Google Broke reCAPTCHA for De-Googled Android Users
Google quietly tied its next-gen reCAPTCHA to Play Services v25.41.30+, locking out GrapheneOS and custom-ROM users who hit a challenge—while iOS users pass with no extra software required.
What Matters
- The new QR-code challenge flow requires Play Services to be running in the background and communicating with Google servers; de-Googled Android devices fail it by default.
- Google announced this as Google Cloud Fraud Defense at Cloud Next on April 23, framing it as an AI-agent trust platform.
- The Play Services dependency had been silently present since at least October 2025 (Internet Archive snapshot at v25.39.30), seven months before public notice.
- iOS 16.4+ completes the same verification without installing anything; the Android-only lockout signals that ecosystem control is being put ahead of security.
- Web developers implementing this reCAPTCHA are effectively blocking privacy-conscious Android users from their sites.
- [HN: @coppsilgold] The mechanism is remote attestation: burned-in EK → Google-signed AIK in secure enclave → attestation, making device identity technically linkable with Google server collusion.
- [HN: @cornholio] Framed as a competitive move: lock competitor AI agents out of Play-Services-gated properties while your own agents retain access.