Android dev at a large company - I've been talking with the folks at Graphene about options for attestation without using Google's API and it looks like there's actually a lot I can do for attestation without them, as long as I add their cert chain to a backend service.
It's a bit of a pain because Google just does that for me normally, but we _can_ support it. It's probably only a sprint of effort give or take. But we're deeply undermanned so it's hard to get done.
Why do you need attestation? It seems to always either serve no real purpose (e.g. bank apps) or be anti-user (DRM) (except for perhaps enterprise managed devices for companies with serious infosec requirements)
Replied below but TLDR (and not fixing myself) is that security requirements of the app are such that a compromised APK or rooted device running modified android could gain privileged access to sensitive information by bypassing/deep faking some auth mechanism. This isn't hypothetical: it's attacks observed in the wild that we've been forced to respond to.
Why do you need attestation? Why do you think Google should own that device and not the user?
You're conflating 2 different concepts. Attestation comes in many shapes and the AOSP version of attestation is based on x.509 cert chains and manufacturer roots. The only part of that owned by Google is the revocation list.
Play Store Attestation makes it all a lot simpler to use as a developer as it handles all the fiddly bits of cert attestation and also does PlayStore based app integrity checks.
Not using attestation isn't an option: we've seen in-the-wild attacks on our service using rooted devices and modified APKs.
We've implemented the lowest LOE attestation, but the more I'm learning about the AOSP standard the more I'm interested in pivoting, at least for Graphene support.
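One way to do the backend-side check the first commenter describes (pinning the GrapheneOS and manufacturer chains in a service instead of relying on Google's API), as an added example that is not code from the thread, from GrapheneOS or from AOSP: it verifies the x.509 path against explicitly pinned roots and then applies a revocation list by serial. Every certificate, name and serial here is a constructed stand-in, and a real verifier would additionally parse the attestation extension, which this example leaves out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// VerifyAttestationChain: leaf must reach a pinned root (never the OS store) and no cert on the path may be revoked.
func VerifyAttestationChain(pinned *x509.CertPool, revoked map[string]bool, leaf *x509.Certificate, inters ...*x509.Certificate) error {
	if pinned == nil { pinned = x509.NewCertPool() } // nil Roots would fall back to the system trust store
	interPool := x509.NewCertPool()
	for _, c := range inters { interPool.AddCert(c) }
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: pinned, Intermediates: interPool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}) // attestation certs carry no EKU
	if err != nil { return fmt.Errorf("no path to a pinned root: %w", err) }
	for _, c := range chains[0] { // serials in hex, as revocation lists publish them
		if revoked[c.SerialNumber.Text(16)] {
			return fmt.Errorf("serial %s is revoked", c.SerialNumber.Text(16))
		}
	}
	return nil
}
// mintCert is a constructed stand-in for a device attestation chain: a cert for cn signed by parent (self-signed when nil).
func mintCert(cn string, serial int64, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil { parent, pkey = tmpl, key }
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Demo builds root -> CA -> leaf and returns verdicts for: root pinned, CA serial revoked, root never pinned.
func Demo() (trusted, revoked, untrusted error) {
	root, rkey := mintCert("Constructed Root", 1, true, nil, nil)
	ca, ckey := mintCert("Constructed Attestation CA", 2, true, root, rkey)
	leaf, _ := mintCert("Android Keystore Key", 3, false, ca, ckey)
	pinned := x509.NewCertPool()
	pinned.AddCert(root)
	trusted = VerifyAttestationChain(pinned, nil, leaf, ca)
	revoked = VerifyAttestationChain(pinned, map[string]bool{"2": true}, leaf, ca)
	untrusted = VerifyAttestationChain(x509.NewCertPool(), nil, leaf, ca)
	return
}
```

The third verdict is the case the thread is about: a device whose chain ends in a root the backend never pinned (here, the GrapheneOS root before it is added) is rejected even though its signatures are valid.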