Volkswagen blocked GrapheneOS from its app. Privacy-focused Android keeps getting locked out
Volkswagen's app stopped working on GrapheneOS, the hardened Android fork. The leading explanation is a Play Integrity attestation check that flags non-Google builds.
Volkswagen’s companion app stopped working on GrapheneOS. Owners who run the hardened, de-Googled Android fork opened the app to find it refused to load, and the thread documenting it hit the Hacker News front page at 627 points. It’s the latest entry in a slow squeeze that has already pushed banks, government services, and streaming apps off privacy-focused Android.
The pattern is familiar to anyone who runs a non-Google build. An app works fine, then one update later it throws a vague error or silently won’t launch. The cause is almost never a real incompatibility. It’s a server-side policy decision dressed up as a security check, and Volkswagen just joined the list of companies making it.
What we know
GrapheneOS users started reporting the failure in the project’s discussion forum, where the Volkswagen app thread became the reference point for the outage. The app is the one VW ships for its connected cars, the same family of vehicles, including the ID.4, whose owners use it to check charge state, lock status, and location.
GrapheneOS is not some hacked-together ROM. It runs on Google’s own Pixel hardware, keeps verified boot intact, and tightens the standard Android security model rather than loosening it. That’s the irony at the center of this story: the OS getting blocked is arguably more secure than the stock Android that passes the check. The GrapheneOS project makes that case directly in its Attestation Compatibility Guide, writing that the system “not only upholds the app security model but substantially reinforces it, so it cannot be justified with reasoning based on security, anti-fraud, etc.”
The same guide names the mechanism. Apps that block GrapheneOS lean on Google’s Play Integrity API, which reports only basic integrity for builds that don’t license Google Mobile Services. The Foundation’s framing is blunt: the project gets rejected “because we do not license Google Mobile Services,” not because of any technical gap. There’s a documented alternative. Android’s hardware key attestation can verify any operating system, including GrapheneOS, if the developer is willing to accept a non-Google root of trust. GrapheneOS calls it “a much stronger form of attestation than the Play Integrity API.”
What we don’t know
Volkswagen hasn’t published a technical explanation, so the exact trigger is inferred, not confirmed. Play Integrity is the leading candidate because it matches the symptom and the timing, but VW has not said it flipped that switch or named the API at all.
What VW has said is thin. Its support guidance states that on devices running alternative systems “like GrapheneOS,” limitations “may occur,” and that those systems “are not part of the supported application environment of Volkswagen AG for the Volkswagen app.” That’s a compatibility disclaimer, not an admission of intent. Whether the block was a deliberate attestation rollout, a side effect of a security vendor’s SDK, or a misconfiguration is the open question. Some users on the forum later reported the app loading again, though with features like the location map missing, which suggests the enforcement is in flux rather than final.
Why these blocks keep landing
GrapheneOS has been warning about this trajectory for a while. In a public post, the project has tied Volkswagen’s move to a wider shift: Apple and Google are both expanding hardware-based attestation and convincing more services to require it, with Google’s Play Integrity and Apple’s App Attest serving nearly identical roles. The result is a gate that has nothing to do with whether your phone is compromised and everything to do with whether it shipped from a Google-blessed factory image.
For a car app, the stakes feel small until you remember what these apps touch. Charge scheduling, door locks, and remote attestation of where the vehicle is parked all route through software that now decides your phone isn’t trustworthy enough. The decision was made by Volkswagen, enabled by Google’s API design, and paid for by the smallest, most privacy-conscious slice of its customers.
What this means for you
If you run GrapheneOS and you’re shopping for a car, check the app situation before you sign. Multiple commenters on Hacker News said the block alone killed their VW purchase plans, and that’s the only pressure individual owners have here. The technical fix is entirely in Volkswagen’s hands: switch to hardware key attestation, or add it as a fallback, and GrapheneOS devices pass without weakening anyone’s security. Don’t expect that switch on your timeline. In the meantime, a spare cheap phone on stock Android is the ugly workaround most affected owners land on. Watch whether VW acknowledges the block at all, because a company that won’t name the cause isn’t planning to fix it soon. The broader signal matters more than one app: every new service that adopts attestation makes a de-Googled phone a little less usable, one login at a time.
Share this article
Quick reference
Sources
- Volkswagen App (discussion thread) — GrapheneOS Discussion Forum
- Attestation Compatibility Guide — GrapheneOS
- Volkswagen started blocking GrapheneOS users (Hacker News) — Hacker News