Proposal: Platform Integrity as an alternative to Play Integrity

urely

Goals:

Prove the APK was signed by the official Developer Key.
Prove the OS is GrapheneOS and the Bootloader is Locked.
No Google dependency.

Solution:
The TEE (Trusted Execution Environment) generates a hardware-backed attestation token. This token cryptographically binds the following data, which the developer's server verifies offline:

APK Certificate Digest: The hash of the app's signing certificate (provided by the verified System process)
OS Root-of-Trust Hash: The cryptographic fingerprint of the OS build
Bootloader Status: locked/unlocked
Nonce: A random challenge sent by the server

Verification:
The developer maintains a whitelist of accepted APK Certificate Digests and OS Root-of-Trust Hashes. The server verifies the TEE's signature using the hardware manufacturer's public root certificate to ensure the token is genuine.

urely

Upon further investigation, I found that this already exists (oops):
https://grapheneos.org/articles/attestation-compatibility-guide

Github code:
https://github.com/android/keyattestation

It might be worth rebranding the process to "Platform Integrity API" to make it extra clear to developers that it is a "Play Integrity API" alternative. And not some weird hardware attestation thing that they need to do as a favour.