I’ve been looking into the new age verification system that Europe is working on. They’re making an app that’s supposed to protect privacy while checking if someone is old enough for certain services.
The thing that bothers me is how they’re planning to lock it down. The app will use something called remote attestation to make sure everything is legit. But here’s the problem - it only works if your phone runs official Google Android.
Basically you need:
- Android that Google approved
- The app from Google Play Store (so you need a Google account)
- Your device has to pass Google’s security tests
This is really frustrating because there are other Android versions out there that are actually more secure than regular Google Android. But if you’re using one of those, you’re out of luck. The app uses Google Play Integrity instead of the normal Android security checks.
Even though the code is open source and you could technically build it yourself, that won’t help. The verification servers will reject your app because it didn’t come from the Play Store.
Someone already reported this as an issue but the developers haven’t responded yet. It seems weird that a European solution would be so dependent on an American company’s ecosystem.
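The three requirements listed in the post above map onto fields of a decoded Play Integrity verdict. This is an added example, not part of the post and not the age verification project's own code. It assumes the server already holds the decrypted verdict payload of a classic (nonce-based) request; the package name, the freshness window and all sample verdicts are constructed placeholders.

```python
import time

# Assumed server policy (hypothetical values, not taken from the real app).
EXPECTED_PACKAGE = "eu.example.ageverification"  # placeholder package name
MAX_AGE_MS = 5 * 60 * 1000                       # accept verdicts up to 5 minutes old

def evaluate_verdict(payload, expected_nonce, now_ms=None):
    """Return the reasons a decoded verdict is rejected; an empty list means accepted."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []
    req = payload.get("requestDetails", {})
    # Bind the verdict to this app and this request before trusting anything else.
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        reasons.append("package name mismatch")
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch (possible replay)")
    if abs(now_ms - int(req.get("timestampMillis", 0))) > MAX_AGE_MS:
        reasons.append("verdict too old")
    # "The app from Google Play Store": a self-built binary is not PLAY_RECOGNIZED.
    if payload.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app binary not recognized by Google Play")
    # "So you need a Google account": the licence is tied to the Play account.
    if payload.get("accountDetails", {}).get("appLicensingVerdict") != "LICENSED":
        reasons.append("no Play licence for this user")
    # "Your device has to pass Google's security tests".
    device = payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if "MEETS_DEVICE_INTEGRITY" not in device:
        reasons.append("device does not meet Google's device integrity")
    return reasons

def sample(app="PLAY_RECOGNIZED", lic="LICENSED", device=("MEETS_DEVICE_INTEGRITY",)):
    """Build a constructed verdict payload for the demonstration."""
    return {
        "requestDetails": {"requestPackageName": EXPECTED_PACKAGE,
                           "nonce": "bm9uY2U", "timestampMillis": "1700000000000"},
        "appIntegrity": {"appRecognitionVerdict": app},
        "deviceIntegrity": {"deviceRecognitionVerdict": list(device)},
        "accountDetails": {"appLicensingVerdict": lic},
    }

NOW = 1700000060000  # constructed clock value, one minute after the verdict
STOCK = sample()                                                  # Play install, certified device
SELF_BUILT = sample(app="UNRECOGNIZED_VERSION", lic="UNEVALUATED")  # built from source
ALT_OS = sample(device=("MEETS_BASIC_INTEGRITY",))                # no device-integrity label

if __name__ == "__main__":
    for name, v in (("stock", STOCK), ("self-built", SELF_BUILT), ("alt OS", ALT_OS)):
        print(name, evaluate_verdict(v, "bm9uY2U", NOW) or "accepted")
```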
This Google dependency is becoming standard for official apps, even in Europe. I’ve hit the same wall with banking apps that won’t run on LineageOS or custom ROMs - despite these often being more secure than stock Android. What bugs me most is how this creates a monopoly where Google controls access to government services. The EU keeps fighting tech monopolies while building infrastructure that hands them more power. Makes no sense. Sure, the device integrity argument sounds reasonable from a security angle, but there are other ways to verify devices. Most phones have hardware security modules regardless of which Android they’re running. They’re just taking the lazy route with Google’s existing setup instead of building independent verification. This screws over privacy-conscious users who picked degoogled phones specifically to avoid Google’s data harvesting. It’s backwards - a privacy-focused identity system that forces you into Google’s ecosystem to work.
The irony is wild - Europe builds a digital identity system for sovereignty, then hands the keys to Google. I work in mobile security and this happens constantly. They picked Google Play Integrity because it’s easy, not because there aren’t other options. Samsung Knox, Apple’s systems, even TPM hardware attestation could do the same job without the Google dependency. But building independent attestation costs money and effort. Way easier to ride Google’s coattails than actually build European alternatives. Now Google controls whether EU citizens can access their own government services. Privacy advocates who ditched Google phones to escape surveillance? They’re forced right back in just to participate in civic life. If Europe actually wants digital independence, they need to fund real alternatives instead of taking Silicon Valley shortcuts.
This is classic bureaucratic laziness. They probably had meetings about “digital sovereignty” then copy-pasted Google’s integration because nobody wanted to do actual work. My rooted Pixel runs circles around most stock Android phones security-wise, but apparently that doesn’t matter. What’s next - requiring Chrome for EU websites? The whole thing screams vendor lock-in disguised as security theater.