Play Integrity API
What is Play Integrity?
Play Integrity has replaced SafetyNet for the most part, with a deadline of June 2024, when Google's SafetyNet servers will go offline. Apps that continue to exclusively depend on SafetyNet will no longer work once this happens. Most developers have already migrated to Play Integrity.
Is Play Integrity the same as Play Protect?
No. Play Integrity provides users with the ability to verify device compatibility and security, much like SafetyNet did. Play Protect is a part of the Play Store that ensures that your device is certified, and helps to protect against malware. In this context, "certified" refers to whether or not your device has passed Android compatibility testing. This is also used for part of the Play Integrity checks. More information here
My device passes SafetyNet but I can't use Google Pay/other apps.
Don't rely on SafetyNet as a good assessment of your device's compatibility and security. It is possible to pass SafetyNet, but fail Play Integrity.
Rooted Pixel 5 on stock firmware: USNF 2.3.1 shows SafetyNet Pass using YASNAC
, but device fails Play Integrity DEVICE_INTEGRITY check.
How do I know if my device is passing Play Integrity checks?
To check Play Integrity status, you can use this app:
If you're a nerd and you want to check key attestation, use this:
Get info about your Device Integrity through the Play Intergrity API
What causes a device to fail Play Integrity checks?
Demo for Key Attestation feature of the Android system.
It depends on your Android version and device state. If you're on an old version of Android prior to 8.0, even an unmodified device will only pass BASIC_INTEGRITY and DEVICE_INTEGRITY, because they are not capable of hardware backed attestation methods. Android 8.0+ devices that are not modified or unlocked should pass all 3; Android 8.0+ devices with unlocked bootloaders will fail all 3, because the unlocked bootloader state means hardware backed attestation is not possible.
What do I do if my device is failing all 3 checks?
You can use the Universal SafetyNet Fix Magisk module 2.4.0 or higher, which forces basic attestation similar to pre Android 8. If you're on rooted OEM firmware, this should be sufficient for most apps including Google Pay. Custom ROMs and Chinese OEMs may have to use fingerprint altering methods to pass. It is not possible to pass STRONG integrity on an unlocked bootloader...unless it's"broken", like an ASUS ROG. Fortunately, this isn't a big deal, as no app developers are known to require that verdict.
Now, details on what Play Integrity is and how it works...
SafetyNet has been discontinued
in favor of the new Play Integrity
, which uses stronger methods to verify the security of a device. This is why many rooted users have been unable to use security sensitive apps, such as banking and DRM. There is a workaround for this.
But first, details on the new API.
The three elements in Play Integrity are:
MEETS_DEVICE_INTEGRITY: Corresponds to SafetyNet
ctsProfileMatch. The app is running on an Android device powered by Google Play services. The device passes system integrity checks and meets Android compatibility requirements. (Device profile matches that of a device that has passed Compatibility Test Suite) A device that fails this will appear as Uncertified in Play Store.
MEETS_BASIC_INTEGRITY: Corresponds to SafetyNet
basicIntegrity. The app is running on a device that passes basic system integrity checks. The device may not meet Android compatibility requirements and may not be approved to run Google Play services. For example, the device may be running an unrecognized version of Android, may have an unlocked bootloader, or may not have been certified by the manufacturer. Most devices should pass this, even if they're rooted.
MEETS_STRONG_INTEGRITY: Corresponds to SafetyNet
HARDWARE_BACKED attestation. The app is running on an Android device powered by Google Play services and has a strong guarantee of system integrity such as a hardware-backed proof of boot integrity. The device passes system integrity checks and meets Android compatibility requirements. An unlocked bootloader will ALWAYS fail this label because boot integrity cannot be verified, meaning that hardware backed attestation methods cannot be used.
shows the relationship between SafetyNet and Play Integrity responses:
View attachment 5732079
The most fundamental change is that Play Integrity, by default, uses hardware methods to verify BASIC and DEVICE integrity, which is why simply having an unlocked bootloader will cause the device to fail all 3 results. However, Play Integrity also uses hardware methods (if available) to verify device security state in addition to
the aforementioned checks. This is STRONG integrity, which relies on hardware-backed key attestation
as well as Verified Boot
to verify that a device has not been tampered with and
. It is not possible to pass STRONG integrity on an unlocked and/or modified device, or a pre Android 8 device.
(Notable exception being devices with broken keystores such as ASUS ROG)
It is worth noting that SafetyNet always provided the means for developers to force hardware backed evaluation types; none did, including Google. The same seems to still be true; most app developers require DEVICE verdict, "secure" apps require BASIC and DEVICE, but none are known to require STRONG
So this all sounds rather depressing. What do we do?
Fortunately, we have the ability to force a basic attestation method that prevents the use of hardware checks, meaning it is possible to partially pass. Universal SafetyNet Fix 2.4.0 does this:
(Response from Play Integrity Checker on my rooted Pixel 5 with Universal SafetyNet Fix MOD by Displax)
View attachment 5751415
You can find that module here:
Google SafetyNet attestation workarounds for Magisk - kdrag0n/safetynet-fix
As far as how this is going to affect us in the future, it's up to the app developers to decide what results they want. In most cases, all they care about is
. But if they really want to ensure that they're running on a trusted platform, they can require
attestation, which cannot be spoofed or bypassed. BASIC and DEVICE can, because they use the same mechanisms that SafetyNet did. The million dollar question is whether they ever will.
For those interested in the timeline:
View attachment 5732061
For more information, please read the discussion in this thread.