Auditor can be installed from either the Google Play Store or the releases on GitHub. The releases from both sources are identical and use the same signing key, so you can install updates from either one regardless of how you originally installed the app.

GrapheneOS comes with Auditor included.

Local verification

The device being verified (Auditee) must be one of the supported devices. Android developer previews aren't supported since the hardware-verified version is set to a placeholder value. The device performing verification (Auditor) can be any Android 7.0+ compatible device with a camera.

  1. press Auditor on the device that will be verifying the Auditee
  2. press Auditee on the device that's going to be verified
  3. point the camera of the Auditee at the QR code on the Auditor to read the challenge
  4. tap the QR code on the Auditor to advance (if you do this too early, you can press back)
  5. point the camera of the Auditor at the QR code on the Auditee to read the attestation
  6. view verification of the attestation results

Scheduled remote verification

An Auditor can verify any number of different Auditee devices. It shows a fingerprint and the first and last verification times in successful paired attestation results. An Auditee can be verified by any number of Auditors, but there will be a different fingerprint for each unique pairing rather than the same fingerprint shown on each Auditor for the same Auditee.

To set up regularly scheduled remote verification via the remote attestation service:

  1. create an account on https://attestation.app/ from a separate device
  2. press the menu button in the app
  3. press the 'Enable remote verification' action in the menu
  4. scan the account QR code displayed on https://attestation.app/
  5. configure an alert email address to receive alerts if the device fails to provide valid attestations in time
  6. refresh https://attestation.app/ to view the initial attestation result

Expanding device support

Support for verifying a device needs to be added to the app based on at least one valid key attestation sample from the stock OS with the bootloader locked. The Auditor app can theoretically support verifying any Android device launched with Android 8 or later. An upgrade to Android 8 isn't enough, since hardware key attestation support is required and the minimum requirements only became mandatory with Android 8.

To submit a sample, open the menu from the action bar and select 'Submit sample data'. This will submit a sample attestation and device information, enabling the development of support for the device. It may take a few weeks before support is shipped in a new version of the app.

A valid key attestation sample for each device model, along with a stripped-down subset of the system properties, is published on GitHub to help other projects interested in using key attestation.