

Banks can't trust every client device to be secure and not compromise their infra; therefore, they are using a certificate from a software authority to make sure their apps only run on secure devices. Currently, this authority is Google.
But since everything is using Google as their authority, Google can at any time decide if they want to exclude any devices/manufacturers/whatever from running most banking apps.
For example, they are excluding everything that is not shipping their G services Spyware. (And to ship the G services, you need a license, so you can’t have most banking apps without paying Google.)
Now, Volla, a maker of a Linux Phone, is trying to make a new attestation API. This in no way mitigates any problem I mentioned in the paragraphs above. In that case, Volla is the Authority, and they can at any time exclude anyone for any reason.
There is already an adequate Attestation system that mitigates every issue I mentioned built into Android. Since the system is present at any time, this will not only reduce the attack vector on a system, but allow any app to add any authority they want.
Every company will at some time become corrupt. This happened with Google, this will happen with Volla, every company will at some time become corrupt. Therefore, every software must be designed in a way that the company behind it doesn't have total control over it.
If the original Lemmy.ml defederates, it will not kill every other instance. If Volla/Google decides to exclude a specific phone model/OS from running it, be it for purely ideological reasons, no one will have any access to it. There are no alternatives in a system with Volla attestation.
If the app uses the Android attestation API, on the other hand, you simply add the OS's authority key. No rewrite required.
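
What "add the OS's authority key" can look like on the verifying server, as an added example that is not part of the original comment or any project's code: a policy check over the `RootOfTrust` fields of an Android key attestation record. It assumes the certificate chain was already validated and the extension already parsed; `evaluate`, `TRUSTED_OS_KEYS` and the digests are hypothetical, constructed values.

```python
import hmac
from dataclasses import dataclass
from enum import IntEnum


class VerifiedBootState(IntEnum):
    """VerifiedBootState values from the Android key attestation extension."""
    VERIFIED = 0      # booted OS verified by the key built into the device
    SELF_SIGNED = 1   # locked bootloader, OS verified by a user-installed key
    UNVERIFIED = 2    # bootloader unlocked, anything may have booted
    FAILED = 3        # verification failed


@dataclass(frozen=True)
class RootOfTrust:
    """RootOfTrust fields, already parsed from a chain-validated certificate."""
    verified_boot_key: bytes
    device_locked: bool
    verified_boot_state: VerifiedBootState


# Constructed placeholder digests, not real OS keys. Trusting another OS is
# one more entry here; evaluate() itself does not change.
TRUSTED_OS_KEYS = {
    "ExampleOS": bytes.fromhex("aa" * 32),
    "OtherExampleOS": bytes.fromhex("bb" * 32),
}


def evaluate(rot, trusted_os_keys=TRUSTED_OS_KEYS):
    """Return (accepted, reason) for one attested device."""
    if not rot.device_locked:
        return False, "bootloader unlocked"
    if rot.verified_boot_state == VerifiedBootState.VERIFIED:
        return True, "OS verified by the device's built-in key"
    if rot.verified_boot_state == VerifiedBootState.SELF_SIGNED:
        for name, digest in trusted_os_keys.items():
            # Constant-time compare of the attested digest with the allowlist.
            if hmac.compare_digest(rot.verified_boot_key, digest):
                return True, f"allowlisted OS key: {name}"
        return False, "OS signing key not in allowlist"
    return False, f"boot state {rot.verified_boot_state.name}"
```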














/e/ has Murena Services, which is a completely different can of worms
It's basically the replacement for Google Photos, Drive, etc., and it advertises itself as private, yet it has no privacy benefits over Google. The data is still stored unencrypted on a server with your email/number and name on it, and it can just be sold or given out or hacked at any time. It's Google with a different name.
Also, MicroG theoretically works, but it's more like Wine or a Windows 11 TPM back than a replacement. It spoofs everything, which just means that besides the phone being insecure since there’s no way you can verify if someone tampered with it, because it just spoofs the values anyway, it can also be disabled by Google at any time by an update which makes the values unspoofable.
If you ever wondered why enterprises don’t just use Win 11 with no TPM, it's because Microsoft (like Google) can at any time decide to say fuck you and brick all your systems, since they don’t officially support it anyway.