> No, the much more secure while at the same time liberty-preserving way to do this are heavily sandboxed secure enclaves with attestation, or even better standalone tamper-proof devices capable of attestation.
Thats what is being required. The problem is making sure the policy is enforced correctly includes local business logic and user experience components. The money transfer needs to come from an authenticated user providing consent, not from some software that happens to have managed to get installed on the phone with sufficient permissions to interface with the secure element or to have their version of a library loaded.
That means one needs to validate user-facing software, and not just the API to a black box. Thus one is requiring a chain of custody validation up to the boot loader.
Thats what is being required. The problem is making sure the policy is enforced correctly includes local business logic and user experience components. The money transfer needs to come from an authenticated user providing consent, not from some software that happens to have managed to get installed on the phone with sufficient permissions to interface with the secure element or to have their version of a library loaded.
That means one needs to validate user-facing software, and not just the API to a black box. Thus one is requiring a chain of custody validation up to the boot loader.