Paying without Google: New consortium wants to remove custom ROM hurdles
Using banking and payment apps on Android smartphones with custom ROMs is a problem: A European industry consortium now wants to change that.
(Image: Volla)
Pay securely with an Android smartphone, completely without Google services: that is the plan of a newly founded industry consortium led by the German company Volla Systeme GmbH. It is developing an open-source alternative to Google Play Integrity, the proprietary interface that decides, on Android smartphones with Google Play services, whether banking, government, or wallet apps are allowed to run on the device.
Secure payment without Google
Obstacles and tips for paying with an Android smartphone without official Google services have been covered by c’t in a comprehensive article. The European industry consortium now wants to address some of the problems mentioned there. To this end, the group, which alongside Volla includes Murena (developer of the hardened custom ROM /e/OS), Iodé from France, and Apostrophy (Dot) from Switzerland, is developing a so-called “UnifiedAttestation” for Google-free mobile operating systems, primarily those based on the Android Open-Source Project (AOSP).
According to Volla, a European manufacturer and a leading manufacturer from Asia, as well as European foundations such as the German UBports Foundation, have also expressed interest in supporting it. Furthermore, developers and publishers of government apps from Scandinavia are examining the use of the new procedure as “first movers”.
“With UnifiedAttestation, we are creating a transparent and trustworthy procedure for security checks that developers and app publishers can rely on equally. This removes the last hurdle for the use of alternative mobile operating systems,” says Dr. Jörg Wurzer, CEO of Volla Systeme GmbH and initiator of the consortium. The goal is to break free from the control of a single US corporation – towards greater digital sovereignty, it says.
“Security Paradox”
In its announcement, Volla explains that Google provides app developers with an interface called Play Integrity, which checks whether an app is running on a device with specific security requirements. This primarily affects applications from “sensitive areas such as identity verification, banking, or digital wallets – including apps from governments and public administrations”.
The company's criticism is that this certification is offered exclusively for Google's own proprietary “Stock Android” but not for Android versions without Google services, such as /e/OS or similar custom ROMs. “Since this is closely intertwined with Google services and Google data centers, a structural dependency arises – and for alternative operating systems, a de facto exclusion criterion,” the company states.
From the consortium's perspective, this also leads to a “security paradox,” because “the check of trustworthiness is carried out by precisely that entity whose ecosystem is to be avoided at the same time”.
UnifiedAttestation with Open Architecture
The alternative to Google Play Integrity in the form of UnifiedAttestation is intended to be modular and developed as open source, according to the consortium's plan. Similar to Google's freely usable AOSP (Android Open-Source Project), it will be released under a liberal Apache 2.0 license.
(Image: Volla)
The consortium further explains that UnifiedAttestation is to consist of three central elements. Firstly, it will be an “operating system service” that can be integrated into apps with a few lines of code. Apps could use it to request whether the respective operating system meets defined security requirements. Secondly, a validation service will be operated decentrally. This will then check whether the operating system's certificate is valid on the respective device. The third element is an open test suite. This is intended for “checking and certifying an operating system for a specific device model”.
Furthermore, a peer review process is planned, through which the consortium members will mutually check and certify their operating systems and smartphone or tablet models. “This is intended to create transparency and replace trust with traceability.”
“We don't want to centralize trust, but to organize it transparently and in a publicly verifiable way. When companies check competitors' products, we can strengthen that trust,” explains Dr. Wurzer. The consortium's goal is also to establish the new industry initiative as an open cooperation format under the umbrella of the Eclipse Foundation, the largest open-source foundation in Europe. Initial discussions have already begun.
(afl)