XZ2 (H8216 model)
  • Sony Xperia XZ2 Compact (H8314 model)
  • Xiaomi Mi A2
  • Xiaomi Mi A2 Lite
  • Xiaomi POCOPHONE F1

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) including the verified boot state, operating system variant and operating system version. The initial verification has some security provided by the Google root certificate. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification.

Usage instructions:

The device being verified (Auditee) must be one of the supported devices. Android developer previews aren't supported since the hardware verified version is set to a placeholder value. The device performing verification (Auditor) just needs to be any Android 7.0+ compatible device with a camera.

  1. press Auditor on the device that will be verifying the Auditee
  2. press Auditee on the device that's going to be verified
  3. point the camera of the Auditee at the QR code on the Auditor to read the challenge
  4. tap the QR code on the Auditor to advance ahead (if you do this too early, you can press back)
  5. point the camera of the Auditor at the QR code on the Auditee to read the attestation
  6. view verification of the attestation results

An Auditor can verify any number of different Auditee devices. It shows a fingerprint and the first / last verification time in successful paired attestation results. An Auditee can be verified by any number of Auditors but there will be a different fingerprint for each unique pairing rather than the same fingerprint shown on each Auditor for the same Auditee.

To set up regularly scheduled remote verification via the remote attestation service:

  1. create an account on https://attestation.app/ from a separate device
  2. press the menu button in the app
  3. press the 'Enable remote verification' action in the menu
  4. scan the account QR code displayed on https://attestation.app/
  5. configure an alert email address to receive alerts if the device fails to provide valid attestations in time
  6. refresh https://attestation.app/ to view the initial attestation result
Assets 2
Loading