GrapheneOS argues that the hardware attestation chain roots to Google's single key, meaning a hardened OS with verified boot and same-day patches fails integrity checks while a stock device months behind on patches passes. They demonstrate the technical alternative via their own attestation.app, proving security verification doesn't require a single vendor's blessing.
The 1,750-point score and 579 comments signal broad developer recognition that Play Integrity's tiered system (BASIC, DEVICE_INTEGRITY, STRONG_INTEGRITY) progressively locks out alternative operating systems from banking and payment apps. The concern is structural: as more apps require DEVICE_INTEGRITY, Google's attestation root key becomes a de facto gatekeeper for participation in mobile commerce.
GrapheneOS built attestation.app as a working proof-of-concept that performs hardware-backed verification without relying on Google's certificate chain. This demonstrates that the security properties apps actually need — verified boot, OS integrity, patch level — can be attested through alternative trust paths, undermining the argument that Google's monopoly on attestation is a technical necessity.
GrapheneOS — the security-focused Android fork that runs on Google Pixel hardware — published a detailed critique of how hardware attestation functions as a monopoly enforcement mechanism. The post, which hit 1,750 points on Hacker News, argues that the hardware attestation infrastructure built into every Android device doesn't actually measure security. It measures vendor compliance.
The technical claim is specific and verifiable: during manufacturing, a unique cryptographic key pair is burned into each device's secure element (the Titan M2 chip on Pixels, ARM TrustZone on others). This key chains through intermediate certificates to a single root of trust — Google's attestation root key. When an app calls the Play Integrity API, the device generates a signed statement about its bootloader state, OS version, and critically, whether the OS appears on Google's approved list. A GrapheneOS device with verified boot, a hardened memory allocator, and same-day security patches fails this check. A stock Samsung device running firmware three months behind passes.
This isn't a theoretical complaint. GrapheneOS has built its own independent attestation system (attestation.app) that performs hardware-backed verification without Google's key chain, demonstrating that the technical capability exists to attest security properties without requiring a single vendor's blessing.
The 1,750-point HN score signals something beyond the usual privacy-community grievance cycle. Developers are recognizing that hardware attestation has quietly become infrastructure — and infrastructure controlled by a single company has a name: a chokepoint.
Google's Play Integrity API now operates at three tiers: BASIC (software signals), DEVICE_INTEGRITY (hardware-backed), and STRONG_INTEGRITY (full hardware attestation with recent security patch). Each tier narrows the funnel. DEVICE_INTEGRITY is what most banking and payment apps check, and GrapheneOS has managed to pass this tier through its sandboxed Google Play compatibility layer — but this required extensive reverse engineering, and Google could revoke it with a server-side flag change at any time.
The structural problem is the key provisioning model. Device manufacturers sign Mobile Application Distribution Agreements (MADA) with Google that include attestation key provisioning. There is no alternative root of trust. Unlike the TLS certificate ecosystem — where Let's Encrypt, DigiCert, and dozens of other CAs can independently issue certificates — the Android attestation ecosystem has exactly one certificate authority. If Google doesn't recognize your OS, attestation fails, banking apps refuse to run, and your device becomes a second-class citizen in the mobile economy.
This matters for developers because the same pattern is expanding. Google's abandoned Web Environment Integrity proposal (withdrawn in late 2023 after widespread backlash) attempted to bring this exact model to the browser. The proposal was killed, but the Android-side implementation it was modeled on continues to grow. Every app that adds a Play Integrity check is another brick in a wall that only Google holds the keys to.
The counter-argument deserves its strongest form: attestation exists because fraud is real. Banking apps face credential theft, screen overlay attacks, and accessibility-service abuse on rooted or modified devices. Attesting to a known, tested software stack is a legitimate fraud-prevention measure. The question isn't whether attestation is useful — it's whether a single vendor should control the entire attestation chain for 3+ billion devices.
If you ship a mobile app that calls Play Integrity (or is considering it), understand what you're actually buying. You're not getting a security guarantee — you're getting a vendor-compliance guarantee. A device that fails STRONG_INTEGRITY may be running a more secure OS than one that passes. Your threat model should reflect this distinction.
Practically, here's what to evaluate:
If you're implementing device checks: Use BASIC integrity for fraud signals rather than DEVICE_INTEGRITY or STRONG_INTEGRITY unless you have a specific, documented threat that requires hardware attestation. Each tier you escalate excludes more legitimate users — not just GrapheneOS's ~tens of thousands of users, but also users on older devices, corporate-managed devices with custom ROMs, and devices in regions where OEMs skip Google certification.
If you're building for the EU market: The Digital Markets Act designates Google as a gatekeeper, and the attestation monopoly is precisely the kind of self-preferencing the DMA targets. Enforcement actions are moving slowly but directionally. Apps that hard-require Google's attestation chain may face compliance questions in EU markets as DMA enforcement matures. Building fallback authentication paths now is cheaper than retrofitting them under regulatory pressure.
If you're in the security tooling space: The gap between "what attestation checks" and "what attestation should check" is a product opportunity. GrapheneOS's independent attestation service proves the model works. An open attestation framework with multiple roots of trust — analogous to the WebPKI model for TLS — would preserve the fraud-prevention benefits while eliminating the single-vendor chokepoint. The FIDO Alliance's work on WebAuthn attestation already supports multiple attestation CAs; extending this model to device integrity is technically feasible.
Hardware attestation isn't going away — the fraud-prevention value is real, and the hardware infrastructure is already in billions of devices. The question is governance. The TLS ecosystem went through a similar evolution: from a handful of CAs with unchecked power to Certificate Transparency logs, multi-stakeholder oversight, and automated issuance via ACME. Android attestation is roughly where TLS was in 2010 — technically functional, structurally concentrated, and overdue for a governance reckoning. The 1,750 HN upvotes suggest the developer community is starting to notice the lock on the door. Whether it takes regulatory action (DMA), market pressure (enterprise customers demanding OS-agnostic attestation), or an open-source alternative reaching critical mass, the single-root model has an expiration date. The only question is how much app-level lock-in accumulates before it arrives.
Requiring authorized silicon (and software) isn't even the biggest problem here.They do not use zero knowledge proof systems or blind signatures. So every time you use your device to attest you leave behind something (the attestation packet) that can be used to link the action to your device. T
In 1999, Intel received an absolutely massive amount of opposition when they decided to include a software-readable serial number in their CPUs, so much that they reversed the decision.Then the "security" and Trusted Computing authoritarians continued pushing for TPMs and related tech, and
This is a really good thread on why this technology is becoming a problem for "open" anything. The argument "we can create our own separate web" is fine until all of your services are behind the web that locks you into owning a Google approved or Apple approved mobile device.
This is tyranny: making people powerless, afraid of each other, and submissive, per Aristotle's understanding.[1] The technological means are new, to be sure, but the social strategy is as old as civilization.Mark my words. General purpose computing and private, direct communication are things
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
The superhuman efforts that folks on HN make to find technical workarounds and solutions is wonderful to see, but we must realize that this is not a technical problem. It's a social and legislative one. It can't be fought on technical grounds. The push back has to be via putting pressure o