
Isn't Android a realistic alternative? Certainly it has its own problems, but the ability to 'side-load' whatever app I want far outweighs those, at least for me.


Android's becoming more of a walled garden as well. More and more stuff depends on the opaque blob that is Google Play Services and an increasing number of apps (even games ffs!) only want to run when SafetyNet says the device is safe.

The SafetyNet stuff is somewhat understandable for banking apps but it means rooting, Xposed modules and custom Android builds are out of the question, taking away a lot of freedom.


It's a choice of developers, not Android's failure. I suspect that game developers are trying to protect from piracy. I doubt that they implemented those checks just for fun.


... or for multiplayer, to avoid cheating.


I haven't looked into this at all, but isn't the point of Xposed to hook into APIs and fake the result? Or otherwise modifying apps? Isn't there a module that just fakes SafetyNet? Probably not, or this wouldn't be a problem, just curious if anyone knows why not?


Yes, there are modules to fake SafetyNet but Google's really invested in it and it is kind of a losing battle on the side of the Xposed module writers[1][2]. (tl;dr It's quite a hassle to get a workaround on your phone and it's pretty trivial for Google to update SafetyNet.)

Xposed is a bit like torrents, jailbreaking, etc. A lot of people use it to pirate stuff or to cheat in games but there's also genuinely useful usage like:

• why does my banking app not allow me to take a screenshot?

• root permissions for Greenify and Amplify so I can make my battery last for days

• better privacy management than what Google only recently implemented

[1] https://phoneia.com/google-updated-safety-net-and-there-is-n...

[2] http://phandroid.com/2016/08/30/chainfire-suhide-root/


I don't know about SafetyNet specifically, but it could be that it has to authenticate itself to the apps that call its APIs.

E.g., I guess it could be code-signed and that the apps that use it have to check the signature. That uses a private key that "FakeSafetyNet" couldn't duplicate (well, assuming the SafetyNet people could keep it a secret). It also incorporates a hash of the binary being signed so that FakeSafetyNet couldn't get away with just swiping the signature from SafetyNet to present as its own (the binary hash of FakeSafetyNet wouldn't match the signature).

I'm just speculating here, though.


I'm running a CopperheadOS that I built myself with microG added, and I've found it implements enough of the Google services (including push and SafetyNet) that everything I care about works well, including banking apps. YMMV.



