How’s this?
Dear Sir or Madam,
I am writing to formally raise concern over the growing reliance on Google’s Play Integrity framework by app developers, especially financial institutions, to restrict access to their services solely to users of Google-certified Android systems or Apple iOS. This practice has the effect of excluding users of lawful, secure, and privacy-respecting alternative operating systems such as SailfishOS, /e/OS, or unbundled AOSP variants, affecting mainly European vendors. These systems are technically capable of running the relevant applications but are denied access because they are excluded from Google’s proprietary certification checks.
This approach reinforces Google’s gatekeeper position in the mobile ecosystem and appears incompatible with its obligations under the Digital Markets Act (DMA). In particular, it raises questions under Article 5(2), which prohibits gatekeepers from conditioning access to one core platform service on the use of another; Article 6(7), which requires gatekeepers to ensure interoperability with third-party software and services; and Article 6(12), which concerns fair and non-discriminatory access to core platform functionalities. Google currently provides no public or neutral pathway for alternative operating systems to access Play Integrity APIs, effectively allowing it to control which platforms users and developers can choose.
Claims that this restriction is necessary for security are not technically convincing. The majority of mobile banking fraud results from phishing, identity theft, or social engineering, none of which are prevented by operating system attestation. By conflating certification with security, service providers implement a simplistic and exclusionary model that denies access to users making legitimate, privacy-conscious choices. This reliance on Play Integrity is not only disproportionate but functionally ineffective.
This exclusion has tangible consequences: some services, such as banking apps, no longer offer web access or platform-neutral alternatives. As a result, users are locked into specific vendor-controlled ecosystems and deprived of effective access to essential digital services. As a long-term user of SailfishOS, I have for the first time had to carry additional phones around to access the services I need.
I respectfully request that your office investigate whether this dependency on Google’s proprietary attestation systems is compliant with the DMA, and whether Google and the developers who rely on these restrictions are acting in a fair, proportionate, and non-discriminatory manner. I would also welcome clarification on whether regulators consider this type of exclusionary design a breach of interoperability principles or digital consumer rights.
Thank you for your attention to this matter.