Stewart If it works fine, you can simply hide the notification. It means there's a high chance the app is going to ban using a non-stock OS in the future. If it works fine right now, it likely means they're only enforcing basic integrity rather than Google certification via device/strong integrity.
GrapheneOS version 2025012600 released
Top thanks for the explanations, as usual, well done to the GOS team for this update.
Just installed on my Pixel 8a. All is running fine until now.
GrapheneOS
Dang.... Thank You Guys!
It warms the heart to see your attention to hardened_malloc/libdivide and Sandboxed Google Play.
Just installed this build from alpha-channel on P8 and toggling exploit protection compatibility mode doesn't work in private space for any app.
Berlino Just installed this build from alpha-channel on P8 and toggling exploit protection compatibility mode doesn't work in private space for any app.
Can't reproduce on a 6a. Could you describe what you mean by "not working"? Such as, does "not working" mean that the toggle doesn't toggle, or that something crashes…?
Are there any plans in a future update to display the list of apps using the Play Integrity API in the settings, as in app exploit protection for example?
Berlino okay just tested. On my 8a it seems to work well
phone-company
Let's wait for other P8 owners if it occurs for them or they can reproduce.
WhatsApp uses Play Integrity but works when blocking it.
Does blocking Play Integrity protect privacy in any way? Like does it reveal some private information otherwise?
missing-root No, it doesn't protect privacy in any way. The reason we added a toggle to block it is because some apps send a result to a service and disallow having a non-stock OS but they work fine if it's unavailable such as due to a networking issue and doesn't provide any result. Blocking it resembles what would happen if it couldn't connect to Google's service due to a network issue.
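Added example, not part of the post above and not GrapheneOS or Google code: a sketch of how an app's backend might decide on a decoded Play Integrity verdict, covering the outcomes described in this thread (basic-only enforcement, device/strong enforcement, and no result at all). The function names, policy parameters and sample payloads are assumptions constructed for illustration; only the `deviceRecognitionVerdict` labels come from Google's documentation.

```python
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"

# Labels documented by Google for deviceIntegrity.deviceRecognitionVerdict.
BASIC = "MEETS_BASIC_INTEGRITY"
DEVICE = "MEETS_DEVICE_INTEGRITY"
STRONG = "MEETS_STRONG_INTEGRITY"

# Constructed sample payloads (assumed already decrypted and verified upstream).
BASIC_ONLY = {"deviceIntegrity": {"deviceRecognitionVerdict": [BASIC]}}
CERTIFIED = {"deviceIntegrity": {"deviceRecognitionVerdict": [BASIC, DEVICE, STRONG]}}
EMPTY = {"deviceIntegrity": {}}  # a result arrived, but with no labels

def evaluate(verdict, required, fail_open):
    """Decide on one request.

    verdict   -- decoded payload dict, or None if the client sent no result
    required  -- label the backend insists on (hypothetical policy knob)
    fail_open -- whether a missing result is tolerated (hypothetical policy knob)
    """
    if verdict is None:
        # No result: indistinguishable here from a network failure.
        return Decision.ALLOW if fail_open else Decision.DENY
    device = verdict.get("deviceIntegrity") or {}
    labels = device.get("deviceRecognitionVerdict") or []
    if not isinstance(labels, list):
        return Decision.DENY  # malformed payload never passes
    return Decision.ALLOW if required in labels else Decision.DENY

def outcomes(verdict):
    """Decision under each combination of policy knobs, for comparison."""
    return {(req, fo): evaluate(verdict, req, fo).value
            for req in (BASIC, DEVICE, STRONG) for fo in (True, False)}

if __name__ == "__main__":
    for name, v in [("basic only", BASIC_ONLY), ("certified", CERTIFIED),
                    ("empty", EMPTY), ("no result", None)]:
        print(name, outcomes(v))
```

A backend that sets `fail_open=False` treats a missing result the same as a failed one, so its behaviour does not depend on whether the client could reach the service.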
Berlino It's a regression that's being addressed by the next release. This release wasn't moved to Beta because of it. You can work around by launching Settings from the Private Space. It only happens with Settings launched from Owner for apps in a work profile or Private Space.
I like this one, because unfortunately it keeps bothering me...
disable standard Android feature holding a 10 minute screen wake lock after the screen brightness is raised at least 2 times within 5 minutes since this is confusing for users and it's far better if keep awake is done explicitly
Will this then be configurable?
Beerman You can use an app providing a keep awake tile and we could provide a tile for it bundled with the OS.
Everything seems to be running fine on my Pixel 9 Pro, Pixel 9 Pro Fold and Pixel Tablet.
GrapheneOS No, it doesn't protect privacy in any way.
A possibly related question I have. Does hardware-based strong attestation in general, Google Play Integrity specifically, have a unique persistent ID similar to the MediaDRM ID, that can be used by apps and the associated web service to fingerprint that the app is running on the same device as another app, or that the user is the same user as before, even across different profiles? Is this persistent ID changed after a factory reset, or it necessarily needs to be the same because of relying directly on some kind of factory provisioned or factory generated key pair? If it is persistent, are there any plans to block all attestation as well, based on a per-app toggle, similar to the plans for MediaDRM?
Never mind, I could have answered my own question if I only opened the FAQ page.
From https://grapheneos.org/faq#default-connections:
Initially, attestation signing keys were required to be batch keys provisioned to at least 100k devices to avoid them being used as unique identifiers. Unique attestation signing keys are an optional feature only available to privileged system components. Recent devices have replaced the batch and unique key system with remotely provisioned signing keys. The device obtains encrypted keys from a service to be decrypted by batch or unique keys inside the TEE and optional secure element. The new system improves privacy and security by using separate attestation signing keys for each app instead of needing to balance privacy and security by sharing the same attestation signing keys across a large batch of devices.
So, each app has its own attestation key, and new ones will be provided after a factory reset. So this feature cannot be used for fingerprinting, and is properly decoupled from the factory provided key pairs, which actually didn't even seem to be device unique to begin with either.
Sigh, I installed GrapheneOS literally a few hours before this came out (so I have build number 2025011500) and Revolut isn't working. When I tap on the system update, I get "the system is up to date" notification, do I have to reflash everything manually and restore from backup or will the system update on its own later?