reCAPTCHA QR Check Locks Out De-Googled Androids

Google’s reCAPTCHA now requires scanning a QR code with a phone running Google Play Services or iOS 15+, which privacy advocates say blocks de‑Googled Android phones.

Google rolled out a reCAPTCHA update in late April as part of its Cloud Fraud Defense suite that uses a QR-code step for verification. According to Google documentation, the mobile device used to scan the QR must run Google Play Services version 25.41.30 or later, or iOS 15.0 or later. Google says the QR prompt is shown mainly on desktop browsers but can appear in other contexts.

The change affects Android distributions that do not include Google Play Services. Privacy-focused systems such as GrapheneOS and CalyxOS typically omit Play Services, so users of those phones cannot complete the mobile QR verification. When a website’s desktop check requires completing the mobile step, users on uncertified desktops can be blocked unless they have a compatible phone.

The GrapheneOS team wrote that the update will impact Windows and other operating systems not certified by Google or Apple, adding that requiring Apple’s App Attest or Google’s Play Integrity is limiting competition. They noted the desktop verification can require a certified phone to finish the check.

Security and privacy figures responded to the change. Bitcoin security researcher Jameson Lopp wrote that privacy-conscious users “are being demoted from 2nd to 3rd class netizens.” Brendan Eich, the chief executive of the Brave browser, argued the security rationale is weak and described it as a way to enforce Google Mobile Services licensing while allowing devices with outdated patches to pass.

Observers point to a related 2023 proposal called Web Environment Integrity, which would have let browsers provide signals about device integrity. That proposal was dropped after opposition. Critics say the new QR workflow creates a similar gatekeeping effect without changing browser standards.

Google describes the QR verification as an anti-fraud measure intended to reduce automated abuse by requiring attestation from device-integrity services. Privacy advocates and developers say the practical result is that some interactive web flows can require a certified iPhone or Google-approved Android to proceed, which prevents users of non-certified systems from completing those checks.
