Oh, I agree a system, if implemented, should not depend on a tie to Apple or Google; however, I'm not aware that detailed implementation guidance has been produced as yet which would require that tie, although I could have missed that.
I'd hope that a system as implemented is as technologically neutral as possible.
Good on you for avoiding the smartphone tie on banking though, it's getting increasingly hard for decent MFA not to tie to it in some way or another, and travel's a right pain without the smartphone apps.
They haven't specifically said anything, but they have directly compared the ID to phone-based payment card systems, which on the Google side do rely strictly on a Google-blessed Android build[0][1][2].
It's also incredibly popular in the security industry (I know, I work in it) to claim that every possible app in existence must:
* Obfuscate
* Do root detection and refuse to work
* Detect attempts to attach a debugger, and refuse to work
* Detect running from a VM, and refuse to work
* Do certificate pinning (although as an industry we've stopped recommending this bullshit practice, although we still insist on it for some things)
* Prevent screenshots from being taken
* Force you to re-authenticate using biometric ID every time you look away from the app
* and... break at the slightest hint of a non-standard build of Android
So I don't have high hopes, because the company I work for does work for the UK government, will likely be picked to review this app, and inevitably all that shit is what we'll recommend (although I hope I won't be working here by then because I'm just sick and tired of cargo cult / checkbox security).
[0]: Not because of any specific feature, but solely based on signing keys.
[1]: I believe specifically you have to license GMS and integrate them into the build, which e.g. GrapheneOS does not do.
[2]: And no, GOS's sandboxed Google services don't fix this problem, Google Pay will still refuse to work.
I agree that reliance on non-UK based companies (Apple/Google) is a problem, but to me that's not specific to digital ID. We already have age verification relying on mobile apps, via the Online Safety Act, just not ones implemented or managed by the UK gov, instead managed by non-UK corps with the data going offshore.
For me having ones managed by the UK gov filling those functions would be preferable to the current situation, and that's not to say I want more privacy intrusions but to say I'd rather have more UK control over the data people have to give up for various services and functions.
Whilst more tech/privacy/security focused people will opt-out of that as much as possible, the realistic fact is that probably 95%+ of the UK population don't care about concerns around Apple/Google, they just want the functionality provided, so for that group it would be better if the apps were run from the UK, ideally by an org not motivated by making more money from them every quarter :)
The fact that 95+% of the population is unaware of the problems with this doesn't make it okay. There are lots of things 95% of the population don't know or think about which we don't just throw our arms up and ignore.
Moreover, age verification is trivial to circumvent or opt out of. The only way to opt out of this thing will likely be to leave the country. Which certainly increasingly seems like a good idea to me.