This thread is to continue the discussion going on at Spoof CTS Profile checks in Play Integrity API checks to pass with MEETS_DEVICE_INTEGRITY #1986.
The issue has been closed but is still a point of discussion. To clear everyone's issue notifications on the issue tracker, I'm proposing moving the discussion here.
While I don't speak for the GrapheneOS team directly, GrapheneOS generally doesn't accept bounties as what is delivered can differ from what people expect, and that can cause friction. GrapheneOS accepts donations, but they do not come with "strings attached".
I would assume that this goes doubly for this specific feature because even if this is added, it is added with the explicit understanding that it can stop working at any time. The moment an app decides to use strong hardware-based attestation instead of weak, spoofable software attestation, any such feature or workaround will immediately stop working without a clear way to ever make it work again.
As such, one can imagine a scenario in which this feature is developed, and stops working shortly after that. You've now "paid" for a feature that doesn't work, and the team has no recourse.
It is much simpler for the team to work on what makes sense to work on at the time and for people to support that work, rather than being sidetracked with bounties (in my opinion).
With all of that said, though, your offer is still generous, and I'm glad to see people willing to fund GrapheneOS feature development, even if this specific way of doing so is one which I think doesn't make a lot of sense.
(matchboxbananasynergy commented on Nov 4, 2023)
So what's the long-term solution here? It seems that the Uber Driver app, ChatGPT, Starbucks, American Airlines, Marriott, and a growing number of apps are using Play Integrity API and MEETS_DEVICE_INTEGRITY is the culprit? Are we going to be in a situation in 6-12 months time where that list of apps has grown even more?
The long-term solution is those apps not using Play Integrity API, or whitelisting GrapheneOS via hardware attestation, for which we provide a guide for app developers: https://grapheneos.org/articles/attestation-compatibility-guide
Alternatively, it could be ruled illegal, and apps could stop doing it based on that.
Beyond that, there's nothing we can do.
(matchboxbananasynergy commented on Apr 1)
There's one thing that's important to note here. None of these apps are blacklisting GrapheneOS. They're blacklisting everything that's not a Google-certified OS.
This is important as it wouldn't make any sense to try to convince anyone if they'd already made the decision to specifically blacklist GrapheneOS. We're just essentially being ruled out along with every other non-certified OS based on these checks, not because we're lacking something these apps expect.
(matchboxbananasynergy commented on Apr 1)
Please, do continue the discussion.