Apps using the Play Integrity API or obsolete SafetyNet Attestation API to check the authenticity/integrity of the OS can support GrapheneOS by using the standard Android hardware attestation API instead and permitting our official release signing keys. Android’s hardware attestation API provides a much stronger form of attestation than the Play Integrity API with the ability to whitelist the keys of alternate operating systems. It also avoids an unnecessary dependency on Google Play services and Google’s Play Integrity servers.

Devices have been required to ship with hardware attestation support since Android 8. You can use hardware attestation on devices running Android 8 or later when the ro.product.first_api_level system property isn’t set to 25 or below, which indicates they launched with Android 8 or later with hardware attestation support as a mandatory feature. On older devices, you can continue using the Play Integrity API. Some low quality devices shipped broken implementations of hardware attestation despite the requirement to have it working for CDD/CTS certification and the Play Integrity API currently still passes on those devices wrongly claiming them to be CTS certified. If you don’t want to fail on those devices, then you can start with hardware attestation and fall back to th