This post assumes you know what “unlocked bootloader” and “Play Integrity” means. In case you don’t, here’s a short summary:
By default, most Android devices’ bootloaders are locked. This prevents the user from modifying the operating system of the device, just like on iOS. However, there is an official procedure for disabling these restrictions [1], allowing the user to install any custom firmware they want on the device. Play Integrity allows an app developer to verify whether the bootloader of a device is locked or not [2]. This verification process is more generally called “device attestation”.
Importantly, Windows and the Web [3] lack device attestation. On MacOS, there is something kind of similar available, though with a less strong threat model (System Integrity Protection).
Currently, if you use an Android device with an unlocked bootloader and try signing into the ChatGPT app on Android, it will block you with a cryptic error message (“Something went wrong. Please make sure your device’s date and time are set properly.”) If you research this further, you find that ChatGPT requires users to pass Play Integrity device attestation to use the app [4][5].
I get why OpenAI would do this. It certainly makes it much harder for bots to abuse certain features, which is probably also part of the reason why some of these features are not available on the web, where such protections are not available.
However, it also locks out some legitimate users like me. I, for example, use an open source up-to-date Android OS [6] on my phone, since otherwise I would not get any security updates anymore. Without doing this, I likely would have to have bought a new phone long ago.
You may argue the stance OpenAI are taking here is just standard security practice. At least for US financial apps, this seems to be so. However, I want to say this is not universally accepted as good practice. For example, here in Europe, most [7] banking apps allow it, some only displaying a warning to the user that the bank shall not be held liable if the user has their data compromised.
So I suggest a compromise: Allow only paying users to use the app on unlocked devices. This way, the risk of abuse is vastly decreased, since hackers would have to put in their credit cards which tie the accounts to their identity, and would not be able to just create tons of accounts for cheap. And of course, allowing unlocked devices does not require giving up other anti-abuse checks, such as may be present on platforms like Windows.
Thank you for reading this far!
Kunci dan buka kunci bootloader | Android Open Source Project ↩︎
https://help.openai.com/en/articles/9945489-something-went-wrong-please-make-sure-your-device-s-date-and-time-are-set-properly-check-that-your-internet-connection-is-stable-then-restart-the-app-and-try-again ↩︎
When I log in to ChatGPT, I am prompted for a login failure and a message "something went wrong. please make sure your device's date and time are set properly" - #75 by opena100 ↩︎
I use LineageOS: https://lineageos.org/ ↩︎
https://www.kartensicherheit.de/media/banking_mobile_apps_-_white_paper_-_eshard.pdf ↩︎