You're using it wrong. SafetyNet is able to assert that the build the device asserts is what it claims. After you know that, it's up to you to decide whether you trust communications from that build or not. If it's a known-insecure build, you can say that you don't. SafetyNet cannot assert that a third party ROM is what it claims to be, so you have to decide whether you trust communications from that device or not based on not knowing at all what build is on the device.
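The split this comment describes, attestation first and then a service-side trust decision about the build, as an added illustration (not code from the thread or from Google). It assumes the SafetyNet JWS signature and certificate chain have already been verified and starts from the decoded payload, using the documented SafetyNet attestation field names; the freshness window, the policy table and the sample payloads are constructed for this example.

```python
"""Server-side handling of a SafetyNet attestation verdict.

Added example, not from the thread. Assumes the JWS signature and Google
certificate chain were verified earlier; this code starts from the decoded
payload. Field names follow the SafetyNet attestation payload format.
MAX_AGE_MS, the Policy table and the sample payloads are constructed.
"""
import secrets
import time
from dataclasses import dataclass

# Payload fields this verifier relies on.
REQUIRED_FIELDS = ("nonce", "timestampMs", "apkPackageName",
                   "apkCertificateDigestSha256", "ctsProfileMatch",
                   "basicIntegrity")

MAX_AGE_MS = 5 * 60 * 1000  # freshness window; an assumption for this example


@dataclass(frozen=True)
class Policy:
    """What *this service* is willing to trust. Separate from attestation."""
    package_name: str
    cert_digests: frozenset       # base64 SHA-256 digests of our signing cert(s)
    require_cts_profile: bool     # True: only CTS-matching (certified) builds


def verify_attestation(payload, expected_nonce, now_ms):
    """Step 1: is this a genuine, fresh attestation bound to this request?
    Returns "" when valid, otherwise a short reason."""
    missing = [f for f in REQUIRED_FIELDS if f not in payload]
    if missing:
        return "missing fields: " + ",".join(missing)
    # Constant-time compare so the check leaks nothing about the expected nonce.
    if not secrets.compare_digest(str(payload["nonce"]), expected_nonce):
        return "nonce mismatch"
    age = now_ms - int(payload["timestampMs"])
    if age < 0 or age > MAX_AGE_MS:
        return "stale or future-dated attestation"
    return ""


def decide(payload, policy):
    """Step 2: given a valid attestation, does this service trust the build?
    SafetyNet only reports; accepting or rejecting is the service's choice."""
    if payload["apkPackageName"] != policy.package_name:
        return False, "attestation is for a different package"
    if not set(payload["apkCertificateDigestSha256"]) & policy.cert_digests:
        return False, "APK not signed with a certificate we recognise"
    if not payload["basicIntegrity"]:
        return False, "device failed basic integrity"
    if policy.require_cts_profile and not payload["ctsProfileMatch"]:
        return False, "build is not a CTS-matching (certified) build"
    return True, "ok"


def evaluate(payload, expected_nonce, policy, now_ms=None):
    """Run both steps; returns (accepted, reason)."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    err = verify_attestation(payload, expected_nonce, now_ms)
    if err:
        return False, err
    return decide(payload, policy)


# --- constructed sample data (not real attestations or digests) ---
NOW = 1_700_000_000_000
NONCE = "c2FtcGxlLW5vbmNl"            # base64 of "sample-nonce"
CERT = "ZmFrZS1jZXJ0LWRpZ2VzdA=="     # placeholder digest
POLICY_STRICT = Policy("com.example.bank", frozenset({CERT}), True)
POLICY_LENIENT = Policy("com.example.bank", frozenset({CERT}), False)

CERTIFIED = {"nonce": NONCE, "timestampMs": NOW - 1000,
             "apkPackageName": "com.example.bank",
             "apkCertificateDigestSha256": [CERT],
             "ctsProfileMatch": True, "basicIntegrity": True}
# A third-party ROM can pass basicIntegrity while failing ctsProfileMatch.
CUSTOM_ROM = dict(CERTIFIED, ctsProfileMatch=False)

if __name__ == "__main__":
    for name, p in (("certified", CERTIFIED), ("custom ROM", CUSTOM_ROM)):
        print(name, "strict:", evaluate(p, NONCE, POLICY_STRICT, NOW),
              "lenient:", evaluate(p, NONCE, POLICY_LENIENT, NOW))
```

The point of keeping `verify_attestation` and `decide` apart is the one the comment makes: the first function only establishes that the verdict is genuine and for this request; whether a non-CTS build is acceptable lives entirely in `Policy`, which a service can relax (for example, accept `basicIntegrity` alone) without touching the verification step.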
Potentially, a manufacturer could make a multibuild phone where the user could switch between an attested build and a non-attested build and have access to services whose security requires attestation with just a reboot. Otherwise, you would use different devices for different purposes, as I do today. It's unfortunate, but if you really need something that isn't supported by the existing Android APIs, that's the only way.
Think about "don't use a smartphone" in 2013. That was viable back then.
It isn't anymore. What you can do is live smartphone-lite, using it only as a secondary device (as grandparent suggested). The same will be true in a couple of years (if the big G is successful). Until then, yeah, don't use it, and actively campaign against it.
If this happens the way google wants, I'll have to have a separate physical box set up specifically to access google's shiternet for things like banking and shopping. I'd be glad to stick to websites that have no need or interest for WEI otherwise.
The internet was already going increasingly downhill anyway.
I don't use personal devices on corporate networks. If they want a phone with remote attestation, they can pay for it to sit in a drawer.
Though, at this point I am the founder of my own company. Any software we use will not require attestation. I would be willing to switch vendors over that.
As for web attestation: the software I use regularly needs to run on OpenBSD. It's that simple.
> so you have to decide whether you trust communications from that device
"You" in this scenario being, most likely, an engineer at a large, regulated, risk-averse corporation that might have to justify this choice during an audit.
Most (all?) corporate endpoint security systems use it right in my experience. Even when using it right, you would have to block third party builds and cause outcry. You would additionally block some builds that SafetyNet (or Play Integrity) attests.
> Even when using it right, you would have to block third party builds
Unless you have an obvious and accessible way of getting secure third party builds whitelisted, this is still a very anti-user approach, which is not justifiable unless the user of the device isn't its owner (like with company-owned work phones).
That's up to the service to decide on the appropriate level of security risk in whether they allow unknown builds. They already don't allow custom builds on any other mobile OS, so this is really the best you can get as a user. What is your proposed solution?
> They already don't allow custom builds on any other mobile OS ...
Keep in mind that Pinephones and similar are a thing. Lots of people are hoping they don't fizzle out and die off like previous "open" phone projects. :)
And Pinephones and similar don't have apps for these services that require attestation and never will. If some allow web access without build attestation, that works on custom Android builds as well.