Google Considers Certification for Custom ROMs Amid Play Integrity Issues

29 Jul 2024

Challenges for Custom ROM Users

Android’s open-source nature presents a unique dichotomy for users and developers alike. While it allows for the exploration of apps beyond the confines of the Play Store and the experimentation with custom ROMs, it simultaneously poses challenges for developers focused on security. They face uncertainty regarding the authenticity of the operating systems and applications their software interacts with. This concern has led to the creation of frameworks like Play Integrity, an API designed to ensure that applications are only executed on “genuine” Android devices.

As more applications begin to implement Play Integrity checks, users within the custom ROM community are encountering significant obstacles. The implications of these checks are not new; earlier this year, Google leveraged the API to restrict RCS messaging capabilities on custom ROMs, ostensibly to thwart spam. Recently, the multi-factor authentication app Authy has begun enforcing Play Integrity checks, resulting in reports of operational failures on GrapheneOS.

In response to these challenges, GrapheneOS’s community manager engaged in a dialogue on X with Google’s Shawn Willden, who oversees Android’s hardware-backed security subsystems. Willden’s candid remarks highlighted the dilemma posed by Play Integrity, stating, “If it’s not an official OS, we have to assume it’s bad.”

However, this does not signify the end of custom ROMs or the possibility of apps utilizing Play Integrity running on unofficial Android builds. Willden indicated that some members of his team, along with certain Google executives, are open to the concept of developing a certification process for third-party ROMs that would allow them to pass Android’s Compatibility Test Suite. The primary hurdle appears to be a lack of widespread interest; the number of users adopting custom ROMs is insufficient to justify the investment required to establish such a program.

This pragmatic approach from Google reflects the reality that the majority of Android users prioritize a seamless experience on mainstream devices with widely accepted software. It raises the question of whether community efforts should pivot towards collaborating with third-party developers to create applications that do not rely on Play Integrity checks. The conversation surrounding this topic is rich and multifaceted, and for those intrigued, the full thread on X offers a comprehensive examination of the existing system’s shortcomings, including the inadequacies in enforcing checks on users running outdated software.


How to log in to Authy?

To log in to Authy, follow these steps:
1. Download and install the Authy app on your device from the App Store or Google Play.
2. Open the app and enter your phone number.
3. You'll receive a verification code via SMS or call; enter this code in the app.
4. Once verified, you can set up a master password for added security.
You can now start adding accounts to Authy.

How to sync Authy between devices?

To sync Authy between devices, ensure Multi-Device is enabled:
1. Open Authy on your primary device.
2. Go to Settings > Devices.
3. Enable the 'Allow Multi-device' option.
4. Install Authy on your new device.
5. Enter the same phone number used on your primary device.
6. You'll receive a verification code; enter it in the app.
Your accounts will sync automatically.
Update: 29 Jul 2024