You can install Google Play Services as a sandboxed app on GrapheneOS. That's not the issue. I believe the issue is that Google will use hardware attestation to check if the OS you're running it on is Google-approved.
this post was submitted on 10 May 2026
1291 points (98.3% liked)
Privacy
48556 readers
183 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 6 years ago
MODERATORS
The Recaptcha QR code verification does work on GrapheneOS for now and there is a standard select the swuares fallback. Recaptcha is also entirely optional for a website and they can easily pick any competitor like hCaptcha if they want.
Sites need to stop using recaptcha. It's an unnecessary barrier to using a site and I often refuse out of principle.
websites need to stick to hcaptcha or turnslide
Need to break up these monopolies. Really the root of all bad about capitalism.
The "root of bad" is capitalism itself, the logic of the system tends to create monopolies over time, as demonstrated in the game 'Monopoly'
load more comments
(25 replies)
Break up the billionaires while you're at it. Their sickness will boil the seas away to nothing
For a decade or two now, it's been pretty much assumed that everyone has an internet-connected, camera-equipped, browser-capable device in their pocket. Restaurants, banks, hospitals, employers and even government offices use QR codes and websites to get you to their menus, forms or services.
If ID is being tied to my mobile spy device, then I need my mobile spy device to be a right and not a luxury. $40-50 for a few years of validity, internet access provided at no cost, even if slow. I can have my luxury phone be where I'm 'anonymous', but I want the government to subsidize the mobile spy device if it's a mandatory expense. Even cheap phones cost a lot of money.
To be clear, I don't want ID tied to my phone, but it's gotten harder to exist without one, so it should be something we have access to with minimal friction.
Add food, water and shelter to that list, but you can't ask for them without a web browser.
This is really bad even just from the perspective of user behavior. Training people to scan QR codes from anything that looks like a captcha box is HORRIBLE for security.
"Thanks for scanning the code, just one more step! Please input your phone number, and type in the code you receive."
Boom, account stolen.
It's almost like they don't really care about your security...
load more comments
(3 replies)
I wont visit a website if they require my identity. Other options out there.
Most goonings sites don't use recaptcha
eww recaptcha,spyware piece of shit.
If google requires me to permit other companies to leech all my personal data to be able to use anything on the Internet at all, I say we label Google, Microsoft, Apple as criminal organizations
I'm sorry, bit there have to be limits.
I. DO. NOT. WANT. TO. USE. ANYTHING. GOOGLE.
OR APPLE. OR MICROSOFT.
FUCK ALL THESE OLIGARCH COMPANIES INTO THE GROUND
I do not want my private data leeches and sold every day, I don't even get paid for it
load more comments
(2 replies)
well, I guess i will stop using those websites from my /e/os fairphone
What they are doing is way worse tban what you understood.
These QR codes will show on your Desktop PC and you will need an Android phone or an iOS device with a logged in Google QR code app to get past it.
so they are not only tracking you, but they are trying to reconnect your records across multiple devices.
And through the VPN
load more comments
(2 replies)
I wouldn't scan shit from a website. Random QR codes are a security risk. Just won't visit that website.
load more comments
(2 replies)
load more comments
(6 replies)
load more comments
(3 replies)
I doubt OP cares, but I use GrapheneOS with Google Play services. It's still better than regular Android. Don't give up because you can't get 100%
load more comments
(2 replies)
That would only make me install Graphene even harder if I wasn't already writing from a phone with it
This. Time to stand up to Google and completely boycott the surveillance tech that the US is deploying.
load more comments
(1 replies)
Which websites does this actually affect? I use GrapheneOS and I've yet to be affected by this, granted I don't use many mainstream services.
i haven't seen this qr code thing yet, but recaptcha itself i see on many sites including archive.today
load more comments
(5 replies)
This is just ID verification in another guise. The second I see one of these, I'll stop using the website I see it on.
Let's hope the EU prevents this from happening. We should be able to access every site we wish without Google's permission.
load more comments
(9 replies)
To anyone not switching because of this-- in my experience this is something I can work around. On most websites my captchas still work. I have had a few that dont work, and I just close the website and move on. It hasn't happened on any websites that are very important for me to visit. Usually its a store and they really me to install their stupid app. Nope.
load more comments
(1 replies)
Fuck em. If websites use this, I don't need to see their shit or patronize their business. Google can eat a dick.
i have one myself, and I can tell you that grapheneos won't be affected by this. the real damage is to people using things like dumb phones or BSD, even windows computers are effectively locked out of the internet.
Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends on doing too.
Google's Play Integrity API requires hardware attestation for the strong integrity level and is gradually phasing in requiring it for the more commonly used device integrity level. Apple already has it as a requirement. Over the long term, this will increasingly lock out hardware and OS competition.
The purpose of these systems is disallowing people from using hardware and software not approved by Apple or Google. This is wrongly presented as being a security feature. Banks and government services are the main ones adopting it but Apple and Google are encouraging every service to use it.
Apple's Privacy Pass brought hardware attestation to the web to help with passing captchas on their own hardware. Many people saw that as harmless since few sites would be willing to lock out non-Apple-hardware users. Apple and Google are both likely to bring broader hardware attestation to the web.
Google's reCAPTCHA is planning an approach where they use Privacy Pass on Apple hardware, their own approach on Google Mobile Services Android devices and a QR code scanning system to require an iOS or Google certified Android device for Windows and other systems:
er/16609652
Banking and government services increasingly require using a mobile app where they can use attestation to force using an Apple or Google approved device and OS. Apple's privacy pass, Google's 'cancelled' Web Environment Integrity and now reCAPTCHA Mobile Verification are bringing this to the web.
Current media coverage for reCAPTCHA Mobile Verification misunderstands it and the impact of it. They're bringing a hardware attestation requirement to Windows, desktop Linux, OpenBSD, etc. by requiring a QR scan from a certified smartphone to pass reCAPTCHA in some cases. They could expand it more.
Control over reCAPTCHA puts Google in a position where they can require having either iOS or a certified Android device to use an enormous amount of the web. Google defines certification requirements for Android which includes forcing bundling Google Chrome, etc. It's enormously anti-competitive.
Google's Play Integrity API bans using GrapheneOS despite it being far more secure than anything they permit. It also bans using any other alternative. This isn't somehow specific to an AOSP-based OS. You can't avoid this by using a mobile OS based on FreeBSD instead. You'll just be more locked out.
Google's Play Integrity API permits devices with no security patches for 10 years. The device integrity level can be bypassed via spoofing but they can detect it quite well and block it once it starts being done at scale. The strong integrity level requires leaked keys from TEEs/SEs to bypass it.
It doesn't provide a useful security feature, but it does lock out competition very well. Services requiring Apple App Attest or Google Play Integrity are primarily helping to lock in Apple and Google having a duopoly for mobile devices. Play Integrity is more relevant due to AOSP being open source.
Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.
Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they're directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security.
reCAPTCHA Mobile Verification will currently work with sandboxed Google Play on GrapheneOS but it clearly exists to provide a way for them to start using hardware attestation on systems without it. People without an iOS or Android device will be locked out when this is required even without that.
This isn't about security or any missing functionality. GrapheneOS can be verified via hardware attestation. Google bans using GrapheneOS for Play Integrity because we don't license Google Mobile Services and conform to anti-competitive rules already found to be illegal in South Korea and elsewhere.
Services shouldn't ban people from using arbitrary hardware and operating systems in the first place. Google's security excuse is clearly bogus when they permit devices with no patches for 10 years but not a much more secure OS. It's for enforcing their monopolies via GMS licensing, that's all.
load more comments
(2 replies)
Eventually privacy minded people like us will have to start creating and visiting sites on the dark web.
load more comments
(6 replies)
Not noticed it and fuck those websites. Happy to boycott.
I should be good with sandboxed Google play.
But wtf we’ll need a phone to solve captchas now? What happens if you don’t have one?
load more comments
(2 replies)
Most of the time, my phone's browser is disabled. It keeps me from using my phone too much. I understand not everyone is in a position where they can do that though.
Or even want that...
After reading a bunch of books about our relationship with technology, I concluded it's probably best that I greatly reduce my reliance on my phone. A big part of how I accomplish that is just by using my laptop for things that I can't cut out entirely, like banking, email, web browsing, etc.
i never switched to preferring my phone over my laptop, so my laptop has always remained my primary means of interacting with people (ie text messages & phone calls) and social media and it's taught me that it disconnects you in strange ways from the zeitgeist of today world in ways that are so subtle that they're easy to miss and they add up over time.
I uninstalled Tik Tok almost 2 years ago and have heavily restricted my other social media usage since. Programming.dev (and the extended Lemmyverse) is the biggest cheat I permit myself. I do still waste more time scrolling than I want, but through it, I've been exposed to things that I feel make my life richer. And it is a lot less soul-crushing than commercial platforms that are jam packed with AI slop and are designed to be addicting.
That said, with I no longer have a way to keep up with trends and my main source of news is my wife, who is still plugged into TikTok. And honestly, I think I'm better off that way. I have way more time to read (and engage in other long-form content) and spend with my kids. I'm exposed to way less propaganda and outrage content. Looking back on days with 9+ hours spent on TikTok, it feels like I was part of a hive mind. I like being an individual again.
tiktok is especially interesting when you use it on a laptop compared to a phone; a lot of the features like reposting videos and following people don't always work so i have to implement work arounds to do both and it sometimes feels like going back to 1995 since my workarounds involve text messages. lol
view more: next ›