50.9k sats \ 0 replies \ @final 14 Jun 2023 freebie \ on: Bounty - Detect GrapheneOS in Kotlin tech
This wont likely be insightful either, I have not developed an Android app but GrapheneOS developers have commented on it a couple of times, like previous comments you're probably better off trying to make a workaround that doesn't call the Android Auto API's on their own?
There are some methods here but they all have some disadvantages:
  1. The safest method is you could use Play Integrity API to do hardware-based attestation. This can detect what is a stock Android on an OEM and aftermarket operating system like GrapheneOS as they don't choose to spoof these checks. GrapheneOS passes MEETS_BASIC_INTEGRITY but not MEETS_DEVICE_INTEGRITY hence why Google Pay and some banking apps does not work. Maybe it's worth trying? https://developer.android.com/google/play/integrity/verdict#device-integrity-field
You can also add GrapheneOS' keys to the app for that: https://grapheneos.org/articles/attestation-compatibility-guide
They also want to try and pass device integrity checks in the future, however.
  1. Apps can access list of installed apps on the profile if they are installed and the app is given the QUERY_ALL_PACKAGES permission, which Google docs call high-risk and has a lot of guidelines on how to use. I don't even think an app like yours could meet the strict requirements anyhow, seems to be just for podcasts?
If you somehow did meet requirements, maybe if you have an OS system app like app.attestation.auditor (GrapheneOS' Auditor system app) detected you can turn that feature off? GrapheneOS' Auditor for other devices uses the App IP app.attestation.auditor.play so conflicts wouldn't be an issue.
Hope you get some luck with this. GrapheneOS also has a matrix channel to talk to, maybe their development channel would be a good place to ask further questions?
write
preview