I'm curious if GrapheneOS or other custom Android builds would be able to avoid these restrictions reasonably.
Obviously this is going to impact the supply of apps, since the market share of custom Android is smaller than even the market share of people willing to sideload or use an alternative store on a mainstream Android phone. Many developers might quit the game.
The problem with custom ROMs is that many government, banking, and similar apps don't run on them without workarounds. Some of those apps also consider this as a TOS violation as well.
When Microsoft first proposed a remote attestation scheme for PCs under the name Palladium, it was widely seen as a nightmare scenario. Even the mainstream press was critical[0]. There was barely a whimper when Google introduced Safetynet a decade later.
It wasn't OK in 2003. It wasn't OK in 2014. It isn't OK now. I'm just not sure what anybody can do about it.
There are many third-party money apps that login to your online banking that are a violation of ToS. That doesn't stop people using them. In fact, when they get really big, they can be legitimised by banks. For example, to get my mortgage, I had to use a third party service that logs in to my online banking account and ingests all my transactions to show that I saved for my deposit legitimately.
Then I won't run those apps. Seriously. I know not everyone has this option, but it's been my experience that a lot of processes do in fact have workarounds when you show them the cryptic error their poorly behaved app throws.
GrapheneOS has offical support for hardware attestation[0].
It does require the developer to make minor adjustments, and most banks are simply too risk averse to agree to doing that (I would know, used to be a senior android app dev at a bank).
I don’t use any utility apps (identity, banking, services etc) on my phone and stick to the desktop web. And don’t use services that do require me to have a Google or apple account and phone. (Spoiler: I do)
I hope my tiny datapoint shows up in some aggregated stats somewhere.
The alternative is just Apple; if Google loses enough users they might reconsider. Essentially the only real advantage Android had over Apple was being a more free platform/ecosystem; if they're going to do away with that, then they should be shown that this means they'll lose a lot of users.
GrapheneOS is a beautiful stop-gap, but there are real bona-fide Linux smartphones out there. To be clear, there are not many, the hardware often isn't great, the software often isn't great. PinePhone and Librem come to mind.
Cell carriers will just start requiring the attestation as well. And eventually, even an internet connection will - wifi routers will have to attest to ISP equipment, etc.
The final phase is "AI" monitoring everything you do on your devices. Eventually it won't just be passive, either, but likely active: able to change books you read and audio you listen to on-the-fly without your consent. It will be argued that this ok because the program is "objective".
At this point, I would stop using commercial cell carriers and ISP-provided equipment altogether, even if that means setting up mesh networks with an underground community. User control or bust.
I've been keeping an eye on FuriLabs (Furiphone). They maintain FuriOS - Debian with an Android kernel. Has a container for running Android apps. Price is reasonable though I don't know how it'll be affected by tariffs in the US. It's tempting.
Pretty sure Bunnie named it “precursor” because the plan is to make the actual phone (with a cellular modem) next. If I had the cash to support him and buy a Precursor I would.
Android is decades ahead of that in security, functionality, utility, devex, and design. It's a fools errand to try and modernize that, over building on top of AOSP.
BTW, all the GrapheneOS, etc. are still Android phones.