ROMs


Loss of popular 2FA tool puts security-minded GrapheneOS in a paradox

Just a bit too custom for their taste —

Losing access to Authy leads to another reckoning with Google’s security model.

Graphene is a remarkable allotrope, deserving of further study. GrapheneOS is a remarkable ROM, one that Google does not quite know how to accommodate, due to its “tiny, tiny” user numbers compared to mainstream Android.

“If it’s not an official OS, we have to assume it’s bad.”

That’s how Shawn Wilden, the tech lead for hardware-backed security in Android, described the current reality of custom Android-based operating systems in response to a real security conundrum. GrapheneOS users discovered recently that Authy, a popular (and generally well-regarded) two-factor authentication manager, will not work on their phones—phones running an OS intended to be more secure and hardened than any standard Android phone.

“We don’t want to punish users of alternative OSes, but there’s really no other option at the moment,” Wilden added before his blunt conclusion. “Play Integrity has absolutely no way to guess whether a given custom OS completely subverts the Android security model.”

Play Integrity, formerly SafetyNet Attestation, essentially allows apps to verify whether an Android device has provided permissions beyond Google’s intended models or has been rooted. Root access is not appealing to the makers of some apps involving banking, payments, competitive games, and copyrighted media.

There are many reasons beyond cheating and skulduggery that someone might root or modify their Android device. But to prove itself secure, an Android device must contact Google’s servers through an API in Google Play Services and then have its bootloader, ROM signature, and kernel verified. GrapheneOS, like most custom Android ROMs, does not contain a Google Play Services package by default but will let users install a sandboxed version of Play Services if they wish.

Wilden offered some hope for a future in which ROMs could vouch for their non-criminal nature to Google, noting “some discussions with makers of high-quality ROMs” about passing the Compatibility Test Suite, then “establishing some kind of relationship we can use to trust them.” But it’s “a lot of work on both sides, including by lawyers,” Wilden notes. And while his team is happy to help, higher-level support is tough because “modders are such a tiny, tiny fraction of the user base.”

The official GrapheneOS X account was less hopeful. It noted that another custom ROM, LineageOS, disabled verified boot at installation, and “rolls back security in a lot of other ways,” contributing to “a misconception that every alternate OS rolls back security and isn’t production quality.” A typical LineageOS installation, like most custom ROMs, does disable verified boot; it can be re-enabled, though doing so is risky and complicated. GrapheneOS has a page on its site regarding its stance on, and criticisms of, Google’s attestation model for Android.

Ars has reached out to Google, GrapheneOS, and Authy (via owner Twilio) for comment. At the moment, it doesn’t seem like there’s a clear path forward for any party unless one of them is willing to majorly rework what they consider proper security.



Modder re-creates Game Boy Advance games using the audio from crash sounds

To truly catch them all —

Create a bootable, working Pokémon game by recording it crash multiple times.

Andrew Cunningham’s modded and restored Game Boy Advance could, with enough time, sing out all the data loaded into a cartridge. (Photo: Andrew Cunningham)

Sometimes, a great song can come from great pain. The Game Boy Advance (GBA), for example, once its software has been crashed for nearly two hours, will play a tune based on the game inside it. And if you listen closely enough—using specialty hardware and code—you can tell exactly what game it was singing about. And then theoretically play that same game.

This was discovered recently by TheZZAZZGlitch, whose job is to “sadistically glitch and hack the crap out of Pokémon games.” It’s “hardly a ready-to-use solution,” the modder notes, as it requires a lot of tuning specific to different source formats. So while there are certainly easier ways to get GBA data from a cartridge, none make you feel quite so much like an audio datamancer.

TheZZAZZGlitch’s demonstration of re-creating Game Boy Advance ROM data using the sounds from a crashing system.

After crashing a GBA and recording it over four hours, the modder saw some telltale waveforms in a sound file at about the 1-hour, 50-minute mark. Later in the sound-out, you can hear the actual instrument sounds and audio samples the game contains, played in sequence. Otherwise, it’s 8-bit data at 13,100 Hz, and at times, it sounds absolutely deranged.

“2 days of bugfixing later,” the modder had a Python script ready that could read the audio from a clean recording of the GBA’s crash dump. Did it work? Not without more troubleshooting. One issue with audio-casting ROM data is that there are large sections of 0-byte data in the ROM, which come out as silence and are hard to parse. After running another script that realigned sections based on their location in the original ROM, the modder’s ROM was 99.76 percent accurate but “still didn’t boot tho.” TheZZAZZGlitch later disclaimed that, yes, this is technically using known ROM data to surface unknown data, or “cheating,” but there are assumptions and guesses one could make if you were truly doing this blind.

The next fix was to refine the sound recording. By recording three times and merging them with a “majority vote” algorithm, their accuracy notched up to 99.979 percent. That output ROM booted—but with glitched text and a title screen crash. After seven different recordings are meshed and filtered for blank spaces, they achieve 100 percent parity. That’s about the halfway point of the video; you should watch the rest to learn how it works on physical hardware, how it works with a different game (an ARM code mystery in a replica cartridge), and how to get the best recordings, including the use of a “cursed adapter” that mixes down to one channel the ugly way.
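The “majority vote” merging step described above is a plain error-correction idea: several noisy recoveries of the same bytes are combined by taking, at each position, whatever most copies agree on. The following is an added illustration written for this page, not TheZZAZZGlitch’s script. It assumes the recordings have already been aligned to the same byte offsets (the realignment of zero-runs mentioned earlier is a separate problem), votes bit by bit, and measures accuracy against a reference image in the same byte-match sense as the percentages quoted in the article. All data in it is constructed.

```python
"""Bit-level majority vote across several noisy recoveries of one ROM image.
Added example; assumes aligned, equal-length inputs. All sample data is
constructed with a seeded RNG so the run is reproducible offline."""
import random


def majority_vote(copies: list[bytes]) -> bytes:
    """Combine N aligned recoveries by voting on every bit of every byte.

    With an odd N there is never a tie; with an even N a tie is resolved
    to 0 (the conservative choice, since a 0 bit is the common case in
    the large blank regions of a ROM).
    """
    if not copies:
        raise ValueError("need at least one copy")
    n = len(copies[0])
    if any(len(c) != n for c in copies):
        raise ValueError("copies must be aligned and of equal length")
    threshold = len(copies) / 2          # strictly more than half must agree
    out = bytearray(n)
    for i in range(n):
        byte = 0
        for bit in range(8):
            ones = sum((c[i] >> bit) & 1 for c in copies)
            if ones > threshold:
                byte |= 1 << bit
        out[i] = byte
    return bytes(out)


def accuracy(recovered: bytes, reference: bytes) -> float:
    """Fraction of byte positions that match the reference image."""
    if len(recovered) != len(reference):
        raise ValueError("images differ in length; realign before comparing")
    matches = sum(a == b for a, b in zip(recovered, reference))
    return matches / len(reference)


def corrupt(reference: bytes, bit_error_rate: float, rng: random.Random) -> bytes:
    """Simulate one noisy recording by flipping each bit independently."""
    out = bytearray(reference)
    for i in range(len(out)):
        for bit in range(8):
            if rng.random() < bit_error_rate:
                out[i] ^= 1 << bit
    return bytes(out)


def demo(n_copies: int = 3, bit_error_rate: float = 0.01, seed: int = 1) -> tuple[float, float]:
    """Build a constructed 5 KiB image (random bytes followed by a zero-run, as a
    real ROM has), take n_copies noisy recordings of it, and return
    (accuracy of a single recording, accuracy after majority vote)."""
    rng = random.Random(seed)
    reference = bytes(rng.randrange(256) for _ in range(4096)) + bytes(1024)
    copies = [corrupt(reference, bit_error_rate, rng) for _ in range(n_copies)]
    return accuracy(copies[0], reference), accuracy(majority_vote(copies), reference)


if __name__ == "__main__":
    for k in (1, 3, 7):
        single, voted = demo(n_copies=k)
        print(f"{k} recording(s): single={single:.4%} voted={voted:.4%}")
```

With a 1 percent per-bit error rate, a single recording lands near 92 percent byte accuracy, three votes near 99.8 percent and seven votes essentially at 100 percent, which mirrors the progression in the article. The vote only helps when the errors in each recording are independent and the copies are aligned; a systematic offset, such as the one the zero-runs introduced, makes every copy agree on the wrong bytes and must be fixed before voting.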
