
Releases: GrapheneOS/Auditor

50

04 Jun 17:49

Notable changes in version 50:

  • fall back to using front camera if rear camera is unavailable
  • update CameraX library to 1.2.0-alpha02
  • update AndroidX appcompat library to 1.4.2
  • update Bouncy Castle library to 1.71

A full list of changes from the previous release (version 49) is available through the Git commit log between the releases.


The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version.

It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) or Hardware Security Module (HSM) including the verified boot state, operating system variant and operating system version. The verification is much more meaningful after the initial pairing as the app primarily relies on Trust On First Use via pinning. It also verifies the identity of the device after the initial verification.

See the tutorial for detailed usage instructions. This is included as the Help entry in the app menu. The app also provides basic guidance through the process. See the documentation for a more detailed overview.

49

01 Jun 03:33

Notable changes in version 49:

  • use correct size format for QR scanning focus size
  • update Material library to 1.6.1

A full list of changes from the previous release (version 48) is available through the Git commit log between the releases.



48

28 May 01:02

Notable changes in version 48:

  • extend the attestation reference implementation library with a way to precisely detect the key description extension
  • prevent a bypass of the initial verification inherited from Android's key attestation reference implementation (our pinning approach prevents these issues after pairing) by checking that only the first and second certificates have a key description extension; if the second certificate has a key description extension, it needs to be a valid attest key with a matching security level, challenge and the attest key purpose
  • enforce that the redundant data provided by the key description for the attest key matches the key that it's signing; despite the lack of a clear security benefit, we might as well check that all the data fields have the expected values
  • remove unused code and improve code quality
  • update Material to 1.6.0
  • update CameraX to 1.2.0-alpha01
  • update Android gradle plugin to 7.2.1
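
The placement rule from the second bullet, modelled as an added example (not Auditor's code). Assumptions: certificates are reduced to already-parsed fields with signatures and the root checked elsewhere, "matching" is taken to mean equal to the leaf's values, and `Cert`, `KeyDescription`, `check_key_description_placement` and the sample chains are hypothetical names and constructed data.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Sequence

# OID of the Android key attestation ("key description") X.509 extension.
KEY_DESCRIPTION_OID = "1.3.6.1.4.1.11129.2.1.17"
PURPOSE_SIGN = 2        # KeyMint KeyPurpose SIGN
PURPOSE_ATTEST_KEY = 7  # KeyMint KeyPurpose ATTEST_KEY


@dataclass(frozen=True)
class KeyDescription:
    """Parsed key description fields used by this check (hypothetical model)."""
    security_level: int  # 0 = software, 1 = TEE, 2 = StrongBox
    challenge: bytes
    purposes: FrozenSet[int]


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate whose signature was already verified."""
    subject: str
    extensions: dict = field(default_factory=dict)  # OID -> parsed value

    @property
    def key_description(self) -> Optional[KeyDescription]:
        return self.extensions.get(KEY_DESCRIPTION_OID)


class ChainRejected(Exception):
    """A key description is missing, misplaced or inconsistent."""


def check_key_description_placement(chain: Sequence[Cert]) -> bool:
    """Check a leaf-first chain; return True if the second cert is an attest key."""
    if len(chain) < 2:
        raise ChainRejected("chain too short")
    leaf = chain[0].key_description
    if leaf is None:
        raise ChainRejected("leaf has no key description")
    # Only the first and second certificates may carry the extension.
    for index, cert in enumerate(chain[2:], start=2):
        if cert.key_description is not None:
            raise ChainRejected(f"unexpected key description at index {index}")
    signer = chain[1].key_description
    if signer is None:
        return False  # leaf is signed directly by a non-attested key
    # Assumption: this example requires ATTEST_KEY to be the only purpose.
    if signer.purposes != frozenset({PURPOSE_ATTEST_KEY}):
        raise ChainRejected("second certificate is not an attest key")
    if signer.security_level != leaf.security_level:
        raise ChainRejected("attest key security level mismatch")
    if signer.challenge != leaf.challenge:
        raise ChainRejected("attest key challenge mismatch")
    return True


def kd_ext(purposes, challenge=b"constructed-challenge", level=2) -> dict:
    """Build the extensions dict for a constructed sample certificate."""
    return {KEY_DESCRIPTION_OID: KeyDescription(level, challenge, frozenset(purposes))}


# Constructed sample chains (leaf first, root last); subjects are made up.
UPPER_CERTS = [Cert("batch"), Cert("intermediate"), Cert("root")]
PLAIN_CHAIN = [Cert("app key", kd_ext({PURPOSE_SIGN}))] + UPPER_CERTS
ATTEST_KEY_CHAIN = ([PLAIN_CHAIN[0], Cert("attest key", kd_ext({PURPOSE_ATTEST_KEY}))]
                    + UPPER_CERTS)
# Second certificate describes an ordinary signing key, not an attest key.
MISPLACED_CHAIN = [PLAIN_CHAIN[0], Cert("app key 2", kd_ext({PURPOSE_SIGN}))] + UPPER_CERTS


def verdict(chain: Sequence[Cert]) -> str:
    """Summarise the check result for display."""
    try:
        return "attest key" if check_key_description_placement(chain) else "no attest key"
    except ChainRejected as exc:
        return f"rejected: {exc}"
```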

A full list of changes from the previous release (version 47) is available through the Git commit log between the releases.



47

21 May 07:30

Notable changes in version 47:

  • migrate to using attest key when it's supported by the device (6th gen Pixels) for pairings not already using it, to provide forward compatibility with remote provisioning in Android 13 (this will not upgrade pre-v46 Pixel 6 / Pixel 6 Pro pairings to the new higher security pinning provided by attest key mode, since the pinning is still based on the initial verification)
  • only check attestation chain expiry for pairing, to prepare for short-lived remote provisioning chains; the attest key feature will still have the same attestation chain for each verification to support pinning, just as it works now before remotely provisioned chains are being used anywhere
  • add back timestamp verification for our own signing key certificate since this workaround for a 3rd generation Pixel secure element bug no longer appears to be required on those devices
  • increase permitted clock skew to 5 minutes from 1 minute to avoid most errors from clocks not being synced
  • avoid starting camera focus timer if camera service failure occurred
  • fix back gesture and activity resuming for the Auditee error page
  • improve message for cert chain length mismatch

A full list of changes from the previous release (version 46) is available through the Git commit log between the releases.



46

18 May 05:28

Notable changes in version 46:

  • add support for the Android 12 attest key feature to add a pairing-specific hardware attestation signing key in between our generated keys and the batch key for significantly improved security from attestation key pinning (GrapheneOS proposed the concept used by the attest key feature several years back for use by Auditor and Android ended up implementing it as a standard feature)
  • enable attest key support for new pairings with an Auditee supporting it in the hardware keystore including the Pixel 6 and later (migrating to it for existing pairings will be a future improvement)
  • display attest key use as part of the security level with the combination of StrongBox and attest key considered to be a Very High security level instead of only High for StrongBox alone
  • add error handling/reporting for OS/hardware camera issues
  • add support for 3rd generation key attestation root for future devices
  • increase Auditor protocol to version 3 with a new DEFLATE dictionary including the new attestation root and an updated sample attestation chain to improve compression for easier to scan QR codes
  • add exception messages to sample submission and remote attestation failure notifications
  • update CameraX to 1.1.0-rc01 providing various improvements which are partially documented in their release notes
  • update ZXing (barcode library) to 3.5.0 providing significant improvements for barcode decoding including fixes for many edge cases discovered through fuzzing where unexpected exceptions were thrown (many of these would have been serious security bugs instead of unexpected exceptions if ZXing was written in C rather than memory safe Java code)
  • update Kotlin Gradle plugin to 1.6.21
  • update Android Gradle plugin to 7.2.0
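
Why a new DEFLATE dictionary goes together with a protocol version bump, shown as an added example (not Auditor's code or wire format). Assumptions: the one-byte version prefix, the zlib-wrapped stream, the dictionary contents, the size limit and all byte strings are constructed for illustration.

```python
import hashlib
import zlib

MAX_CHAIN_BYTES = 16 * 1024  # assumed cap on decompressed size


def pseudo_der(label: str, size: int) -> bytes:
    """Deterministic, incompressible filler standing in for DER certificate bytes."""
    out, counter = b"", 0
    while len(out) < size:
        out += hashlib.sha256(f"{label}:{counter}".encode()).digest()
        counter += 1
    return out[:size]


# Constructed stand-ins for attestation roots shared by every chain.
ROOT_GEN2 = pseudo_der("root-gen2", 1200)
ROOT_GEN3 = pseudo_der("root-gen3", 1200)
DICTIONARIES = {
    2: ROOT_GEN2,              # hypothetical older dictionary
    3: ROOT_GEN2 + ROOT_GEN3,  # hypothetical newer dictionary adds the new root
}
# Constructed chain: device-specific bytes followed by the newer root.
SAMPLE_CHAIN = pseudo_der("leaf", 500) + pseudo_der("intermediate", 700) + ROOT_GEN3


def encode(protocol: int, chain: bytes) -> bytes:
    """Prefix the protocol version, then DEFLATE with that version's dictionary."""
    comp = zlib.compressobj(level=9, zdict=DICTIONARIES[protocol])
    return bytes([protocol]) + comp.compress(chain) + comp.flush()


def decode(message: bytes) -> bytes:
    """Pick the dictionary from the version byte and inflate with a size limit."""
    protocol = message[0]
    if protocol not in DICTIONARIES:
        raise ValueError(f"unsupported protocol version {protocol}")
    decomp = zlib.decompressobj(zdict=DICTIONARIES[protocol])
    chain = decomp.decompress(message[1:], MAX_CHAIN_BYTES)
    if decomp.unconsumed_tail or not decomp.eof:
        raise ValueError("truncated or oversized attestation data")
    return chain


def saved_bytes() -> int:
    """Bytes saved on SAMPLE_CHAIN by the dictionary that contains the new root."""
    return len(encode(2, SAMPLE_CHAIN)) - len(encode(3, SAMPLE_CHAIN))


if __name__ == "__main__":
    print("v2 size:", len(encode(2, SAMPLE_CHAIN)))
    print("v3 size:", len(encode(3, SAMPLE_CHAIN)))
```

A message inflated with the wrong dictionary fails with `zlib.error`, which is why both sides have to agree on the dictionary through the protocol version.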

A full list of changes from the previous release (version 45) is available through the Git commit log between the releases.



45

12 Apr 14:08

Notable changes in version 45:

  • update CameraX to 1.1.0-beta03 providing various improvements which are partially documented in their release notes
  • update target API level to 32 (Android 12.1)
  • sync attestation library with upstream CTS (android-cts-12.0_r3)
  • add failure notification for sample submission failures
  • update Guava to 31.1
  • update Gradle to 7.4.2
  • update Kotlin Gradle plugin to 1.6.20
  • update Android Gradle plugin to 7.1.3
  • improve code quality

A full list of changes from the previous release (version 44) is available through the Git commit log between the releases.



44

25 Feb 03:04

Full list of changes from the previous release (version 43). Notable changes:



43

22 Feb 22:44

Full list of changes from the previous release (version 42). Notable changes:

  • improve dark theme for confirmation dialogs
  • make verification result text selectable
  • rename "Identity" to "Pairing identity" and add text clarifying that it's the hash of a hardware-backed public key to help clarify that it's not a device/profile identifier
  • make pairing identity into the 1st field of the verification result
  • make security level into the 2nd field of the verification result
  • add verified boot key hash to verification result above verified boot hash
  • make it clear which fields in the verification result are pinned for the pairing and either have enforced immutability (device, OS, verified boot key hash) or can only increase (OS version, patch levels, app version)
  • miscellaneous string improvements
  • reorganize code as part of sharing code with AttestationServer and gradually working towards it being a library

The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version. Supported devices:

  • BlackBerry Key2 (BBF100-1 and BBF100-6 models)
  • BQ Aquaris X2 Pro
  • Google Pixel 2
  • Google Pixel 2 XL
  • Google Pixel 3
  • Google Pixel 3 XL
  • Google Pixel 3a
  • Google Pixel 3a XL
  • Google Pixel 4
  • Google Pixel 4 XL
  • Google Pixel 4a
  • Google Pixel 4a (5G)
  • Google Pixel 5
  • Google Pixel 5a
  • Google Pixel 6
  • Google Pixel 6 Pro
  • Huawei Honor 7A Pro (AUM-L29 model)
  • Honor 9 Lite (LLD-L31 model)
  • Huawei Honor 10 (COL-L29 model)
  • Huawei Honor View 10 (BKL-L04 and BKL-L09 models)
  • Huawei Mate 10 (ALP-L29 model)
  • Huawei Mate 20 lite (SNE-LX1 model)
  • Huawei Mate 20 Pro (LYA-L29 model)
  • Huawei P smart 2019 (POT-LX3 model)
  • Huawei P20 (EML-L09 model)
  • Huawei P20 Pro (CLT-L29 model)
  • Huawei Y7 2019 (DUB-LX3 model)
  • Huawei Y9 2019 (JKM-LX3 model)
  • HTC EXODUS 1
  • HTC U12+
  • LG Stylo 5 (LM-Q720 model)
  • LG Q Stylo 4 (LG-Q710AL model)
  • Motorola moto g⁷
  • Motorola One Vision
  • Nokia 3.1
  • Nokia 6.1
  • Nokia 6.1 Plus
  • Nokia 7.1
  • Nokia 7 Plus
  • OnePlus 6 (A6003 model)
  • OnePlus 6T (A6013 model)
  • OnePlus 7 Pro (GM1913 model)
  • Oppo R15 Pro (CPH1831 model)
  • Oppo A7 (CPH1903 model)
  • Oppo A5s (CPH1909 model)
  • Realme C2 (RMX1941 model)
  • Samsung Galaxy A70 (SM-A705FN model)
  • Samsung Galaxy Amp Prime 3 (SM-J337AZ model)
  • Samsung Galaxy J2 Core (SM-J260A, SM-J260F and SM-J260T1 models)
  • Samsung Galaxy J3 2018 (SM-J337A and SM-J337T models)
  • Samsung Galaxy J7 (SM-J737T1 model)
  • Samsung Galaxy M20 (SM-M205F model)
  • Samsung Galaxy Note 9 (SM-N960F and SM-N960U models)
  • Samsung Galaxy Note 10 (SM-N970F and SM-N970U models)
  • Samsung Galaxy Note 10+ (SM-N975U model)
  • Samsung Galaxy S9 (SM-G960F, SM-G960U, SM-G960U1, SM-G960W and SM-G9600 models)
  • Samsung Galaxy S9+ (SM-G965F, SM-G965U, SM-G965U1 and SM-G965W models)
  • Samsung Galaxy S10e (SM-G970F model)
  • Samsung Galaxy S10+ (SM-G975F model)
  • Samsung Galaxy Tab A 10.1 (SM-T510 model)
  • Samsung Galaxy Tab S4 (SM-T835 model)
  • Sony Xperia XA2 (H3113, H3123 and H4113 models)
  • Sony Xperia XZ1 / XZ1 Compact (G8341 and G8342 models)
  • Sony Xperia XZ1 Compact (G8441 model)
  • Sony Xperia XZ2 (H8216 model)
  • Sony Xperia XZ2 Compact (H8314 and H8324 models)
  • T-Mobile REVVL 2
  • Vivo 1807
  • Xiaomi Mi A2
  • Xiaomi Mi A2 Lite
  • Xiaomi Mi 9
  • Xiaomi POCOPHONE F1


42

13 Feb 09:08

Full list of changes from the previous release (version 41). Notable changes:

  • generated a new icon following our upcoming revised icon style
  • update dependencies


41

27 Jan 02:59

Full list of changes from the previous release (version 40). Notable changes:

  • update CameraX to 1.1.0-beta01 providing a bunch of improvements which are partially documented in their release notes (fixes several issues we reported)
  • update SDK and build tools to 32 (Android 12L) without targeting API 32 yet (waiting for stable release)
  • update other dependencies
