S21 FE users aren't doing well

Despite very reasonable dynamic range when you press it...
https://fdn.gsmarena.com/imgroot/reviews/25/sony-xperia-1-vii/rev13/camera/gsmarena_4204.jpg

... Xperia 1 VII seems to take every opportunity at burning shadows to black, for no good reason
https://fdn.gsmarena.com/imgroot/reviews/25/sony-xperia-1-vii/rev13/camera/gsmarena_1109.jpg

https://www.gsmarena.com/sony_xperia_1_vii-review-2828p5.php

And even Samsung! Do they really (and rightfully) lack a belief in 4x4 CFAs with 2x2 OCL or lawyers said there's a limit to what you can call "optical quality zoom"?

Okay, I think S25U explains it a little. Saying an S5KHP series sensor is capable of "4x optical quality zoom" would be like saying the short tele here is useless. While it isn't. But would anyone else even point that out?

https://imgs.xkcd.com/comics/workflow_2x.png

How ROM devs see users asking for a working proprietary blob instead of half-assed OSS version of it

Funny stuff is happening with Play Integrity API now as the new checks are now default. Basic now seemingly serves as a monopoly enforcement, while app vendors using strong will have to resign from it due to old security patch rejection.

I'll let you know more once I'll go through more real world reports.

Now also by Google!
https://developer.android.com/google/play/integrity/device-recall

You can't use it for fingerprinting because we say so! Just ignore that we're making it 8 times easier by giving you 3 bits for free, and then giving you the option to fingerprint by each bit write date with accuracy of month + year as an extra. Oh, and that only matters if you want to fingerprint everyone. If you want to silently mark the categories of people of interest and have that live through factory reset, this API is specifically designed for it.

And the fun thing: this thing only works when you force users to download your app from GP. Is it another way to entice app vendors into Google-less user exclusion? Again, only then this feature can work.

Now I see, the meanings of new integrity checks are the following:

Basic – device from OEM that paid (for GMS license, which isn't free) and obeys Google (by restricting any undesired features on stock), the state of device isn't crazy compromised but can be anything
Device – device from OEM that paid and obeys Google, the state of device is locked stock with old SPL
Strong – device from OEM that paid and obeys Google, the state of device is locked stock with fresh SPL

In other words, unless your device successfully spoofs being older than Android 13, it's forced to have an attestation keybox to pass basic (and you'll never get one from Google as an OEM if your device is more flexible than they want), just as Google describes the changes themselves. I'm yet to know if it has to be an unrevoked Google keybox, but it's most likely. A friend speculated that the goal of going so hard on it is to eliminate emulators and make sure that physical device farms can get banned through device recall.

But regardless of it, the acknowledged outcome is that a device running uncertified build with Google keybox is superior in Google eyes to a device running uncertified build without Google keybox. They can be exactly as secure or insecure, and yet only one of them will get basic. Even with largest benefit of doubt you could give to Google, they're completely reckless with the tools they're giving to app vendors. They know how exorbitant are the sums you need to start your own OS (based on AOSP or not) and convince the careless app vendors to allow you.

The interesting omission is that app vendors will now have to downgrade their requirements from strong integrity to device integrity, as what applies to A13+ devices is: "security updates in the last year for all partitions of the device, including an Android OS partition patch and a vendor partition patch. This condition might change in the future (👀)." – and that already excludes lots of devices – "Decrease in strong responses (~14.5%)".
Requiring just device integrity will mean in turn that spoofing a system older than A13 will still let you pass without a keybox. Adding a "stronger" verdict tier than meets-strong-integrity (and keep the meaning of original) would allow the few extreme app vendors to avoid allowing too many devices, and let the super extreme ones to lose money if they wish to.

FYI: I believe that forcing strong integrity (compared to device integrity) in 2024 was less impactful than it'd be to keep the strong requirement with current changes.
The first was just exclusion of ~6 year old devices, while now, by doing nothing (and keeping requirement of strong), you'll be excluding ~2 year old devices. Pretty crazy.

And yes, super tldr: device without a keybox won't pass anything, a device with keybox on unlocked bootloader will pass basic. So devices that lose it during unlock or aren't attesting an unlocked state won't pass basic. Staying with hostile app vendors as a custom ROM user will now mean (as requirement of just basic is uncommon, most of the time it's device integrity) either having a leaked keybox, using a theoretical attestation proxy service, spoofing pre-A13 device or having a broken boot chain.

Fairphone 3 has a keybox and passes all green, sad, no bonus traction for legislation

FYI, all-competent HMD forgot to restrict bootloader unlock on HMD Fusion running build 00WW_2_430_SP01 (April 2025) or older, user security is at a great risk 😭 Remember to install the latest patch quickly to prevent yourself from abusing this dangerous vulnerability!

Credit: https://www.tiktok.com/@bondaluv/video/7507221787130891528