Android has not been really open for a long time now.
- Many APIs have been moved to Google Play Services (which is not open source), and many apps have come to rely on them. You can emulate it partially but not fully, see second point below.
- Some features like device attestation / SafetyNet fail on non-"official" devices, for example many banking or government ID apps refuse to work on an open source OS like GrapheneOS.
Android dev at a large company - I've been talking with the folks at Graphene about options for attestation without using Google's API and it looks like there's actually a lot I can do for attestation without them, as long as I add their cert chain to a backend service.
It's a bit of a pain because Google just does that for me normally, but we _can_ support it. It's probably only a sprint of effort give or take. But we're deeply undermanned so it's hard to get done.
Why do you need attestation? It seems to always either serve no real purpose (e.g. bank apps) or be anti-user (DRM) (except for perhaps enterprise managed devices for companies with serious infosec requirements).
Replied below but TLDR (and not fixing myself) is that security requirements of the app are such that a compromised APK or rooted device running modified android could gain privileged access to sensitive information by bypassing/deep faking some auth mechanism. This isn't hypothetical: it's attacks observed in the wild that we've been forced to respond to.
Why do you need attestation? Why do you think Google should own that device and not the user?
You're conflating 2 different concepts. Attestation comes in many shapes and the AOSP version of attestation is based on X.509 cert chains and manufacturer roots. The only part of that owned by Google is the revocation list.
Play Store Attestation makes it all a lot simpler to use as a developer as it handles all the fiddly bits of cert attestation and also does PlayStore based app integrity checks.
Not using attestation isn't an option: we've seen in-the-wild attacks on our service using rooted devices and modified APKs.
We've implemented the lowest LOE attestation, but the more I'm learning about the AOSP standard the more I'm interested in pivoting, at least for Graphene support.
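What "adding their cert chain to a backend service" and the revocation-list point above amount to in code, as an added example that is not from the thread or from any of the projects named in it: a Go backend check that trusts a set of attestation roots (the stock hardware root plus a third-party OS vendor's root) and rejects any chain containing a revoked serial. It assumes constructed ed25519 test chains standing in for real device certificates, and a hex-serial map standing in for the published revocation list.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newCert issues a certificate for pub signed by signer under parent (nil parent: self-signed root).
// All of this is constructed test data, so creation errors are ignored.
func newCert(cn string, serial int64, ca bool, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	if parent == nil { parent = tmpl }
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// MakeTestChain builds a constructed root -> intermediate -> leaf chain under rootCN; it returns the
// chain leaf-first, as a device presents it, plus the root certificate the backend should trust.
func MakeTestChain(rootCN string, serial int64) ([]*x509.Certificate, *x509.Certificate) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	midPub, midPriv, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	root := newCert(rootCN, serial, true, rootPub, nil, rootPriv)
	mid := newCert(rootCN+" intermediate", serial+1, true, midPub, root, rootPriv)
	leaf := newCert("attestation key", serial+2, false, leafPub, mid, midPriv)
	return []*x509.Certificate{leaf, mid}, root
}

// VerifyAttestationChain is the backend check the thread describes: the leaf must chain to one of the
// trusted roots, and nothing on that path may be in revoked (keyed by hex serial, a constructed stand-in).
func VerifyAttestationChain(chain []*x509.Certificate, revoked map[string]bool, roots ...*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	for _, r := range roots { opts.Roots.AddCert(r) }
	for _, c := range chain[1:] { opts.Intermediates.AddCert(c) } // device-supplied intermediates
	paths, err := chain[0].Verify(opts)
	if err != nil { return err } // unknown root, expired certificate or bad signature
	for _, c := range paths[0] {
		if revoked[c.SerialNumber.Text(16)] {
			return errors.New("revoked certificate in chain: " + c.Subject.CommonName)
		}
	}
	return nil
}
```

A real verifier would additionally parse the leaf's attestation extension for the challenge and boot state; the chain and revocation checks shown here are the "fiddly bits" that Play Services otherwise handles for you.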