So the point of this is to make it harder to write third-party clients? This reeks of DRM. And how can Google actually know whether to sign the attestation without more usage of evil technologies like SafetyNet?