Louis: new topic page on google's play integrity api and device attestation, how it locks de-googled and alternative android out of apps, with the grapheneos position and google's stated rationale

2026-06-19T18:58:33Z

new topic page on google's play integrity api and device attestation, how it locks de-googled and alternative android out of apps, with the grapheneos position and google's stated rationale

New page

The '''Play Integrity API''' is a Google service that lets an Android app check whether it is running on what Google calls a ''"genuine and certified Android device"'' before the app agrees to work.<ref name="gintegrity" /> Apps that require it refuse to run on devices that do not return Google's certification verdict, which by design excludes de-Googled and alternative Android systems such as [[GrapheneOS]] and LineageOS even when those systems keep a locked bootloader and current security patches.<ref name="gverdicts" /><ref name="gosguide" /> As banking, government-identity, and other apps adopt the check, an owner who installs a more private or better-maintained operating system on hardware they own can be locked out of software that runs without complaint on an outdated but factory-certified phone.<ref name="gverdicts" /><ref name="eudiissue" />

==How it works==

When an app calls the Play Integrity API, Google returns a device-integrity verdict in one of three tiers: ''MEETS_BASIC_INTEGRITY'', ''MEETS_DEVICE_INTEGRITY'', and ''MEETS_STRONG_INTEGRITY''.<ref name="gverdicts" /> The middle tier, which many banking and corporate apps require, is granted, on Android 13 and higher, only when there is ''"hardware-backed proof that the device bootloader is locked and the loaded Android OS is a certified device manufacturer image."''<ref name="gverdicts" /> The strongest tier additionally requires that the device received security updates in the last year.<ref name="gverdicts" />

[[File:Play-Integrity-device-verdict.png|thumb|center|upright=2.4|Google's Play Integrity documentation defines the ''MEETS_DEVICE_INTEGRITY'' verdict as requiring a locked bootloader and ''"a certified device manufacturer image,"'' the condition an alternative operating system does not meet.<ref name="gverdicts" />]]

The verdict rests on Android hardware-backed key attestation, which Google describes as giving an app ''"more confidence that the keys you use in your app are stored in a device's hardware-backed keystore."''<ref name="keyattest" /> Because an alternative operating system signs its own verified-boot image instead of shipping the manufacturer's, it reports a different cryptographic root of trust and does not produce the device-integrity verdict by default, no matter how current its patches are.<ref name="gverdicts" /><ref name="gosguide" /> The device-integrity tier certifies the origin of the operating system image, not how current it is, so an older, unpatched but factory-certified build passes the check while a fully patched alternative system does not.<ref name="gverdicts" />

==From SafetyNet to Play Integrity==

Play Integrity is the successor to Google's earlier SafetyNet Attestation API. Google deprecated SafetyNet in 2022 and fully turned it down in January 2025, telling developers to ''"migrate to the Play Integrity API,"'' which consolidated the older integrity checks under one interface.<ref name="safetynet" />

==Lockout of alternative operating systems==

In 2026, owners running GrapheneOS reported that Volkswagen's official app would no longer let them control their cars; Volkswagen's support email said the app is supported only on ''"Android devices with supported operating system versions"'' and not on ''"custom ROMs, e.g. GrapheneOS, LineageOS,"'' because it ''"relies on security-relevant system components and certified Android standards."''<ref name="vwemail" /> A related Volkswagen change, the [[Volkswagen Carnet API shutdown]], routed third-party vehicle-data access through an official Volkswagen Group app.<ref name="borncity" />

Government identity software has adopted the same requirement. The Android app for the European Union's Digital Identity Wallet enforces Play Integrity; in February 2025, users opened a request on its official code repository titled ''"Please remove the requirement for Google Play Integrity,"'' reporting that the check shut LineageOS, GrapheneOS, unlocked-bootloader, and older devices out of their digital government documents.<ref name="eudiissue" /> The European Union's age-verification app drew the same criticism in July 2025 for requiring a Google-approved Android device or an iPhone; its developer, Scytales, responded that the app is a white-label product and that Play Integrity is only one of the device checks an implementer can use.<ref name="osnews" /><ref name="biometric" />

==GrapheneOS's objection==

GrapheneOS argues the exclusion is a business decision rather than a security one, and that an app wanting a genuine hardware-backed guarantee already has a better tool.<ref name="gosguide" /> Its attestation compatibility guide says an app can support GrapheneOS ''"by using the standard Android hardware attestation API and permitting our official release signing keys,"'' an approach it calls stronger than Play Integrity because it can ''"whitelist the keys of alternate operating systems."''<ref name="gosguide" /> The project states the reason apps decline to do so directly:

<blockquote>''"The only reason they aren't permitting it is because we do not license Google Mobile Services (GMS) and these apps are enforcing Google's business interests rather than security."''</blockquote><ref name="gosguide" />

[[File:GrapheneOS-attestation-guide-business-interests.png|thumb|center|upright=2.4|The GrapheneOS attestation compatibility guide states that apps blocking the system through Play Integrity do so because GrapheneOS does not license Google Mobile Services and ''"these apps are enforcing Google's business interests rather than security."''<ref name="gosguide" />]]

In May 2026, ''Android Authority'' reported the same position, quoting GrapheneOS that ''"Google's Play Integrity API bans using GrapheneOS despite it being far more secure than anything they permit"'' and describing the purpose of such checks, in the project's words, as ''"disallowing people from using hardware and software not approved by Apple or Google."''<ref name="androidauthority" />

==Google's stated rationale==

Google presents the API as an anti-fraud and anti-abuse tool. Its documentation says the service helps a developer ''"check that user actions and server requests are coming from your genuine app, installed by Google Play, running on a genuine and certified Android device,"'' and positions it against tampered app binaries, automated bots, and access from risky environments.<ref name="gintegrity" />

==Apple's counterpart==

Apple enforces a parallel check on iOS through its App Attest service, part of the DeviceCheck framework, which lets an app's server confirm that requests come from a legitimate instance of the app running on a genuine Apple device.<ref name="appattest" />

==Alternatives and pushback==

Unified Attestation presents itself as ''"a free, open-source alternative to Google Play Integrity"'' that an app can run alongside Google's own check; it is led by Volla Systeme GmbH.<ref name="uattest" /> GrapheneOS opposes that scheme as well, arguing it would replace Google's gatekeeping with a new vendor-managed allow-list rather than open access to any hardened operating system.<ref name="piunika" />

On the hardware side, in March 2026 Motorola announced a partnership with the GrapheneOS Foundation to build a future smartphone with GrapheneOS and to bring some of its security features to other Motorola devices, though the companies committed to no release date.<ref name="motorola" />

==See also==

*[[Volkswagen Carnet API shutdown]]
*[[GrapheneOS]]
*[[Right to repair]]
*[[Digital Markets Act]]

==References==

<references>
<ref name="gintegrity">{{Cite web |url=https://developer.android.com/google/play/integrity/overview |title=Play Integrity API overview |publisher=Google, Android Developers |access-date=2026-06-19}}</ref>
<ref name="gverdicts">{{Cite web |url=https://developer.android.com/google/play/integrity/verdicts |title=Play Integrity API verdicts and device integrity field |publisher=Google, Android Developers |access-date=2026-06-19}}</ref>
<ref name="keyattest">{{Cite web |url=https://developer.android.com/privacy-and-security/security-key-attestation |title=Verify hardware-backed key pairs with key attestation |publisher=Google, Android Developers |access-date=2026-06-19}}</ref>
<ref name="safetynet">{{Cite web |url=https://developer.android.com/privacy-and-security/safetynet/deprecation-timeline |title=SafetyNet Attestation API deprecation timeline |publisher=Google, Android Developers |access-date=2026-06-19}}</ref>
<ref name="gosguide">{{Cite web |url=https://grapheneos.org/articles/attestation-compatibility-guide |title=Attestation compatibility guide |publisher=GrapheneOS |access-date=2026-06-19}}</ref>
<ref name="androidauthority">{{Cite web |url=https://www.androidauthority.com/grapheneos-google-apple-approved-devices-web-warning-3665319/ |title=GrapheneOS warns Google and Apple device checks are locking out alternative operating systems |last=Sharma |first=Adamya |publisher=Android Authority |date=2026-05-10 |access-date=2026-06-19}}</ref>
<ref name="vwemail">{{Cite web |url=https://discuss.grapheneos.org/d/35949-volkswagen-app?page=3 |title=Volkswagen App |publisher=GrapheneOS Discussion Forum |access-date=2026-06-19}} (thread in which an affected owner reproduces Volkswagen's support email verbatim).</ref>
<ref name="borncity">{{Cite web |url=https://borncity.com/blog/2026/05/29/vw-und-audi-sperren-api-schnittstelle-smart-home-blackout-seit-27-05-2026-teil-1/ |title=VW und Audi sperren API-Schnittstelle, Smart-Home-Blackout seit 27.05.2026 (Teil 1) |last=Born |first=Günter |publisher=Borncity |date=2026-05-29 |access-date=2026-06-19}}</ref>
<ref name="eudiissue">{{Cite web |url=https://github.com/eu-digital-identity-wallet/eudi-app-android-wallet-ui/issues/287 |title=Please remove the requirement for Google Play Integrity |publisher=GitHub (eu-digital-identity-wallet/eudi-app-android-wallet-ui) |date=2025-02-21 |access-date=2026-06-19}}</ref>
<ref name="osnews">{{Cite web |url=https://www.osnews.com/story/142908/the-eus-age-verification-application-requires-a-google-or-apple-account-and-google-approved-android-device-or-iphone/ |title=The EU's age-verification application requires a Google or Apple account and Google-approved Android device or iPhone |publisher=OSNews |date=2025-07-28 |access-date=2026-06-19}}</ref>
<ref name="biometric">{{Cite web |url=https://www.biometricupdate.com/202507/eu-age-verification-app-integrity-checks-wont-depend-on-google-apple-scytales |title=EU Age Verification app integrity checks won't depend on Google, Apple: Scytales |publisher=Biometric Update |date=2025-07-29 |access-date=2026-06-19}}</ref>
<ref name="appattest">{{Cite web |url=https://developer.apple.com/documentation/devicecheck/establishing-your-app-s-integrity |title=Establishing your app's integrity (App Attest) |publisher=Apple Developer Documentation |access-date=2026-06-19}}</ref>
<ref name="uattest">{{Cite web |url=https://uattest.net/ |title=Unified Attestation |publisher=Volla Systeme GmbH |access-date=2026-06-19}}</ref>
<ref name="piunika">{{Cite web |url=https://piunikaweb.com/2026/03/10/grapheneos-calls-on-privacy-focused-app-developers-to-boycott-european-unified-attestation/ |title=GrapheneOS calls on privacy-focused app developers to boycott European Unified Attestation |publisher=PiunikaWeb |date=2026-03-10 |access-date=2026-06-19}}</ref>
<ref name="motorola">{{Cite web |url=https://9to5google.com/2026/03/01/motorola-confirms-grapheneos-partnership-for-a-future-smartphone-porting-features/ |title=Motorola confirms GrapheneOS partnership for a future smartphone |last=Schoon |first=Ben |publisher=9to5Google |date=2026-03-01 |access-date=2026-06-19}}</ref>
</references>

[[Category:Right to repair]]
[[Category:Privacy]]
[[Category:Google]]

Play Integrity API - Revision history

Louis: new topic page on google's play integrity api and device attestation, how it locks de-googled and alternative android out of apps, with the grapheneos position and google's stated rationale