GrapheneOS Accuses Google of Locking Out Rival Mobile OS

A bold accusation from the privacy-focused mobile operating system GrapheneOS is sending shockwaves through the tech world. The project is calling out Google and Apple directly, claiming their device verification tools are quietly building walls around the internet itself. And the scariest part? It may already be happening on your phone.

What GrapheneOS Is Actually Saying

GrapheneOS posted a detailed thread on X, accusing Google and Apple of slowly making apps and the web work only on their approved devices. The project claims Google and Apple are increasingly using device verification systems to lock users into their own hardware and software, pointing to tools like Google’s Play Integrity API, Apple’s App Attest, and Google’s reCAPTCHA systems as the main culprits.

More apps and websites are starting to check whether you are using a trusted phone and approved software before letting you in. According to GrapheneOS, that could give Google and Apple absolute control over which devices work properly online.

GrapheneOS argues these systems are framed as security features, but they actually strengthen Google and Apple’s control over apps and web access. That framing is exactly what makes this accusation so serious. When something is labeled a “security measure,” it becomes much harder to push back against.

The Play Integrity Problem Nobody Is Talking About

GrapheneOS mostly focuses on Google’s Play Integrity API, which Android apps use to check whether a device is genuine, secure, and running certified software. Banking apps often use these checks to block rooted phones or devices running modified versions of Android. GrapheneOS says the system also blocks legitimate alternatives, including its own OS.

This is not a minor inconvenience. Unlocking a bootloader causes devices to fail the more stringent Play Integrity checks, locking users out of many dining, medical, gaming, banking, and payment apps, as these types of apps often utilize the API’s stricter evaluations.


“Google’s Play Integrity API bans using GrapheneOS despite it being far more secure than anything they permit.”

Google’s updated Play Integrity API is making it significantly harder for users with rooted phones or custom ROMs to access certain applications due to enhanced security verifications. The update, now rolling out by default as of May 2025, enforces stricter hardware-backed security signals for integrity verdicts on devices running Android 13 or later.

In practice, non-official operating systems such as LineageOS fail the hardware attestation and thus prevent users from using apps that require the API. Some consider this a monopolistic practice that deters the entrance of competing mobile operating systems in the market.

reCAPTCHA: The Tool That Could Control the Web

The argument gets even bigger when GrapheneOS turns its attention to reCAPTCHA. Most people think of it as just the little “I’m not a robot” box they tick before submitting a form. The reality, GrapheneOS says, is far more troubling.

Google’s systems require users to verify themselves using a certified Android or iOS device. In some situations, users may have to scan a QR code with their phone to prove they are a real person before accessing a site or service. GrapheneOS says this could eventually affect users on desktop platforms like Windows or Linux, too.

Current media coverage for reCAPTCHA Mobile Verification misunderstands it and its true impact. This system is bringing a hardware attestation requirement to Windows, desktop Linux, OpenBSD, and other platforms by requiring a QR scan from a certified smartphone to pass reCAPTCHA in some cases.

Here is what that means in plain terms:

  • On Android: Apps check Play Integrity to confirm you’re using Google-certified software
  • On Apple devices: App Attest and Privacy Pass perform the same function
  • On desktop: reCAPTCHA Mobile Verification may require you to scan a QR code with a certified phone just to prove you’re human
  • The result: Anyone without an approved iOS or Android device could eventually lose access to large chunks of the web

“Control over reCAPTCHA puts Google in a position where they can require having either iOS or a certified Android device to use an enormous amount of the web,” GrapheneOS wrote.

Governments Are Making It Worse, Not Better

If the tech giants alone were pushing these systems, regulators might step in. But GrapheneOS points out a troubling twist: governments themselves are joining in.

Governments are increasingly mandating the use of Apple’s App Attest and Google’s Play Integrity for not only their own services but also commercial services. The EU is leading the charge in making these requirements for digital payments, ID, and age verification. Many EU government apps already require them.

This is where the situation goes from concerning to deeply alarming. When public institutions require citizens to use privately controlled verification tools just to access government services, the line between tech regulation and tech capture starts to blur.

GrapheneOS did succeed in convincing the EU to back down from requiring Google Play Integrity for their digital wallet and age verification systems. However, the project failed to convince them to require supporting alternatives, meaning many of the apps will likely only allow Google Mobile Services devices running the stock OS.

“Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they’re directly participating in locking out competition via their own services,” GrapheneOS said.

The tech community has noted this represents a “boiling the frog” approach to device lockdown, where each individual step seems reasonable but the cumulative effect could be a fundamental shift in device autonomy and user control.

What This Means for Your Digital Freedom

Apps using the Play Integrity API can support GrapheneOS by using the standard Android hardware attestation API and permitting its official release signing keys. Android’s hardware attestation API actually provides a much stronger form of attestation than the Play Integrity API, with the ability to whitelist the keys of alternate operating systems.

In other words, there is a better technical solution available. GrapheneOS argues the choice to not use it is deliberate.
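The allow-listing approach described above can be sketched as a server-side policy check. This is an added example, not code from GrapheneOS, Google, or the original article: it parses the `RootOfTrust` structure carried in an Android key attestation certificate and accepts either a stock OS or a locked device whose verified boot key is on the verifier's allow-list. It assumes the certificate chain and challenge were already validated and the `RootOfTrust` bytes and security level already extracted; `evaluate`, `sample` and the key value are hypothetical names and constructed data.

```python
import hashlib

VERIFIED, SELF_SIGNED = 0, 1   # VerifiedBootState (2 = Unverified, 3 = Failed)
HARDWARE_LEVELS = (1, 2)       # SecurityLevel: TrustedEnvironment, StrongBox

def read_tlv(buf, pos):
    """Read one short-form DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80 or pos + 2 + buf[pos + 1] > len(buf):
        raise ValueError("truncated or long-form DER")
    end = pos + 2 + buf[pos + 1]
    return buf[pos], buf[pos + 2:end], end

def parse_root_of_trust(der):
    """SEQUENCE { verifiedBootKey, deviceLocked, verifiedBootState, verifiedBootHash }"""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("RootOfTrust must be a SEQUENCE")
    fields, pos = [], 0
    for expected in (0x04, 0x01, 0x0A, 0x04):  # OCTET STRING, BOOLEAN, ENUMERATED, OCTET STRING
        tag, value, pos = read_tlv(body, pos)
        if tag != expected:
            raise ValueError("unexpected RootOfTrust field")
        fields.append(value)
    key, locked, state, _boot_hash = fields
    if len(locked) != 1 or len(state) != 1:    # an empty value must not decode as 0 (Verified)
        raise ValueError("malformed BOOLEAN or ENUMERATED")
    return key, locked != b"\x00", state[0]

def evaluate(root_of_trust_der, security_level, allowed_boot_keys):
    """Return (accepted, reason) for one attestation's root of trust."""
    if security_level not in HARDWARE_LEVELS:
        return False, "attestation is not hardware-backed"
    key, locked, state = parse_root_of_trust(root_of_trust_der)
    if not locked:
        return False, "bootloader is unlocked"
    if state == VERIFIED:
        return True, "stock OS verified with the device's built-in key"
    if state == SELF_SIGNED and key.hex() in allowed_boot_keys:
        return True, "alternate OS with an allow-listed verified boot key"
    return False, "verified boot state or key not accepted"

def sample(key, locked, state):   # constructed RootOfTrust, short-form DER
    def tlv(tag, value):
        return bytes([tag, len(value)]) + value
    return tlv(0x30, tlv(4, key) + tlv(1, b"\xff" if locked else b"\x00")
               + tlv(10, bytes([state])) + tlv(4, bytes(32)))

ALT_KEY = hashlib.sha256(b"constructed alternate-OS key").digest()  # placeholder, not a real fingerprint
print(evaluate(sample(ALT_KEY, True, SELF_SIGNED), 1, {ALT_KEY.hex()}))
```

A locked device booting an OS signed with a user-installed key reports the self-signed boot state, so the allow-list of verified boot keys is what separates an accepted alternate OS from an arbitrary one.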

Google’s Android 16 release is raising further alarm bells among third-party operating system developers, with GrapheneOS warning that the update introduces significant architectural changes that make porting privacy-focused operating systems dramatically more difficult. These changes mark a decisive shift in how Google handles the Android ecosystem and reflect an apparent move to consolidate Pixel as a first-party platform.

The potential for device attestation requirements, the exclusion of users with non-certified devices, and the centralization of trust in a single platform raise legitimate concerns about privacy, autonomy, and the future of the open web.

Google and Apple have not publicly responded to the issues raised by GrapheneOS so far. That silence, given the scale of the accusation, speaks volumes on its own.

GrapheneOS is not just fighting for its own survival here. It is raising a question that affects every smartphone user in the world: do you truly own your device, or are you just renting access to an ecosystem someone else controls? The walls are being built one API at a time, and most people won’t even notice until the door is already shut. What do you think about Google and Apple’s growing control over devices and apps? Drop your thoughts in the comments below.
