Google seems to require Google Play Services for passing next-gen reCAPTCHA on Android, denying de-Googled Android phones and creating surveillance issues
Reclaim The Net · Rick Findlay
Related Coverage
- Google reCAPTCHA Update Blocks Privacy-Focused Android Users From Sites Cyber Security News · Guru Baran
- GrapheneOS says Google is making life harder for rival operating systems and devices Android Authority · Adamya Sharma
- Privacy advocates slam reCAPTCHA update that they say locks out de-Googled phones Cointelegraph
- Google's new reCAPTCHA has a hidden Play Services requirement we all missed PiunikaWeb · Dwayne Cubbins
- Google's next-gen reCAPTCHA system could spell trouble for de-Googled phones Android Authority · Ryan McNeal
- This raises a significant question about gatekeeping on the web. It's one thing to provide a service, another to mandate specific client-side dependencies that aren't truly open. Developers reliant on reCAPTCHA might need to rethink their options. @_.saumay._ · Saumay Jaiswal
- Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends on doing too. @GrapheneOS@grapheneos.social
- This isn't about security or any missing functionality. GrapheneOS can be verified via hardware attestation. Google bans using GrapheneOS for Play Integrity because we don't license Google Mobile Services and conform to anti-competitive rules already found to be illegal in South Korea and elsewhere. @GrapheneOS@grapheneos.social
- reCAPTCHA Mobile Verification will currently work with sandboxed Google Play on GrapheneOS but it clearly exists to provide a way for them to start using hardware attestation on systems without it. People without an iOS or Android device will be locked out when this is required even without that. @GrapheneOS@grapheneos.social
- Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they're directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security. @GrapheneOS@grapheneos.social
- Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them. @GrapheneOS@grapheneos.social
- Play Integrity API is highly insecure and it isn't particularly hard to temporarily bypass it. There are frameworks for spoofing the software checks and leaked keys for bypassing hardware attestation can be purchased. However, bypasses are getting harder and are becoming increasingly short lived. @GrapheneOS@grapheneos.social
- Google's reCAPTCHA is planning an approach where they use Privacy Pass on Apple hardware, their own approach on Google Mobile Services Android devices and a QR code scanning system to require an iOS or Google certified Android device for Windows and other systems: — https://support.google.com/... @GrapheneOS@grapheneos.social
- Apple's Privacy Pass brought hardware attestation to the web to help with passing captchas on their own hardware. Many people saw that as harmless since few sites would be willing to lock out non-Apple-hardware users. Apple and Google are both likely to bring broader hardware attestation to the web. @GrapheneOS@grapheneos.social
- The purpose of these systems is disallowing people from using hardware and software not approved by Apple or Google. This is wrongly presented as being a security feature. Banks and government services are the main ones adopting it but Apple and Google are encouraging every service to use it. @GrapheneOS@grapheneos.social
- Google's Play Integrity API requires hardware attestation for the strong integrity level and is gradually phasing in requiring it for the more commonly used device integrity level. Apple already has it as a requirement. Over the long term, this will increasingly lock out hardware and OS competition. @GrapheneOS@grapheneos.social
- Hardware Attestation as Monopoly Enabler Hacker News
- The makers of security-first GrapheneOS are putting Google and Apple's tactics on blast Digital Trends · Rachit Agarwal
- Google wants you to scan QR code to prove you're human online Business Today
- Privacy Or Suspicious? Google's New QR Verification Locks Out deGoogled Devices Ubergizmo · Paulo Montenegro
- I revoked Google Play Services' permissions, and here's what actually broke on my Android phone MakeUseOf · Tashreef Shareef
Discussion
- @grapheneos on x: reCAPTCHA Mobile Verification will currently work with sandboxed Google Play on GrapheneOS but it clearly exists to provide a way for them to start using hardware attestation on systems without it. People without an iOS or Android device will be locked out when this is required …
- @intcyberdigest on x: ‼️🚨 ALARMING: Google now treats privacy as suspicious behavior by default. Users of GrapheneOS, CalyxOS, /e/OS, and other deGoogled Android phones are being locked out of millions of websites unless they install the exact Google Play Services software they deliberately removed. […
- Gro-Tsen (@gro_tsen) on x: 🔽 This is highly alarming, so let me try to explain what it's about in a manner understandable to laypeople: ‣ reCAPTCHA is a service to prevent bots from accessing Web sites. You probably know it as “click on all squares containing bicycles”. ... •1/5 https://x.com/...
- @pirat_nation on x: The result is that millions of websites now treat these privacy phones as risky, so users must either add Google Play Services or stay locked out. This is similar to Google's 2023 Web Environment Integrity idea that wanted websites to check if devices were trustworthy through Go…
- @cr1337 on x: Google recently announced their Cloud Fraud Defense, the next evolution of reCAPTCHA, a trust platform for the agentic web. However, the implications might be bigger than we think; as somebody on Hacker News pointed out: “So it seems that you will need a modern Android device [im…
- @grapheneos.org on bluesky: Current media coverage for reCAPTCHA Mobile Verification misunderstands it and the impact of it. They're bringing a hardware attestation requirement to Windows, desktop Linux, OpenBSD, etc. by requiring a QR scan from a certified smartphone to pass reCAPTCHA in some cases. They…
- @gro-tsen on bluesky: → This is one of the most evil things Google has done so far, and, of course, it is hidden under a layer of boring technicality ("reCAPTCHA will now be replaced by a challenge to Google Services 😴") meant to ensure that most people won't understand or care. — But you SHOULD car…
- @nixCraft@mastodon.social on mastodon: Google Broke reCAPTCHA for De-Googled Android Users https://reclaimthenet.org/... Google has tied its next-generation reCAPTCHA system to Google Play Services on Android, meaning anyone running a de-Googled phone will automatically fail verification when the system decides to ch…
- r/Anticonsumption on reddit: Google Broke reCAPTCHA for De-Googled Android Users
- r/privacy on reddit: Google Broke reCAPTCHA for De-Googled Android Users