The American tech giant is targeting the open-source community and privacy-conscious internet users with new guidelines.
(Please note, for expectation management: the original article is written in German. I used DeepL Pro for the translation and edited some paragraphs.)
For several years, I have used a Pixel smartphone running GrapheneOS — a privacy-focused, alternative Android operating system without pre-installed Google services.
I made this choice for several reasons: to break free from the Apple-Google duopoly, and above all, to make it harder for «state trojans» to be deployed on my phone. These are spyware tools that exploit security vulnerabilities in operating systems like those from Google or Apple, and can even read end-to-end encrypted messages. GrapheneOS is not entirely immune to such attacks — but thanks to its multi-layered security architecture, no successful spyware attack has been documented to date.
In short: GrapheneOS meets many best practices in IT security.
For a privacy-conscious user without a dedicated IT background, things have worked out well for me. I get my most important apps from the Google Play Store, which runs in an isolated sandbox environment. Yet the underlying operating system is neither data-hungry nor controlled by a tech giant I have little reason to trust.
I have, in effect, combined the best of both worlds on a single device.
As a journalist, I am also not exempt from Swiss surveillance laws. GrapheneOS allows me to offer sources the highest technically achievable level of protection — which matters for building trust with potential whistleblowers.
Over the past year, however, I experienced less convenience. The TicketCorner app — essential for attending cultural events in Switzerland — is no longer available on alternative operating systems. I had to rely on a second phone last year just to attend Eurovision Song Contest events in my own country. When asked for an explanation, the company told me they need to «distinguish users from bots and prevent abuse.» Swiss Post offered the same unreasonable justification for its (removed) Swiss ID app.
This year, banking apps show the same picture. One app recently notified me that future versions would be unavailable on my «modified operating system» — in the jargon: «custom OS.» Such warnings make you feel you did something wrong. When I contacted the bank, the spokesperson told me: «We have not officially supported alternative operating systems to date. With ongoing tightening of security checks, their use will no longer be possible,» adding that my alternative OS was «therefore not secure enough.»
But these decisions have nothing to do with IT security. On the contrary: this is a pure business decision by Google — and the banks, Swiss Post, and TicketCorner are not actually required to implement it in the way they have chosen to.
A brief technical explainer: Google discontinued its old «SafetyNet» security check in 2025 and replaced it with a new system called «Play Integrity.» Apps in the Google Play Store that previously relied on SafetyNet were required to migrate to the new system, or their security checks would stop functioning.
Through Play Integrity, app developers can ask Google to verify various characteristics of a user’s device. Not all of these checks are relevant to the functionality of a given app. The strictest tier — «device verification» — is designed to confirm that an app is running in what Google defines as a «secure environment,» meaning exclusively on certified Android.
GrapheneOS is not Google-certified and is therefore classified as «unsafe.» By any objective IT security standard, this is absurd. Google is abusing its market position: by offering this device verification option, it effectively pushes even more users toward stock Android.
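The explainer above notes that app developers decide which Play Integrity checks they enforce. As an added example (not part of the original article), the Python code below evaluates a decoded verdict on the app's server with and without the device gate. The sample payload, the package name, the five-minute freshness window and the function names are constructed assumptions; the field and label names follow Google's documented verdict format.

```python
# Constructed sample of a decoded Play Integrity verdict. Field names follow
# Google's documented payload; every value is made up for illustration.
SAMPLE_VERDICT = {
    "requestDetails": {
        "requestPackageName": "com.example.bank",
        "nonce": "c2Vzc2lvbi0xMjM0",
        "timestampMillis": "1780000000000",
    },
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
    # A device that does not carry the certified-Android label.
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}

MAX_AGE_MS = 5 * 60 * 1000  # assumption: accept verdicts up to 5 minutes old


def check_request_and_app(verdict, package, nonce, now_ms):
    """Checks that bind the verdict to this request and to the genuine app."""
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})
    failures = []
    if req.get("requestPackageName") != package:
        failures.append("package mismatch")
    if req.get("nonce") != nonce:
        failures.append("nonce mismatch")
    if abs(now_ms - int(req.get("timestampMillis", 0))) > MAX_AGE_MS:
        failures.append("stale verdict")
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        failures.append("app binary not recognized")
    return failures


def evaluate(verdict, package, nonce, now_ms, required_device_label=None):
    """Return (allowed, reasons); the device gate applies only if a label is required."""
    failures = check_request_and_app(verdict, package, nonce, now_ms)
    labels = verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if required_device_label and required_device_label not in labels:
        failures.append("device lacks " + required_device_label)
    return (not failures, failures)
```

The replay, freshness and app-binary checks run in both modes; only the `required_device_label` argument turns the certified-Android requirement into a hard block.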
There are further concerns: Whether Switzerland’s forthcoming government e-ID — due for launch on 1 December 2026 — will be accessible on alternative operating systems like GrapheneOS is not clear yet. The Federal Office of Justice declined to comment. It is equally troubling that the Agov Access app — required in Switzerland for digital interactions with authorities such as filing tax returns — is currently unavailable on GrapheneOS, ostensibly for «security reasons.» (The Federal Chancellery, responding to my inquiry, did say it intends to change this though.) The Agov Access app and the e-ID are both components of Switzerland’s public digital infrastructure. It would be a serious failure of the state if it deliberately strengthened the two big tech companies.
Meanwhile, Google intends to require all app developers — whether publishing on the Play Store or on alternative marketplaces such as F-Droid — to verify their identities by September 2026, submitting names and credentials. Officially, the stated aim is to combat fraud and spam. In practice, it gives Google sweeping control over who can and cannot publish software on its platforms.
As the respected IT blog Kuketz notes: «In future, it will no longer be the quality of the code that determines whether an app can be installed, but solely Google’s verification of the developer. If that verification is absent, the system blocks installation — even if the app is free, open-source, and technically flawless.»
For global digital civil society, it is clear: this is an abuse of power by a Big Tech monopolist. An open letter and accompanying campaign invite citizens to write directly to competition authorities in their own countries; the campaign website provides template letters and the relevant contacts.
The topic is also being discussed in Bern.
Switzerland’s Competition Commission (WEKO) has received 150 letters of complaint and is now in contact with EU authorities. Switzerland has not adopted the EU’s Digital Markets Act, which is designed to prevent large technology companies from exploiting their market dominance — for example, by favoring their own products or imposing unreasonable conditions on competitors. Nevertheless, WEKO believes the new Google policy may constitute a breach of Article 7 of the Cartel Act, and has confirmed that an investigation is underway.
So, probably once again, only European regulators — with significant fines and rigorous enforcement of competition law — will ultimately be able to stop Google from continuing this very harmful practice.
Original article here: https://www.republik.ch/2026/05/11/ctrl-wie-google-seine-macht-missbraucht-einmal-mehr




