Mountain ViewBanking, transit, and government apps now reject users of alternative operating systems like GrapheneOS.
Google’s Play Integrity API requires chip-level stock-OS certification, blocking users who don’t run manufacturer software.
GrapheneOS published the affected app list; no bank has offered an exemption.
Sources: Hacker News
WHAT ATTESTATION ACTUALLY IS
Modern phones contain a dedicated security chip — Titan M on Pixels, Secure Enclave on iPhones — that holds a private key burned in at the factory. When an app asks 'is this a real phone running stock software?', the chip signs a statement Google can verify. The user cannot extract or forge the key.
THE PLAY INTEGRITY API
Google's Play Integrity API gives any app three verdicts about the device: MEETS_DEVICE_INTEGRITY (real hardware), MEETS_BASIC_INTEGRITY (passes weaker checks), and MEETS_STRONG_INTEGRITY (hardware-backed, certified OS). Banks increasingly require the strongest tier, which only stock Google-certified Android can produce.
WHY GRAPHENEOS FAILS
GrapheneOS is a security-hardened Android fork that runs on Pixel hardware — the same Titan M chip, the same boot verification. But because Google's certification list only includes manufacturer-signed OS builds, the attestation comes back unrecognized. The phone is more secure than stock; the API reports it as untrusted.
THE TIVOIZATION PRECEDENT
In 2006, TiVo shipped Linux-based DVRs that refused to run modified kernels — the source was open, but the hardware enforced signed binaries. Richard Stallman coined 'tivoization' for this pattern. GPLv3 was rewritten specifically to forbid it. Mobile attestation is tivoization at planetary scale: the OS may be open, but the chip won't vouch for your build.
THE DUOPOLY CHOKEPOINT
Globally, two companies — Google and Apple — control attestation for ~99% of smartphones. There is no third root of trust a bank can verify against. Once regulators or insurers mandate attested devices for financial access, the duopoly becomes the de facto licensing authority for participation in the digital economy.
THE SECURITY PARADOX
Attestation was built to stop fraud — rooted phones running modified banking apps, malware intercepting OTPs. But the same mechanism punishes the most security-conscious users: those who run hardened forks, disable Google services, or audit their own software. The threat model that justified the lock excludes the people most capable of evaluating it.