From my perspective it is Google’s fault for making and marketing Play Integrity API as a Security API.
As pointed out by someone with whom I had an agree-to-disagree conversation, this is indeed Google’s fault. If Google was honest or implemented it in a way where it does support custom ROMs, this wouldn’t be a problem, but they intentionally don’t. Unless they have fixed it, Play Integrity API apparently passes even with an 8 year old EOL phone or something, which is crazy when GOS is really more secure.
I do not in any way blame Revolut in this situation. They just took Google’s word without realizing the implications as such.
Malice or ill-intent isn’t required for an act to be illegal. Using the Play Integrity API artificially prevents other platforms like GrapheneOS, which maintain Android app compatibility, from fairly competing with Google’s certified Android. That is the textbook definition of anti-competitive.
I think you give Revolut too little credit, they aren’t stupid, they have competent cyber-sec people who should understand that Play Integrity is pure bs.
So does hardware attestation. And Play Integrity is easily bypassed to run in an emulator or wherever you want since you can pretend to be an old insecure device.
Play Integrity API will require devices to have had at least one update in the last year, FYI.
It sucks that it prevents GrapheneOS users from running apps, but it’s no longer security theater.
Customer support is usually clueless about this, that’s why they tend to mistake it that way. (What they could’ve done is obviously escalate from customer support to technical customer support.) The agent on the other line probably really had no idea about it until it was said correctly. It happens, and if I was in their case I would probably be at the same conclusion if I was that clueless. As I said before, it wasn’t escalated to Technical, which they should have, so that seems as expected.
I also wish they gave the timestamps to confirm, but they did not, so.
Edit 2: If you want to treat it as playing devil’s advocate here, that’s fine by me.
Unfortunately (and as of the time I tried it before, which I think is like 1-2 years ago), the web app is super basic; it can’t be a replacement for the app.
I’m not sure how one update in a year has any bearing on the security of the device. The only way to run a remotely secure version of Android is to be on the latest Android version. There is no LTS branch, and only patches for the most severe vulnerabilities are ever backported. A device running Android 13 with a security update from the past year is not and should not be considered secure.
Regardless, the security argument falls apart completely because if Google / app developers actually cared about security, they would allow GrapheneOS to pass their checks.
I could see my transactions through the web app, but I couldn’t find a way to actually send money to a friend or to a bank account. I could however use the virtual card details for filling online payment forms, but that is not the primary use of Revolut in my case.
You need to confirm the connection from the Android app to log in to their web app. And yup, very barebone.
Do you have a source for that? Because I will assume Play Integrity relies on some encrypted key to verify the authenticity of the OS, otherwise it would be totally useless.