[DISCUSSION] Play Integrity API

Search This thread
By:
Advanced…
zgfg

zgfg

Senior Member
Oct 10, 2016
8,517
6,241
Xiaomi Mi 11 Lite 5G
zagreous said:
This is what my apps return, maybe you can find smthn useful, if you have the time of course.
Click to expand...
Click to collapse
In the Play Integrity and SafetyNet, observe the button View JSON

Click on that, read what it says and provide their screenshots (if not visible at once, scroll till the end of JSONs and post the screenshots showing complete JSON responses)

Btw, do you maybe have a custom ROM without Google Play Services?

Also, make sure that the phone is connected to Internet

Google Play Services (GMS) is required and GMS must be able to connect to the Google servers
 
Last edited:
Z

zagreous

Member
Oct 2, 2022
6
3
zgfg said:
In the Play Integrity and SafetyNet, observe the button View JSON

Click on that, read what it says and provide their screenshots (if not visible at once, scroll till the end of JSONs and post the screenshots showing complete JSON responses)

Btw, do you maybe have a custom ROM without Google Play Services?

Also, make sure that the phone is connected to Internet

Google Play Services (GMS) is required and GMS must be able to connect to the Google servers
Click to expand...
Click to collapse
Lol I just ran tb checker so I could provide the json and suddenly i get 2 green ticks (basic and device integrity). Idk how that happened, since I just restarted my phone (again). Thank you for your time though.
 
  • Like
Reactions: zgfg
anshul3.sharma

anshul3.sharma

New member
Jan 17, 2023
1
0
While requesting integrityToken using
"integrityManager
.requestIntegrityToken(
IntegrityTokenRequest.builder().setNonce(encodedNonce).setCloudProjectNumber(projectId).build());"

It is working for dev build variant, but for prod build flavor it is giving me below error


com.google.android.play.core.integrity.IntegrityServiceException: -1: Integrity API error (-1): Integrity API is not available.

The Play Store version might be old, or the application is not allowlisted to use this API.

Recommended actions:

1) Make sure that an app is allowlisted to use the API.

2) Ask the user to update Play Store.

(https://developer.android.com/googl...del/IntegrityErrorCode.html#API_NOT_AVAILABLE).

Can anyone please help here
 
V0latyle

V0latyle

Forum Moderator
Staff member
Feb 20, 2011
5,855
1
9,170
The Heartland of America
Google Pixel 5
Google Pixel 5a
@pndwal I've updated the OP yet again to reflect what we discussed about Android 8 devices.

The basics as I understand them:
  • Pre 8.0 devices are not capable of hardware backed attestation; so Play Integrity defaults to basic; should pass both BASIC and DEVICE_INTEGRITY in most cases even with an unlocked bootloader although the latter may require other alterations such as MHPC
  • Android 8.0+ devices default to hardware backed attestation, meaning that all 3 verdicts will only pass on a locked bootloader and OEM firmware
  • USNF mod forces basic attestation method for rooted 8.0+ devices, so they're basically in the same camp as the pre 8.0 devices
  • No apps are currently known to require STRONG_INTEGRITY
 
  • Like
Reactions: ipdev, pndwal and zgfg
I

iamthecarley

Member
Sep 18, 2016
23
4
AT&T Samsung Galaxy S4
Motorola Atrix 4G
V0latyle said:
Play Integrity API

What is Play Integrity?
Play Integrity has replaced SafetyNet for the most part, with a deadline of June 2024, when Google's SafetyNet servers will go offline. Apps that continue to exclusively depend on SafetyNet will no longer work once this happens. Most developers have already migrated to Play Integrity.

Is Play Integrity the same as Play Protect?
No. Play Integrity provides users with the ability to verify device compatibility and security, much like SafetyNet did. Play Protect is a part of the Play Store that ensures that your device is certified, and helps to protect against malware. In this context, "certified" refers to whether or not your device has passed Android compatibility testing. This is also used for part of the Play Integrity checks. More information here


My device passes SafetyNet but I can't use Google Pay/other apps.
Don't rely on SafetyNet as a good assessment of your device's compatibility and security. It is possible to pass SafetyNet, but fail Play Integrity.
Rooted Pixel 5 on stock firmware: USNF 2.3.1 shows SafetyNet Pass using YASNAC, but device fails Play Integrity DEVICE_INTEGRITY check.

How do I know if my device is passing Play Integrity checks?
To check Play Integrity status, you can use this app:
play.google.com

Play Integrity API Checker - Apps on Google Play

Get info about your Device Integrity through the Play Intergrity API
play.google.com play.google.com
Github

If you're a nerd and you want to check key attestation, use this:
play.google.com

Key Attestation Demo - Apps on Google Play

Demo for Key Attestation feature of the Android system.
play.google.com play.google.com
Github

What causes a device to fail Play Integrity checks?
It depends on your Android version and device state. If you're on an old version of Android prior to 8.0, even an unmodified device will only pass BASIC_INTEGRITY and DEVICE_INTEGRITY, because they are not capable of hardware backed attestation methods. Android 8.0+ devices that are not modified or unlocked should pass all 3; Android 8.0+ devices with unlocked bootloaders will fail all 3, because the unlocked bootloader state means hardware backed attestation is not possible.

What do I do if my device is failing all 3 checks?
You can use the Universal SafetyNet Fix Magisk module 2.4.0 or higher, which forces basic attestation similar to pre Android 8. If you're on rooted OEM firmware, this should be sufficient for most apps including Google Pay. Custom ROMs and Chinese OEMs may have to use fingerprint altering methods to pass. It is not possible to pass STRONG integrity on an unlocked bootloader...unless it's"broken", like an ASUS ROG. Fortunately, this isn't a big deal, as no app developers are known to require that verdict.

Now, details on what Play Integrity is and how it works...


SafetyNet has been discontinued in favor of the new Play Integrity, which uses stronger methods to verify the security of a device. This is why many rooted users have been unable to use security sensitive apps, such as banking and DRM. There is a workaround for this.

But first, details on the new API.
The three elements in Play Integrity are:
  • MEETS_DEVICE_INTEGRITY: Corresponds to SafetyNet ctsProfileMatch. The app is running on an Android device powered by Google Play services. The device passes system integrity checks and meets Android compatibility requirements. (Device profile matches that of a device that has passed Compatibility Test Suite) A device that fails this will appear as Uncertified in Play Store.
  • MEETS_BASIC_INTEGRITY: Corresponds to SafetyNet basicIntegrity. The app is running on a device that passes basic system integrity checks. The device may not meet Android compatibility requirements and may not be approved to run Google Play services. For example, the device may be running an unrecognized version of Android, may have an unlocked bootloader, or may not have been certified by the manufacturer. Most devices should pass this, even if they're rooted.
  • MEETS_STRONG_INTEGRITY: Corresponds to SafetyNet HARDWARE_BACKED attestation. The app is running on an Android device powered by Google Play services and has a strong guarantee of system integrity such as a hardware-backed proof of boot integrity. The device passes system integrity checks and meets Android compatibility requirements. An unlocked bootloader will ALWAYS fail this label because boot integrity cannot be verified, meaning that hardware backed attestation methods cannot be used.
This table shows the relationship between SafetyNet and Play Integrity responses:
View attachment 5732079

The most fundamental change is that Play Integrity, by default, uses hardware methods to verify BASIC and DEVICE integrity, which is why simply having an unlocked bootloader will cause the device to fail all 3 results. However, Play Integrity also uses hardware methods (if available) to verify device security state in addition to the aforementioned checks. This is STRONG integrity, which relies on hardware-backed key attestation as well as Verified Boot to verify that a device has not been tampered with and MEETS_STRONG_INTEGRITY. It is not possible to pass STRONG integrity on an unlocked and/or modified device, or a pre Android 8 device. (Notable exception being devices with broken keystores such as ASUS ROG)

It is worth noting that SafetyNet always provided the means for developers to force hardware backed evaluation types; none did, including Google. The same seems to still be true; most app developers require DEVICE verdict, "secure" apps require BASIC and DEVICE, but none are known to require STRONG

So this all sounds rather depressing. What do we do?
Fortunately, we have the ability to force a basic attestation method that prevents the use of hardware checks, meaning it is possible to partially pass. Universal SafetyNet Fix 2.4.0 does this:
(Response from Play Integrity Checker on my rooted Pixel 5 with Universal SafetyNet Fix MOD by Displax)
View attachment 5751415
You can find that module here:
github.com

Releases · kdrag0n/safetynet-fix

Google SafetyNet attestation workarounds for Magisk - kdrag0n/safetynet-fix
github.com github.com


As far as how this is going to affect us in the future, it's up to the app developers to decide what results they want. In most cases, all they care about is BASIC and DEVICE. But if they really want to ensure that they're running on a trusted platform, they can require STRONG attestation, which cannot be spoofed or bypassed. BASIC and DEVICE can, because they use the same mechanisms that SafetyNet did. The million dollar question is whether they ever will.


For those interested in the timeline:
View attachment 5732061

For more information, please read the discussion in this thread.
Click to expand...
Click to collapse
Thank you SO much for not only giving solution(s), but for explaining each bullet point in such depth and detail. This is extremely helpful in giving not only the "what" but also the "how" and "why" - much appreciated.
 
  • Like
Reactions: V0latyle
P

pndwal

Senior Member
Jun 23, 2016
5,859
6,485
Sydney
Redmi Note 8
Xiaomi Redmi Note 8 (2021)
V0latyle said:
@pndwal I've updated the OP yet again to reflect what we discussed about Android 8 devices.

The basics as I understand them:
  • Pre 8.0 devices are not capable of hardware backed attestation; so Play Integrity defaults to basic; should pass both BASIC and DEVICE_INTEGRITY in most cases even with an unlocked bootloader although the latter may require other alterations such as MHPC
Click to expand...
Click to collapse
Actually for unlocked/rooted devices both basicIntegrity and deviceIntegrity will require hiding root from droidguard (attestation) gms process as a minimum for passing verdicts and many will need changes to sensitive prop values also. Old MagiskHide did this. Or users can add droidguard (attestation) gms process in denylist (w/ or w/o Shamiko or other hiding) and use MHPC to adjust sensitive prop values (does this even with nothing configured by user). Or just run USNF (From v2.3.1: Restored support for Android 7... Actually I think he means A7 and older per commit: magisk: Allow limited installation on Android 7 and older … "In general, users on such old versions of Android don't need to bypass
hardware-backed attestation... so allow them to install the module without the Zygisk part.") to fix sensitive props... Users may still need to hide root from droidguard (attestation) gms process manually in this case as Zygisk parts won't load... I'm not sure...
V0latyle said:
  • Android 8.0+ devices default to hardware backed attestation, meaning that all 3 verdicts will only pass on a locked bootloader and OEM firmware
Click to expand...
Click to collapse
All 3 together, yes... 2 can pass /unlocked bootloader... (... The pedant in me is showing. 🤪)
V0latyle said:
  • USNF mod forces basic attestation method for rooted 8.0+ devices, so they're basically in the same camp as the pre 8.0 devices
  • No apps are currently known to require STRONG_INTEGRITY
Click to expand...
Click to collapse
Yup...

FWIW I'm working on a simplified explanation for Google's progressive employment of hardware-backed attestation, USNF's evolving bypass and fallback methods and clarification of common misunderstandings for USNF discussion thread... It's taking a while as I have limited time ATM with long days (also very flakey internet w/ vodafail and patchy WiFi in small-town Taree)... 🤠 PW
 
  • Like
Reactions: ipdev and V0latyle
D

DartGerion

Member
Dec 8, 2018
37
6
32
OnePlus 7
Samsung Galaxy Tab S6
Hi, guys!
Apologize for errors in writing, English is not my first language. For me the Gpay was working until today. I've checked the API integrity and receive the UNEVALUATED results with all integrity red. I've attached the denylist and magisk modules. Right now my USNF mod is 2.3.1 v2.0 (i know there is newest one, i've tried it with same results). Can you, please, help me identify the culprit. MOMO detects only wrong partition, so i think it's just the bootloader unlock. My phone is Oneplus 7T Pro, running stock OOS11, unlocked BL.
 

Attachments

  • 327315597_1249244225662414_5745703968113189087_n.jpg
    327315597_1249244225662414_5745703968113189087_n.jpg
    72 KB · Views: 37
  • 327207885_668622104948475_7136240826985508058_n.jpg
    327207885_668622104948475_7136240826985508058_n.jpg
    94.4 KB · Views: 36
  • 327266010_931316484901477_2211225302576516786_n.jpg
    327266010_931316484901477_2211225302576516786_n.jpg
    72.4 KB · Views: 42
  • 327210660_652779099867476_5172096209894483835_n.jpg
    327210660_652779099867476_5172096209894483835_n.jpg
    124.2 KB · Views: 37
  • Like
Reactions: oliversum
21prods

21prods

Senior Member
Sep 2, 2013
101
33
OnePlus 8T
Google Pixel 6a
Hello to all.
I've got a phone with LOS installed on it. For some time I've been using 'ih8sn' to enable Google Pay, but recently it began to state that my phone is no longer secure.
Since then, I've seen that the problem comes from the change from Safetynet attestation to Play Integrity.
Is there any way to pass Play Integrity without magisk in a custom ROM? I'm happy without rooting my phone and 'ih8sn' was perfect for me (up until a couple of days, at least).
Thanks in advance
 
V0latyle

V0latyle

Forum Moderator
Staff member
Feb 20, 2011
5,855
1
9,170
The Heartland of America
Google Pixel 5
Google Pixel 5a
21prods said:
Hello to all.
I've got a phone with LOS installed on it. For some time I've been using 'ih8sn' to enable Google Pay, but recently it began to state that my phone is no longer secure.
Since then, I've seen that the problem comes from the change from Safetynet attestation to Play Integrity.
Is there any way to pass Play Integrity without magisk in a custom ROM? I'm happy without rooting my phone and 'ih8sn' was perfect for me (up until a couple of days, at least).
Thanks in advance
Click to expand...
Click to collapse
Yes...if the fixes in USNF are implemented in that ROM
 
  • Like
Reactions: 21prods
P

pndwal

Senior Member
Jun 23, 2016
5,859
6,485
Sydney
Redmi Note 8
Xiaomi Redmi Note 8 (2021)
21prods said:
So, not much to do for the time being, at least from my side, as I don't have any knowledge to do that and I very much doubt Lineage will ever do it.
Thanks for the clarification
Click to expand...
Click to collapse
Official LOS will never do it... Many unofficial builds do however... But a number of users of ROMs w/ integrated SNF are reporting similar intermittent Play Integrity failures to what those using latest USNF are reporting ATM... PW
 
  • Like
Reactions: ipdev and 21prods
V0latyle

V0latyle

Forum Moderator
Staff member
Feb 20, 2011
5,855
1
9,170
The Heartland of America
Google Pixel 5
Google Pixel 5a
Arcline said:
What do you guys think about KernelSU in connection to play integrity?
Click to expand...
Click to collapse
What about it? @pndwal can provide more insight than I can but I don't think this would make any real difference to our current situation. We are already able to "hide" root, so having root built into the kernel won't make much difference from a detection standpoint, at least not yet. Furthermore, the issue with hardware backed attestation is the "link" between the system's cryptographic authentication and the hardware keystore; an unlocked bootloader breaks this link, and circumventing this would require not just one but two major breakthroughs - you'd have to reverse engineer the bootloader to the point where you could provide a "fake" guarantee of root of trust, and you'd have to decrypt the aforementioned link.

Basically, think of it this way: The kernel and system are sitting at one end of a encrypted "pipe"; the hardware keystore is at the other end. If the bootloader is unlocked, the pipe's integrity cannot be guaranteed, and the system knows this. So, you'd not only have to figure out a way to fool everything into thinking the pipe is secure, but you'd also have to figure out how to successfully "tap" the pipe by breaking the encryption.
 
  • Like
Reactions: ipdev
P

pndwal

Senior Member
Jun 23, 2016
5,859
6,485
Sydney
Redmi Note 8
Xiaomi Redmi Note 8 (2021)
Arcline said:
What do you guys think about KernelSU in connection to play integrity?
Click to expand...
Click to collapse
V0latyle said:
What about it? @pndwal can provide more insight than I can but I don't think this would make any real difference to our current situation...
Click to expand...
Click to collapse
I'm not up to speed with this... Just read this (interesting read):
https://www.xda-developers.com/kernelsu-gki-root/

I can't see why the challenges with respect to bypassing Play Integrity detections or hiding root / modified OS environments in general would be any easier or much different with the KernelSU approach either however...

Looks like an interesting Magisk alternative with similar potential for systemless modules etc by @weishu in much the same way as @weishu's VirtualXposed and Taichi are interesting alternatives to mainstream LSPosed... I imagine LSP support for Magisk (which is also adapting for GKI etc) may be the telling factor in development progress and uptake level differences between these two root alternatives for some considerable time, but I'm not a betting man... PW
 
  • Like
Reactions: V0latyle
O

oliversum

Senior Member
Jan 12, 2009
109
2
DartGerion said:
Hi, guys!
Apologize for errors in writing, English is not my first language. For me the Gpay was working until today. I've checked the API integrity and receive the UNEVALUATED results with all integrity red. I've attached the denylist and magisk modules. Right now my USNF mod is 2.3.1 v2.0 (i know there is newest one, i've tried it with same results). Can you, please, help me identify the culprit. MOMO detects only wrong partition, so i think it's just the bootloader unlock. My phone is Oneplus 7T Pro, running stock OOS11, unlocked BL.
Click to expand...
Click to collapse
Same here, but I'm using Universal SafetyNet Fix v.2.4.0 and Zygisk - LSPosed v.1.8.6 (6712).
 
O

oliversum

Senior Member
Jan 12, 2009
109
2
DartGerion said:
Read back a bit, maybe those tips might help you.
Click to expand...
Click to collapse
Thanks for your reply!
Yes, I did, but so far I didn't find a solution...

Interestingly enough: Right after a restart I get "meets_basic_integrity", but not device nor strong integrity.
A few seconds later I don't even reach "meets_basic_integrity" anymore.
 

Attachments

  • Screenshot_20230202-112057_Play Integrity API Checker.jpg
    Screenshot_20230202-112057_Play Integrity API Checker.jpg
    75.9 KB · Views: 13
  • Screenshot_20230202-111911_Play Integrity API Checker.jpg
    Screenshot_20230202-111911_Play Integrity API Checker.jpg
    76.5 KB · Views: 14
  • Screenshot_20230202-111913_Play Integrity API Checker.jpg
    Screenshot_20230202-111913_Play Integrity API Checker.jpg
    126 KB · Views: 14
  • Screenshot_20230202-112059_Play Integrity API Checker.jpg
    Screenshot_20230202-112059_Play Integrity API Checker.jpg
    91.8 KB · Views: 14
P

pndwal

Senior Member
Jun 23, 2016
5,859
6,485
Sydney
Redmi Note 8
Xiaomi Redmi Note 8 (2021)
  • Like
Reactions: oliversum
L

LaiKash

Member
Sep 24, 2019
5
1
Do we know why in ASUS ROG Phone 3 the keystore is broken? I'm interested on it and why exactly it can pass the STRONG hardware verification.
 
You must log in or register to reply here.

Similar threads

T
  • Sticky
Magisk General Support / Discussion
Replies
55K
Views
6M
P
pndwal
Heisenberg
[Discussion] PokeMon Go Magisk Discussion Thread
Replies
5K
Views
635K
djkrish5610
djkrish5610
Didgeridoohan
[Discussion] Google Pay Magisk Discussion Thread
Replies
3K
Views
520K
P
pndwal
ipdev
  • Sticky
[Discussion] Magisk - The Age of Zygisk.
Replies
3K
Views
343K
J
J.Michael
m0yP
  • Locked
[Module] [Discontinued] iYTBP for Magisk - Ad-Free YouTube with Background Play
Replies
1K
Views
294K
MikeChannon
MikeChannon

Top Liked Posts

24 Hours 30 Days All time
  • There are no posts matching your filters.
  • 4
    P
    pndwal
    deusfaux said:
    Ah I've read 'Shamiko' several times but haven't been introduced yet, seemingly never having an incentive to use it so I'll look into that and what it does
    Click to expand...
    Click to collapse
    It's proper hideing, AKA new MagiskHide...

    Denylist is really not proper hiding, but does revert/prevent Magisk/root modifications running in processes...

    Denylist is really for / useful to Devs, pen-testers, security researchers etc... It's based on original hidecode, but completely repurposed and not targeted to Magisk for daily use, especially as it prevents Zygisk or Riru injection into processes in the list which is why solutions like USNF must now integrate proper hiding of root from gms as we also need code injection for more than one of its functions to work...

    So unlike old MagiskHide, DenyList is limited for hiding Magisk root from gms and also it won't spoof expected signals so sensitive props aren't reset... Further, it doesn't add newer root trace hiding as banks etc discover and perfect techniques, eg traces of Zygisk, isolated processes, app zygotes, changes in init.rc etc...

    These functions are all handled by Shamiko for modders' daily use and successor to @canyie's MomoHider...

    🤠 PW
    View
    2
    P
    pndwal
    LaiKash said:
    Device and Strong integrity is failing for me in all my Rog3 devices (with Shamiko but without the Universal Safetynet Fix). Do you or @shoey63) have the same behaviour?
    Click to expand...
    Click to collapse
    I don't have that device... Google has now (sadly) clearly revoked keys for strongIntegrity on Rog 3 since chain of trust is broken...

    @shoey63 disclosed this change here:

    https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-4-0.4217823/post-88127511

    Next, @Displax put his finger on the real cause... I commented here:
    https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-4-0.4217823/post-88127829

    ... There's no reason you shouldn't be passing deviceIntegrity (with @Displax modded USNF or other means to hide root from GMS etc) however... 😬 PW
    View
    2
    P
    pndwal
    V0latyle said:
    Does GMS/GPS actually detect root, though?
    Click to expand...
    Click to collapse
    It certainly does... And at the base-level basicIntegrity!

    That's why toggling MagiskHide used to add the attestation/droidguard (previously known as the SafetyNet) process (com.google.android.gms.unstable) in hidelist... If you manually removed it S/N would fail (even with MagiskHide still on)... And John originally recommended @Chainfire's suhide for SuperSU when Magisk users 'borrowed' that, and later included suhide for Magisk compatible phh root (superuser) developed by @phhusson before introducing MagiskHide for native MagiskSU when Magisk users moved to new integrated root...

    Later, DriodGuard began checking for Magisk specifically, checking for properties like init.svc.magisk_service, persist.magisk.hide and more... (Of course John took this as a compliment... It also checks for Pegasus and the like.) Here's an original 3rd party SafetyNet Fix that addressed these detections, later implemented by John:
    https://forum.xda-developers.com/t/...017-07-17-on-magisk-v13.3637801/post-73055995
    Johns comment:
    https://forum.xda-developers.com/t/magisk-the-magic-mask-for-android.3473445/post-73079059

    Now, of course, we use USNF, although Denylist hiding is enough for pre keymaster 3 compliant devices along with a sensitive prop resetting solution...

    V0latyle said:
    Does USNF do the actual "blocking" and "hiding" then?
    Click to expand...
    Click to collapse
    Yes, since denylist breaks USNF...

    Of course we're only discussing hiding needed to conceal root from gms here... Don't confuse this with hiding root from apps in general; USNF has no facility for this; that's the domain of proper root-hiding modules like Shamiko.

    🤠 PW
    View
    2
    P
    pndwal
    V0latyle said:
    Ah. I don't, personally...have never needed to, and I'm a bit wary of the fact that there doesn't seem to be any official source aside from the LSposed git repo, which as far as I've found doesn't have specific instructions on how to use it...
    Click to expand...
    Click to collapse
    Yup, it is closed source... Reasons given here:
    https://github.com/canyie/Riru-MomoHider#deprecation-notice

    Usage can be found by extracting readme.md from module.zip, as with many (most?) Magisk modules. 🙂 PW
    View
    2
    zgfg
    zgfg
    pndwal said:
    Usage can be found by extracting readme.md from module.zip, as with many (most?) Magisk modules. 🙂 PW
    Click to expand...
    Click to collapse
    Btw, Readme zipped in the module is usually the same README.md that's displayed on the GitHub
    View
  • 21
    V0latyle
    V0latyle
    Play Integrity API

    What is Play Integrity?
    Play Integrity is an API that is used by applications to determine device compatibility and security state. It has replaced SafetyNet for the most part, with a deadline of June 2024, when Google's SafetyNet servers will go offline. Apps that continue to exclusively depend on SafetyNet will no longer work once this happens. Most developers have already migrated to Play Integrity.

    How is Play Integrity different from SafetyNet?
    In many ways, it's very similar. It uses many of the same checks as SafetyNet, but the responses have been made a bit simpler.

    Is Play Integrity the same as Play Protect?
    No. Play Integrity provides users with the ability to verify device compatibility and security, much like SafetyNet did. Play Protect is a part of the Play Store that ensures that your device is certified, and helps to protect against malware. In this context, "certified" refers to whether or not your device has passed Android compatibility testing. This is also used for part of the Play Integrity checks. More information here.

    Why does this matter?
    Like SafetyNet, apps use this API to determine a device's compatibility and security state. Failing verdicts may limit your ability to use those apps.

    My device passes SafetyNet but I can't use Google Pay/other apps.
    Don't rely on SafetyNet as a good assessment of your device's compatibility and security. It is possible to pass SafetyNet, but fail Play Integrity.
    Rooted Pixel 5 on stock firmware: USNF 2.3.1 shows SafetyNet Pass using YASNAC, but device fails Play Integrity DEVICE_INTEGRITY check.

    How do I know if my device is passing Play Integrity checks?
    To check Play Integrity status, you can do so through the Play Store.
    Tap the Profile icon in the upper right, go to Settings > About > Tap Play Store version 8 times. This unlocks developer mode in the Play Store.
    Now go to Settings > General > Developer options > Check integrity.
    If you prefer a clear visual indicator, you can use this app:

    Play Integrity API Checker - Apps on Google Play

    Get info about your Device Integrity through...
    play.google.com play.google.com
    Github

    If you're a nerd and you want to check key attestation, use this:

    Key Attestation Demo - Apps on Google Play

    Demo for Key Attestation feature of the...
    play.google.com play.google.com
    Github

    What causes a device to fail Play Integrity checks?
    It depends on your Android version and device state:
    • Locked bootloader with stock firmware running Android 7.1.2 or older will only pass BASIC and DEVICE. STRONG will never pass.
    • Locked bootloader with stock firmware running Android 8.0 or newer should pass all 3
    • Unlocked bootloader with stock firmware will fail STRONG and BASIC, possibly DEVICE. STRONG will never pass.
    • Unlocked bootloader with custom firmware will fail all 3. STRONG will never pass.
    If you're on an old version of Android prior to 8.0, even an unmodified device will only pass BASIC_INTEGRITY and DEVICE_INTEGRITY, because they are not capable of hardware backed attestation methods. Android 8.0+ devices that are not modified or unlocked should pass all 3; Android 8.0+ devices with unlocked bootloaders will fail all 3, because the unlocked bootloader state means hardware backed attestation is not possible.

    What do the verdicts mean?
    The three elements in Play Integrity are:​
    • MEETS_DEVICE_INTEGRITY: Corresponds to SafetyNet ctsProfileMatch. The app is running on an Android device powered by Google Play services. The device passes system integrity checks and meets Android compatibility requirements. (Device profile matches that of a device that has passed Compatibility Test Suite) A device that fails this will appear as Uncertified in Play Store.
    • MEETS_BASIC_INTEGRITY: Corresponds to SafetyNet basicIntegrity. The app is running on a device that passes basic system integrity checks. The device may not meet Android compatibility requirements and may not be approved to run Google Play services. For example, the device may be running an unrecognized version of Android, may have an unlocked bootloader, or may not have been certified by the manufacturer. Most devices should pass this, even if they're rooted.
    • MEETS_STRONG_INTEGRITY: Corresponds to SafetyNet HARDWARE_BACKED evaluationType. The app is running on an Android device powered by Google Play services and has a strong guarantee of system integrity such as a hardware-backed proof of boot integrity. The device passes system integrity checks and meets Android compatibility requirements. An unlocked bootloader will ALWAYS fail this label because boot integrity cannot be verified, meaning that hardware backed attestation methods cannot be used.
    This table shows the relationship between SafetyNet and Play Integrity responses:
    1665499433643.png

    What can I do to fix it?
    Again, this depends on your device state.
    Do I need to pass STRONG integrity?
    This is ultimately up to the individual app developer, but to my knowledge, none - not even Google - are requiring a STRONG verdict for any of their apps. Can this change? Yes. Will it? There's no way of knowing - especially because developers have always been able to require hardware backed attestation since the release of Android 8.0.



    Technical details:
    The most fundamental change is this: Play Integrity, by default, uses hardware methods to verify BASIC and DEVICE integrity, but also uses the same hardware methods as proof of boot and system integrity. What this means is that Play Integrity uses stronger (and unbreakable!) methods as "proof" of the BASIC and DEVICE verdicts, and uses the availability of these hardware backed methods to determine the STRONG_INTEGRITY verdict.

    These hardware methods include hardware-backed key attestation as well as Verified Boot to verify that a device has not been tampered with. It is not possible to pass STRONG integrity on an unlocked and/or modified device, or a pre Android 8 device. (Notable exception being devices with broken keystores such as ASUS ROG)

    Fortunately, we have the ability to force a basic attestation method that prevents the use of hardware checks, meaning it is possible to partially pass. Universal SafetyNet Fix 2.4.0 does this:
    (Response from Play Integrity Checker on my rooted Pixel 5 with Universal SafetyNet Fix MOD by Displax)
    1667488774837.png


    As far as how this is going to affect us in the future, it's up to the app developers to decide what results they want. In most cases, all they care about is BASIC and DEVICE. But if they really want to ensure that they're running on a trusted platform, they can require STRONG attestation, which cannot be spoofed or bypassed. BASIC and DEVICE can, because they use the same mechanisms that SafetyNet did. The million dollar question is whether they ever will.

    It is worth noting that SafetyNet always provided the means for developers to force hardware backed evaluation types; none did, including Google. The same seems to still be true; most app developers require DEVICE verdict, "secure" apps require BASIC and DEVICE, but none are known to require STRONG.


    For those interested in the timeline:
    1665497085076.png

    For more information, please read the discussion in this thread.
    View
    8
    P
    pndwal
    Some Insight on the New Cat and Mouse Game...

    Since many are asking:
    vMAC said:
    Is there a fix for this? ... Can't pass MEETS_STRONG_INTEGRITY.
    Click to expand...
    Click to collapse
    I'm posting this WOT. 🤪

    I predict some will like it, some won't... You've been warned! 😜

    FWIW, Play Integrity MEETS_STRONG_INTEGRITY is akin to SafetyNet Evaluation type HARDWARE with CTS Profile match...

    Banks could have used this before (w/ S/N API) but haven't as it would have excluded too many users/devices/customers... Nothing has actually changed with new PI API; MEETS_STRONG_INTEGRITY will exclude the same group, so it's doubtful they'll rush to require this verdict...

    Basically, the means to enforce Hardware key-backed Attestation has already been here w/ either of these attestations, but banks don't want to exclude all those w/Android 7 and below, or many w/ broken keymaster 3+ implementations in Android 8+ devices (CTS Profile match with HARDWARE Evaluation type / MEETS_STRONG_INTEGRITY won't pass with locked bootloader), eg most OnePlus devices (nb. Keymaster may have been fixed in OnePlus devices launched with Android 12+)...

    I'm guessing the banks may well leverage this at some point if the time arrives when they feel there is a sufficient critical mass of devices w/ working hardware-backed keymaster (ie w/ hardware keystore, A8+) to trade against the number of modded (bootloader unlocked) devices in use especially if they deem Google slow to close the fallback-to-basic-attestation loophole that has allowed modders to bypass hardware based attestation to CTS Profile match enforcement (by triggering fallback to BASIC Evaluation type as well as bypassing enforcement) and also to allow its counterpart, MEETS_DEVICE_INTEGRITY verdict. (Nb. This verdict should not properly be obtained on modded devices, and it requires the same attestations as S/N as well as the same tricks to trigger fallback to BASIC attestation and bypass enforcement) The incentive to use this foolproof means is also certainly being weighed constantly against the cost / need to use their own custom means of sophisticated 'root' detection...

    Google also, as other authorities have commented, appears to be waiting for some 'acceptable' percentile / critical mass of such devices in use to be reached also, before they swing the 'big hammer' that is Hardware-backed Key Attestation enforcement and that will definitely spell the endgame for modders' use of bank apps, and possibly for OnePlus users and others whose devices have broken keymaster*

    *Nb. There are exceptions, eg Asus ROG Phone 3, where broken keymaster actually results in PI MEETS_STRONG_INTEGRITY and S/N CTS Profile match with Evaluation type HARDWARE regardless of bootloader status instead of the converse...

    It seems likely to me that OnePlus and other devices with broken keymaster can be spared if Google do prevent on-device triggering of fallbacks to basic attestation use simply by using device info contained in the cryptographic attestation sent to Google servers instead of userspace model props etc now used, to bypass enforcement at the server end. If they do this it would be a concession as modded OnePlus etc may then still be able to pass CTS Profile match / DEVICE_INTEGRITY while other modern modded devices won't...

    This would, however, be a way to swing the hammer a bit sooner, and either way, as can be seen from the above, they may be forced to do this once banks do indicate a willingness to enforce
    MEETS_STRONG_INTEGRITY in order to stop a landslide that would prevent all stock locked Android 7 and lower devices using bank apps etc... Or maybe they'll just let the landslide go and force bank app users to upgrade devices...

    Hopefully this gives some insight regarding what pressures may finally force Google to properly deploy (ie. strictly enforce) Hardware-based Key Attestation on devices that support it...

    Personally, I think Google has exercised great restraint, possibly out of some regard for the modding community since I can't see any other compelling reason not to have properly enforced CTS Profile match with HARDWARE Evaluation type where supported or Hardware attested MEETS_DEVICE_INTEGRITY sooner, unless the matter of ensuring that the API properly sees hardware identifiers (ie. these cannot be spoofed, which I believe would again require cryptographic server-side attestation that the device doesn't indicate the presence of hardware keystore) for bypassing hardware attestation enforcement in devices launched with Android 7 and earlier is proving difficult (but I'm fairly sure this mechanism will be a simple matter for Google and probably already in place)... 😛

    It may well be that Google is benevolently holding off but is using/will use MEETS_STRONG_INTEGRITY uptake data as tha natural indicator of the banks propensity for reliable HKA... My bet is that if Google doesn't have immediate plans to move to srtict HKA enforcement for MEETS_DEVICE_INTEGRITY, then they will when the banks themselves move to use the even stricter MEETS_STRONG_INTEGRITY verdict...

    👀 🤠
    View
    5
    shadowstep
    shadowstep
    mrjuniork said:
    RL does hold me tight lately.
    Click to expand...
    Click to collapse
    ...which is why I already moved a few posts @V0latyle requested. Got your back! (y)
    View
    5
    P
    pndwal

    Tech = Spy-Biz, HippoMan

    FWIW, I'm answering this here (might be the best place...):
    Its none of the banks business to stop their clients from using rooted devices. Theyre just adding another hindrance to smooth banking operations thereby possibly hampering their own business by wasting both their and their clients time. Thats Stupidity!
    Click to expand...
    Click to collapse
    Well, seems that's a popular option here, but it's also a highly subjective one...
    Bank Devs did you hear? Pls discuss this with your bosses. Its like going backwards instead of forward.
    Click to expand...
    Click to collapse
    And you're going to need to do better than that... Even if banks themselves didn't persue these initiatives (ostensibly to protect their interests / bottom line) they're being driven by many other powerful entities...

    The Open Mobile Terminal Platform (OMTP) first defined TEE in their "Advanced Trusted Environment:OMTP TR1" standard around 2007, and for some 15 years Hardware implementations for a hardware isolation mechanism with a secure operating system running on top of this along with an associated "hardware root of trust" have been progressively adopted and implemented not just in/by mobile devices / ARM SOCs (TrustZone, first iterations in 2008, but not much further development/excited customer till 1012, and more), but also by Apple (Secure Enclave is a hardware feature found in most versions of iPhone, iPad, Mac, Apple TV, Apple Watch and HomePod), AMD (Platform Security Processor, PSP, 2013, and more), IBM (IBM Secure Service Container, 2017, and more),
    Intel (Trusted Execution Technology / Management Engine, 2008 and more),
    RISC-V SOCs (MultiZone™ Security Trusted Execution Environment, 2018, and more)...

    The aim of tee on SOC is to to reduce the attack surface... Typical applications include DRM functionality for controlling the use of media (ie. media security) and preventing any unapproved use of a device (ie. device/data security)...

    And it's not just banks who are interested in this; Service providers, mobile network operators (MNO), operating system developers, application developers, device manufacturers, platform providers and silicon vendors are the main stakeholders contributing to the standardization efforts around the TEE in SOC and implementation...

    Banks are simply impatient as, at least in Android, secure TEE implementation for device security is un-developed, flawed, lagging, arguably broken even... unlike in iOS (iOS Secure Enclave) ... And that's a problem, not just for Google...

    So banks do their own security checks... Simply because Android Verified Boot doesn't work for them... I mean attestation to it in the usable deviceIntegrity verdict can't be trusted... I mean it's hardly 'verified', is it?... It's 'chain of trust' can't be trusted because components can be spoofed so Verified Boot can't be trusted, and all because of TEE not being usefully implemented (ie. to allow detection of tampering with a runtime environment along with either a hardware based attestation to the device model or to a working implementation of keymaster for enforcing hardware evaluation type)... And it's not useful presently because the simple implementations of both SafetyNet evaluationType and Play Integrity strongIntegrity will necessarily fail all devices using Android 7 and below as well many OnePlus and other devices with broken keystore implementations if adopted (because attestation doesn't include the information in parentheses above) making this option largely impractical...

    Don't expect that banks won't adopt PI strongIntegrity verdict use sooner or later however... they're only waiting for a certain critical mass of compliant devices (which only they will determine)... or for a better solution (read: more useful hardware based attestation to a trusted, non-tampered runtime environment)...

    Moreover, the efforts banks are making in persuing their own detection of tampered runtime environments as an interim measure only highlights their own interest/ stake in TEE in SOC implementation of keystore/keymaster attestation for device security and standardization...

    HippoMan said:
    I totally agree!

    And as I've mentioned here before, every desktop computer is a rooted device, and of course we don't see the banks trying to hinder us from accessing their services from our computers.

    And banks gladly issue us debit cards which we keep in our wallets that are just as easy to steal as mobile devices.

    Rooted Android devices are just low-hanging fruit. And the amount of fraud that's prevented by trying to fight against Android root is minuscule, given the extremely small percentage of mobile device users who want to use rooted Android devices. I wouldn't be surprised if the amount of money that banks spend for anti-Android-modding software development exceeds the maximum amount of money that could be lost via the hacking of modded Android devices.
    Click to expand...
    Click to collapse
    But as I've told you before, and as the above should make abundantly clear, TEE and other, especially hardware backed, means to detect tampered execution environments for an application developer's code are here to stay in mobile devices, and are arriving in PCs also... cos like banks, Google and iOS etc, Microsoft is doing the maths also...
    In 2021, protections built into Windows, Azure, Microsoft 365, and Microsoft Defender for Office 365 have blocked more than 9.6 billion malware threats, more than 35.7 billion phishing and other malicious emails, and 25.6 billion attempts to hijack our enterprise customers by brute-forcing stolen passwords—that’s more than 800 password attacks per second...
    Click to expand...
    Click to collapse
    https://www.microsoft.com/security/...for-windows-11-will-help-protect-hybrid-work/

    Hardware and software makers hope TEEs provide a long-term solution for using sensitive data in a more secure manner on smartphones, PCs, cloud systems, and virtualized workloads...
    Click to expand...
    Click to collapse
    https://www.hpe.com/us/en/insights/...with-trusted-execution-environments-2102.html

    And Microsoft are already spruiking Windows 11 as a "Zero Trust" solution for PC advanced security needs...

    Guards against sophisticated attacks​

    Protects down to the firmware level with hardware security features that shield user credentials and other critical data.

    Secured-core PCs and hardware-based security​

    Secured-core PCs deliver the highest level of Windows 11 protection including advanced protection of firmware and dynamic root of trust measurement.

    Windows 11 security innovations​

    Microsoft optimizes Windows 11 for Zero Trust protection. Read the Windows 11 Security Guide for a quick overview.
    Click to expand...
    Click to collapse
    https://www.microsoft.com/en-us/windows/business/windows-11-secured-core-computers

    Anyway, as I see it, we are able to have a bit of fun beating the system, or really subverting mobile OS's security models only because these have been slow to implement proper / useful "zero trust" protections... The fun's sure to end sooner or later however cos we live in the real world!... And being real, you and I both know 'bank devs' will NEVER convince their bosses to abandon these advances either! (...ok, ok... advancement, regression, it's your call... or is it?... Who do we think we are???)...

    Eh guys?

    ... The only way you'll get your wish is by cobbling together enough funds to buy the banks, Google, the SOC makers and the OEMs you love ... Then you'll have a fighting chance. 🙂...

    Wish you luck... PW
    View
    4
    ipdev
    ipdev
    I am not sure about the Google Pay Magisk Discussion Thread but, posts (including mine) related to Play Integrity in the Universal SafetyNet Fix 2.3.1 thread seem to start around Post # 1,796.

    All the posts about Play Integrity (that are not related to the USNF module) would have to be moved and kept in order to this thread.
    I am not sure how easy that would be to do, since a lot of the discussion included linked posts in the responses.

    Maybe @mrjuniork has an idea of the best and easiest way to do it?

    Cheers. :cowboy:

    PS.
    Sorry to ping you mrjuniork.
    I might be wrong but, it looks like you will be the one who gets stuck moving the posts.     🙃
    View

New posts