reCAPTCHA Mobile Verification Is Bringing the Play Integrity API to Desktops(discuss.grapheneos.org)

36 pointsby Cider99865 hours ago7 comments

rambambram16 minutes ago
> linux desktop
That's the only part I'm interested in. I've read this article - or something similar - before and it doesn't surprise me that these big tech companies want more control. What I don't understand is how this affects linux desktop?
Is it going to be that online services or websites or webapps can choose to require attestation? Whether you use this OS or that OS? Or are linux developers forced to change their open source software?
rvz2 hours ago
I am going to assume that this also destroys millions of AI agents and bot scrapers this time which is why some “AI Engineers” were complaining about this recently.
Well, this is how Google will kill all the scrapers on its search data.
- jeroenhdan hour ago
  Not entirely, Google's own page says:
  > Fraud Defense leverages a sophisticated and adaptable risk analysis engine to shield against automated software. It is specifically designed to orchestrate trust for the agentic web, neutralizing malicious scrapers while welcoming legitimate AI agents.
  I'm sure it'll block a whole bunch of awful scrapers but if Google doesn't hate a bot, it'll be able to pass.
  - dns_snek41 minutes ago
    Sounds like an anti-competitive play to build an AI moat. They'll introduce a sham "verification program" and only allow bots operated by entities large enough to sue them for anti-competitive conduct.
- hsbauauvhabzb31 minutes ago
  Does mass scraping need google for content discovery? Surely most sites contain a site map or index that would effectively self enumerate once you know the domain, which is more often than not publicly disclosed?
CalRobert2 hours ago
Aside from the horrendous privacy implications, is there a possible argument that this is anti-competitive?
- jeroenhdan hour ago
  the only anticompetitive element I can think of is the way they pushed their scanning app to Android phones with Play Services. On IOS they're not in control but still able to launch an app (app snippets the feature is called, I think?) but on Android they themselves killed off Instant Apps because nobody used it. If one of Google's competitors like hCAPTCHA tries to do the same, they'll have more friction on Android than Google does.
  When it comes to GrapheneOS, it's the website owners that decided to block those devices by using this service. There are other services that don't block those phones they can use instead.
- realusername2 hours ago
  That's the whole goal of the concept. Safetynet (the predecessor of Play Integrity) was developed to block CyanogenMod and then later used to block Huawei.
  - jeroenhdan hour ago
    App developers need to put effort into enabling these APIs so it's not like Google is actively blocking your favorite apps. Their makers are.
    Like with reCAPTCHA, there are other services and libraries out there to detect root access and other things companies want to detect in their apps.
    realusername26 minutes ago
    Sure, Google was betting that bureaucratic companies would enroll voluntarily and it worked.
    > Like with reCAPTCHA, there are other services and libraries out there to detect root access and other things companies want to detect in their apps.
    My opinion on this is that any method to check integrity, root access or if developer mode is enabled is a security vulnerability by itself, no such app should be able to know that.
an hour ago
undefined
bekonan hour ago
So fuck blind people I guess?
- hsbauauvhabzb30 minutes ago
  That is a cost that our future authoritarian world leader has decided is more than acceptable.
M95D22 minutes ago
So, let me see if I understand it:
Apple+Google got punished by the EU for non-competitive practices and now they offered to ordinary websites their most desired features: bot blocking and unavoidable user tracking across all devices and operating systems.
And if EU wants to sue, they'll have to sue each and every website that requires this, and they would loose, because there are no alternatives and even if there were, they would be just as bad.
Great job Google+Apple! I'm proud of you. /s
charcircuit2 hours ago
If Windows wasn't so far behind Apple and the rest of the industry in regards to integrity APIs this wouldn't be necessary. It's embarrassing for Microsoft that someone needs to use a separate, more secure device since their security is so bad.
- chadgpt32 hours ago
  It's embarrassing for Hacker News that people here are commenting to support attestation systems that prevent you from owning the device you bought.
  - charcircuit2 hours ago
    Attestation isn't against being able to do whatever you want with your own device. It just means that if you want other people to trust your custom device you need to get them to trust your signing key.
    dns_snek35 minutes ago
    Pray tell, how might you get them to trust your signing key? Do you just email Mr. Pichai and ask nicely, is that enough?
    foltik36 minutes ago
    Not sure if you’re being deliberately obtuse, but a signing key means nothing by itself. What exactly do you think is being attested TO?
    Thats right: that the user can’t do what they want with their own device. Obviously your key wouldn’t be trusted if they could.
    There is no other conceivable purpose that attestation could serve.
    dns_snek33 minutes ago
    > Not sure if you’re being deliberately obtuse
    Yes, they are. If there's a thread on HN about user-hostile features, you can be pretty confident that they've written a comment defending it.
- jeroenhdan hour ago
  Windows Hello offers an attestation API according to the releases I found, though because Microsoft has called at least four products "hello" now, I can't easily find the details. I don't think there's a technical reason why Google couldn't have released an app with a URL handler that uses that API except maybe for the Windows TPMs being less secure than mobile ones in general.
- realusername2 hours ago
  Integrity doesn't guarantee any security to your device, just that the device is same as from the factory. That's a common misconception.
  - jeroenhdan hour ago
    "strong integrity" also takes into account if a security update has been installed recently enough. I don't believe hardware integrity spoofing has been accomplished on Android yet. Software integrity and compatibility with old hardware has been used to spoof device IDs and pretend a phone doesn't have the ability to do hardware attestation.
    It's technically possible to exploit a kernel and get root access on a running device, of course, but the persistent root that is used most often will be detected by hardware integrity mechanisms. Exploit based root might be as well if it makes itself detectable enough.
    realusername25 minutes ago
    > "strong integrity" also takes into account if a security update has been installed recently enough.
    My Galaxy S10, last update in 2023 passes strong integrity.