Volkswagen started blocking GrapheneOS users

Original Article ↗ Hacker News Discussion ↗

VW app blocking on GrapheneOS / custom ROMs

  • VW’s app recently stopped working on GrapheneOS and other non–Play Protect–certified Android variants, despite having worked previously.
  • Users say there are no actual compatibility or security issues; VW newly relies on Google’s Play Integrity / attestation to block non‑certified systems.
  • Some argue VW deliberately went out of its way to exclude custom ROMs and community API use, not just “failed to support” them.
  • Others respond that companies are not obliged to support niche platforms and must manage liability and test surface; they see this as a rational, if user‑hostile, risk decision.

Google Play Integrity, attestation, and competition

  • Many view Play Integrity and similar attestation as anti‑competitive: it allows Google and app vendors to exclude otherwise compatible systems, enforce GMS licensing, and block sandboxed Play or microG.
  • Critics stress that attestation does little against real malware but is powerful for lock‑in and KYC‑style control.
  • GrapheneOS supporters note it has high app compatibility, locked bootloaders, its own (pinned) attestation tools, and is working with regulators to challenge Play Integrity.
  • There is internal debate: some see any remote attestation as inherently dangerous to user freedom; others distinguish between abuse (e.g. VW, banks) and legitimate security uses.

Cars, connectivity, and right to repair / “CarOS”

  • Many are frustrated that car features (remote start, climate control, charging data) are tied to proprietary apps and VW servers, with APIs recently hardened or shut down.
  • Some call this a right‑to‑repair / data‑access issue and want mandated open APIs or the ability to run custom “CarOS” or at least local access to vehicle data.
  • Counterarguments: safety‑critical systems, regulation, and emissions control make fully user‑replaceable car OSes unrealistic and potentially dangerous.
  • There is broad resentment of “enshittified” connected cars: intrusive driver‑assist nags, mandatory modems, subscriptions, data collection, and fragile cloud‑dependent features.

Policy, regulation, and future of attested devices

  • EU data/consumer laws and right‑to‑repair are mentioned as possible levers to require access to vehicle data and curb lock‑in.
  • Others worry about a broader trend: governments mandating attested OSes for banking, ID, and maybe VPN‑restricted internet, which could marginalize Linux and custom ROMs entirely.
  • A minority argues that, under such regimes, some Linux/alt‑OS vendor will inevitably seek government‑approved signed images, trading user freedom for continued access.

User reactions and market behavior

  • Several commenters say this incident is enough to cross VW (and sometimes other brands) off their buying list, preferring simpler or older cars, or vendors perceived as more open.
  • Others think the affected user base is so small that market pressure alone is unlikely to move large automakers or Google.