It seems Google is hell-bent on removing anything from Android that makes the platform stand apart from iOS. One of the features of Android and the Play Store that users of rooted and/or de-Googled phones will be familiar with is SafetyNet Attestation, something that Android applications can use to check, among other things, whether the device they’re running on is rooted, and take any action from there based on that information. Notoriously, some banking applications on Android will refuse to work on rooted and/or de-Googled devices because of this.
Earlier this year, at Google I/O, the company unveiled the successor of SafetyNet Attestation, called the Google Play Integrity API, and it comes with a whole lot more functionality for developers to control what their application can do on devices based on the status of the device and the application binary in question. Play Integrity will let the developer’s application know if its binary has been tampered with, if Google Play Protect is enabled, if the Android device it’s running on is “genuine”, and a whole lot more.
Based on that information, the application could decide to warn users that their device is rooted when they’re about to do something sensitive, or it could just throw up its hands entirely and refuse to function at all – and there’s really not much the user can do about this. A new capability of the Play Integrity API is that developers can now also determine where the application came from – i.e., if it was sideloaded or installed through a non-Play application store – and then throw up a dialog allowing the user to switch to the version from the Play Store instead. Doing so will delete the original binary and all its data, and replace it with the Play Store version.
The problem here is that the only other option is to cancel, and not have the application load at all.
As you can see, the remediation dialog tells you to “get this app from Play” in order to continue using it. There’s an option to close the dialog, but there’s no way to bypass it entirely. If you close the dialog, a response is sent to the app that lets the developer know so they can decide whether to continue blocking access.
↫ Mishaal Rahman at Android Authority
Several applications appear to already be using this new capability, and while it won’t mean much for people running Google’s, Samsung’s, or any other “blessed by Google” version of Android on unrooted devices, people running, say, /e/OS, GrapheneOS, LineageOS, or any other de-Googled and/or rooted device are going to have a very bad time if more and more applications adopt this capability. If you’re running a device without Play Services, relying solely on the vast and varied library of applications from F-Droid, for instance, while also sideloading a few applications only available in the Play Store, you could very well be running into problems.
We’ll have to see just how widespread this capability becomes, but I can already foresee this becoming yet another major headache for anyone trying to use a smartphone that isn’t blessed by Apple or Google. Personally, I’m lucky in that Swedish banking and ID applications worked on de-Googled Android phones, but with the expanding reach of the Play Integrity API, as well as possible “let’s enable this by default” shenanigans by Google, I’m definitely worried about this remaining so in the future.