Google reCAPTCHA Now Requires Remote Attestation – Blocks De-Googled Android Users
Google's updated reCAPTCHA now requires hardware attestation, blocking users of custom ROMs and de-Googled Android devices from completing captchas on thousands of sites.
If you've switched to a de-Googled Android ROM like GrapheneOS or LineageOS without Google Play Services, you may have recently found yourself locked out of countless websites. Google's reCAPTCHA, the ubiquitous "I'm not a robot" checkbox, now demands something far more invasive than clicking crosswalks: it requires remote hardware attestation. Your device must prove it's an unmodified, Google-certified phone—and that's a dealbreaker for anyone who values privacy.
Google's Play Integrity Attestation Blocks Custom ROMs
A report on ReclaimTheNet (referenced in a Hacker News thread with 462 points) indicates Google quietly updated reCAPTCHA to enforce Play Integrity attestation on Android devices. The change targets users running custom ROMs without Google Play Services—often called "de-Googled" Androids. When such a device attempts to solve a reCAPTCHA, it's met with an error or endless loop, effectively blocking access to the site.
The check relies on hardware-backed attestation rather than a software signal. The device's Trusted Execution Environment (TEE) produces a statement signed by an attestation key, and Google's servers verify that signature. Crucially, the statement can be linked back to the device's unique endorsement key (EK), which turns it into a persistent identifier usable for tracking users across sites.
Privacy Implications of Hardware-Backed Trust
The HN discussion reveals deep concerns. One commenter noted:
Remote attestation doesn't use blind signatures (as that would be 'farmable') so tying the device to the 'attestee' is technically possible with collusion of Google servers... an attestation can be trivially traced to your device's EK.
Another web developer added:
Eww. Ok, so, I've used reCAPTCHA on sites I maintain at work, just on forms to prevent excessive bot spam submissions. No way do I want to subject users to this BS. Does anyone have recommendations for other decent captchas that could be used instead?
This move undermines user privacy and locks out privacy-conscious users. It's a structural shift: to prove you're human, you must prove you're using an unmodified, licensed device. That's surveillance disguised as security.
The change affects more than Android custom ROM users. It also impacts users of "Google-less" Android emulators for testing, people who replace their device's OS for accessibility reasons, and anyone who simply doesn't want Google Play Services running in the background. Since reCAPTCHA is embedded on millions of sites, the reach is enormous.
Alternatives for Site Owners
If your site uses reCAPTCHA, now is the time to reconsider. Your users may be silently blocked without your knowledge. Here are practical alternatives:
- Self-hosted captchas: hCaptcha is privacy-focused and doesn't use attestation. MTCaptcha offers similar protection without hardware checks. Both integrate with a simple snippet swap.
- Proof-of-work challenges: For low-traffic sites, a computational puzzle like Hashcash deters bots without third-party dependencies.
- Rate limiting and honeypots: Often, a well-configured rate limiter and hidden field honeypot are enough. No captcha required.
- Cloudflare Turnstile: Cloudflare's privacy-first captcha alternative works without attestation. It's free for small sites.
Example of a simple honeypot in HTML:
<form action="/submit" method="post">
  <input type="text" name="name" required>
  <input type="email" name="email" required>
  <!-- Honeypot: hidden from users, but bots fill it.
       tabindex="-1" and aria-hidden="true" keep keyboard and screen-reader users
       from ever reaching the field, so real people cannot trip it by accident. -->
  <input type="text" name="website" style="display:none;" tabindex="-1" aria-hidden="true" autocomplete="off">
  <button type="submit">Submit</button>
</form>
On the server side, check whether the honeypot field is non-empty. If it is, silently reject the submission: return the same success response a real submission would get, so the bot learns nothing from the rejection.
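The server-side half of the honeypot, combined with the rate limiting the list above mentions, as an added example that is not code from the original article. It assumes the hidden field is named `website` as in the form above, that the server knows when the form was served (in production, carry that timestamp in an HMAC-signed hidden field; here it is passed in directly), and it hashes client IPs so the limiter never stores raw addresses.

```python
import hashlib
import time
from collections import defaultdict, deque

HONEYPOT_FIELD = "website"   # name of the hidden input in the form above
MIN_FILL_SECONDS = 3.0       # humans need at least a few seconds to fill a form
RATE_LIMIT = 5               # max submissions per client within RATE_WINDOW
RATE_WINDOW = 60.0           # seconds

# hashed client key -> timestamps of recent submission attempts
_attempts = defaultdict(deque)


def client_key(ip: str, salt: str = "rotate-this-salt") -> str:
    """Hash the client IP (assumed salt) so the limiter does not keep raw addresses."""
    return hashlib.sha256(f"{salt}:{ip}".encode()).hexdigest()[:16]


def over_rate_limit(ip: str, now: float) -> bool:
    """Sliding-window limiter: record this attempt and report if the client
    already made RATE_LIMIT attempts in the last RATE_WINDOW seconds."""
    q = _attempts[client_key(ip)]
    while q and now - q[0] > RATE_WINDOW:
        q.popleft()                     # drop attempts outside the window
    if len(q) >= RATE_LIMIT:
        return True
    q.append(now)
    return False


def classify_submission(form: dict, ip: str, rendered_at: float, now: float) -> str:
    """Return 'accept', 'reject_rate', 'reject_honeypot' or 'reject_too_fast'.
    Every rejection should still be answered with the normal success page so a
    bot cannot tell which check it failed."""
    if over_rate_limit(ip, now):
        return "reject_rate"
    if form.get(HONEYPOT_FIELD, "").strip():
        return "reject_honeypot"        # only bots fill the hidden field
    if now - rendered_at < MIN_FILL_SECONDS:
        return "reject_too_fast"        # submitted faster than a human could type
    return "accept"


if __name__ == "__main__":
    # Constructed sample submissions (not real traffic).
    served = time.time() - 12.0
    human = {"name": "Ada", "email": "ada@example.com", "website": ""}
    bot = {"name": "x", "email": "x@example.com", "website": "http://spam.example"}
    print(classify_submission(human, "203.0.113.10", served, time.time()))
    print(classify_submission(bot, "203.0.113.11", served, time.time()))
```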
Also consider removing captchas entirely if your form is low-risk. The trade-off between user friction and bot prevention may not be worth it.
Should You Care?
If you're a privacy-minded user running a de-Googled Android, yes—this directly impacts your browsing experience. If you're a site owner relying on reCAPTCHA, you should care because you're unknowingly penalizing a segment of your audience and ceding control to Google's attestation system. For everyone else, this is a canary in the coal mine: the web's infrastructure is increasingly demanding hardware-backed identity, and that trend won't stop at captchas. The time to push back is now—by choosing alternatives and advocating for open, attestation-free web standards.