
Hardware Attestation: Big Tech’s Silent Monopoly Tool

GrapheneOS is objectively more secure than stock Android. It has hardened memory allocation, enhanced exploit protection, and stricter sandboxing. Security researchers use it. Privacy advocates recommend it. Yet walk into any bank with GrapheneOS on your phone, and their app will lock you out. The reason? It fails Google’s hardware attestation check — not because it’s insecure, but because Google didn’t certify it. This is the tell: hardware attestation isn’t about security. It’s about control. And it’s becoming the most powerful monopoly tool in Big Tech’s arsenal.

The Certification Scam: When More Secure Means Blocked

To understand why Google would block its most secure users, you need to understand what device attestation actually checks. When an app uses Google’s Play Integrity API, it gets two pieces of information: basicIntegrity and ctsProfileMatch. The first checks if your device is actually secure — no malware, no compromised bootloader. GrapheneOS passes this with flying colors because it is secure. The second checks if Google certified your operating system. GrapheneOS fails this because Google didn’t certify it.

Banking apps reject GrapheneOS based on the certification check, not the security check. They’re not asking “is this device secure?” They’re asking “did Google approve this?” The distinction matters. A lot.

GrapheneOS’s attestation guide lays out the technical details, but the practical impact is brutal. Banking apps are the “single largest compatibility headache” for GrapheneOS users. Apps that worked last month suddenly fail after updates. The community maintains a compatibility list just to track which banks haven’t blocked them yet. Security-conscious users are being punished for making secure choices.

Hardware-Level Lock-in: Why This Time Is Different

This isn’t just another monopoly tactic — it’s enforcement at the hardware level. Hardware attestation works by burning cryptographic keys into your device’s silicon. Your phone generates a proof that it’s running “approved” software and sends it to a server. If the proof fails, you’re locked out. No workaround. No appeals process. Just a denial.

Google and Apple control roughly 90% of smartphones in the EU. Between them, they decide what software is “approved.” Microsoft’s Pluton chip is spreading the same model to PCs — chip-to-cloud control baked into your CPU. When the EU builds its Digital Identity Wallet on this infrastructure, it creates a dependency on US corporations. As one Hacker News commenter put it: “With a single flip of the switch, the president of the USA can shut down our EU Digital Identity Wallet.”

That’s not hyperbole. It’s the structural reality of centralized attestation.

Beyond Banking: The Expanding Lockout

The scope extends far beyond banking apps. Cyclists can’t register for club rides because reCAPTCHA creates infinite verification loops. Event signups require Facebook logins, which require attestation. Streaming services block rooted devices. The gatekeeping is spreading.

Google tried to take it further. In 2023, they proposed Web Environment Integrity — essentially DRM for the entire web. Websites would verify your browser was “authentic” before serving content. Alternative browsers would be blocked. Mozilla called it “harmful to the openness of the Web ecosystem.” Vivaldi called it “simply dangerous.” The backlash forced Google to abandon it by November 2023.

But they didn’t give up. They just moved it to Android WebViews. And now there’s an IETF draft proposing hardware attestation for email. The pattern is clear: mobile apps → web browsers → email → everything. Each retreat is tactical. The strategy remains unchanged.

The Anti-Competitive Cartel

And it’s getting worse. Big Tech isn’t just pushing attestation individually — they’re coordinating. The GrapheneOS Foundation warned that “Unified Attestation” represents “an anti-competitive cartel turning a decentralized decision into a centralized one.” Instead of neutral third parties certifying device security, companies are forming a coalition to rubber-stamp each other’s products “regardless of the level of insecurity.”

Android’s hardware attestation API could support alternate operating systems. It has the technical capability to whitelist alternate OS signing keys. But apps don’t use it because Google’s Play Integrity API is easier and doesn’t require whitelisting competitors. The capability exists. The incentive to use it doesn’t.
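The difference between the two checks described above (a "did Google certify it?" test versus a "is the boot chain locked and signed by a known key?" test) can be made concrete on the RootOfTrust structure that Android's hardware key attestation embeds in its certificate extension. This is an added example, not code from the article, GrapheneOS or Google: the DER bytes, the two key hashes and the "certification policy" are constructed here to model the behaviour the article describes.

```python
import hashlib

# Minimal DER TLV reader, enough for RootOfTrust (short-form lengths only).
def der_read(buf, pos=0):
    tag, length = buf[pos], buf[pos + 1]
    assert length < 0x80, "long-form DER lengths not needed for this structure"
    start = pos + 2
    return tag, buf[start:start + length], start + length

# RootOfTrust ::= SEQUENCE { verifiedBootKey OCTET STRING, deviceLocked BOOLEAN,
#                            verifiedBootState ENUMERATED, verifiedBootHash OCTET STRING }
def parse_root_of_trust(der):
    tag, body, _ = der_read(der)
    assert tag == 0x30, "RootOfTrust must be a SEQUENCE"
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = der_read(body, pos)
        fields.append(v)
    key, locked, state, boot_hash = fields
    return {"verifiedBootKey": key, "deviceLocked": locked != b"\x00",
            "verifiedBootState": state[0], "verifiedBootHash": boot_hash}

VERIFIED, SELF_SIGNED = 0, 1  # VerifiedBootState enumerators from the Keymaster schema

# Constructed placeholder hashes; a real verifier pins the SHA-256 of the AVB
# public keys actually published by each OS project.
OEM_KEY = hashlib.sha256(b"placeholder-oem-avb-key").digest()
ALT_OS_KEY = hashlib.sha256(b"placeholder-alternate-os-avb-key").digest()

def certification_policy(rot):
    """Model of a 'Google-certified only' check: only the OEM key and state pass."""
    return (rot["deviceLocked"] and rot["verifiedBootState"] == VERIFIED
            and rot["verifiedBootKey"] == OEM_KEY)

def security_policy(rot, allowed_keys=(OEM_KEY, ALT_OS_KEY)):
    """Security check: locked bootloader, verified chain, key on an allowlist."""
    return (rot["deviceLocked"]
            and rot["verifiedBootState"] in (VERIFIED, SELF_SIGNED)
            and rot["verifiedBootKey"] in allowed_keys)

def encode_root_of_trust(key, locked, state, boot_hash):
    """Build a constructed RootOfTrust blob so the parser can be exercised offline."""
    def tlv(tag, val):
        return bytes([tag, len(val)]) + val
    return tlv(0x30, tlv(0x04, key) + tlv(0x01, b"\xff" if locked else b"\x00")
               + tlv(0x0a, bytes([state])) + tlv(0x04, boot_hash))
```

An alternate OS with a re-locked bootloader reports state SelfSigned and its own key: the certification model rejects it, the allowlist policy admits it, and an unlocked device is rejected by both.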

Security Is the Pretext, Control Is the Goal

There’s a reason Google calls this “security” instead of “control.” The GrapheneOS case exposes the lie. More secure gets blocked. Google-certified gets approved. The check isn’t “is this safe?” It’s “is this ours?”

But Web Environment Integrity proved resistance can work. When the community pushed back hard enough, Google backed down. Developers can demand that apps use Android’s standard hardware attestation API instead of Google’s proprietary Play Integrity. Users can pressure banks to support legitimately secure platforms instead of just certified ones. Regulators can recognize this for what it is: anti-competitive behavior that consolidates platform power.

The stakes are simple: the right to run your own software on your own hardware. If attestation becomes universal, that right disappears. The good news? It’s not universal yet. And every time Big Tech tries to expand it — to browsers, to email, to whatever comes next — we get to decide whether to accept it.

We shouldn’t.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
