Google’s Play Integrity API is not a security feature but rather it pretends to be one. Both Apple and Google are failing to protect their users against real world commercial exploit tools. Banning using one of the only options people have for better protection is anti-security.

We’re aware of multiple commercial exploit tools being successfully used against even the most secure Apple and Android devices. We’ve repeatedly filed Android issues and proposals attempting to get Google to block these tools as we’ve been much more successfully doing ourselves.

Even a fully up-to-date Pixel does a very poor job defending users from attackers compared to GrapheneOS. However, the Play Integrity API permits far less secure devices from other vendors. It even permits being very out-of-date on the basic Android Security Bulletin patches.

Android Security Bulletin patches are the bare minimum High and Critical severity Android patches backported to older releases. Play Integrity currently has no requirement to ship these. A device with no patches for the past 8 years passes, but a hardened device is disallowed.

Google is phasing in a basic requirement for a device to have the incomplete security backports from 1 year ago for what they call their strong integrity level. Few apps use the strong integrity level and we expect most of those will stop using it once this requirement is added.

Requiring that a device has the High and Critical security patches from 1 year ago and earlier is not a serious security requirement. It’s Google pretending it has something to do with security in order to mask that it exists to enforce their anti-competitive, illegal practices.

United States v. Google LLC (2020) recently determined Google is engaging in illegal anti-competitive behavior. Android and the Play Store may be forcefully split off from Google as a remedy. Play Integrity API is even more egregious behavior than what they looked at in the case.

Google’s Android partner management team (the team coordinating anti-competitive behavior) blocked us getting full partner access despite our major contributions to overall Android security. They subsequently revoked our security partner access given to us by their security team.

Google’s security team has repeatedly tried to get us full partner access and has tried to start a process where we could be certified, although the current certification system is unacceptable. We will not give Google veto power over our privacy/security features or updates.

Play Integrity API is an egregious and incredibly aggressive anti-competitive behavior by Google. Their GMS licensing has been repeatedly found to be anti-competitive and illegal. Despite that, they’ve developed a system they’re heavily encouraging apps to adopt for enforcing it.

The clear real purpose of the Play Integrity API is to degrade Android app compatibility for any device or OS that’s not partnered with Google as part of their illegal licensing system for GMS that’s used to enforce their monopolies on search, ads, Android app payments, etc.

We’re already in regular contact with the EU Commission about the Play Integrity API. Google continues heavily promoting it to app developers and gradual adoption is greatly harming competition in the mobile space. Android app compatibility is crucial to any non-iPhone mobile OS.