[g-b-r]

I don't see any requirement to support hardware attestation in the recaptcha documentation, the Play Services seem to be "enough".

I think it's most likely to be attested by Google remotely; they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone, officially to make better humanity assessments based on it all.

For people using a Google account it probably won't make a huge difference, in terms of data collected.

If that's how it would work, spoofing would probably be theoretically possible, but it would be easy for Google to detect attestations used by multiple people.

Let's not forget that this is an update to a very approximate system, absolute security is not (yet) required.

But there's a good chance that it will be extremely hard to sidestep, despite that.

[lxgr]

> they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone

But anything your phone can possibly do in software can be spoofed, so how would that help?

[palata]

> I don't see any requirement to support hardware attestation in the recaptcha documentation, the Play Services seem to be "enough".

Doesn't Play Integrity use hardware attestation, but specifically checking the Google keys?

If you use the Play Services on GrapheneOS, you still don't pass Play Integrity because your system is signed by GrapheneOS and not by Google.

[g-b-r]

No, Play Integrity is a set of numerous features, and the developers decide which one to use, and how to react to what the api reports.

Hardware attestation is one feature, but it's still not used a lot.

The most common feature is the check that your Google account really downloaded the app you're using (and that the app wasn't modified); which requires using a Google account, of course. This is what the "pairip" that's been plaguing the store for a year does (it's being added by a ton of apps because adding it only requires enabling a preference in the Play Console).