GrapheneOS Accuses Google and Apple of Weaponizing Security to Crush Rivals

GrapheneOS developers accuse Google and Apple of using hardware attestation systems like Play Integrity and App Attest to lock out secure alternative operating systems. Recent reCAPTCHA changes requiring certified phones for web verification amplify the concern, extending control from apps to the broader internet. The project refuses to compromise on privacy even as regulations tighten.
Written by Maya Perez

GrapheneOS developers have issued a sharp rebuke against the two dominant mobile platforms. They argue that Google and Apple cloak control mechanisms in the language of protection. The result squeezes out competition from hardened alternatives like their own project.

The criticism landed this week through a detailed thread on X. It targets hardware attestation systems now spreading from apps into the wider web. Android Authority reported the claims hours after they appeared. GrapheneOS contends these tools do far more than verify safety. They decide which devices and operating systems earn access to banking apps, government portals and ordinary websites.

At the center sits Google’s Play Integrity API. Banks and other services rely on it to confirm a phone runs genuine, uncompromised software. Apple offers a parallel system called App Attest. Both appear reasonable on paper. Yet GrapheneOS points out a glaring inconsistency. The project’s OS receives stronger security hardening and more frequent updates than many certified devices. Still, it fails the checks.

“Google’s Play Integrity API bans using GrapheneOS despite it being far more secure than anything they permit,” the team stated in the May 10 thread. They note that devices left unpatched for years sometimes sail through. The pattern suggests priorities other than actual protection.

Google requires manufacturers to bundle its services and accept strict rules for full certification. That arrangement, GrapheneOS says, functions as a tax on competition. It also blocks alternate roots of trust that the underlying Android hardware attestation specification technically allows. The project could be permitted. It simply isn’t.
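The point in this paragraph, that the relying party's verifier is what decides which attestation roots count, can be shown with a constructed chain check. This is an added example, not GrapheneOS, Google or Android code: it builds a toy three-level hierarchy for a hypothetical alternative-OS vendor and runs the same Go X.509 verification once with only an incumbent root trusted and once with the alternative root added; every name in it is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints an Ed25519 certificate for cn; parent == nil makes it a self-signed root.
// This is a constructed toy PKI, not any vendor's real attestation hierarchy.
func issue(cn string, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign} // CertSign only matters on the CAs
	if parent == nil {
		parent, parentKey = tmpl, priv // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// trusted is the relying party's decision: the presented leaf chains, via the device CA
// it ships with, to one of the roots this service chose to accept. The policy is `roots`.
func trusted(leaf, deviceCA *x509.Certificate, roots ...*x509.Certificate) bool {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	interPool.AddCert(deviceCA)
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool})
	return err == nil
}

// demo checks one alternative-OS chain against an incumbent-only policy, then against a policy that adds the alt root.
func demo() (rejectedUnderIncumbentOnly, acceptedWithAltRoot bool) {
	incumbentRoot, _ := issue("Incumbent attestation root", true, nil, nil)
	altRoot, altRootKey := issue("Alternative OS attestation root", true, nil, nil)
	altCA, altCAKey := issue("Alternative OS device CA", true, altRoot, altRootKey)
	altLeaf, _ := issue("Alternative OS attestation key", false, altCA, altCAKey)
	return !trusted(altLeaf, altCA, incumbentRoot), trusted(altLeaf, altCA, incumbentRoot, altRoot)
}
```

The cryptographic check is identical in both runs; only the set of accepted roots changes, which is the decision the paragraph says currently rests with the platform vendors rather than with each relying party.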

And the reach keeps growing. Google now tests reCAPTCHA changes that demand users scan a QR code with an approved iPhone or certified Android device. The prompt appears when someone tries to prove they are human from a Windows PC, Linux desktop or other non-mobile platform. Digital Trends first highlighted the shift and the GrapheneOS response.

The implication feels stark. Control over reCAPTCHA hands Google leverage over an enormous slice of the internet. “Control over reCAPTCHA puts Google in a position where they can require having either iOS or a certified Android device to use an enormous amount of the web,” the team wrote. They add that Apple already brought similar attestation to the web through Privacy Pass. Google plans to follow.

Services from governments and financial institutions have adopted these verification layers with little public debate. The move effectively outsources trust decisions to two companies. GrapheneOS warns the long-term outcome will lock out hardware and OS competition. Users lose meaningful choice. Developers face pressure to build only for the approved paths.

This isn’t the project’s first stand. In March it declared it would ignore any regulations demanding identity checks or age verification at the OS level. Digital Trends covered that declaration. “GrapheneOS and our services will remain available internationally,” the team said then. “If GrapheneOS devices can’t be sold in a region due to their regulations, so be it.”

The position flows directly from design choices. GrapheneOS ships without Google services by default. It avoids persistent identifiers and centralized accounts. Requiring users to submit government ID or create profiles would shatter that model. The project prefers to shrink its potential market rather than compromise core principles.

Recent regulatory pushes have only sharpened the conflict. Lawmakers in multiple countries eye OS-level age gates to shield children online. Tech giants already possess the account infrastructure to comply. Smaller open-source efforts do not. One analysis tied heavy Meta lobbying to these proposals, suggesting the rules shift liability away from social platforms. GrapheneOS sees the same dynamic at work in attestation requirements.

Critics of the duopoly point to earlier antitrust findings. South Korea and others have ruled against Google’s bundling practices. Yet the verification APIs extend that power into new territory. They reach beyond app stores into the browser itself. A user on a privacy-focused OS might pass basic checks today. Tomorrow those checks could demand hardware signals only the dominant platforms control.

GrapheneOS runs exclusively on Google Pixel hardware for now, though Motorola support is in development. It delivers memory tagging, hardened malloc, strict app sandboxing and rapid security updates. Independent testing often ranks it ahead of stock Android and iOS on exploit resistance. None of that matters to Play Integrity if the software signature doesn’t match Google’s list.

The team stops short of calling for boycotts. Instead it documents the mechanics and urges users to understand the trade-offs. Some continue to run GrapheneOS with sandboxed Google Play services when specific apps demand it. Others avoid those apps entirely. Both paths carry friction that mainstream users rarely encounter.

Neither Google nor Apple has issued a detailed public response to the latest accusations. Their spokespeople have long defended attestation as an essential defense against malware, account takeover and device spoofing. The systems do catch real threats. The question GrapheneOS raises is whether they also serve as convenient gatekeepers.

Tech observers note the timing. Governments grow more aggressive about online safety and digital identity. Corporations see regulatory compliance as both burden and moat. In that environment, a small Canadian nonprofit project becomes an awkward counterexample. It proves strong security need not require constant data flows back to Mountain View or Cupertino.

Its defiance carries risks. Law enforcement in some jurisdictions already flags GrapheneOS devices as tools favored by organized crime precisely because of the encryption and lack of telemetry. Banks may tighten restrictions further. Web services could follow.

Yet the project shows no sign of bending. It continues to release updates that close vulnerabilities faster than Google in some cases. It maintains a forum where users debate trade-offs openly. And it keeps publishing these pointed critiques even as its audience remains a fraction of the mainstream.

The broader contest feels lopsided. Billions of users never question the convenience of app stores, automatic updates and single sign-on. A determined minority seeks alternatives. GrapheneOS gives them one. Whether that option survives the next wave of attestation requirements and regulatory pressure will test how much choice the mobile world actually tolerates.

So far the developers have chosen principle over popularity. They argue the rest of the industry should face harder questions about what its security claims truly protect.
