A growing number of apps are using the Play Integrity API to enforce installation from the Play Store. This is clearly highly illegal anti-competitive behavior. It doesn't impact GrapheneOS users installing apps with the sandboxed Play Store but does impact other install sources.
This is being done alongside Google recommending app developers forbid installing their apps from the Play Store on operating systems not licensing Google Mobile Services. The combination of these features ends up blocking users from easily using the apps without modifying them.
We're going to add a secure way of working around this without breaking the app source security model. We'll be adding support for having the OS automatically verify the Play Store signing metadata and then inform Play services those apps were installed from the Play Store.
It's worth noting Android has a standard hardware attestation API for verifying the hardware, firmware, OS and app. This supports alternate roots of trust and non-stock operating systems if apps choose to support it. Apps could perform stronger checks while allowing GrapheneOS.
Android's hardware attestation API has anti-competition issues due to the official verification libraries hard-wiring the Google roots and encouraging only permitting the stock OS. However, it does fully support any other OS with verified boot and can be used with other root CAs.
Google's Play Integrity API is quite different and only supports verifying devices licensing Google Mobile Devices with the stock OS. It has support for enforcing installing apps from the Play Store. None of this has anything to do with security. It's purely anti-competitive.
Google Play Integrity permits highly insecure devices with years of missing High/Critical severity security patches. They pretend any device licensing Google Mobile Services is secure while running the stock OS and anything else is insecure. This is a lie to lock out competition.
There's no security value to enforcing using devices licensing Google Mobile Services. The vast majority of those devices are highly insecure. Software-based attestation (device integrity) is also highly insecure and easy for attackers to bypass. This is only hurting competition.
Hardware-based attestation can be secure, but the way the Play Integrity API uses it is also highly insecure. It can be bypassed via leaked keys from the most insecure Android devices in the ecosystem. The secure way to use it is pinning, not trusting everything chaining to a root.
Even if apps insist on doing these kinds of integrity checks, they can still permit GrapheneOS. We provide a guide on verifying GrapheneOS via hardware attestation at https://grapheneos.org/articles/attestation-compatibility-guide. They can still fall back to Play Integrity API for insecure devices without this.
GrapheneOS attestation compatibility guide

Guide on using remote attestation in a way that's compatible with GrapheneOS.

GrapheneOS
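
An added example, not part of the thread or of GrapheneOS code: a server-side policy sketch in Python that accepts a non-stock OS by its verified boot key and pins the attested key each account enrolled with, rather than trusting anything that chains to a root. It assumes the certificate chain was already validated and parsed upstream; the field names, the `PinStore` class and the fingerprint are hypothetical placeholders.

```python
import hashlib
from dataclasses import dataclass

# Constructed placeholder, NOT a real fingerprint. A real deployment copies the
# verified boot key fingerprints from the OS project's published list.
ALLOWED_SELF_SIGNED_BOOT_KEYS = {hashlib.sha256(b"placeholder-alt-os-key").hexdigest()}

@dataclass(frozen=True)
class Attestation:
    """Fields assumed already parsed from a chain-validated key attestation."""
    security_level: str       # "Software", "TrustedEnvironment" or "StrongBox"
    verified_boot_state: str  # "Verified", "SelfSigned", "Unverified" or "Failed"
    device_locked: bool
    verified_boot_key: str    # hex SHA-256 of the verified boot public key
    attested_key_sha256: str  # fingerprint of the app's hardware-backed key

def os_is_acceptable(att: Attestation) -> bool:
    # Software-only attestation and unlocked bootloaders prove nothing.
    if att.security_level == "Software" or not att.device_locked:
        return False
    if att.verified_boot_state == "Verified":
        return True  # stock OS signed with the OEM key
    if att.verified_boot_state == "SelfSigned":
        # Alternate OS with verified boot: accept only allowlisted keys.
        return att.verified_boot_key in ALLOWED_SELF_SIGNED_BOOT_KEYS
    return False  # "Unverified" or "Failed"

class PinStore:
    """Trust-on-first-use pinning of the attested key per account."""
    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def check(self, account: str, att: Attestation) -> str:
        if not os_is_acceptable(att):
            return "reject:os"
        pinned = self._pins.get(account)
        if pinned is None:
            self._pins[account] = att.attested_key_sha256
            return "enrolled"
        # A different key later, even with a valid chain, is not the
        # enrolled device: a leaked attestation key cannot reuse the pin.
        if pinned == att.attested_key_sha256:
            return "ok"
        return "reject:pin-mismatch"
```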
Multiple prominent banking apps in Europe have already implemented support for GrapheneOS via hardware attestation. The pace of apps adopting the Play Integrity API is unfortunately currently faster than apps adding support for GrapheneOS. This is due to Google marketing it.
If you run into apps banning using GrapheneOS with Play Integrity, make a Play Store review with no links asking to stop banning a more secure OS. Next, make a customer support request linking https://grapheneos.org/articles/attestation-compatibility-guide. Multiple apps have permitted GrapheneOS due to these efforts.
@GrapheneOS Why should the review have no links?
@Baffling7384 @GrapheneOS The Play Store automatically hides any review with links. I suppose it is a mechanism to deal with spammers.
@Baffling7384 @GrapheneOS probably they get flagged as spam, would be my guess

@Baffling7384 It will get hidden and the developers will never see it. It's unclear if it will even count as a rating.

We're pointing it out so that people don't try to link our guide in a review and end up with their review not helping.

@GrapheneOS The latest addition to this 🙄
@edinburgh_man This is the usual consequence of an app marking their Play Store entry as requiring the device or strong integrity levels from the Play Integrity API.

@GrapheneOS

Is there a list of banking apps which reliably work with GrapheneOS?

(Background: I'm thinking about changing my bank; this might be one criterion)

Banking Applications Compatibility with GrapheneOS

Maintained Compatibility List for International Banking Apps This list includes banking apps that have been tested, submitted, reviewed, and verified as compatible. LIST | SUBMIT | UPDATE | POSSIBLE WORKAROUND SOLUTIONS Introduction Welcome to the crowd-sourced dataset for GrapheneOS users on currently supported devices. New visitors are encouraged to read the official usage guide on banking apps for comprehensive details about how these apps function on GrapheneOS. IMPORTANT Please read GrapheneOS’s important announcement, officially released on Dec 1, 2023:

@GrapheneOS I live in the US and hear a lot of people complain about bank apps not working without Google services. Seems I am very lucky as my bank's app as well as credit card apps all work perfectly fine. At least for now.
@GrapheneOS You might want to send an email to the European Commission. Or talk to Epic Games 😂
@GrapheneOS is this related to the error in the play store on apps like turo which say: "this app won't work for your device"?

@sparklepanic Yes, that's caused by the app marking their Play Store listing as requiring the Play Integrity API with the device or strong integrity level. The app may not actually require it and may work without it if installed from elsewhere. However, the app may check install location and enforce installing it from the Play Store.

If they properly implement the Play Integrity API, their services will check that the app passes it to use the services. Many apps are missing doing this though.

@sparklepanic If they enforce checking it for their services as was always intended from the beginning, there's no workaround. GrapheneOS shows a notification when an app uses the Play Integrity API so it's very obvious when it's the reason an app is blocking using it. Note the app triggers using it locally but their server fetches the result from Google's server itself and verifies the result there. However, some apps only enforce it via the Play Store toggles which don't do that.