We’ve implemented a system for notifying users when apps use the Play Integrity API. This will help users determine which apps are banning using a non-stock OS. Some of these will still work if they only enforce basic integrity rather than requiring a Google certified device running the stock OS.
Using Play Integrity is an incredibly anti-privacy and anti-security practice despite being wrongly portrayed as a security feature. The notification will include a link for leaving a rating and review for the app via sandboxed Play Store to make it very convenient for people to send complaints.
App developers can implement support using standard hardware-based attestation and allowlist the GrapheneOS signing keys if they insist on checking device integrity. There’s a guide for this at https://grapheneos.org/articles/attestation-compatibility-guide. There’s no good excuse for only permitting a device/OS licensing GMS.
Most apps using the Play Integrity API are enforcing the device integrity level. This enforces having a device licensing Google Mobile Services with the stock OS. It has no issue with a device behind on patches by a decade. Strong integrity level checks for the same thing via hardware attestation.
We may also add a way to block the Play Integrity API with a per-app toggle if we determine this helps improve compatibility due to some apps still having a fallback to other approaches. Spoofing device integrity level is possible but increasingly problematic and will get worse.
Is the 2FA a ToTP? Here in the US it seems like most banks use SMS 2FA which is terrible. You say you can still use the 2FA on the web browser so that doesn’t make sense to me why it’s a deal breaker.
The second factor is the app on your phone. It‘s not Totp. When you log in somewhere or make a transaction it will send a notification to the app asking you to confirm.
When you open the bank account you get a letter with a code to register in the app, which authorizes it to receive the notification.
Gotcha. That’s unfortunate