European Consortium Wants Open-Source Alternative To Google Play Integrity
Source: Slashdot
Introduction
An anonymous reader quotes a report from Heise: Pay securely with an Android smartphone, completely without Google services. This is the plan being developed by a newly founded industry consortium led by the German Volla Systeme GmbH. It aims to create an open‑source alternative to Google Play Integrity, the proprietary interface that decides on Android smartphones with Google Play services whether banking, government, or wallet apps are allowed to run.
Background
Obstacles and tips for paying with an Android smartphone without official Google services were highlighted by c’t in a comprehensive article. The European industry consortium now wants to address some of the problems mentioned.
Consortium Members
The group includes:
- Volla Systeme GmbH (Germany)
- Murena – developer of the hardened custom ROM /e/OS
- Iode (France)
- Apostrophy (Dot) (Switzerland)
Additional interest has been expressed by a European manufacturer, a leading Asian manufacturer, and European foundations such as the German UBports Foundation. Developers and publishers of government apps from Scandinavia are also examining the new procedure as “first movers”.
Unified Attestation
The consortium is developing a so‑called UnifiedAttestation for Google‑free mobile operating systems, primarily based on the Android Open‑Source Project (AOSP).
What it replaces
Google provides app developers with an interface called Play Integrity, which checks whether an app is running on a device that meets specific security requirements. This primarily affects applications in “sensitive areas such as identity verification, banking, or digital wallets—including apps from governments and public administrations”.
Criticism of the current system
The consortium argues that certification is exclusively offered for Google’s proprietary “Stock Android” and not for Android versions without Google services (e.g., /e/OS or similar custom ROMs). Because the check is tightly coupled with Google services and data centers, a structural dependency arises, creating a de‑facto exclusion criterion for alternative operating systems. This leads to a “security paradox”: the trustworthiness check is performed by the very entity whose ecosystem the alternatives aim to avoid.
Core components
- Operating system service – apps can call this service to verify whether the device’s OS meets required security standards.
- Decentralized validation service – verifies the OS certificate on a device without relying on a single central authority.
- Open test suite – used to evaluate and certify that a particular operating system works securely on a specific device model.
Statements from the Consortium
“We don’t want to centralize trust, but organize it transparently and publicly verifiable. When companies check competitors’ products, we can strengthen that trust,” says Dr. Jorg Wurzer, CEO of Volla Systeme GmbH and initiator of the consortium.
The goal is to increase digital sovereignty and break free from the control of any single U.S. company.