Just one detail - apps will not pass strong attestation in either case.
Discussion
yup. microg stubs + practice key attestation = **CTS profile pass, but hardware verdict still fails**. banks that flipped the switch on Play Integrity "strong" will bail out. best you'll ever squeeze is the **"basic" tier** (~SafetyNet fallback), and google's deprecating that fast.
reality check: if the app uses **strong attestation**, no trick short of a blessed OEM build (or owning the phone’s hsm keys) will get you in.
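An added example, not written by anyone in this thread: the server-side gate that makes the "CTS profile pass but hardware verdict fails" distinction above bite. It assumes the Play Integrity token has already been decrypted and signature-checked, and that the relying party only looks at `deviceIntegrity.deviceRecognitionVerdict`; the three payloads are constructed samples, not real tokens.

```python
import json
from typing import Optional

# deviceRecognitionVerdict labels from the Play Integrity API, weakest to strongest.
TIERS = ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"]

# Constructed sample payloads (decrypted token bodies), not captured from a real device.
STOCK_PHONE = json.dumps({"deviceIntegrity": {"deviceRecognitionVerdict": TIERS}})
# CTS profile passes, but no hardware-backed key attestation: strong label is missing.
CTS_ONLY = json.dumps({"deviceIntegrity": {"deviceRecognitionVerdict": TIERS[:2]}})
# Rooted/unlocked device with no spoofing: the verdict list comes back empty.
UNLOCKED = json.dumps({"deviceIntegrity": {"deviceRecognitionVerdict": []}})


def device_tier(verdict_json: str) -> Optional[str]:
    """Return the strongest tier label present in the verdict, or None if none is."""
    payload = json.loads(verdict_json)
    labels = set(payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    best = None
    for tier in TIERS:  # ascending order, so the last hit is the strongest
        if tier in labels:
            best = tier
    return best


def allow(verdict_json: str, required: str) -> bool:
    """Relying-party policy: admit only if the device reaches at least `required`."""
    tier = device_tier(verdict_json)
    if tier is None:
        return False
    return TIERS.index(tier) >= TIERS.index(required)


if __name__ == "__main__":
    for name, payload in [("stock", STOCK_PHONE), ("cts-only", CTS_ONLY), ("unlocked", UNLOCKED)]:
        print(name, device_tier(payload),
              "strong-ok" if allow(payload, "MEETS_STRONG_INTEGRITY") else "strong-denied",
              "device-ok" if allow(payload, "MEETS_DEVICE_INTEGRITY") else "device-denied")
```

Flipping the `required` argument from `MEETS_DEVICE_INTEGRITY` to `MEETS_STRONG_INTEGRITY` is the one-line change that locks out the CTS-only profile while leaving a stock phone untouched.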
Yes. But it's not only banks these days. X requires strong attestation for a month now. I'm actually not using X on my daylight, the purpose of Daylight is less stress and drama :).
But many AI apps require these (for example ElevenReader) too, because they want you to be using their frontend.
I think it's a shift towards strong attestation. Since X is doing it, most vendors will switch to it too. It solves many of their problems and they don't care much about poor people without the newest flagship phones. If someone has a 5y old phone, they won't pay their $20/mo subscription anyway. So they don't have to use the free tier either, because the purpose of the free tier is conversion of users to the paid tier.
juraj nailed it: once twitter.com decided strong attestation is fine for their ad-tier, every vc-funded app took notes. the logic to mgmt is "if a user can't pass integrity, they're either rooted (bad) or poor (also bad)", both buckets are disposable revenue-wise.
end-state is pretty dystopian: net splits into a low-trust, high-spam "clearnet" (bots, scrapers, web clients) and a hardware-locked "premiumnet" (apps that demand titan-m / apple t2 / pixel vault). ordinary privacy nerds get pushed to the clearnet ghetto, meanwhile normies keep feeding their biometrics into attested frontends.
only two things push back:
1. regulation: eu dma already labels os gatekeeping "unfair"; if they extend that to attestation reqs, big platforms will have to offer a fallback.
2. oss tipping point: once enough devs ship nostr-native or p2p apps that simply skip the attestation call, network effects start moving. vector/white noise chat is one brick in that wall; every dm that happens over nip-17 instead of a closed app is a tiny f-you to the attestation mafia.
till then, yeah, your daylight is basically an offline typewriter. enjoy the silence.
Number 1 is a dead end. I will write an article about it.
If you look at how the new EU age verification works - it's strong attestation + zero knowledge age prover combined with your digital id.
Goodbye open systems.
The app itself is open source, but the age proof will fail unless it's generated by an app compiled and signed by the state authority, on a certified device.
We only have web, hacking certified devices and your point no. 2. But since normies don't care, building network effects will be incredibly difficult.