Play Integrity API

lalkek

Hey!

I just need someone to complain to about the Play integrity API topic.

My banking apps - all work great
BMW app - works great (even unlock/lock it)
Work apps (M365) - work great

Everything is working. They are accessing the Play Integrity API but still function normally.

Now, out of all of them, two apps I use, don't work.
EWE Go (ev charging provider) - can login, cannot start the charging
Lieferando (german version of Doordash/Uber Eats/so on) - can't even login

Apparently EV charging and food delivery are high security applications, above banking regulations.

Andromxda

The Play Integrity API has multiple levels of attestation. GrapheneOS passes the MEETS_BASIC_INTEGRITY level, but can't pass MEETS_STRONG_INTEGRITY because that requires the OS to be whitelisted by Google. If an app only checks for the basic Play Integrity level, it will work just fine on GrapheneOS.

lalkek

Andromxda So apparently it is very important for my food delivery to have a device with "strong" integrity :(

starglider

lalkek Maybe not a solution depending on the app, but in a lot of cases there's a webapp that works perfectly fine. If I had to guess, they're using Play Integrity to prevent drivers from using OSes that allow for GPS spoofing. Typically it's the same app for customers and workers, and the companies just don't care enough to separate the two.

Generally, if there's a web option, that's going to be the most private and secure option anyway. I really try to limit the number of app installs (same as on a desktop) to what I most critically need and use web/pwa for everything I possibly can.

rjo12

lalkek The usage of the Play Integrity API is a decision for the App developer. Problem is, not all App developers understand (in some cases, don't care about) implications of their choice for GOS users.

One of the implications that not all developers know (or, even care about, if they do know) is that passing "strong" integrity isn't purely about security - it is also about supporting Google's competitive position.

You can try contacting the App developer to encourage using alternative means of checking device security. But not all app developers are interested in accepting the cost/effort of doing so.

I've personally lodged a formal statement to the Australian Government department responsible for the MyGov app with a similar concern. I'm hopeful there will be appropriate and considered followup, but not holding my breath. The process of lodging such a statement was moderately complicated, since the relevant means of contact listed in the Play Store for that App are non-functional.