We’ve implemented a system for notifying users when apps use the Play Integrity API. This will help users determine which apps are banning using a non-stock OS. Some of these will still work if they only enforce basic integrity rather than requiring a Google certified device running the stock OS.
Using Play Integrity is an incredibly anti-privacy and anti-security practice despite being wrongly portrayed as a security feature. The notification will include a link for leaving a rating and review for the app via sandboxed Play Store to make it very convenient for people to send complaints.
App developers can implement support using standard hardware-based attestation and allowlist the GrapheneOS signing keys if they insist on checking device integrity. There’s a guide for this at https://grapheneos.org/articles/attestation-compatibility-guide. There’s no good excuse for only permitting a device/OS licensing GMS.
Most apps using the Play Integrity API are enforcing the device integrity level. This enforces having a device licensing Google Mobile Services with the stock OS. It has no issue with a device behind on patches by a decade. Strong integrity level checks for the same thing via hardware attestation.
We may also add a way to block the Play Integrity API with a per-app toggle if we determine this helps improve compatibility due to some apps still having a fallback to other approaches. Spoofing device integrity level is possible but increasingly problematic and will get worse.
I’m glad they’re trying to fight it, because if banks apps enforce “play integrity” I’m guessing that’ll be a nail in the coffin for Graphene.
With the reviews however I don’t think we’ll be able to make much of an impact. Revolut already has 1 star from me, can’t give it any fewer I’m afraid.
And I think so few people use Graphene that the banks can just ignore us.
Let’s hold out hope that the banks or those who they get their libraries from will move towards officially supporting GOS or stopping with Play Integrity
I’ve been using GrapheneOS for a few years now and simply log into my bank via my web browser. Sure I can’t depoit checks remotely but I don’t understand why this is such a deal breaker for people
I don‘t know where you are from, but the EU requires banks to use 2FA for login even via a browser. This is commonly implemented via a banking app, where you grant permissions for login/payments. So it is a huge dealbraker when those apps are not working on GrapheneOs
And before anyone goes blaming the EU as it‘s fashionable right now: mandatory 2FA for banks is a good idea, this is entirely Googles and the banks fault.
Is the 2FA a ToTP? Here in the US it seems like most banks use SMS 2FA which is terrible. You say you can still use the 2FA on the web browser so that doesn’t make sense to me why it’s a deal breaker.
The second factor is the app on your phone. It‘s not Totp. When you log in somewhere or make a transaction it will send a notification to the app asking you to confirm.
When you open the bank account you get a letter with a code to register in the app, which authorizes it to receive the notification.
Gotcha. That’s unfortunate
It’s a big deal breaker when your bank is online only. Mobile deposit is the only way I can make a deposit.
Move banks, leave feedback why you left.
My bank removes features from the website and only makes them available through the app.
My plan if something like that happens to me is to get a normie Android with a removable battery (like the Samsung xcover pro) and only ever power it on if I need to use those apps. Granted, not everyone wears pants with 6 pockets.