[rjh29]

It seems that won't affect Play Integrity for now. But I wonder if we'll eventually see rooted (GrapheneOS etc.) phones installing patches to banking apps to fool them into thinking they're legit. Hacked Nintendo Switches already do something similar.

[dns_snek]

In case there's a misunderstanding, GrapheneOS doesn't provide root access, and fooling apps won't be possible as the platform keeps moving towards stronger hardware attestation.

However banks can use the hardware attestation API instead of Play Integrity API to allow alternative distributions like GrapheneOS [1]. All of my financial apps happen to work on GrapheneOS.

[1] https://grapheneos.org/articles/attestation-compatibility-gu...

[rjh29]

Thanks, I was confused. I thought you needed to root the phone to install GrapheneOS, but it seems you only need to unlock the bootloader.

[05]

That's available right now as Frida plugins etc. The problem is that remote attestation is done on the server and bank backend API would be able to call Google Play API to check the attestation and deny access. Nothing you can patch on the app side could change that.