Some apps are distributed as Split APKs (multiple .apk files packaged together) to optimize resources. Standard Android installers cannot open them.
See https://github.com/GrapheneOS/Auditor/releases/tag/92 for the full release notes.
The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version. Supported devices:
See the supported device list for a list of devices which can be verified by using them as the Auditee.
It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification.
See the tutorial for detailed usage instructions. This is included as the Help entry in the app menu. The app also provides basic guidance through the process. See the documentation for a more detailed overview.
I'm not going to pretend to understand exactly how this works, but the developer's documentation on the tech is really interesting. I like that the app actually looks pretty nice. My only nitpicks are that the great documentation is not inside the app, but on an external site; there is no screen that shows when the last remote attestation was sent; and that names of most of the options in the three dot menu don't make immediately obvious what they do for your threat model.
It's mostly over my head, but it's pretty awesome to check my graphene OS on my new pixel is legitimate. It's a super easy app to use. Highly recommended!
java.io.IOException: response code: 400 I keep seeing this error, the app hasn't worked a single time.
always worked great for auditing GrapheneOS!
app.attestation.auditor.play on the APK Downloader.This APK download is 100% safe. We verify that the cryptographic signature of the file matches the official developer credentials. No modifications or adware are injected.