[Discussion] Google Pay Magisk Discussion Thread


pndwal

Senior Member
Same here. I'd cleared cache and data many times before with no result, but this time I cleared them, rebooted, and it added the card back in. Haven't tried it yet but looks promising. Maybe someone at Google had second thoughts!
For what it's worth, even some non-rooted/bootloader locked users have been having some problems as of late. Maybe some growing pains on Google's part...

Yup... Thanks...

I suspected Google had been playing with PI deviceIntegrity at the server end... Seems they've also reverted something now also... I expect more fiddling / issues will arise too...

Nb. The AP article, while no doubt an accurate reflection of user experiences, esp. issues had with un-modded devices, may be a little misleading...

Google has already deprecated S/N which is why they're migrating to PI already and are urging banks etc to do the same...

The article says "Google, however, has made plans to deprecate the SafetyNet Attestation API by 2024"...

Actually, Devs need to move to PI before a June 2023 'Migration deadline'...

The June 2024 date is simply the 'Full turndown' date when S/N API will fail for older app versions. These older apps will actually fail in June 2023 if Devs have failed to issue PI compliant versions (in addition) by this time...

https://developer.android.com/training/safetynet/deprecation-timeline

👀 PW
 

Lughnasadh

Senior Member
Mar 23, 2015
4,343
4,855
Google Nexus 5
Huawei Nexus 6P
Yup... Thanks...

I suspected Google had been playing with PI deviceIntegrity at the server end... Seems they've also reverted something now also... I expect more fiddling / issues will arise too...

Nb. The AP article, while no doubt an accurate reflection of user experiences, esp. issues had with un-modded devices, may be a little misleading...

Google has already deprecated S/N which is why they're migrating to PI already and are urging banks etc to do the same...

The article says "Google, however, has made plans to deprecate the SafetyNet Attestation API by 2024"...

Actually, Devs need to move to PI before a June 2023 'Migration deadline'...

The June 2024 date is simply the 'Full turndown' date when S/N API will fail for older app versions. These older apps will actually fail in June 2023 if Devs have failed to issue PI compliant versions (in addition) by this time...

https://developer.android.com/training/safetynet/deprecation-timeline

👀 PW
Yeah, AP doesn't always get into the nitty gritty 🙃
 

73sydney

Senior Member
Google Play Service data wipe:

Just a gentle reminder to any Watch 4/5 owners out there that a Google Play Services clearing will sever the Watch connection, requiring a Watch reset...so factor that into your equation folks

As always, for most things deficient on Watch, blame Samsung
 
I want to say thank you to Lord Sithek for trying to help and providing many links to threads about the issue and workarounds... I am not the only one who hates entering a code. Many have done it for Android 7, and some for 8 and 9. It seems 10 and 11 have blocked most workarounds, which is sad.

Also thanks to PW. We have different views, but the discussion is valid and fun. I have taken the guards off of all my saws and have not lost a finger yet. I have also changed hundreds of lights, outlets, and switches and seldom resort to flipping any breakers. I understand the need for security, please also understand some peoples need for instant access when security is not needed.

73sydney... It is not wrong of me to ask and request that a new workaround be developed. Just cause you like entering the same code 1000's of times in your life doesn't mean I have to. I love it when kids play on my lawn. I hate when companies dictate how I get to use my own devices.
Right! I hate when I'm the tool for the tool 👎
 

zagreous

New member
Oct 2, 2022
3
2
So similarly to others, last week integrity checker suddenly reported my phone no longer MEETS_DEVICE_INTEGRITY. As others have reported it went back to normal after a few days and I get two green checkmarks in PI checker. Since then I can't add my card to gpay. The setup goes well until the part where it normally prompts me to put in the code sent via SMS. The app tells me it can't add the card right now and to contact my bank. Customer support told me to wait and try again in 24 hrs, which didn't help. Has anyone else experienced this? And is it related to PI and/or magisk?
 

pndwal

Senior Member
So similarly to others, last week integrity checker suddenly reported my phone no longer MEETS_DEVICE_INTEGRITY. As others have reported it went back to normal after a few days and I get two green checkmarks in PI checker. Since then I can't add my card to gpay. The setup goes well until the part where it normally prompts me to put in the code sent via SMS. The app tells me it can't add the card right now and to contact my bank. Customer support told me to wait and try again in 24 hrs, which didn't help. Has anyone else experienced this? And is it related to PI and/or magisk?
https://forum.xda-developers.com/t/...agisk-discussion-thread.3906703/post-87400949

See this also; scroll down to Related Issues:

https://forum.xda-developers.com/t/...agisk-discussion-thread.3906703/post-87481637

👍 PW
 

batboy00

New member
Nov 28, 2013
4
5
So similarly to others, last week integrity checker suddenly reported my phone no longer MEETS_DEVICE_INTEGRITY. As others have reported it went back to normal after a few days and I get two green checkmarks in PI checker. Since then I can't add my card to gpay. The setup goes well until the part where it normally prompts me to put in the code sent via SMS. The app tells me it can't add the card right now and to contact my bank. Customer support told me to wait and try again in 24 hrs, which didn't help. Has anyone else experienced this? And is it related to PI and/or magisk?
I have the same problem. Apparently, if the bank customer service informed me well, Google sends a sort of "recommendation" back to the bank when trying to add a card. Some banks take it into consideration, some don't. So maybe on devices that don't have a strong identity or something similar, Google can inform the bank about this detail. After that, it's the bank decision to allow the card to be added or not. From this point of view I don't think you can do anything. Or try to change your bank :)
 

pndwal

Senior Member
I have the same problem. Apparently, if the bank customer service informed me well, Google sends a sort of "recommendation" back to the bank when trying to add a card. Some banks take it into consideration, some don't. So maybe on devices that don't have a strong identity or something similar, Google can inform the bank about this detail. After that, it's the bank decision to allow the card to be added or not. From this point of view I don't think you can do anything. Or try to change your bank :)
Guess that's possible... Anyone blocked from their bank but still able to add cards for another w/ Contactless setup displaying 'Device meets security requirements'?

My experience (more than once) and that of several others has been that Contactless setup displayed 'Device does not meet security requirements' message even when deviceIntegrity verdict passed, and solution was simply to wipe Play Services data and either wipe G Pay/Wallet data and reboot or uninstall it, reboot and reinstall... PW
 

zagreous

New member
Oct 2, 2022
3
2
Guess that's possible... Anyone blocked from their bank but still able to add cards for another w/ Contactless setup displaying 'Device meets security requirements'?

My experience (more than once) and that of several others has been that Contactless setup displayed 'Device does not meet security requirements' message even when deviceIntegrity verdict passed, and solution was simply to wipe Play Services data and either wipe G Pay/Wallet data and reboot or uninstall it, reboot and reinstall... PW
Gpay displays that I pass security and I've wiped data/uninstalled many times. It's probably as @batboy00 says and my bank just had enough of my messing around.
 

pndwal

Senior Member
Gpay displays that I pass security and I've wiped data/uninstalled many times. It's probably as @batboy00 says and my bank just had enough of my messing around.
Mmm...

Bank should be able to tell you if something looks wrong at their end however...

In my case (first one) I persisted since I had also called my bank and was told everything was fine for contactless payments at their end... Had Contactless setup 'Your phone does not meet the security requirements' message that time, and uninstall, wipes and reboot was the cure...

With my latest episode, Wallet Contactless setup still said 'Your phone meets security requirements', but on trying to re-add cards I got 'You cannot use contactless on this device as it does NOT meet security requirements' as mentioned... However after simply clearing Wallet data and rebooting Wallet updated and cards re-appeared again...

I'm still skeptical your bank will have blacklisted your device; I suspect possibly a bank glitch or a possible wait/delay after such a failure as your bank indicated... I'd be trying again...

However if you have deviceIntegrity passing and have fully uninstalled G Pay/Wallet, cleared Play Services, rebooted and set up Wallet again, I guess after giving it a bit more time you can only try setting up a different card/bank... 🙃 PW
 

73sydney

Senior Member
Gpay displays that I pass security and I've wiped data/uninstalled many times. It's probably as @batboy00 says and my bank just had enough of my messing around.

not saying its this, but just for sharing...

but back in my pixel days, about 3 years ago, when i was routinely testing (flashing) 2-4 ROM's a week, i did have a GPay failure that rendered contactless broken. Contacted bank...nope no issue there. Contacted Google via web...yup my account had gotten garbled by too many GPay setup requests from my bank :) Took them 24 hours to turn around on that one

aka when (too much) ROM flashing goes wrong

only time it wasnt something i could fix with a wipe
 

zagreous

New member
Oct 2, 2022
3
2
not saying its this, but just for sharing...

but back in my pixel days, about 3 years ago, when i was routinely testing (flashing) 2-4 ROM's a week, i did have a GPay failure that rendered contactless broken. Contacted bank...nope no issue there. Contacted Google via web...yup my account had gotten garbled by too many GPay setup requests from my bank :) Took them 24 hours to turn around on that one

aka when (too much) ROM flashing goes wrong

only time it wasnt something i could fix with a wipe
Well I went and made a new bank account added the new card to gpay and it works fine. Still can't set up the old card... seems like my device is on some sort of blacklist with the old bank.

P.S.: No idea if this is caused by magisk, root, Xposed or whatever so apologies if my original question doesn't belong in this forum.
 

73sydney

Senior Member
GPay Magisk Module Update:

As people seem to still be installing it, without reading the warning in my sig, in the thread, or in the README on my github repo, ive made the decision to remove the repo. As most long term people know ive been trying to wean people off it (including begging the world to "please let it die") for some time now, i myself havent used it in nearly 2 years.

I've explained (at length) previously why it has stopped being suitable here:


I had up till today kept it available for those rare few edge cases where against all odds it has seemed to be the only "fix" for a handful of people a year. I fear its now at a point where its truly a distraction and sending people off on a tangent that they neednt be on. This was prompted by an issue created on my github just now, and i decided it was high time it went...

So it is going bye byes....after somewhere north of 38,000 downloads (not counting forks and Androidacy stealing it and trying to monetize it)...

As always, thanks go to @BostonDan for his original method that led to my repurposing his hard work almost like it was my own, and to all the contributors over the years (@braveheartleo @Didgeridoohan (aka The Man) @Zackptg5 @Skittles9823 @jcmm11 @osm0sis), and for @pndwal who largely offered support for it almost singlehandedly for most of the time it was up....

tombstone.png
 

73sydney

Senior Member
Lol, when I read this in red letters, I initially thought that you pushed an update of your module which simply removes its functionality and leaves it as a placebo for those people who still think that they need it. 😂

But it's fine that you let it die and I really like the tombstone. 😇

Considering people had been ignoring everything else i wrote about it for over a year now, including "you prolly dont need it" (and mods say i cant be subtle) which when that didnt stop them moved to "you shouldnt use it", i was half tempted to remove any functional code and leave it in place much as you thought, but then i thought of the sheer amount of work that would leave @pndwal when he'd inevitably have to respond (before i did, because he always beat me to it) to posts about "why isnt it working?". Despite him being a world class pedant and residing up a clock tower, i do have some sympathy towards him....hence i felt that no one could ignore the tombstone....
 

73sydney

Senior Member
Got a PM this morning:

Could You send me link to this fix? There is no file on GitHub anymore.

linked to above headstone post

And then this, which is where currently people should be looking for the correct method:


Update: i set the repo back to public, stripped of anything pretty much just the info in the announcement post above. Changed all remaining text to past tense to hopefully hammer it home.

Im most happy about the changelog :)
 

Top Liked Posts

  • 9
    I could be wrong, but for most people, the "solid base" of Magisk modules (assuming stock ROM with root) is just USNF Displax mod. If other modules or modifications are installed then more elaborate hiding measures might be necessary but in general the modded USNF alone is sufficient to pass basic and device integrity.
    FWIW, USNF (now w/ @Displax' mods) is the defacto replacement for basic MagiskHide functions that provided an environment attestation API (SafetyNet) bypass...

    MagiskHide also provided proper 'root' hiding from apps but always remained basic as John has tired of / lost interest in bypassing app's increasingly sophisticated custom root trace detection methods for some years now.

    This has meant that more sophisticated root hiding has been the province of solutions like 'Servicely' (to disable services with isolatedProcess enabled that can 'easily bypass MagiskHide'), vv's Unshare and later Canyie's MomoHider Magisk modules in combination with Magisk's own hidelist.

    XPosed modules like Hide My Applist were also added to the list of hiding solutions as Devs have found ways to (arguably) abuse ability to detect apps they deem indicators of execution environment compromise despite Google's efforts to limit this 'improper' use of permissions like QUERY_ALL_PACKAGES...

    With Zygisk-generation Magisk (24+), even basic root trace hiding has been 'sunsetted' in Magisk itself... As John said:
    • It's not a secret that specifically designed modules can indeed utilize the DenyList feature for "hiding" purposes
    • DenyList, however, is only meant to "revert all Magisk changes". It will not attempt to manipulate any other signals on the device
    • Since Magisk already provides root permissions, modules don't actually need to rely on DenyList for hiding. They can do everything themselves
    • There are already modules out there that directly manipulates root detecting processes / system services to workaround HW KA

    So newer efforts to provide root hiding have had to re-implement proper methods (not simply reverting Magisk modifications in processes which actually breaks much hiding). This means that solutions like Shamiko, while 'hijacking' denylist for convenience, are actually re-implementing denylist as a hidelist. In this sense at least Shamiko is now supplying the 'solid base' hiding once provided by MagiskHide (but it's not needed for passing SafetyNet or Play Integrity attestations as you said)...

    Of course other 'base' hiding is also supplied by Shamiko, eg xhook hiding for LSPosed and other modules was previously integrated in Riru as Riruhide but many were unaware of its existence. With 24+ Magisk there is no such integrated hiding but Shamiko is hiding (most?) traces of xhook/Zygisk now...

    Being a Canyie initiative, Shamiko adds the unshare (isolated process) and other hiding done by her MomoHider as well as tmp mount and more hiding for further traces now detected by banks... PW
    5
    Sorry, i guess i quote it mostly as a solid base for everything after...
    I could be wrong, but for most people, the "solid base" of Magisk modules (assuming stock ROM with root) is just USNF Displax mod. If other modules or modifications are installed then more elaborate hiding measures might be necessary but in general the modded USNF alone is sufficient to pass basic and device integrity.
    4
    For the majority of people Magisk 25.2 with Universal SafetyNet Fix (Mod/Mod2) by Displax, and Shamiko (Deny List NOT Force enabled) is enough to pass Integrity test (along with clearing data for Play Store and Play Services)
    Shamiko isn't even required in most cases I believe. Play Integrity does not detect Zygisk and in fact has no way to do so.
    4
    doesn't work sir, installation failed, your system API of 29 is less than the minimum api of 30? what, any solution? Magisk 25.2, rog phone 2 stock rom android 10, coz i got detected on ruru, Libc and Syscall file detection, the HMA is detected, i already use HMA beta 3.0.5, plz helb

    As promised, linking you to the newly completed HMA guide:

    4
    doesn't work sir, installation failed, your system API of 29 is less than the minimum api of 30? what, any solution? Magisk 25.2, rog phone 2 stock rom android 10, coz i got detected on ruru, Libc and Syscall file detection, the HMA is detected, i already use HMA beta 3.0.5, plz helb

    It does say Android 11+ API 30+ on the github page

    The module cant modify a file that doesnt exist :)

    Sorry but theres no equivalent function for Android -11

    I am working on a Hide My Applist guide (with pictures) at the moment, that may help. Once i have that up, ill tag you and you can follow and see if you have it setup correctly and then also let us know what youre being detected on under those categories

    For the majority of people Magisk 25.2 with Universal SafetyNet Fix (Mod/Mod2) by Displax, and Shamiko (Deny List NOT Force enabled) is enough to pass Integrity test (along with clearing data for Play Store and Play Services)
  • 61
    The new Google Play services update caused this.

    Temporary workaround:

    1. Disable Google Pay/Find My Device as Device Administrators in Settings > Security & location > Device Administrators.

    2. Search "Google Play services" in the Settings search bar.

    3. Press the three dots and press "Uninstall previous updates".

    4. Download this update - https://www.apkmirror.com/apk/google-inc/google-play-services/google-play-services-14-7-99-release/
    Pick your needed edition (arm or arm64, etc.), download it and install it.

    5. Disable Background data access for Google Play Services and Google Play in their respective App Info pages.

    6. Download Google Pay from the Play Store.

    7. Set up your cards. Enjoy!

    Never EVER update Google Play services manually, until a Magisk update is available that bypasses the upgraded SafetyNet. Note that Google Play services is responsible for adding/verifying the card, not the Google Pay app! Hence why there seems to be an overlay when adding a card/verifying an existing one.

    Tested Google Pay versions:

    2.79.x-2.83.235070858 - working

    Tested Google Play services versions:

    14.7.99, 16.0.86 - working with Magisk 18.1

    14.8.49-16.x- working with Magisk 18.2 Canary
    32
    This thread is inspired by the PoGo Magisk discussion thread. It's meant to keep the clutter of "Google Pay doesn't work" posts out of the main Magisk threads.

    Please use this to discuss issues with Google Pay and possible solutions.


    There's a working solution here:
    https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-3-1.4217823/post-87198517


    For general tips on first getting SafetyNet to pass fully, check here:
    https://www.didgeridoohan.com/magisk/MagiskHide#hn_SafetyNet
    29
    Ok. I tried this and it worked on gms 17.1.22, allowing one to add cards and pay in store. Warning YMMV, but this is the process I did to get this working. One caveat is that Google pay does not register the "recent transactions" on the Google pay app. Another caveat is that I suspect users will have to reverse some step if gms is updated and then reapply, but this still needs to be confirmed

    Without further ado, here is my process:

    1) download a SQL database editor. I used

    https://play.google.com/store/apps/details?id=com.tomminosoftware.sqliteeditor&hl=en_US

    2) download a terminal emulator program. I used terminus but any terminal emulator should work.

    3) make sure Google pay is forced close, if it is open.

    4) open SQL editor. Navigate to /data/data/com.google.android.gms/databases

    5) open dg.db

    6) change any value that lists "attest" in the name (first column) to 0 in the third column. Mine was showing a value of 10 in the third column for each of these values. (Column c for sqlite database editor I used)

    7) open the terminal emulator.

    8) get root access (su)

    9) cd /data/data/com.google.android.gms/databases

    10) type: chmod 440 dg.db
    This makes dg.db read only (for owner and group, and no access for world.)

    11) reboot

    I suspect when gms is updated, one will have to go back to steps 10 and 11 and chmod 660 dg.db to allow new keys to be written to the database, and then go back and redo all these steps to reset the attestation values back to 0.

    If there is still an error, verify in sqlite database editor that all attest release keys values in dg.db are 0 when dg.db is read only (owner and group).

    Again, YMMV but this worked for me, so I give it back to the community now.

    Edit: recent activities did show up soon afterwards for the payment method.

    Cheers,
    B.D.
    27
    The app is finally public! (thanks Google for taking a week to approve this 🤦)
    I made it beta testing since I haven't tested it on many devices. If you find any problem, please open an issue here and I'll take a look at them once I return from vacation.


    Source code:

    If you are curious, the possible outcomes I've seen are:
    • 3 ticks (unrooted samsung)
    • tick/tick/x (unrooted redmi note 4 with unlocked bootloader)
    • x/tick/x (my rooted a11 op7t)
    23
    UPDATE 1/8/2022
    This app is officially discontinued in favor of a new app I published on Play Store. Read more here:

    ====================
    ORIGINAL MESSAGE:

    I just made this simple app which tells you if your device passes the new Play Integrity API (which is presumably what Google Pay and Play Store use to detect root now). If you don't trust random apks from the internet feel free not to use this. I'll upload the source code at a later time since it's very junk now (probably on github).
    You can use it to play around and see if you manage to get it to pass without having to mess with Google Pay. There are screenshots of the 2 possible outputs (pass screenshot is from an online emulator).
    Also I didn't test it much since I don't have many devices that can pass. Hope it works fine 🤞

    Hope this helps someone find a solution :)

    EDIT:
    Here is a quote from Google of what exactly "Does not meet device integrity" means:
    The app is running on a device that has signs of attack (such as API hooking) or system compromise (such as being rooted), or the app is not running on a physical device (such as an emulator that does not pass Google Play integrity checks).
    ...
    If you are having problems with your testing device meeting device integrity, make sure the factory ROM is installed (for example, by resetting the device) and that the bootloader is locked.
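
The posts above refer to the Play Integrity deviceIntegrity verdict and the bank's decision on whether to accept a device. As an added illustration (not code from any poster or from Google), this is how an app backend such as a bank's might evaluate an already decrypted and verified verdict payload. Field and label names follow Google's published verdict format; the package name, nonce, timestamps and sample payloads are constructed.

```python
"""Added example: relying-party evaluation of a decoded Play Integrity verdict."""

# Labels that can appear in deviceIntegrity.deviceRecognitionVerdict.
LABELS = ("MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY")


def ticks(payload):
    """Return the three pass/fail results a checker app would display."""
    got = set(payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    return {label: label in got for label in LABELS}


def evaluate(payload, *, package, nonce, now_ms,
             required="MEETS_DEVICE_INTEGRITY", max_age_ms=120_000):
    """Return (allowed, reasons); reasons lists every check that failed."""
    reasons = []
    req = payload.get("requestDetails", {})
    # The verdict must have been issued for our app and for this request.
    if req.get("requestPackageName") != package:
        reasons.append("package mismatch")
    if req.get("nonce") != nonce:
        reasons.append("nonce mismatch (possible replay)")
    # timestampMillis arrives as a string; reject missing, future or old values.
    try:
        age = now_ms - int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        age = None
    if age is None or not 0 <= age <= max_age_ms:
        reasons.append("stale or missing timestamp")
    if payload.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app not recognized by Play")
    # An empty deviceIntegrity object means no label was granted at all.
    if not ticks(payload)[required]:
        reasons.append(f"missing {required}")
    return (not reasons, reasons)


# Constructed sample data (hypothetical package name and nonce).
PACKAGE = "com.example.bank"
NONCE = "bm9uY2UtMDAx"
NOW = 1_700_000_060_000


def sample(labels, nonce=NONCE, ts="1700000000000"):
    """Build a constructed verdict payload carrying the given device labels."""
    return {
        "requestDetails": {"requestPackageName": PACKAGE, "nonce": nonce,
                           "timestampMillis": ts},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                         "packageName": PACKAGE},
        "deviceIntegrity": {"deviceRecognitionVerdict": list(labels)},
    }


if __name__ == "__main__":
    cases = {
        "all three labels": sample(LABELS),
        "basic only": sample(["MEETS_BASIC_INTEGRITY"]),
        "replayed nonce": sample(LABELS, nonce="c3RhbGU="),
    }
    for name, payload in cases.items():
        allowed, reasons = evaluate(payload, package=PACKAGE, nonce=NONCE, now_ms=NOW)
        print(f"{name}: allowed={allowed} reasons={reasons}")
```

The `required` label is a policy choice made by the relying party, which is why two banks can treat the same device differently.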