Rant blog

You think you hate Google enough...

But you don't! Google has tied its next-generation reCAPTCHA system to Google Play Services (GPS) on Android. If you’re running GrapheneOS or any other de-Googled ROM without GPS, you’ll automatically fail verification when the system decides to challenge you: you won’t just see more puzzles, you’ll be completely locked out.

reCAPTCHA becomes reCRAPTCHA

How the new system works:

Can you fake being an iPhone on GrapheneOS?

Short answer: Probably not reliably. Here’s why:

reCAPTCHA doesn’t just check your user agent string. As noted in security research on this topic, Google cross-verifies JavaScript behaviour, DOM internals, and other browser characteristics. To successfully spoof an iPhone, you’d need to:

Unless you’re essentially running Safari/WebKit (which you can’t on Android), reCAPTCHA can detect the mismatch between what you claim to be and how your browser actually behaves.

Better alternatives for GrapheneOS users:

  1. Use a secondary device with Play Services when you hit a reCAPTCHA challenge
  2. Set up a separate profile on GrapheneOS that has GPS running, and switch into that profile when needed
  3. Avoid sites using the new reCAPTCHA v3/Enterprise (though this is hard to detect)
  4. Use a different browser with different fingerprinting characteristics (some users report Firefox Focus or Tor Browser sometimes getting different treatment)
  5. Contact site administrators and ask them to use alternative CAPTCHA solutions like hCaptcha or Cloudflare Turnstile

This has been quietly in place for about seven months and represents a hard dependency that makes de-Googled phones second-class citizens on the web.