use the standard Android hardware attestation API to verify the device, OS and app instead of enforcing licensing Google Mobile Services #390

@thestinger

Android provides a standard hardware attestation API with support for arbitrary roots of trust and alternate operating systems. This provides a higher level of security than the Play Integrity API. Play Integrity API strong integrity level is based on the standard hardware attestation API and is strictly less secure. By using the hardware attestation API, you can permit more secure operating systems like GrapheneOS. Play Integrity API is not truly a security check and permits devices with years of missing security patches. You will only be enforcing Google's business model, not any form of security. You should be defining the security and verification requirements and solely enforcing those, not Google's business model for licensing Google Play.

There's a guide on how to do this at https://grapheneos.org/articles/attestation-compatibility-guide.

The hardware attestation API is available on every device launched with Android 8 or later, which covers all devices receiving security patches. There's no need to use the software-based Google Play integrity API device integrity level at this point. Recent devices (Pixel 6 and later) also use remote key provisioning providing per-app keys with regular rotation instead of batch keys for 100k+ devices. This helps avoid devices having their keys revoked due to other devices having their keys leaked. You can choose if you care about checking revocation at all. Compared to the software-based device integrity API that's easily bypassed, hardware attestation based on roots without key revocation checks is still harder to bypass since even with a leaked key it requires more work than bypassing device integrity.

EU Digital Markets Act forbids the approach of solely permitting installing apps from the Play Store and solely permitting devices licensing Google Mobile Services. There isn't a legitimate reason for doing that. Play Integrity API is not a legal approach to this. The hardware attestation API is potentially a legal approach if it is used to check for a secure device and OS rather than solely using it to check for a Google certified device with a Google certified OS. Secure operating systems and devices providing hardware attestation must be permitted to comply with EU law around market competition. Play Integrity API not only enforces the device/OS licensing Google Mobile Services but also checks for installation from the Play Store and logging into a Google account. This is very clearly illegal.

Using the hardware attestation API enables permitting other roots of trust used by hardware not licensing Google Mobile Services along with permitting other operating systems than the stock OS. Any OS implementing verified boot and the expected security model can be permitted. The security requirements for the device and OS should be defined and there should be a process for any hardware or OS to be permitted.
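
Added example, not part of the issue text and not code from its author or from this project: a relying-party policy check over key attestation fields that accepts either a stock OS or an approved alternate OS by its verified boot key. It assumes the certificate chain was already verified against the roots of trust you accept and that the attestation extension was parsed upstream; the class names, package name and digests are hypothetical placeholders.

```python
from dataclasses import dataclass

BOOT_VERIFIED, BOOT_SELF_SIGNED = 0, 1  # VerifiedBootState; 2 = Unverified, 3 = Failed
SOFTWARE = 0                            # SecurityLevel; 1 = TrustedEnvironment, 2 = StrongBox

@dataclass(frozen=True)
class Attestation:
    """Fields assumed already parsed from a chain-verified attestation certificate."""
    attestation_security_level: int
    keymint_security_level: int
    device_locked: bool
    verified_boot_state: int
    verified_boot_key: str        # hex of RootOfTrust.verifiedBootKey
    os_patch_level: int           # YYYYMM
    package_name: str
    signature_digests: frozenset  # hex SHA-256 of the app signing certificates

@dataclass(frozen=True)
class Policy:
    min_os_patch_level: int
    allowed_os_boot_keys: frozenset  # alternate OSes the relying party has approved
    package_name: str
    app_signing_digest: str

def evaluate(att, policy):
    """Return the list of policy failures; an empty list means accept."""
    failures = []
    if SOFTWARE in (att.attestation_security_level, att.keymint_security_level):
        failures.append("not hardware-backed")
    if not att.device_locked:
        failures.append("bootloader unlocked")
    if att.verified_boot_state == BOOT_SELF_SIGNED:
        # Alternate OS: identity comes from its verified boot key, not from licensing.
        if att.verified_boot_key not in policy.allowed_os_boot_keys:
            failures.append("OS verified boot key not approved")
    elif att.verified_boot_state != BOOT_VERIFIED:
        failures.append("verified boot unverified or failed")
    if att.os_patch_level < policy.min_os_patch_level:
        failures.append("OS patch level too old")
    if (att.package_name != policy.package_name
            or policy.app_signing_digest not in att.signature_digests):
        failures.append("app identity mismatch")
    return failures

# Constructed sample data: placeholder digests, not real key fingerprints.
POLICY = Policy(202401, frozenset({"aa" * 32}), "com.example.wallet", "cc" * 32)
ALT_OS = Attestation(2, 2, True, BOOT_SELF_SIGNED, "aa" * 32, 202405,
                     "com.example.wallet", frozenset({"cc" * 32}))

if __name__ == "__main__":
    print(evaluate(ALT_OS, POLICY))  # [] : the approved alternate OS is accepted
```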
