Google Play Integrity API and Apple App Attest use hardware attestation to lock users into approved devices and OSes, framed as security but functioning as duopoly enforcement.
Key Takeaways
Play Integrity bans GrapheneOS despite permitting unpatched 10-year-old devices, exposing the security framing as pretextual.
reCAPTCHA Mobile Verification extends this to desktop via a QR scan from a certified smartphone, threatening to gate broad web access on ownership of an iOS or Google-certified Android device.
Apple’s Privacy Pass and Google’s planned web attestation bring the same lock-in to browsers, not just native apps.
EU governments are accelerating adoption by mandating Play Integrity and App Attest for digital payments, ID, and age verification, directly reinforcing the duopoly.
Android’s hardware attestation API technically supports alternate roots of trust; Google simply chooses not to allow GrapheneOS through Play Integrity, making this a policy choice, not a technical limit.
Hacker News Comment Review
Consensus: this is a legislative and social problem, not a technical one. Technical bypasses exist (spoofing frameworks, leaked TEE keys, even hardware fault injection on memory buses) but are increasingly short-lived and unscalable.
Disagreement on TPMs: commenters separated TPM hardware from attestation policy. The hardware itself is not the problem; the issue is third-party gatekeeping over what the TPM will attest to, and who controls acceptable-use policy.
Practical harm is already concrete: commenters report being locked out of reCAPTCHA on desktop Linux for ordinary civic tasks like registering for a bicycle club ride, illustrating that edge-case lock-out is already mainstream.
Notable Comments
@coppsilgold: Attestation packets can link actions to a specific device; without zero-knowledge or blind signatures, each attestation is a durable, linkable record.
@Retr0id: Strong-integrity Play Integrity can be bypassed via DRAM fault injection with a sewing needle, but BGA-mounted memory raises the bar significantly.
@miohtama: EU Digital Identity Wallet (EUDI) mandates Google or Apple hardware attestation, directly contradicting stated EU digital sovereignty goals.
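As an added illustration of the linkability point in @coppsilgold's comment (constructed example code, not from the original page, Google, Apple, or any Privacy Pass implementation), the toy Python below models a conventional device attestation, whose statement carries a stable device identity that two relying parties can join on, beside an RSA blind-signature token in which the attester signs a value it cannot later recognise. The RSA primes, device id and challenges are constructed placeholders, and the unpadded scheme is for illustration only.

```python
import hashlib
import secrets
from math import gcd

# Attester key. Constructed toy parameters: two known Mersenne primes, no padding,
# far too small for real use; only the linkability argument matters here.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def h(data: bytes) -> int:
    # Hash to a 128-bit integer so it sits below N (toy full-domain hash).
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

# Model 1: conventional device attestation. The statement carries a stable
# device identity (standing in for the device-bound key/certificate chain).
def device_attest(device_id: int, challenge: bytes) -> dict:
    msg = device_id.to_bytes(8, "big") + challenge
    return {"device_id": device_id, "challenge": challenge, "sig": pow(h(msg), D, N)}

def verify_device_attestation(a: dict) -> bool:
    return pow(a["sig"], E, N) == h(a["device_id"].to_bytes(8, "big") + a["challenge"])

def attestations_linkable(a: dict, b: dict) -> bool:
    # Two relying parties (or one party over time) can join records on the identity.
    return a["device_id"] == b["device_id"]

# Model 2: blind-signature token. The attester signs a blinded value and never
# sees the token or the final signature, so its log cannot be joined to redemptions.
def client_blind(token: bytes):
    r = secrets.randbelow(N - 2) + 2
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return (h(token) * pow(r, E, N)) % N, r

def issuer_sign_blinded(blinded: int) -> int:
    return pow(blinded, D, N)
def client_unblind(blind_sig: int, r: int) -> int:
    return (blind_sig * pow(r, -1, N)) % N
def relying_party_verify(token: bytes, sig: int) -> bool:
    return pow(sig, E, N) == h(token)

def run_demo() -> dict:
    a = device_attest(0x1234, b"challenge-from-bank")        # constructed device id/challenges
    b = device_attest(0x1234, b"challenge-from-id-wallet")
    token = secrets.token_bytes(32)
    blinded, r = client_blind(token)
    issuer_log = [blinded]                                   # everything the issuer ever saw
    sig = client_unblind(issuer_sign_blinded(blinded), r)
    return {"device_model_linkable": attestations_linkable(a, b),
            "device_attestations_valid": verify_device_attestation(a) and verify_device_attestation(b),
            "token_valid": relying_party_verify(token, sig),
            "blind_model_linkable": h(token) in issuer_log or sig in issuer_log}
```

`run_demo()` returns linkable=True for the device model and linkable=False for the blind token while both validate, which is the property the comment says is missing from today's attestation APIs.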