Play Integrity and Android's hardware attestation API (Revolut)
- /e/ version: 2.5-t
- Device model(s): samsung a52q
- Developer mode enabled: yes
- Device rooted: no
- Trackers blocker enabled: yes
Summary
Revolut has introduced the new Play Integrity API, a check that recognizes only devices with a stock ROM/certification as legitimate. This should become standard from 2025.
"Android's hardware attestation API" seems to be a possible solution, but one that would have to be implemented by Revolut; see the "Solutions" section.
The problem
Steps to reproduce
- Install Revolut
- Open it
- Start the login, even if you do not have an account
What is the current behavior?
Revolut immediately recognizes eOS (dev version) as not supported
What is the expected correct behavior?
No login issue and a fully working app
Solutions
There are no solutions now; others are working on it, and eOS could start figuring out what to do:
Android's hardware attestation API
GrapheneOS has already raised the issue, as stated on Mastodon, and wrote an attestation compatibility guide for (app/Revolut's) developers who use "Android's hardware attestation API" to check the device. This method is described as safer, and it requires eOS device signatures.
However, if Revolut's developers want to implement hardware attestation, eOS should be ready:
- Does eOS already provide support for hardware attestation? (it seems to be the default since Android 8)
- Where are eOS devices' signatures?
- Is there anything that breaks the GrapheneOS method if applied on eOS?
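To make concrete what "device signatures" means for the GrapheneOS-style check, here is an added server-side example (not Revolut's, /e/OS's or GrapheneOS's code). It parses the KeyDescription extension (OID 1.3.6.1.4.1.11129.2.1.17) that Android's hardware key attestation places in the leaf certificate, and accepts the device when the attestation is hardware-backed, the bootloader is locked, verified boot is in the VERIFIED state, and the verified boot key is on an allowlist keyed by OS; that allowlist is the place where /e/OS's published verified boot key hashes would go. The allowlist entries, the challenge and the attestation blobs below are constructed placeholders, and the X.509 chain signature check up to Google's attestation root (which a real verifier must also do) is left to an X.509 library.

```python
"""Policy check on an Android hardware key attestation, modelled on the GrapheneOS
attestation compatibility guide: accept any OS whose verified boot key is allowlisted
instead of requiring a Google-certified stock ROM.  Illustration only; all keys below
are constructed placeholders, not real verified boot key hashes."""

# ---- minimal DER helpers (enough for the KeyDescription extension) ----
SEQ, INT, OCT, BOOL, ENUM = b"\x30", b"\x02", b"\x04", b"\x01", b"\x0a"
ROOT_OF_TRUST_TAG = 704                     # [704] EXPLICIT RootOfTrust in AuthorizationList
SECURITY_LEVEL_TEE, SECURITY_LEVEL_STRONGBOX = 1, 2
VERIFIED_BOOT_VERIFIED = 0

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag: bytes, body: bytes) -> bytes:
    return tag + _der_len(len(body)) + body

def ctx_tag(num: int) -> bytes:
    """Context-specific constructed tag; high-tag-number form for num >= 31 (704 -> bf 85 40)."""
    if num < 31:
        return bytes([0xA0 | num])
    parts = [num & 0x7F]
    num >>= 7
    while num:
        parts.append(0x80 | (num & 0x7F))
        num >>= 7
    return b"\xbf" + bytes(reversed(parts))

def read_tlv(buf: bytes, pos: int):
    """Return ((class, constructed, number), body, next_pos) for the TLV at pos."""
    first = buf[pos]; pos += 1
    number = first & 0x1F
    if number == 0x1F:                      # high tag number: base-128 continuation bytes
        number = 0
        while True:
            b = buf[pos]; pos += 1
            number = (number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    length = buf[pos]; pos += 1
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    return (first & 0xC0, bool(first & 0x20), number), buf[pos:pos + length], pos + length

def children(body: bytes):
    pos = 0
    while pos < len(body):
        hdr, val, pos = read_tlv(body, pos)
        yield hdr, val

# ---- KeyDescription parsing ----
def parse_key_description(ext: bytes) -> dict:
    """Fields: attestationVersion, attestationSecurityLevel, keymasterVersion,
    keymasterSecurityLevel, attestationChallenge, uniqueId, softwareEnforced, teeEnforced."""
    _, body, _ = read_tlv(ext, 0)
    f = [val for _, val in children(body)]
    info = {"attestation_version": int.from_bytes(f[0], "big", signed=True),
            "attestation_security_level": f[1][0], "challenge": f[4], "root_of_trust": None}
    for (cls, _, num), val in children(f[7]):          # only the hardware-enforced list counts
        if cls == 0x80 and num == ROOT_OF_TRUST_TAG:
            _, rot, _ = read_tlv(val, 0)               # EXPLICIT wrapper around the SEQUENCE
            r = [v for _, v in children(rot)]
            info["root_of_trust"] = {"verified_boot_key": r[0], "device_locked": r[1] != b"\x00",
                                     "verified_boot_state": r[2][0], "verified_boot_hash": r[3]}
    return info

def evaluate(ext: bytes, expected_challenge: bytes, allowed_keys: dict) -> tuple:
    """Return (accepted, reason_or_os_name). allowed_keys maps OS name -> set of boot keys."""
    kd = parse_key_description(ext)
    if kd["attestation_security_level"] not in (SECURITY_LEVEL_TEE, SECURITY_LEVEL_STRONGBOX):
        return False, "attestation not hardware-backed"
    if kd["challenge"] != expected_challenge:
        return False, "challenge mismatch (stale or replayed attestation)"
    rot = kd["root_of_trust"]
    if rot is None:
        return False, "no hardware-enforced root of trust"
    if not rot["device_locked"] or rot["verified_boot_state"] != VERIFIED_BOOT_VERIFIED:
        return False, "bootloader unlocked or verified boot state not VERIFIED"
    for os_name, keys in allowed_keys.items():
        if rot["verified_boot_key"] in keys:
            return True, os_name
    return False, "unknown verified boot key"

# ---- constructed sample attestations (demo input, not captured from a device) ----
def build_sample(challenge: bytes, boot_key: bytes, locked: bool, state: int,
                 level: int = SECURITY_LEVEL_TEE) -> bytes:
    rot = tlv(SEQ, tlv(OCT, boot_key) + tlv(BOOL, b"\xff" if locked else b"\x00")
              + tlv(ENUM, bytes([state])) + tlv(OCT, b"\x11" * 32))
    tee = tlv(SEQ, tlv(ctx_tag(ROOT_OF_TRUST_TAG), rot))
    return tlv(SEQ, tlv(INT, b"\x04") + tlv(ENUM, bytes([level])) + tlv(INT, b"\x04")
               + tlv(ENUM, bytes([level])) + tlv(OCT, challenge) + tlv(OCT, b"")
               + tlv(SEQ, b"") + tee)

# Placeholder allowlist: a real one holds each OS vendor's published verified boot key hashes.
ALLOWED_KEYS = {"eOS-placeholder": {b"\xe0" * 32}, "stock-placeholder": {b"\x01" * 32}}
CHALLENGE = b"server-nonce-0001"                    # per-login nonce issued by the server

if __name__ == "__main__":
    for desc, blob in [("eOS locked+verified", build_sample(CHALLENGE, b"\xe0" * 32, True, 0)),
                       ("eOS unlocked", build_sample(CHALLENGE, b"\xe0" * 32, False, 0)),
                       ("unknown OS", build_sample(CHALLENGE, b"\x77" * 32, True, 0))]:
        print(desc, "->", evaluate(blob, CHALLENGE, ALLOWED_KEYS))
```

The point of the allowlist is that an alternative OS is accepted on the same terms as a stock ROM: what the app needs from /e/OS is the set of verified boot key hashes per device, the locked bootloader, and the attestation root chain that Android has offered since version 8.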
Alternatives?
What other alternatives does eOS have to let apps check it is safe?