this post was submitted on 28 May 2025

256 points (98.9% liked)

Technology

70711 readers

3625 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

L3s@lemmy.world

enu@lemmy.world

technopagan@lemmy.world

L4s@lemmy.world

L3s@hackingne.ws

L4s@hackingne.ws

256

Google Play’s latest security change may break many Android apps for some power users. The Play Integrity API uses hardware-backed signals that are trickier for rooted devices and custom ROMs to pass. (www.androidauthority.com)

submitted 1 week ago by abobla@lemm.ee to c/technology@lemmy.world

49 comments fedilink hide all child comments

top 49 comments

sorted by: hot top controversial new old

[–] idunnololz@lemmy.world 19 points 6 days ago* (last edited 6 days ago) (1 children)

Time to get downvoted to oblivion.

I see a lot of people questioning why Google would do this and the answer is pretty simple.

Google created a tool a long, long time ago which was meant to make sure traffic from a device was "legit". This tool is 100% optional and app developers can use it if they would like. However, the tool was easy to bypass, so over the years Google has been making the tool harder and harder to bypass.

This article is just sharing news that Google is once again making this tool harder to bypass.

So why is Google doing this? They are doing this because they don't want their tool to be bypassable. Their tool is worthless if it can be bypassed.

The tool in question here is the Play Integrity API (previously known as the SafetyNet Attestation API). This is a tool that is offered to app developers that app developers can take advantage of if they want. The selling point of the tool is if you have operation in your app that is critical, you can try to prevent some abuse by verifying that the app is running on a "trusted build of Android" and that the app itself has not been modified from the original. That's all the tool does.

This isn't a new API. This isn't something Google is trying to force app developers to use. No. From Google's point of view, they are just making sure their tool does it's job properly.

As for why companies might choose to use this tool, a big reason is because Android is a huge target for fraud. Apple has locked all their stuff down so it is much harder to commit fraud on iOS (not impossible though). Although Apple offers something similar, there is generally less fraud coming from iOS devices vs Android. It's the double-edged sword of having a more open platform.

Companies are obviously not going to be happy to be the target of fraud so they have to weigh their options. Either they block a small percentage of their users that are possibly legit by implementing Play Integrity API or they risk losing a % of their income to fraud.

Now you can disagree with the tool's job, I'm not trying to argue whether the tool is good or bad. That is extremely subjective, but hopefully this answers why Google is making this change.

[–] Mubelotix@jlai.lu 3 points 6 days ago

Yeah except that bot farms already use hardware that will pass the checks, unlike regular harmless users who will get hurt by this. Google comes after the good guys

[–] Arcane2077@sh.itjust.works 4 points 5 days ago

RIP banking apps and Mc Donalds on GrapheneOS

[–] RacerX@lemm.ee 12 points 6 days ago (2 children)

If I don't have Play Integrity spoofed, my iPhone friends get an error when they try to RCS message me. This pretty much breaks communication for me.

[–] chaospatterns@lemmy.world 9 points 6 days ago

This is the future of the Big Tech Internet if we're not careful. Attestation to be able to use communications and other websites.

[–] kalpol@lemm.ee 1 points 5 days ago

I have zero problems with this on Lineage. ?? No spoofing either, just Lineage.

[–] Ulrich@feddit.org 12 points 6 days ago (1 children)

It doesn't make it "tricky", it makes it impossible.

[–] Zwuzelmaus@feddit.org 0 points 6 days ago

Troja has been impossible to conquer. Until.

[–] termaxima@programming.dev 11 points 6 days ago (1 children)

This better not break GrapheneOS right when I was planning to switch to Android, or I swear I’m buying a dumb phone and Google can kiss my business goodbye forever.

[–] PushButton@lemmy.world 7 points 6 days ago

If you don't need any Google malware, you aren't at risk.

GrapheneOS comes without them by default.

[–] Antaeus@lemmy.world 4 points 6 days ago

The reason I felt forced to iOS. No more choice. No more GrapheneOS or CalyxOS for me. Or at least that would make my life very difficult. National ID authentication, banking apps had stopped working.

GG Google. Destroy what made Android.

[–] bitwolf@sh.itjust.works 1 points 6 days ago

Wasn't this on Pixels already?

[–] ExLisper@lemmy.curiana.net 0 points 6 days ago

If they break custom roms my next phone will have iOS, not stock Android on it.

[–] the_riviera_kid@lemmy.world 127 points 1 week ago (7 children)

This trend of being actively hostile toward your user base is so confusing to me.

[–] Ulrich@feddit.org 7 points 6 days ago

It would be confusing if everyone didn't simply tolerate it.

[–] muusemuuse@lemm.ee 3 points 6 days ago

It’s so confusing it only makes sense to business majors. /s

[–] floofloof@lemmy.ca 61 points 1 week ago (2 children)

They project that they'll make more money by forcing people to accept surveillance so they can run their apps, even if they lose a few users and app developers by doing so.

[–] Ulrich@feddit.org 5 points 6 days ago

Is users stop using custom ROMs, Google loses nothing.

[–] the_riviera_kid@lemmy.world 16 points 1 week ago* (last edited 1 week ago) (2 children)

I've always been of the opinion that apps are almost always useless because there is usually a way to do it through a web browser and if there isn't I don't need it. And its usually better because then I have more control (in firefox anyway).

For example the youtube app is entirely unuseable but if I open firefox and use ublock and no script then suddenly I can actually use the website.

[–] termaxima@programming.dev 6 points 6 days ago

uBlock + NoScript + SponsorSkip + DeArrow + Untrap

I hate that I have to use 5 extensions to make the site usable, but this is still better than the alternate front ends (specifically because they don’t have recommended videos)

[–] Ledericas@lemm.ee 1 points 6 days ago

i use firefox forks for mobile, op12r-

[–] Zoldyck@lemmy.world 20 points 1 week ago (1 children)

One of the reasons to always cheer on (new) competitors and why we should give new companies a fair chance to establish something

[–] taladar@sh.itjust.works 15 points 1 week ago

The problem is that systems like this have strong network effects working in favor of the established options, nobody develops for platforms without users, nobody wants to use a platform without apps, development has more resources (existing libraries, tutorials, reference documentation,...) on existing platforms,...

[–] WanderingThoughts@europe.pub 18 points 1 week ago

That´s standard enshittification. They know they´ve got users locked in without any alternative.

[–] Zak@lemmy.world 15 points 1 week ago (1 children)

Their goal is to ensure OEMs only bundle Google-approved Android for which Google charges licensing fees and which funnels users into Google services. If a phone won't run your banking app, you probably won't buy it.

[–] termaxima@programming.dev -1 points 6 days ago (2 children)

I would totally buy a phone that doesn’t run my banking app. What do people even do in there ? The only thing I use it for is my balance and purchase history 😆

[–] 6nk06@sh.itjust.works 5 points 6 days ago (1 children)

What do people even do in there ?

In France some banks illegally force users to use the banking application to approve online transactions as a security feature.

They could implement OTP as an alternative but they don't because they are lazy.

[–] SomethingBurger@jlai.lu 1 points 5 days ago (1 children)

Which ones? I've been on Boursorama, CA and SG, and they all provide SMS 2FA if you don't want to use the app.

[–] 6nk06@sh.itjust.works 1 points 5 days ago

It depends which local branch. CA and the Caisse d'Epargne lied to me about it. BoursoBank is good though.

[–] Zak@lemmy.world 4 points 6 days ago

Mobile check deposit is a moderately important use case in the USA. It would be possible to do that via the web, but banks usually don't.

Regardless, any apps refusing to run will annoy users, and they would likely blame the one brand of phone where that happens instead of the app developer or Google who actually deserve the blame.

[–] phoenixz@lemmy.ca 12 points 1 week ago

Their user base is not who you think they are. The people you think are users are just assets, it's okay to be hostile to your assets

[–] Zwuzelmaus@feddit.org 54 points 1 week ago (1 children)

Google’s updated Play Integrity API

How can these people talk about "integrity" when they break real existing phones?

I call this the opposite of integrity.

[+] tinned_tomatoes@feddit.uk -44 points 1 week ago* (last edited 1 week ago) (4 children)

Bit hyperbolic, don't you think? Rooted/Custom ROM users are so tiny, and they typically use security vulnerabilities to obtain root access. It's not exactly surprising that Google closes those vulnerabilities when it can.

Google can't exactly make root access and custom ROMs easier to use in 2025. It isn't 2010 anymore - as soon as rooting becomes easy again, and people are bypassing security measures you know the big orgs, copyright holders and children's apps will complain to the media and suddenly Google has a shitstorm to deal with.

Just wait until they find another vulnerability, lol.

[–] Zak@lemmy.world 44 points 1 week ago (1 children)

Many devices, including Google's own Pixel devices have user-unlockable bootloaders. No security vulnerabilities are involved in the process of gaining root access or installing a third-party Android distribution on those devices.

What's going on here isn't patching a vulnerability, but tightening remote attestation, a means by which a device can prove to a third party app that it is not modified. They're selling it as "integrity" or proof that a device is "genuine", but I see it as an invasion of user privacy.

Google can’t exactly make root access and custom ROMs easier to use in 2025.

Sure they can. They're in a much stronger position to dictate terms to app developers than they were in 2010 when it was not yet clear there would be an Android/iOS duopoly.

They don't want to though, because their remote attestation scheme means they can force OEMs to only bundle Google-approved Android builds that steer people to use Google services that make money for Google, and charge those OEMs licensing fees. A phone that doesn't pass attestation isn't commercially viable because enough important apps (often banking apps) use it.

[–] Zwuzelmaus@feddit.org 13 points 1 week ago

Or is it rather your definition of security or vulnerability that is questionable.

[–] kittenzrulz123@lemmy.blahaj.zone 13 points 1 week ago

Many people use LineageOS and GraphineOS for security, privacy, and features that base Android simply doesn't ship.

[–] 0x0 1 points 1 week ago

The fuck did you just call me? Ill have you know im actually HUGE

[–] lambalicious@lemmy.sdf.org 24 points 1 week ago

on devices running Android 13 or later.

Sounds easy then: stay on the latest Lineage that does not incorporate A13.

While I wouldn’t say Google is actively hostile towards these power users,

Author is obviously sold out. Are they even trustable?

[–] kokesh@lemmy.world 14 points 1 week ago (2 children)

Seriously, what is wrong with Google?

[–] chaospatterns@lemmy.world 3 points 6 days ago

Google is doing this because they have incentives to do so. They want to block malicious actors like attack their platforms.

Other companies want to lock down their own apps because they don't think users should be permitted to do anything other than use their apps exactly as they want.

I don't like it as a user, but I also see the reason why companies want this by being on the security side of software.

[–] WanderingThoughts@europe.pub 16 points 1 week ago

Too big and entrenched

[–] impotentwashbowl@lemmy.dbzer0.com 9 points 1 week ago

I ain't clicking on an android authority article. Does anyone know if/how this would effect Graphene?

[–] Cris_Color@lemmy.world 6 points 1 week ago (1 children)

This seems like it'll break things like revanced, which honestly makes me sad mostly for Duolingo :(

Really hope folks find a way of spoofing this too. I'm hoping to switch to a custom ROM in the future and this doesn't bode super well

[–] Dreaming_Novaling@lemmy.zip 6 points 1 week ago (1 children)

At this point I'm leaving a paper trail in my comments. Sigh, I'll keep it short and sweet.

If you're using ReVanced to hack and get through Duolingo, then I think you should just drop the service. There are countless free resources out there that do a better job, and aren't predatory or make you hate learning. Duolingo is good for beginners and about a month or two of learning. Please let that app go, especially since the CEO thinks AI is a suitable replacement for the education system...

[–] Cris_Color@lemmy.world 2 points 6 days ago

At some point I will but I'm not currently ready to make that transition. My friend and I are using Duolingo together and the social aspect plus the familiarity of the structure have been really helpful

They walked back the ai thing (at least that's my understanding about it, I think there was a statement about it, not that that means much) but it's very clear it wont be something that's likely to work for me long term

But for the time being the structure that it provides and its format has helped me build a routine and actually stay pretty consistent, and I don't think I'm at a place yet where I can transition away from it

But I have checked out the Foss options and there were some neat supplemental tools on f-droid, and at some point I'll go through the play store and try out direct alternatives

[–] toastmeister@lemmy.ca 3 points 1 week ago

Is there an alternative to Google Play, because I'm assuming it wouldn't matter as much if we had that.

[–] throwawayacc0430@sh.itjust.works 1 points 1 week ago

Does this mean that Pirating Android games isn't gonna work very well in the future?

Welp, I guess I still have Unciv and pirated Ebooks to pass the time 🤷‍♂️