Google Broke reCAPTCHA for De-Googled Android Users

ai-agents · Source

TLDR

  • Google tied reCAPTCHA’s new QR-code challenge flow to Play Services v25.41.30+, silently locking out GrapheneOS and other de-Googled Android users.

Key Takeaways

  • The new system, branded Google Cloud Fraud Defense and announced at Cloud Next on April 23, replaces image puzzles with a QR scan that requires Play Services running in the background.
  • iOS users on 16.4+ pass the same challenge with no additional installs; the Play Services dependency applies only to Android, which reads as ecosystem control rather than a purely security-driven requirement.
  • The requirement has existed quietly since at least October 2025 (Play Services v25.39.30) but only surfaced publicly through a Reddit degoogle post, leaving the dependency undisclosed for roughly seven months.
  • Every website implementing this reCAPTCHA variant effectively blocks de-Googled Android users, including GrapheneOS users who may already run sandboxed Play Services.

Hacker News Comment Review

  • On the mechanism: the new flow is remote attestation built on a certificate chain rooted in a factory-burned endorsement key (EK) and validated by Google's servers, so it is structurally impossible to pass without Google-controlled hardware attestation; this is not merely a policy choice.
  • Commenters pushed back on the article’s framing: many de-Googled users run sandboxed Play Services or microG, which still phones home, so the privacy narrative is more nuanced than a clean opt-out story.
  • The scope concern extends well beyond privacy enthusiasts: Huawei, Xiaomi China-variant, and Amazon tablet users collectively represent over a billion devices without Play Services, a significant web-accessibility problem for site operators.
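The attestation flow the comment review describes, as an added example that is not code from the original page, from Google or from reCAPTCHA: a Go model of a server that pins a vendor attestation root, checks that the device's attestation-key certificate chains through a factory-issued EK certificate to that root, and then checks that the attestation key signed the server's nonce. The certificate layout and names (vendor-attestation-root, device-ek, attestation-key, the sample nonces) are assumptions for illustration; Android Key Attestation's real certificate format and extensions are not modeled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed layout, not Android Key Attestation's real format: a vendor root stands
// in for Google's attestation root, a per-device "EK" cert is the factory-burned
// link, and a short-lived attestation key is minted under it per challenge.
type keyCert struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

var serial int64 // monotonic serial so generated certs never collide

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a fresh P-256 key and a cert for it; issuer == nil means self-signed.
func issue(cn string, issuer *keyCert, isCA bool) *keyCert {
	serial++
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // Go's verifier requires this on parents
	}
	parent, signer := tmpl, key
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &keyCert{key: key, cert: cert}
}

// answer is the device side: mint an attestation key under the device EK and
// sign SHA-256(nonce) with it. Returns leaf cert, EK cert and signature.
func answer(ek *keyCert, nonce []byte) (*x509.Certificate, *x509.Certificate, []byte) {
	ak := issue("attestation-key", ek, false)
	h := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, ak.key, h[:])
	must(err)
	return ak.cert, ek.cert, sig
}

// Verify is the server side: the leaf must chain through the EK cert to the
// pinned vendor root, and the leaf key must have signed this exact nonce.
func Verify(pinnedRoot, leaf, ek *x509.Certificate, nonce, sig []byte) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(pinnedRoot)
	inters.AddCert(ek)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain does not reach pinned root: %w", err)
	}
	// CheckSignature hashes nonce with SHA-256 and verifies the ASN.1 ECDSA signature.
	if err := leaf.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return fmt.Errorf("signature does not cover this nonce: %w", err)
	}
	return nil
}

// Scenario checks three cases against the pinned vendor root: a vendor-provisioned
// phone, a device whose chain ends at a root it made itself (all it can do without
// a vendor-issued EK), and a replay of the genuine answer against a fresh nonce.
func Scenario() (vendorOK, selfMadeOK, replayOK bool) {
	vendorRoot := issue("vendor-attestation-root", nil, true)
	phoneEK := issue("device-ek", vendorRoot, true)
	ownRoot := issue("self-made-root", nil, true)
	degoogledEK := issue("device-ek", ownRoot, true)
	nonce := []byte("server-nonce-1") // constructed sample challenge
	leaf, ek, sig := answer(phoneEK, nonce)
	vendorOK = Verify(vendorRoot.cert, leaf, ek, nonce, sig) == nil
	leaf2, ek2, sig2 := answer(degoogledEK, nonce)
	selfMadeOK = Verify(vendorRoot.cert, leaf2, ek2, nonce, sig2) == nil
	replayOK = Verify(vendorRoot.cert, leaf, ek, []byte("server-nonce-2"), sig) == nil
	return
}
```

The second case is the one that matters for this story: the de-Googled device produces an internally consistent chain and a valid signature, and it still fails, because the only thing the server trusts is the root it pins. That is the sense in which the comment review calls the lockout structural rather than a policy choice; the policy choice sits one level up, in which roots the verifier pins, which is also where the Private Access Tokens comparison below comes in.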

Notable Comments

  • @cornholio: frames this as deliberate ladder-kicking to block competitor AI agents while keeping Google’s own bots unimpeded, with inter-platform CAPTCHA bargaining as the endgame.
  • @amluto: argues the tie-in is an antitrust violation, Google leveraging reCAPTCHA market power to disadvantage devices not running Play Services.
  • @thecatapps: notes Google could have adopted Private Access Tokens to achieve similar goals with far less exposure, making the Play Services choice look deliberate rather than accidental.
