That page seems to be saying the opposite: hardware attestation would support GrapheneOS, whereas the Play Integrity API would not.
Anecdotally, both of the banking apps I use 'just work', and I haven't encountered any app that doesn't work. The closest thing was the Disney parks app a few years ago which would crash on launch until I disabled the hardened malloc feature for it.
I see "... and permitting our official release signing keys" there, which means you are swapping Google Android for GrapheneOS Android, and you can't use bogwog Android if you wanted to.
There is a list of apps banning GrapheneOS keys here, including govt apps, ticket apps, and McDonalds for some reason:
> you are swapping Google Android for GrapheneOS Android
No? You're adding support for Graphene's keys, not replacing Google's. Obviously, the main barrier is convincing developers of these apps to add support for Graphene's keys. However, this is only a problem for apps that opted to implement the Play Integrity API at all, which doesn't seem to be very common. All the recent monopoly rulings against Google may be deterring devs from implementing this obviously anti-competitive feature, and that's not to mention Google's new responsibility to offer the Play store app catalog to competing stores, thanks to the Epic case.
> The injunction issued last year by U.S. District Judge James Donato requires Google to allow users to download rival app stores within its Play store and make Play's app catalog available to competitors. Those provisions do not take effect until July 2026.
My point was that this situation doesn't allow for Software Freedom, since you the user cannot control the OS, its an unmodifiable blob unless you are either someone with a blessed key (like Google, or GrapheneOS devs), or are willing and able to to go without the apps that use the attestation APIs, or have one locked down device for attestation apps and a separate one that you can actually control. Probably the only way to deal with that is make attestation to third parties illegal, I assume governments and banks would get exempted from such laws though.
Android has a hardware attestation API that is compatible with GrapheneOS (if the app accepts GOS's keys), but nobody uses it. Everyone uses the Play Integrity API; GrapheneOS can't pass the "strong" (hardware-backed) level of Play Integrity, though it passes the weaker ones.
The Dutch electronic identification app, DigiD, uses the Android-native attestation API.
Also good to make a distinction between the different things you can do in an attestation procedure: bootloader/boot integrity checks, attest a specific key, and ID (imei etc) attestation.
That page seems to be saying the opposite: hardware attestation would support GrapheneOS, whereas the Play Integrity API would not.
Anecdotally, both of the banking apps I use 'just work', and I haven't encountered any app that doesn't work. The closest thing was the Disney parks app a few years ago which would crash on launch until I disabled the hardened malloc feature for it.