Comment by well_ackshually
9 hours ago
Depending on the level of security you ask for Play Integrity, it can be:
* is this device rooted, is it an unsigned build ?
* Device is signed, but is it part of the blessed signing keys ? is play services untampered with ?
* Additional checks over the lifetime of the device.
You could fully trust the results of Play Integrity on device, but you can also send the returned token to your server, and your server then contacts play integrity to validate that token. So unless you know how to spoof those encrypted tokens, you won't go very far.
https://developer.android.com/google/play/integrity/overview
So basically an alternative OS can offer a service like Play Integrity and the only problem is that those banks hard-code a dependence on Google's Play Integrity and Google has a monopoly for that service?
This is something that could be addressed at least in the EU by mandating banks to allow alternative services or not use this service at all.
Yep. You can even run your own play integrity-like backend.
>This is something that could be addressed at least in the EU by mandating banks to allow alternative services or not use this service at all.
The EU mandates banks to be interoperable, and to guarantee the security of users. You can solve that issue by going through an alternative app that doesn't use play integrity and is PSD2 compliant so other banks let you call their APIs. It usually requires you to be a bank, and as a bank, you're really risk averse. So you use play integrity.