Google Play Integrity API and Apple App Attest use hardware attestation to lock services to approved devices, blocking competitor OSes like GrapheneOS under a false security pretext.
Key Takeaways
Play Integrity API bans GrapheneOS despite permitting unpatched devices 10 years old; the security rationale is contradicted by Google’s own certification standards.
Google’s reCAPTCHA Mobile Verification extends hardware attestation to desktop web by requiring a QR scan from a certified smartphone, potentially locking out non-iOS/Android users from huge swaths of the web.
Apple’s Privacy Pass brought attestation to the web first; Google’s cancelled Web Environment Integrity is now resurging via reCAPTCHA Mobile Verification.
EU governments are mandating Play Integrity and App Attest for digital payments, ID, and age verification, entrenching the duopoly through regulation rather than limiting it.
GrapheneOS notes Android’s base AOSP attestation API does support alternate roots of trust, meaning Google could permit GrapheneOS in Play Integrity if security were the real goal.
Hacker News Comment Review
Strong consensus that the EU is actively worsening the problem: EUDI Wallet requires Google or Apple hardware attestation, directly contradicting digital sovereignty goals, with EU contacts giving dismissive non-technical responses to concerns.
Commenters debate whether technical workarounds remain viable long-term; the spoofing bypass window is shrinking, leaked TEE/SE keys are increasingly short-lived, and dual-booting Android is floated as a stopgap.
The reCAPTCHA angle draws the sharpest practical concern: even non-mobile desktop Linux and OpenBSD users are already being blocked by reCAPTCHA loops, making this an immediate usability problem, not a future risk.
Notable Comments
@miohtama: EUDI Wallet spec explicitly requires Google or Apple hardware attestation, tying EU digital identity infrastructure to US duopoly.
@mattmaroon: “ReCaptcha should be spun off into a not-for-profit” – frames reCAPTCHA’s web gatekeeping role as a structural governance failure.
@CharlesW: Clarifies GrapheneOS objects not to attestation itself but to Google refusing to accept GrapheneOS’s valid attestation because it lacks GMS licensing.
