  • Play Integrity API and Future of GrapheneOS

I've been reading this, https://grapheneos.org/articles/attestation-compatibility-guide, and not being a tech person I can't say I'm fully understanding what's being discussed; the article seems to be aimed at people with a more advanced understanding than a regular person like me. But what I gleaned from it is that Google (?) will soon be implementing this Play Integrity API thingy that app developers can choose to work with, and unless the app developer takes additional steps to ensure his app works with GrapheneOS, it won't work with GrapheneOS.

Am I understanding this correctly?

If I am: How likely is it that soon we users of GrapheneOS will find ourselves in a situation in which a very large proportion of those many apps that are available only on the Google Play Store will no longer work with GrapheneOS? Or is this not the likely way this will play out?

    dln949 The vast majority of apps check only whether the phone meets basic integrity in the Play Integrity API, if at all, which GrapheneOS passes. Therefore, the vast majority of apps work fine on GrapheneOS.

    There are, however, a small number of apps or services that require the phone to meet device integrity of the Play Integrity API, which GrapheneOS fails.

    The target audience of this article is app developers who want to do verification, with instructions on how they can use Android's hardware attestation API, instead of the Play Integrity API. GrapheneOS passes the hardware attestation API, which provides a stronger form of attestation than the Play Integrity API.

    So, if you encounter any apps that do not work on GrapheneOS for this reason, you can send the app developers this article, and ask them to use the hardware attestation API from Android instead.
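An added example, not part of the thread and not GrapheneOS or Google code: a server-side admission policy that accepts a device on either its Play Integrity device verdict or a hardware attestation result whose verified boot key is allowlisted. It assumes the Play Integrity token and the attestation certificate chain were already verified and parsed elsewhere; the function names, the `chain_verified` flag and the fingerprint value are hypothetical placeholders.

```python
import hmac

# PLACEHOLDER allowlist: hex SHA-256 fingerprints of verified boot keys for
# alternate OS builds the service trusts. Real values must come from the OS
# vendor's published list; this one is constructed for the example.
ALLOWED_BOOT_KEY_FINGERPRINTS = {"aa" * 32}


def play_integrity_ok(device_verdicts):
    """True if the (already verified) verdict list includes device integrity."""
    return "MEETS_DEVICE_INTEGRITY" in device_verdicts


def hardware_attestation_ok(root_of_trust, chain_verified):
    """Evaluate the RootOfTrust fields of an already parsed key attestation.

    chain_verified (assumption): the caller validated the certificate chain
    to a trusted hardware attestation root and checked the challenge.
    """
    if not chain_verified or root_of_trust.get("deviceLocked") is not True:
        return False  # unlocked bootloader or unverifiable chain
    state = root_of_trust.get("verifiedBootState")
    if state == "Verified":
        return True  # stock OS signed with the manufacturer's key
    if state == "SelfSigned":
        # Alternate OS booted with a user-installed key: accept only
        # fingerprints that are explicitly allowlisted.
        fp = str(root_of_trust.get("verifiedBootKey", "")).lower()
        return any(hmac.compare_digest(fp, allowed)
                   for allowed in ALLOWED_BOOT_KEY_FINGERPRINTS)
    return False  # "Unverified" or "Failed"


def admit(device_verdicts, root_of_trust=None, chain_verified=False):
    """Return the path that admitted the device, or None if it is rejected."""
    if play_integrity_ok(device_verdicts):
        return "play-integrity"
    if root_of_trust is not None and hardware_attestation_ok(
            root_of_trust, chain_verified):
        return "hardware-attestation"
    return None


# Constructed sample: a device that only meets basic integrity, as the post
# describes for GrapheneOS, with a locked bootloader and an allowlisted key.
SAMPLE_ROT = {"deviceLocked": True, "verifiedBootState": "SelfSigned",
              "verifiedBootKey": "AA" * 32}
```

A service that checks only `MEETS_DEVICE_INTEGRITY` rejects the constructed sample; adding the hardware attestation path admits it without loosening the check for unlocked or unknown-key devices.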

      treequell Thanks much treequell.

      I'm wondering what the thinking is regarding the future: Over the next few years need we be concerned that a very large number of app developers will go down the path of simply relying on the Play Integrity API, and therefore there'll be a growing and large number of app developers people will need to be contacting? Or.... perhaps this is well known already in the app developer world, so there won't be the problem of lots of app developers failing to consider their apps working with GrapheneOS?

        • [deleted]

        • Edited

        dln949 For me personally, I focus on the here and now. Worrying about the future is beyond our control.

        dln949 Keep in mind that Play Integrity API is essentially the evolution of, and replacement for SafetyNet. Apps have had the ability to block out non-Stock OSes for years, this isn't really something new.

        Only a minority of apps will realistically use this to block non-Stock OSes, as they did with SafetyNet. I don't think much will change in the quantity of apps opting for this.

        Exodus7675

        Lol I don't think they (Google wallet developers) would even dare to move away from Play Integrity API.

        I dream of a solution to install banking applications without having the Sandbox play services. They managed to make gcam work without having Google services but not the banks ... I'm sure there is a way to create a Sandbox thing like the play services but just to make the banks work.

          Sindaquil Many banking apps do not depend on Google Play Services. For those that do, you can use sandboxed Google Play Services on GrapheneOS. Google Play Services works within the normal app sandbox, like any other app on GrapheneOS.

          9 months later

          Fsck, Niantic is placing their Ingress Prime game behind GPI STRONG_INTEGRITY starting 5/27. I'm thinking this decision is the writing on the wall for all the rest of their properties, including the rather popular Pokémon Go franchise. I've already sent their support contact a plea to support the hardware attestation API and allowlist GOS' verified boot keys. I really don't want to have to relegate my current phone to "burner" status and revert to the stock image just to be able to enjoy these games.

          https://niantic.helpshift.com/hc/en/3-ingress/faq/4495-ingress-is-not-supported-on-this-device-configuration-error-android-only/

            My Arculus wallet is throwing an integrity check error after an update from April 8 2024

            Is this the issue being discussed re: integrity api?
            What can be done?

              adamc1999 If the app is using Play integrity API, they need to either add support for whitelisting GrapheneOS (for which we provide a guide), or stop using these checks.

              • [deleted]

              To add my two cents, GrapheneOS has a great future without using Google Play Services. No one is forced to use them and in fact not using them gives one a much higher level of privacy than if you did. Not talking here about security, that comes with the OS and its setup in both cases.

                [deleted] Is it really a higher level of privacy?

                What if you turn off all your data collection preferences in your Google account, or never sign in?

                Some may not trust this to be honored, but if it wasn't, then Google would be called out on it once people still were seeing personalized ads after turning off Web and App Activity and using Google apps and search. They haven't been, out of millions of users...

                I've confirmed that turning on the toggle "Reroute location requests to the OS" prevents your device giving location to Location History, completely! It's an opt-in thing in GrapheneOS.

                One can do many things to make use of Google (Sandboxed) Play privacy respecting, yet I keep seeing assumptions and speculation like this, and I've tested as thoroughly as I can to try and disprove these speculative remarks. Nothing I have ever seen points to Google not respecting its privacy controls, and why should they be special and untrusted when other companies are trusted?

                Sandboxed Google Play is an excellent feature! I don't think we should be discouraging others from using it! Especially when there are no hard facts presented for why, only one's feelings on the matter and one's speculation.

                  • [deleted]

                  Tryptamine I mention the overall picture not the granularity of whichever toggle. You are welcome to believe in whatever it is that you believe in and use whatever it is that you use to make you happy and satisfied. I will not get nerdy here like you.

                    • [deleted]

                    Just to add to my previous comment, I should have said great future with or without Google Play Services and I was in no way hinting against its use.

                      [deleted]
                      Then please don't spread your speculation around without some evidence. It's irresponsible and could easily make things more difficult for new users who don't share the same level of paranoia.

                      For example, the new users who dive head first into believing that they need to use separate profiles for everything just because others do so and portray that as the only secure solution in relation to apps that run with Google Play. The main advice given to these people is to not bother at first!

                      Your comments as an experienced user can have them ignoring a powerful feature in GrapheneOS. That may be right for you, but not for others. Believe what you want, but here is a place of facts, not beliefs.

                      [deleted] can't edit my last comment, just saw this.

                      Yeah, that's a lot better! Thank you.

                        • [deleted]

                        • Edited

                        Tryptamine Okay. I just have to reiterate like you said for those newcomers, that with its use you are basically bringing another trust party into play and in fact not very privacy respecting despite all the available toggles (and let's not start pulling out all those online articles mentioning user data misuse, which predominantly happen on stock devices) and Google Play Store opens a door to a whole world of potentially harmful apps (and that is not to say that all FOSS apps are harmless). You just have to do your research and learn how to restrict the environment and conditions those apps operate in to achieve desired functionality if possible without giving up too much privacy and convenience. It is an evolving battle and using Google Play Services on GrapheneOS will undoubtedly create app compatibility problems in the future.

                          [deleted] It is an evolving battle and using Google Play Services on GrapheneOS will undoubtedly create app compatibility problems in the future.

                          Not at all clear what you mean here, and the conversation seems to be drifting away from what the thread's topic is about.

                          I'd appreciate if you could please stick to what the thread is about instead of trying to push your opinions on different topics on all threads. This goes for everyone, not just @[deleted].