My impression is that they are against remote attestation in apps/websites in general and if apps really want to do it, they should do it using the attestation API that AOSP already provides. The attestation API in AOSP allows companies to trust signing key fingerprints (such as those of GrapheneOS), which means that the attestation system is not controlled by a single company (Google).

The most damning part about Google Play Integrity is that, as the thread states, that Google lets devices pass that are full of known security holes, whereas they do not allow what is very likely to be the most secure mobile OS. This shows that they only use it as a method to shut out competitors and to control Android device manufacturers to pre-install Google software like Chrome (otherwise their devices do not get certified and won't pass Play Integrity).

IANAL, but anti-competition lawyers/bodies should have a field day with this, but nobody seems to care. Worse, the EU, despite their talk of sovereignty adds Play Integrity-based to their own age verification reference app.

I recommend every EU citizen, also if you do not use GrapheneOS, to file a DMA complaint about this anti-competitive behavior:

https://digital-markets-act.ec.europa.eu/contact-us-eu-citiz...

Also, every time this comes up, @ the relevant EU bodies, commissioners and your government's representative on Mastodon, etc.

> Am I understanding correctly that [...]

What I took away from the thread is that they're against services forcing attestation in general, and also pointing out that Play Integrity isn't about security, but rather about control, because Google could trivially make it work with GrapheneOS (which is more secure than any other Android OS on the market) but they won't.

It's impossible to say. But as a reminder from Cory's first talk on enshittification... When Google and Facebook were small, they would argue for open protocols and competition. Facebook would reverse engineer MySpace's protocols to allow people to migrate away. Once FAANG became dominant, they went the opposite direction to built monopolistic practices.

GrapheneOS is still small and appears honest. Despite them being in the right in this fight and them deserving our support... We gotta keep them honest in the long run!

I don't think there's any way to tell if a small company will keep their values if they succeed in getting enough market share.

It's a different thing if banking/government apps require a device certified for security, and a different thing if this certification certifies that the user's device has Google spyware preinstalled with elevated privileges..

Google doesn't certify devices basing on security, so that kind of attestation should have no place in banking/government apps, otherwise it just enforces the duopoly

There's a thread awhile back where there were VERY angry at someone trying to setup their own attestation project database (essentially a list of known Android builds and their signatures).

They want apps to add their signing hashes manually just for them and don't want to join projects that would aggregate and act as a database or certificate authority.