Google is banned in China so 1/6 of the world population can bypass it automatically. You need state power to deal with oppressive corpos.
This might be a hot take but the best way to avoid or “bypass” onerous things like the “integrity API” is to opt out of the proprietary world as much as possible. Use exclusively free (Libre) software and technology where you can.
We should not be thinking in terms of how do we get proprietary crapware onto our free systems, because that defeats the purpose of a free system. The idea is to build an alternative to the proprietary world.
GrapheneOS is already working on it:
We’re going to add a secure way of working around this without breaking the app source security model. We’ll be adding support for having the OS automatically verify the Play Store signing metadata and then inform Play services those apps were installed from the Play Store.
That’s already released and only deals with recent changes. It doesn’t fix apps using strong integrity challenges
Do you think we can find a way to bypass these,
Yes. Direct physical access always wins. A device in my hands is my device.
or is the future of the digital world just authoritarian and dystopian?
Yes. Many people aren’t going to explore the solutions, or be willing to give up the convenience that comes with not changing what they’re doing.
A device in my hands is my device.
Could you then please help root the Meta Quest 3? So far I believe nobody managed.
We’re a decade too early for open source vr.
That’s not a VR headset. You bought an expensive Facebook paperweight.
Edit for TL;DR as this became lengthy: agreed, do NOT buy “an expensive Facebook paperweight” but also, open source VR exists today! Depending on your definition and needs, there is a lot that can be done and you can help.
Rooting isn’t open source…
Anyway Valve Index runs perfectly on Linux, that’s how I finished Half-life: Alyx. I also do already have a rooted Lynx XR1 and a Project NorthStar which is open hardware (even though not OSHW iirc).
There are also:
- open source runtimes for OpenXR like Monado,
- runtime managers or switches e.g. xr-chooser or openxr-explorer
- window managers (ish) like xrdesktop or Stardust XR
- browsers like Wolvic (with Gecko and now Chromium backend) with cross-platform support with WebXR
- streaming from desktop to standalone HMDs e.g. WiVRn or ALVR
- some distributions have dedicated documentation e.g. NixOS for desktop and postmarketOS for mobile
- plenty of tools that run on standalone HMDs as most are “just” Android devices, e.g. Termux letting you install NodeJS then run your own on device Web server to code on device, standalone, offline, alternative launchers e.g. LightningLauncher, removing some telemetry and plenty more I’m not even aware of.
IMHO one of the best resources covering that and more is https://lvra.gitlab.io/
So… I’m a bit confused, maybe I misunderstood, what did you mean by being “a decade too early”? Which functionality specifically is missing today?
I sadly believe we’re fucked
We were fucked when the internet got consolidated into, what, five companies.
And them being in the USA as well
We were fucked a long time ago it’s just the effects showing now. But I hope the rebels at Graphene OS and other custom ROMs will find a way.
Sadly I moved away from Graphene because of all the restrictions :(
IMO the only reason tech world can be authoritarian is people’s negligence. Otherwise even if all major brands produce unhackable locked down hardware, people could boycott those and buy the one obscure open device (like pine64) and market force will force big names to revert.
Corporations do not have power by themselves. People refusing to think and understand gives them power. Same applies to mainstream politics.
They have money which means they advertise which influences people’s decisions. As much as some people might deny it ads work.
So unless I can convince my mom to install Firefox we’re fucked.
…we’re fucked.
Unless you can convince them to get out of the ‘surveillance for free stuff’ market then they’re fucked, not everyone.
You can choose to use free and open source software and spend time learning and putting together a system that benefits you. Or you can just sign up for Google, let them do all of the work in exchange for spying on you with every device that you buy and put in your house.
I’m fucked either way. Big corporations control so much of the internet devices the chances are my stuff is going to them anyway.
yes. also your friends, not only mom.
(/s aside, most people of younger generations don’t care as well, not only elderly less tech literate folks)
We are soooo fucked.
If you can root your phone and use an xposed module, maybe. Or the EU forces them. Otherwise, there’s not much option.
Well the idea of having attestation isn’t the problem. The problem is that apps requiring attestation (banks, insurance providers, ID-systems) use the most convenient solution: slapping on Google’s prebuilt attestation. Graphene, for example, provides alternative attestation for their OS and offers docs for anyone to implement a more fitting set of checks.
There are two approaches here: If you’re upset that your hacked-to-bits, rooted, unlocked and/or unencrypted device is failing checks: I’d say, tough luck. Until we can create provably untampered app-containers, that level of access genuinely breaks TOS on apps and regulations on handling personal data. Breaking those checks is then breaking those compliances in an unsafe way.
If you believe your setup is actually secure and compliant, just not in a way the almighty Google intended: Try and get an attestation module for your setup. Fight for these apps to accept non-Google attestation and fight for devices that don’t artificially limit what can pass as secure.
What kind of bullshit is this? Breaks what regulations? You know everyone allows things to happen on a computer, which, guess what, you have root access to and is “unsecure”. This bullshit gets said so many times but it is not true.
If you’re upset that your hacked-to-bits, rooted, unlocked and/or unencrypted device is failing checks: I’d say, tough luck. Until we can create provably untampered app-containers, that level of access genuinely breaks TOS on apps and regulations on handling personal data.
Hard disagree. If you own the device, you should be in full control of what’s going on. Sure, attestation can give some extra security, but that decision should be up to the user. Everything else is just excuses for user hostile DRM: platforms leveraging technology to secure their own profit margin against the interests of the user.
Yyyyyyupp
“Oh no, this device is rooted! :(” Yes because I know what I am doing, now show me my account balance you stupid piece of shit banking app.
Banking app: “Oh no, your device does not conform to Google’s latest whim, terribly insecure, can’t let you make a SEPA.”
Banking website: “Opera on an outdated, pirated copy of Windows? Looks a-ok to me!”
I don’t disagree with owning your hardware. I’m saying that a regulatory body can pose rules on where critical software can run. Part of this is data exposure: A banking app running in a tampered environment makes some malwares possible, which is the side you want an “I know what I’m doing”-button for. But it also creates risk for the bank. In letting you look into network-traffic and memory-dumps, you may discover ways to manipulate an unrooted instance or the backend server. This is security through obscurity and I’d much rather have everything open-source, but it’s what we’re dealing with.
On the other hand, the bank promises to cover damages, whenever they do mess up. You could give them an easy excuse by taking on that responsibility. But regulations don’t allow that, much like they don’t allow you to do your own high-voltage, high-current electricity. And frown upon you breaking load-bearing walls in a housing complex to have a more open kitchen. There is a line where “let me do what I want” becomes anarchy.
Now bringing DRM into this, misses the point. There is telemetry in these apps. But there is no piracy or copyright infringement to be had. The bank doesn’t fear you giving yourself a million dollars by changing your balance in memory. It’s all about responsibility in case something goes south. They would love to shift it all onto you, but they’re not allowed to do that. Attestation was never about protecting you, it’s about protecting them from being blamed.
There is a bunch of parties making guarantees and complying with rulesets. Domino-ing all of them would make you extremely vulnerable. Which is why I opted for “tamper-proof containers running in an unproven host”, rather than signing an unlimited waiver.
Bullshit, show me the regulations about a banking app needing attestation on a phone. Most of them are just wrapped websites anyway. So why do they run on PCs if regulations demand data security? This is so much bullshit.
It’s a rat race. You can only win by not playing.
But if you don’t play, you pay with convenience and your time. You lose the freedom of installing a lot of apps. You lose a lot :( - to the point where it would make most people give up
If you keep feeding the monster, you know what will happen.
The problem is I want to, you know, have a life with people. Don’t want to be isolated all to myself.
I become the monster 👀
No, not this?
Imagine I said that I would come into your house and install a new TV and entertainment system, re-build your bathroom, fix your maintenance issues, clean your floors, wash your dishes, etc. That’d save you a lot of time.
Now, I’ll even do it for free! But, you have to let me install a door that only I have a key to so you can’t stop me from entering your house and also to install cameras and microphones covering every square foot of your house and you consent to being recorded.
That’s the deal people are making with their digital lives.
Yeah, it was inconvenient to have to learn how to setup the software so I could have ‘cloud storage’ using my home server. It’s annoying that I have to deal with IP Cameras and ZoneMinder. But, because I do the work myself, I don’t have to let Google/Meta/FBI/Amazon have access to listening devices in my home (Oh, sorry Alexa, I didn’t know you were listening), footage from my security system or the contents of my personal files.
Oh I agree and self host stuff as well. But I tried switching to GrapheneOS and I really can’t.
If graphene would implement find my and tracker notification, I’d be good.
Mobile payments, better UI, all apps working without Google play services… those are the needed things, but they won’t happen anytime soon
As of now, I find very few apps beneficial, convenient or time savers - maybe I’m a weirdo luddite. Most apps seem to be for pastimes anyway so saving time seems odd - I prefer to take time to savour my pastimes. I think mp3 player app, and organic maps are the real ones that I actually find useful.
But refusing GPS/microG and therefore Microsoft Authenticator will become a problem for me quite soon I think. For now a phonecall still works, but I think it’s only a matter of time. Once that goes I might have to quit my job, and will struggle to find one in my field that doesn’t require it, so I guess I’ll have to look for less skilled work or retrain, and I’m far too old for that shit. That’s where it’ll get constraining, when the tentacles of bundling enwrap and bind many other aspects of real society.
I really hope the EU keeps on at MS for bundling and other market power abuse, it seems so obvious that they’ve effectively ignored the fines from the old Internet Exploder case, and ramped up their misbehaviour regardless.
Of course the twats where I live are easily radicalised against EU regulations (or any regulations really), so I’m probably still fucked. But at least someone needs to stand up for consumer rights and competition and keep kicking MS in the balls every time they pull their dick out to fuck consumers. Ideally kick them harder and harder too, ‘punitive damages’ are more than justified due to them being a repeat offender.
Why Microsoft and not Google?
Idk what’s Microsoft Authenticator. Can’t use another 2FA app?
MS is who they choose - I think it’s all bundled in with windows and azure and dynamics and office and that stuff. I think MS is trying to use their B2B OS deals to get some market share from AWS, so they’re probably offering cheap deals for now.
MS doesn’t allow 3rd party 2FA. They created a proprietary algorithm so no other apps can do it.
For push-notification login, there is really no other choice beside the proprietary one.
But they do also provide universal TOTP for 2FA login, it does work with other apps too. (unless your org had set special 2FA rules) The alternative option is not so obvious on initial onboarding IIRC, though.
I switched to a feature phone that has nothing to do with Android for calling (Mocor RTOS) because I’m tired of fighting Android for the moment. I keep an unrooted smartphone at home for online banking. Kinda extreme but that’s one way.
Can relate. I have a phone with stock Android and a removable battery for anything won’t or I’d rather not have on my primary GrapheneOS phone. I only ever plug in the battery as needed and when I’m settled at the safety of my desk.
So if you’re at your desk why would you need a phone, just use a laptop or desktop?
I personally don’t know how a non-smartphone is better in terms of privacy. Can you explain?
AFAIK, they have the same level of spying, just more restrictions and less features.
Common vulnerabilities: Tracking by carrier, including cell tower triangulation, SMS, and call logs.
Non-smartphone specific vulnerabilities: Lack of security updates. However, the data to be exfiltrated from a non-smartphone is limited. If it’s only call logs and text messages, everything’s already compromised by virtue of the carrier. So the level of concern will vary with your threat model.
Smartphone-specific vulnerabilities: Tracking by apps, manufacturer, OS vendor, or just about anything that can take advantage of the smartphone’s computing power. More data to be exfiltrated if it falls to a security vulnerability.
Smartphone-specific advantages: Can be run Wi-Fi only to avoid tracking by carrier.
Big tech can’t win because you can’t force the internet to do something.
They already are? Big tech controls the internet at this point.
Depends on what your definition of winning is. If we reach a state where it is literally impossible to run your own software without heavy hardware modification, which would exclude 99.9% of users, that would be like big tech winning in my book. That’s why right to repair is important, and we probably also need laws to prevent OEMs from disallowing the use of alternate OS.
They don’t need to make us do anything. They just need to make it too inconvenient not to.
The Net interprets censorship as damage and routes around it.
Gilmore’s quote was true then, it is not the current state of play.
If you need to use banking/government/transit apps, you need to play by the rules now
Apps are not the internet.
I must be missing something here. Can we not just use the web version of the bank interface instead of an app? It still works for my banking, and I don’t even have the app. I just have to put my browser into desktop mode.
Yep but somehow apps have become the standard I guess.
You can hide root/fake play integrity.
They can make it so much harder to do that, to the point where almost everyone just gives up.
I think we are already at this point.
It’s not necessarily harder, but it’s so annoying to do and find comprehensive information on the process.