What is Device Integrity Monitoring?
All Omerta handsets support Device Integrity Monitoring, a service comprising an app called Auditor & a web service located at https://attestation.app. Auditor is GrapheneOS's secret weapon in protecting your phone from low-level attack: it utilises a third-party server to scan your phone & ensure the OS matches an independent copy of the operating system.
The Auditor app uses hardware security features to validate the integrity of your phone's OS, ensuring your handset has not been modified and the operating system has not been rolled back. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version.
If any anomalies are detected, users are emailed so they can decide on the best course of action. The beauty of this security service is that the results are produced by the web server, not your phone. Often a compromised device will deactivate any security tools so that the compromise remains undetected. Because monitoring is done by the server, the results cannot be falsified.
How do I set this up?
Setting up Device Integrity Monitoring is very easy: just follow the steps below & you will be enjoying complete peace of mind!
1. Register an account with Attestation.app
- On a computer or tablet, open a web browser and visit https://attestation.app
- Create a new account (making sure you take note of your login details)
- Once logged in, add your email address to ensure you receive notifications of any failed scans
- Leave the webpage open with the QR code visible whilst going to step 2.
2. Connect Omerta phone to webserver using Auditor App
- From your handset, open the app tray
- Locate and open Auditor
- On the top right hand side, touch the 3 vertical dots
- Choose "Enable Remote Verification"
- Scan the QR Code shown in step 1 with your handset
- Wait 1 minute and then check notifications for Auditor success message
If you refresh the webpage showing attestation.app on the second device, you will note a significant amount of information about your device, similar to what is shown below:
What now? How Auditor works...
With Auditor successfully configured, you need do nothing else. It simply runs a scan at regular intervals & you will receive silent notifications advising of success. For the majority of users this will be as much of Auditor as they see!
Should Auditor detect an issue, you will receive an email & we discuss this in more detail below. Finally, Operating System updates may affect Auditor's ability to successfully submit a scan, or you may notice it has malfunctioned and ceased scanning. This is easily rectified & we have documented the fixes in our knowledge base.
What do the email alerts contain?
The service is completely inert inasmuch as it will advise of an issue & no more. Email alerts are presented using a traffic light colour system to indicate importance/risk. Green means "For Information", Amber means take note & Red is serious.
The most common message is the service advising that no scan has occurred within the configured time. This is normally because a handset has been offline & is not something to be concerned about. More serious alerts should be taken seriously: on receipt of an Amber or Red alert, we advise you to switch your handset off and contact us via the helpdesk or by calling us.