Posted by marbartolome 10/27/2025
Apart from the viruses, nothing of the above is true any more. Apple doesn't care if you're getting screwed over by an app, and neither does Google. If they can increase their profits by taking away our freedom and/or control over "our" devices, then it WILL happen, as sure as death and taxes.
Hardware cryptoprocessor. Keys are held in a tamper resistant secure element. You're not gonna get at those keys without pouring some serious resources into the task.
The keys are owned by the corporation and used to establish a root of trust from boot. If you change anything at all to suit your interests, verification fails, your machine is identified as "tampered with" and designated as untrusted.
We’ll probably get to the point where you need a verified id to buy a phone that does attestation. Tamper with it and go to jail. Who’s going to hack that?
A small, hardly exclusive list of things we have been unable to protect through technology:
- DVD/Blu Ray/HDMI copy protection
- Windows product registration
- Device jailbreaking (manufacturers are constantly running to keep ahead of this but old versions are frequently unlocked even with iOS)
- Classified diplomatic documents
- Classified details of warfighting equipment
- Identities of federal employees (and even covert agents)
- Nuclear secrets
Technical measures aren’t always the weak point—bribery works just as well. As the US tech stack continues to decouple from China, they will also have the motivation to break our systems.
iOS jailbreak enthusiasts say it wasn't practical since years.
Some state secrets leaked. Many did not.
And yeah, it's a politics problem, not an economic one. If corporations could simply push Trusted Computing without a corrupt police (and military) backing them, we would be there since the 90s already.
https://www.eff.org/deeplinks/2019/06/felony-contempt-busine...
I don't disagree, but is that really a game you want to be playing with your government and your bank?
The fact that you can make it pass in some cases using Magisk and so on is because it's spoofing an older device (launched before Android 8) without hardware-bound keys and Google is deliberately allowing that in order not to blacklist the genuine users.
However, once Google decides that the collateral damage is tolerable and those devices should no longer pass Play Integrity, then it's game over. You can't spoof any newer stuff, as you can't produce the desired signature -- only the hardware can do it and the hardware won't do it.
The only way would be if the manufacturer screwed up and it's possible to run unsigned code (or signed by a different key) and maintain a pristine bootloader, or if the hardware key leaks somehow. In either case, the key is per device so Google is always free to blacklist that device if it really wants to. (Verification of the signatures is always done off-device, through Google's servers.)
So then the problem gets moved up to why are you (or group of you) not powerful enough to negotiate being able to run what you want and either not need “them” or be important enough that “they” need you.
And the answer will come down to the fact that 90% of people don’t care about running whatever they want on their machine, and they want the cheapest, quickest, easiest solution.
How tiresome.
You're right, we gotta become more powerful. Via radicalization. They seek to marginalize us. To turn us into second class citizens. To destroy free computing as we know it, destroy everything the word hacker ever stood for. If you're on this site and this doesn't radicalize you, then I don't know what to say to you.
Gotta start lobbying governments to make it a literal crime for them to discriminate against us in this manner. Just like racism.
My brother in <deity of your choice>, you are not on a Hacker site. This site exists as the community arm of one of the most capitalistic venture capital ecosystems on the planet.
When are you all going to stop expecting HN to be what it’s not?
Off topic but how does this work for non-believers?
"My brother out of" ?
The best argument “for” building codes is the same as “for” secure platforms; that people should be able to expect a certain level of competence when buying a structure or phone.
But if you want to do it yourself, there should be a path.
I have mixed feelings about unenforced regulations. Having unenforced regulations opens up the possibility of targeted abuse of any individuals that are not a cultural fit in the eyes of the government offices and being very relaxed regarding anyone that fits in. This also drives the need for very detailed and expensive inspections prior to purchasing a home and that is a loaded topic all by itself.
Linux.
Linux as an answer doesn't address the needs of 99% of people, so 98% will never adopt it. It's better to meet people where they're at and push for sideloading and alternative app stores.
A much bigger problem for running Linux on phones is that standard Linux runs like crap on phones. It doesn't have the mainline driver support amd64 computers have, and the battery life optimizations that make Android usable need to be reimplemented on top of Linux to get a day's worth of use out of your phone. Unfortunately, most Linux applications are written for desktops where they expect the CPU to be running all the time, the WiFi to be accessible whenever they want, and for sleep/suspend to be extremely incidental rather than every two minutes.
Some folks don't like digital identity controlled by government, but it seems like the alternative is digital identity controlled by oligopoly.
Banking on GrapheneOS
This in combination with using webapps where possible
Is that a problem these days? It was over a decade ago that I last needed to jailbreak a phone, nowadays it’s just "I’d like to unlock" "Ok".
Source: 7 years of running deGoogled Android phones and 11 years of running ROM’d Android phones before recently moving to iOS and giving up.
So not as great as I thought, but also not as bad as you made it seem ;)
[0]: https://github.com/zenfyrdev/bootloader-unlock-wall-of-shame...
Pretty sure I read Google was no longer going to publish device tree sources for Pixel phones, which will make ROM development for them significantly harder, whether or not the bootloader is open.
Protecting 1 million grannies is an entirely different risk class than the security implications of stopping everyone from using their devices as they see fit.
Protecting 1 million grannies means everyone loses ability to install apps that:
-allow encrypted chat
-allow use of privacy respecting software
-download art/games/entertainment that is deemed inappropriate to unelected parties
-use software to organize protests and track agents of hostile governments
-download software that opposes monopolistic holds of controlling parties
Thus the risk widens to the sovereign control a nation has over its own services. A US president could attempt to force Google and Apple to shutoff citizen access of banks and health services of an entire nation. Merely the threat could give them leverage in any sort of negotiations they might be in. For some nations in the future, the controlling nation may be China I imagine.
I think the real regulatory solution here is to break up monopoly practices. While the EU's DMA is all well and good in some ways, the EU is also pushing Chat Control... In a more fragmented market it becomes impossible for a bank or health service to mandate specific devices for access (they lose potential customers) so you could theoretically move to a device that doesn't do draconian style remote attestation that breaks if you go off the ranch. We need more surgically precise regulatory tools than sweeping legislation that would keep using alternatives like Linux or FreeBSD or whatever actually viable. It also makes it much harder for that same legislative body to enforce insane ideas like Chat Control.
The answer is not protect users from themselves. The answer is more freedom, with a legal framework that helps all users have more choices while helping victims acquire restitution.
This. We can’t anymore say to ourselves “but surely a US president would never do that”?
Reference: recent tirades at Canada, Spain, Colombia, Ukraine, ...
Without limitations on authority and control, I worry more that the world will devolve into a multilateral legal hellscape, even moreso than exists today. Given how much is dependent on software, you are going to have the governments of pretty much any country with multinational exposure trying this in the next 10 years if recent UK and EU developments are any indicator.
I knew of banks, but how is it that health services need remote attested mobile devices? Do clinics not support setting appointments through calls anymore, or what?
I believe if we look at the past compared to now, and then extrapolate towards the future, without proper action, we will keep slipping down the slope.
As someone in the USA, I could toss my phone in the dumpster forever and still live my life pretty much as I live it today. I might have to make a few minor sacrifices, but I'm grateful we still have that choice here.
Unfortunately, I think that depends on whether the portion of citizens without a phone is significant. People need to care for businesses/government to care.
See also countries where they struggle to use cash. What happens when a customer does not have a bank account?
For government services, both will work. But you must use some of them, otherwise no government for you. You can still do some things by paper, but those are getting rarer and rarer nowadays. The general assumption is that everything is done online. Some government services can't be done by paper or physical visit, not without involving this authentication at some point.
For most of everything else, only BankID (the oldest of the two and the most deployed by far). Especially for banking, only this works. Even if you call the bank and try to sort out via phone, they will refuse service until you can prove that you are you by authenticating via BankID.
But Sweden is mostly cashless nowadays (even some bank branches are refusing to deal with cash). For example, you can't take a bus or train and pay with cash. You have to use a vending machine that only exists on train stations, or depending on which kind of transport and the region you live you might be able to do a contactless payment, or you must use the app (the default choice that 99% use). If you use the app, to pay you need to use a "card not present" flow, or Swish (Sweden's mobile payment system), and to complete either you must use BankID. You can't use your card or do any payment without BankID (if the card is not present).
Even if you do use your card, if it gets denied for any reason, for you to sort out the issue you'll need the mobile phone and BankID.
If you go out with friends to a restaurant, most restaurants don't accept cash. If the restaurant doesn't accept charging each one individually then someone needs to pay for the group, and they will expect you to pay them via Swish which requires BankID. People won't take cash either.
As you can see, it's not actually trivial here to live as part of society without a working mobile phone. If you're outside, you better have 100% faith on your card, and/or be prepared that you might need to walk back home as you can't do much now, might not even be able to buy transportation.
Some smaller shops/kiosks only take Swish: no cash, no card. That requires a phone plus BankID.
If (or better said: when) BankID starts requiring the device to pass Play Integrity, then not only you must be carrying the device at all times, but it must be a blessed device from Google or Apple.
In Denmark the situation is very similar, and in their case their app (which is called MitID) already mandates that the device has to pass Play Integrity.
I meant: it is convenient. No doubt. I do use all this because it is convenient. When it works, it is great. The dumb part is to not have a backup plan.
All these things were done for a single reason: cost cutting. They cost less, and the "old-fashioned" flow that could work as a backup no longer makes financial sense so it is retired.
But then again, here we are. Here and now, without a phone, without agreeing with a relationship with a foreign entity and their one-sided T&C, you won't even be able to get service from your own government. And you need to maintain your good standing with that foreign company in perpetuity, because if they ban you as a person then good luck — your are going to be cut off from your own government, your own bank.
There exists no path where a publicly traded company doesn't eventually view its customers as subjects. Every business school on the planet is teaching their students strategies and tactics that squeeze their customers in pursuit of maximizing revenue. And those strategies and tactics are often at the expense of creativity, ethics, and community. Just last week people's bed didn't work because the company that makes them architected things such that they have absolute control.
Only a reasonably altruistic private company might buck the trend. But the publicly traded companies are allowed, by the government(s), to use their largesse in a predatory fashion to prevent competition. They bundle and bleed and leverage every step of the way. They not only contribute to the politicians that do their bidding, they are frequently asked to write the laws and regulations they're expected to follow. Magically, it has the effect of increasing the costs of their competition to enter the markets they dominate. And so, the odds of an altruistic private company emerging from that muck is low.
Worse still, many of the elected officials (and bureaucrats) actively own stock in the very companies they are responsible for regulating. Widespread corruption and perversion of the market is the inevitable result.
I'm trying to do a better job and redirect my money to the places that better reflect my values. It's not even a drop in the bucket, but it's a lever where I feel like I have a measure of control.
The companies that make stuff could easily be beaten in the market by a non-profit competitor. With no worries about stock market prices and dividends, a non-profit could direct all it's money into making better products.
But the problems are that 1) nobody wants to work for a non-profit and 2) greed redirects the money away from better products into the founder's (or top management's) pockets. Firefox is an example.
Curious, but what bed/company do you speak of?
Probably won't help, but it is something.