A new European project called UnifiedAttestation is setting out to solve one of the biggest headaches for Android enthusiasts on custom ROMs—banking, finance, and government apps that simply refuse to run. The open-source initiative proposes an alternative attestation system to Google’s Play Integrity checks, aiming to let privacy-focused and de-Googled devices prove they’re trustworthy without relying on Google services.

What Problem UnifiedAttestation Tries To Solve

Most financial and identity apps on Android use device attestation to combat fraud, enforce compliance, and protect sensitive data. Google’s Play Integrity API (the successor to SafetyNet Attestation) has become the de facto gatekeeper, verifying that a device is genuine, the bootloader is locked, and the OS hasn’t been tampered with. If you run a custom ROM or a Google-free fork, that check typically fails—and your bank app won’t even open.

UnifiedAttestation proposes an open protocol so apps can get a yes-or-no integrity signal without Play Services. As reported by German outlet Heise, the effort targets exactly those users who stick to verified, community-maintained ROMs yet are locked out because the hardware-backed attestation chain belongs to Google’s ecosystem.

Who Is Behind It And How The System Would Work

The project is backed by European smartphone maker Volla, along with Murena (the company behind /e/OS) and the team behind iodé OS. The code is slated to be released under the Apache 2.0 license, which should make it easy for ROM maintainers and app developers to adopt. Volla says developers can add support with “just a few lines of code,” lowering the barrier for trial runs in beta channels or regional pilots.

Instead of a single vendor curating device trust, participating OS teams plan a peer-review model: consortium members would mutually verify and certify operating systems and device builds. In practice, that means an app could validate that a device is running a recognized ROM and that core security properties—such as verified boot state and integrity signals—meet policy requirements, without invoking Google’s attestation services.

There is a crucial caveat: apps must explicitly support UnifiedAttestation. Nothing changes unless your bank, fintech, or government service opts in. That dependency on developer adoption has sunk many technical alternatives before, but the group hopes a simple SDK, clear documentation, and permissive licensing will nudge early adopters.

Why Banks Care About Attestation On Android

Financial apps aren’t being picky for sport. Attestation helps enforce strong device hygiene—locked bootloaders, verified system images, and hardware-backed key storage—which in turn reduces the risk of credential theft and tampered environments. In regions governed by strict rules and audit trails, such as Europe’s payments sector under PSD2, proving device integrity is part of risk management, not a nice-to-have.

The scale matters too. Android dominates global smartphone usage, with StatCounter placing its share at roughly 70% worldwide, so the choice of attestation framework can decide whether millions of users are locked out. Today, many popular banks, payment apps, and public service portals rely on Google’s checks because they are widely deployed and relatively hard to bypass, especially at the stronger tiers of hardware-backed verification.

Security Community Pushback And Open Questions

Not everyone welcomes a replacement authority. The team behind GrapheneOS criticized the initiative on Mastodon, arguing that vendor-driven allowlists risk replicating the same gatekeeping they seek to avoid. Their position is blunt: rather than swapping one arbiter for another, policymakers should rein in mandatory app gatekeeping by any single company, whether that is Google or a consortium of OEMs and ROM vendors.

This critique highlights a genuine tension. A shared attestation layer could open doors for custom ROM users, but it also creates governance questions: Who gets to certify which devices and ROM flavors, how are disputes resolved, and what prevents a drift toward walled gardens? Without transparent criteria, formal audits, and privacy protections, developer trust—especially from banks and governments—will be hard to win.

What It Means For Custom ROM Users And Developers

If it succeeds, UnifiedAttestation could give users of LineageOS-style builds, de-Googled phones, and niche privacy devices a legitimate path back into critical apps. The near-term reality, however, is incremental: pilot integrations, selected device support, and cautious trial runs by smaller fintechs before large banks follow. Expect rollouts to hinge on clear documentation, third-party audits, and measurable fraud outcomes.

For developers, the ask is modest but nontrivial: add another integrity provider, define policy thresholds that map to their risk models, and monitor for regressions. For ROM maintainers, the work involves consistent build reproducibility, verifiable release pipelines, and public attestations that can stand up to scrutiny.
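As an added illustration (not code from the UnifiedAttestation project, whose API is not shown here), this is one way a backend could apply a single policy across several integrity providers. The verdict fields, provider labels, allowlist contents, and thresholds are all assumptions, and the verdict is assumed to have already passed signature verification.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical allowlist: OS name -> SHA-256 digests of verified-boot keys the
# relying party accepts (for example, taken from a published certification list).
# The values here are constructed placeholders.
TRUSTED_BOOT_KEYS = {"example-rom": {"a" * 64}}
TRUSTED_PROVIDERS = {"play-integrity", "unified-attestation"}  # assumed labels
MAX_PATCH_AGE_DAYS = 120  # assumed risk threshold, tune to your risk model


@dataclass(frozen=True)
class Verdict:
    """Claims from an integrity provider, signature already checked (assumed shape)."""
    provider: str
    os_name: str
    boot_key_sha256: str
    bootloader_locked: bool
    verified_boot_state: str  # "verified", "self_signed", "unverified", "failed"
    patch_level: date


def decide(v: Verdict, today: date) -> str:
    """Return "allow", "step_up" or "deny"; anything unrecognised fails closed."""
    if v.provider not in TRUSTED_PROVIDERS:
        return "deny"
    if not v.bootloader_locked:
        return "deny"
    # A relocked custom ROM normally reports "self_signed", not "verified",
    # so the state alone is not enough: the boot key must also be recognised.
    if v.verified_boot_state not in ("verified", "self_signed"):
        return "deny"
    if v.boot_key_sha256.lower() not in TRUSTED_BOOT_KEYS.get(v.os_name, set()):
        return "deny"
    age_days = (today - v.patch_level).days
    if age_days < 0:
        return "deny"  # patch level in the future: treat the claim as bogus
    if age_days > MAX_PATCH_AGE_DAYS:
        return "step_up"  # device is recognised but stale: ask for extra auth
    return "allow"
```

The "step_up" tier lets a risk team treat an outdated but recognised device differently from an unrecognised one, rather than collapsing everything into a single yes-or-no.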

The bottom line is pragmatic optimism. A credible, open, and transparent attestation option would give users more choice without asking banks to lower their guard. UnifiedAttestation has momentum and notable backers, but its real test will be whether major apps decide it is trustworthy enough to switch on.