> We understand your concerns and truly appreciate your suggestions. As previously mentioned, this is not something that is enforced by the reference implementation — these are simply recommendations, not requirements, for any wallet implementer. That said, we recognize that this is a sensitive topic, and we may need to revisit it, even at the level of recommendations.
> The README files for both the iOS and Android Wallets have been updated to mention only OWASP MASVS compliance, without referencing any specific APIs.
I understand their position, but I also get the concern, especially around existing implementations like the Italian app. I think it's mostly that they have different priorities than ensuring that the reference implementation is a perfect guideline for member states.
This looks like a good vector for a European Citizens' Initiative around removing all technological dependency on non-EU providers.
1. Google and Apple have a much larger ecosystem and are entrenched in their OSes, which means that they have a much better picture of the user than any government app ever will. They also have surveillance mechanisms that government apps are unable or unwilling to implement. This helps detect and prevent fraud (fraud prevention is mostly just mass surveillance used for good).
2. The eIDAS standards enable anonymous assertions about your identity. This lets you prove your age to a website / app without revealing any other information. There needs to be a way to prevent you from generating millions of such assertions using one ID and giving them out online to anybody who wants them, verified or not. The way you do that is by limiting their generation to trusted hardware, using hardware attestation mechanisms. Google and Apple provide those.
3. Pure laziness. It's an issue that <1% of the population cares about (which is hard to notice if you're in the HN bubble). Almost nobody uses a modern, eIDAS capable smartphone without a Google or Apple account. They may have decided that the part of the population who cares about this just isn't worth pandering to (just like some government institutions may decide that vegans aren't a part of the population they're interested in pandering to).
There can be good reasons for a bad thing, and it's important to factor them in when having a discussion.
Anonymity isn’t anonymity if you can’t generate millions of them cheaply.
Either the government secures internet payments themselves, which means spending now to do so, coming up with a plan, ... or they can have Apple/Google do it.
You can smell where this is going, no? This is how the EU is looking to make any kind of internet authentication go through them. By providing companies like telcos with an online identity that says "if a customer clicks 'buy' logged in through eIDAS and they don't pay, EU courts will if needed get the money from their homes, their mothers, sell their dog to make sure you get paid".
Then things like forcing kids off the internet, the ever-returning porn and copyright regulation rules, and so on will follow.
For 99% of smartphone users, you can't get apps onto their phones without Apple and Google signing the app and letting you into their store, and users can't install the app without an Apple/Google account.
Why remove a dependency on Google, when you'll still be 100% dependent on Google?
Anybody working on "Digital ID" has already made peace with the fact that it can be turned off overnight if Trump says so.
Yes, not many use it, but if you cut this path off then people will never get there.
It's the same as with bicycle paths. Initially, those make no sense, leading from nowhere to nowhere. Give it a few years, and a usable network emerges.
Right now there is serious money and brainpower being poured into sovereign cloud tech. Thanks to the gift of open source and standards, it's actually not impossible to create modern systems with zero US dependency.
I fear, though, that as with everything else Microsoft Excel will be the hardest dependency to deal with.
It's not necessary to provide the functionality, and it enforces the dependency on the potentially hostile actor (case in point: Microsoft disabling the email account of the Chief Prosecutor of the ICC because the US requested so).
It stifles innovation in the future and hurts GrapheneOS right now.
Let me turn the question back at you: why do you think adding unnecessary dependency is better than not adding it?
Does it serve users, governments, services?
Does it do anything good for the interested parties, or does it only serve Apple, Google and the US government?
Let's not act like things have always been this bad and that we should just accept it as the norm, because they haven't; the noose is actively tightening as time goes on.
Plus, the net difference is that this gives Google and Apple the ability to kill the ability of individuals to make payments (and tax them) ... do you want that?
(And I would say, compared to having European banks tax them, the answer is not so obvious)
The real issue is, of course, that this moves the burden of keeping phones secure onto Google and Apple, who are very willing to take on that burden in trade for a percentage of all consumer payment traffic in Germany. It's yet another choice between "spend money now to build a government department to secure payments ... or have Apple/Google do that for you". And they're choosing to save a little bit of money in the short term in trade for what is effectively a new tax.
Sure, their researchers are great, but Google itself claims that several-year-old phones running Oreo are safe and secure. They also extended the time vendors have to ship patches for new vulnerabilities, and they themselves slowed down: compare the timeframe between patches released by GrapheneOS and patches released by Google. The latest GOS release provides patches for vulnerabilities that will be fixed by Google in... October 2026: https://grapheneos.org/releases#2026040300
I do get that that's not exactly impressive. It isn't.