Losing access to Authy leads to another reckoning with Google’s security model.

  • UnpopularCrow@lemmy.world
    5 months ago

    “We don’t want to punish users of alternative OSes, but there’s really no other option at the moment,” Wilden added before his blunt conclusion. “Play Integrity has absolutely no way to guess whether a given custom OS completely subverts the Android security model.”

    Then don’t. Allow the user to choose what to do with their device and shut the fuck up and get out of the way. You are punishing users for using alternative OSes. That is exactly what you are doing.

    • BearOfaTime@lemm.ee
      5 months ago

      Lol, what a fucking joke of a toolbag.

      Play IS insecure, full of malware, and is itself malicious.

      Fuck that douchebag with a pineapple.

    • Carighan Maconar@lemmy.world
      5 months ago

      They do, kinda. But they also choose to not let their software interact with it, then.

      Which puts us in this weird position countries like the US AFAIK have no laws for, the EU is just starting to employ gatekeeping-laws for technology forms in a big way. Play Services is Google’s piece of software, legally they have every right to refuse to let it run on hardware whatever. It’s their software after all. But, they have such a market-controlling situation that it’d be unfair of them to specifically exclude company X, Y or Z.

  • Admiral Patrick@dubvee.org
    5 months ago

    Wilden offered some hope for a future in which ROMs could vouch for their non-criminal nature to Google

    Oh, that rubs me the wrong way! It’s my godd***ed device, I paid for it with my money, and I’ll run whatever I damn well want on it (which is never vanilla Android because I refuse to allow my devices to be ad platforms).

    I shouldn’t have to prove anything to anyone let alone have it treated as a “criminal OS” by default.

    Google needs to be broken up and both Chrome and Android divested to 3rd party, non-profit companies (as well as being demoted to a minority on both steering committees).

    • MaXimus421@lemmy.world
      5 months ago

      No, it’s absolutely NOT your gd device. No more than a DVD, an Xbox or similar device. You paid for the “right” to use Their hardware/software and agreed to use it under THEIR conditions.

      What in the name of fuck makes y’all think these electronics are your actual property to do as you wish with??

      Yes, I’m serious. As shitty as what I just said sounds. You don’t technically own shit to any degree. You’re essentially renting the right to use it on their terms.

      • Carighan Maconar@lemmy.world
        5 months ago

        Or more specifically, legally you do own the hardware. You bought it.

        But you do not have free permission to run whatever you want on it and have the original software vendor agree to make their stuff work with what you do.

        This is similar to how once you opened your lawnmower and tinkered with it, the original manufacturer no longer has to provide mechanical and engineering warranty for the parts you worked with. You modified it, they cannot and will not guarantee shit still works.

        However, of course, in this context Google is so big that they might still be legally obliged in places such as the EU to allow free access as they act as a gatekeeper for a whole piece of technology. Similar to how Meta has to provide a sort-of open access to WhatsApp APIs.

  • ililiililiililiilili@lemm.ee
    5 months ago

    This is a non-issue. Why not use Aegis and back up your own credentials? I wouldn’t trust Authy (or any 2FA app that includes cloud backup).

    • 𝕸𝖔𝖘𝖘@infosec.pub
      5 months ago

      Aegis all the way. Looked at Authy and hardpassed after reading the permissions it requires. Your job is to calculate the OTP. You don’t need wifi access if you’re an offline OTP calculator.

        • 𝕸𝖔𝖘𝖘@infosec.pub
          5 months ago

          It can, but it doesn’t have to (or at least it didn’t use to). But if you ever choose to leave, you can’t export anything (or, at least you couldn’t). My statement is using old information, at least a year old, since that’s about when I hardpassed on them.

          Edit: correct autocorrect

  • shortwavesurfer@lemmy.zip
    5 months ago

    There are tons of other two-factor authentication apps that can be used that are totally open source and available on the F-Droid application store. The first 2 that come to mind are KeePassDX and FreeOTP.

  • limerod@reddthat.com
    5 months ago

    Authy is the last thing a security-minded person should ever have been using. Counting the not-so-recent security breach and all.

  • AmbiguousProps
    5 months ago

    The author is implying that Authy is the only option for some reason. It’s not, this is a non-issue.

    • The Cuuuuube@beehaw.org
      5 months ago

      Conspiracy theory: got paid to write a smear piece about a piece of technology the spies of capitalism don’t like.

  • The Cuuuuube@beehaw.org
    5 months ago

    Um… What fucking paradox? Authy is a known security vulnerability. If you’re installing GrapheneOS before switching away from Authy, you’re putting the condom on after getting fucked.

  • smeg@feddit.uk
    5 months ago

    “We don’t want to punish users of alternative OSes, but there’s really no other option at the moment,” Wilden added before his blunt conclusion. “Play Integrity has absolutely no way to guess whether a given custom OS completely subverts the Android security model.”

    Bollocks. GrapheneOS even provides instructions on how to use Android’s hardware attestation API which is supported by every Android device on version 8 or newer.