A consortium consisting of multiple interested parties including Murena, i.e. /e/ OS, iodéOS, and Volla, is working on an open source alternative to the Google Play Integrity API, which is to be offered on smartphones that are not running a Google-certified Stock ROM.

For those who do not know, the Google Play Integrity API is Google’s official security and anti-abuse framework that lets Android apps verify that they are running on a genuine, i.e. unmodified device, installed from Google Play, and not being tampered with.

Sadly, this framework tends to discriminate against Custom ROMs, i.e. operating systems that are not running Google’s apps and services, no matter their actual device security state.

Full Google Play Integrity is tied to the ROM being certified by Google, and running Google apps and services - many banking and government apps make use of it right now.

The consortium around UnifedAttestation wants the new framework to rest on three foundations:

it will be part of the operating system, apps can add support for it with a few lines of code

operation of the validation service will be decentral

an open test suite for checking and certifying operating systems on specific devices

The whole thing will be open source, developed under the Apache 2.0 license.

Developers of Scandinavian government apps have already indicated interest, considering the project a first mover for Europe.

Personal comment: I think it’s good that there is now validation service for government & banking apps that is not tied to Google’s infrastructure, and more crucially does not require Google’s apps and the Play Services to be installed.