Actual NFC payments (as well as security in general) are absolutely irrelevant to this attestation technology. NFC for payments works perfectly (and not a bit less securely) without all this “security” circus — because NFC payments (and any other kind of banking or payments) are just a completely different thing.
The only thing that this kind of attestation does is prove to the app (in this example, a banking app) that the device it runs on has been deemed by the OEM (or Google, in the case of Play Integrity) as worthy.
And I specifically wrote it as “deemed as worthy” because that is exactly what it is: “deemed” doesn’t mean that it was certified or analysed for vulnerabilities or even properly updated, and “worthy” doesn’t mean that it’s actually secure or even capable of being secure.
This whole technology and the claims about its “security” are just a marketing scam that allows Google/OEMs to control your phone by ensuring that you’re not running some software not approved/sold by them specifically (e.g. GrapheneOS, LineageOS, postmarketOS, your own Linux build, MS-DOS 6.11 — doesn’t matter), and for both the OEMs and the apps (banks in this case) to create a visibility of security without actually ensuring this security.
It doesn’t matter who controls the attestation “authority” — Google or random European companies — in the end this technology is still evil and even harmful for real security — by design.
The best solution for GrapheneOS seems to be to use a Garmin smartwatch with Garmin Pay.