GrapheneOS is threatening legal action against Google, claiming that “Play Integrity API is based on lies,” and saying Google’s behavior “is highly anti-competitive.”
GrapheneOS is an open source, security hardened version of Android that offers a level of security that stock standard Android—or even iOS—can’t match. GrapheneOS is the OS of choice for Edward Snowden, as well as journalists, activists, and yours truly.
Despite GrapheneOS offering superior privacy and security as the standard Android, Google is taking steps to keep it and other third-party Android ROMs second-class citizens within the Android ecosystem. In particular, Google is restricting access to Play Integrity API, the security feature that verifies that apps have not been maliciously tampered with. Unfortunately, some apps won’t work without Play Integrity API, including some banking and multi-factor authentication apps.
In a long Mastodon thread, the GrapheneOS devs say Google is unfairly banning the OS from using Play Integrity API, despite GrapheneOS being far more secure than Android vendors that do have access to the API.
Play Integrity API is claimed to be based on devices complying with the Compatibility Test Suite and Compatibility Definition Document. We have irrefutable proof that the majority of certified Android devices do not comply with the CTS/CDD. Play Integrity API is based on lies.
Essentially every non-Pixel device has important CTS failures not caused by CTS bugs. OEMs are cheating to obtain certification. Google claims GrapheneOS can’t be permitted because we don’t have a certification where they freely allow cheating and don’t ban non-compliant devices.
Since Play Integrity doesn’t even have a minimum security patch level, it permits a device with multiple years of missing patches. Hardware attestation was required on all devices launched with Android 8 or later, but they don’t enforce it to permit non-compliant devices.
The devs then make the point that Google allows partners using the stock Android to use Play Integrity API, despite missing years of security patches. Meanwhile, GrapheneOS remains banned using the API.
The reality is that the Play Integrity API permits devices from companies partnered with Google with privileged Google Play integration when they’re running the stock OS. It’s easy to bypass, but they’ll make changes to block it being done at scale long term such as if we did it.
It does not matter if these devices have years of missing security patches. It doesn’t matter if the companies skipped or improperly implemented mandatory security features despite that being required by CDD compliance. Failing even very important CTS tests doesn’t matter either.
GrapheneOS devs says Google can either allow them access to Play Integrity API or face a lawsuit.
Google can either permit GrapheneOS in the Play Integrity API in the near future via the approach documented at https://grapheneos.org/articles/attestation-compatibility-guide or we’ll be taking legal action against them and their partners. We’ve started the process of talking to regulators and they’re interested.
Given Google’s recent loss in court, with the company being designated an illegal monopoly, it’s likely not an idle threat that regulators are interested in complaints from the GrapheneOS devs.
Either way, hopefully Google will provide—or be forced to provide—GrapheneOS and other third-party Android ROMs access to Play Integrity API. Doing so will ensure a more robust Android ecosystem and give people true options when it comes to the choice of their mobile OS.