Loss of popular 2FA tool puts security-minded GrapheneOS in a paradox

Losing access to Authy leads to another reckoning with Google's security model.


  • Jul 30 2024

"If it's not an official OS, we have to assume it's bad."

That's how Shawn Wilden, the tech lead for hardware-backed security in Android, described the current reality of custom Android-based operating systems in response to a real security conundrum. GrapheneOS users discovered recently that Authy, a popular (and generally well-regarded) two-factor authentication manager, will not work on their phones—phones running an OS intended to be more secure and hardened than any standard Android phone.

"We don't want to punish users of alternative OSes, but there's really no other option at the moment," Wilden added before his blunt conclusion. "Play Integrity has absolutely no way to guess whether a given custom OS completely subverts the Android security model."

Play Integrity, formerly SafetyNet Attestation, essentially allows apps to verify whether an Android device has provided permissions beyond Google's intended models or has been rooted. Root access is not appealing to the makers of some apps involving banking, payments, competitive games, and copyrighted media.

There are many reasons beyond cheating and skulduggery that someone might root or modify their Android device. But to prove itself secure, an Android device must contact Google's servers through an API in Google Play Services and then have its bootloader, ROM signature, and kernel verified. GrapheneOS, like most custom Android ROMs, does not contain a Google Play Services package by default but will let users install a sandboxed version of Play Services if they wish.

Wilden offered some hope for a future in which ROMs could vouch for their non-criminal nature to Google, noting "some discussions with makers of high-quality ROMs" about passing the Compatibility Test Suite, then "establishing some kind of relationship we can use to trust them." But it's "a lot of work on both sides, including by lawyers," Wilden notes. And while his team is happy to help, higher-level support is tough because "modders are such a tiny, tiny fraction of the user base."

The official GrapheneOS X account was less hopeful. It noted that another custom ROM, LineageOS, disabled verified boot at installation, and "rolls back security in a lot of other ways," contributing to "a misconception that every alternate OS rolls back security and isn't production quality." A typical LineageOS installation, like most custom ROMs, does disable verified boot; it can be re-enabled, but doing so is risky and complicated. GrapheneOS has a page on its site regarding its stance on, and criticisms of, Google's attestation model for Android.

Ars has reached out to Google, GrapheneOS, and Authy (via owner Twilio) for comment. At the moment, it doesn't seem like there's a clear path forward for any party unless one of them is willing to majorly rework what they consider proper security.
