We’ve implemented a system for notifying users when apps use the Play Integrity API. This will help users determine which apps are banning using a non-stock OS. Some of these will still work if they only enforce basic integrity rather than requiring a Google certified device running the stock OS.

Using Play Integrity is an incredibly anti-privacy and anti-security practice despite being wrongly portrayed as a security feature. The notification will include a link for leaving a rating and review for the app via sandboxed Play Store to make it very convenient for people to send complaints.

App developers can implement support using standard hardware-based attestation and allowlist the GrapheneOS signing keys if they insist on checking device integrity. There’s a guide for this at https://grapheneos.org/articles/attestation-compatibility-guide. There’s no good excuse for only permitting a device/OS licensing GMS.

Most apps using the Play Integrity API are enforcing the device integrity level. This enforces having a device licensing Google Mobile Services with the stock OS. It has no issue with a device behind on patches by a decade. Strong integrity level checks for the same thing via hardware attestation.

We may also add a way to block the Play Integrity API with a per-app toggle if we determine this helps improve compatibility due to some apps still having a fallback to other approaches. Spoofing device integrity level is possible but increasingly problematic and will get worse.