some of us recommend doing the airplane mode thing for Google Play Store/Google Play Services when trying to pass the Integrity test after installing Magisk
not necessary for the average app
Is this better than originalSo, here is my modification of USNF with Play Integrity API bypass.
It changes fingerprint to old
126.96.36.199 (LOL) and apply it only for GMS SafetyNet process (by Zygisk injection), so your original prints/security path level does not change. This avoids many side effects/problems with global props changing.
Bypassing DEVICE_INTEGRITY for devices that shipped with Android 13+ (Pixel`s 7 )
Drop fingerprint to lowest possible (6.0) to ensure that no one use same Android version
1. Delete/disable/reset MagiskHidePropsConfig (if installed).
2. Just install it over old Universal SafetyNet Fix and reboot device.
3. You may be needed to wipe GMS data (not cache) if there is no result immediately.
Many thanks to @1nikolas for integrity checker.
Source code: https://github.com/Displax/safetynet-fix/tree/integrity
Did you read what you quoted?
Wait this module will be updated ”within days”?He's possibly still asleep as its 5:30AM Sydney time, or starting his walk up his belltower on the way to work
USNF MOD v.2: Bypassing DEVICE_INTEGRITY for devices that shipped with Android 13+ (Pixel`s 7 )
It functionally makes no dfifference if youre
a) already passing with the non-modded one
b) whether you use v1.0 or v2.0 of the Modded version, if the non-modded one doesnt work, unless youre on a device launching with A13...
All the above will be moot wihin days when kdrag0n rolls out his updated official one
Will it rain next year on the same day?
You may be missing the point of this module.
Very low level firmware... Looks like broken droidguard implementation to me, but OEM is responsible to implement keymaster functions...
Wow, yes... We have a major problem Huston...
I Hadn't noticed this till two days ago... Google Wallet was working for contactless payments at lunch, but for coffee afterwards it failed with 'device doesn't meet security requirements'... (FWIW, I may have rebooted phone during lunch...)
Checked and deviceIntegrity was good, but immediately after a reboot got failed verdict and minutes later all is good again...
FYI Google Pay/Wallet somehow monitors device security even while app is closed (likely Google gets telemetry if lockscreen pattern/password is removed, deviceIntegrity is lost, etc), and contactless fails on next use... This occurs after bad device integrity verdicts, or if a user disables lockscreen pin or pattern... even if this is restored before opening Google Pay/Wallet, bank cards may have already been removed... So even brief loss of deviceIntegrity at startup is catastrophic for G Pay / Wallet!
To avoid intermittent Play Integrity failures I've reverted to @Displax modded USNF also; all seems good and can't reproduce failed verdict...
To fix G Wallet however, despite knowing it would likely just come right in about a week, I tried the immediate fix as it's worked for me in the past:
...Bit of a saga begins...
Uninstalled wallet, cleared Google Pay and Google Play Services data, rebooted, installed wallet again only to get the familiar "Google Pay is Currently Updating..." Screen that never goes away! .... No problem... I covered a fix for this in "Current fixes needed for Google Pay / Wallet" linked here:
Post in thread '[Discussion] Google Pay Magisk Discussion Thread' https://forum.xda-developers.com/t/...agisk-discussion-thread.3906703/post-87481637
... Tried both clearing data and rebooting as well as uninstalling/reinstalling and nothing worked this time!... Still stuck on updating screen!
Finally resolved after removing all Play Store and Play Services updates, clearing their caches only, uninstalling Google Pay (even latest version doesn't show as 'Wallet' until online 'App is updating...' completes), rebooting, re-installing Google 'Wallet' --> Finally G Pay opens and updates to Wallet successfully!... No more security issue for contactless payments since reverted to @Displax modded USNF...
...End of Saga...
But this part-time spoofing based on new hooks is only for fingerprint prop mismatch (for some devices on Google's list for HKA based verdict enforcement in PI API) AFAIK ... My device (Xiaomi RedMi Note 8T w/ stock MIUI A10) like many A8, 9 & 10 devices, actually needs none of the three prop based bypasses we now have to pass either S/N or PI deviceIntegrity; I do need the principal broken keystore based fallback to Basic attestation to pass these however...
Because of this, I think the issue is something other than temporary fingerprint prop spoofing... Could it be that the fake keystore is registered so late that I can run Play Integrity API Checker before it breaks HKA?...
Anyone else had G Pay/Wallet failing after installing USNF 2.4.0?...
Yes, I missed something in JSON... While Unevaluated results DO NOT apply to deviceIntegrity as I mentioned already (These are for appIntegrity - appRecognitionVerdict and accountDetails - appLicensingVerdict ... These are different signals from deviceIntegrity within the new Play integrity verdict), I'm no longer sure deviceIntegrity is actually supplying a proper response since while documentation says "device_recognition_verdict can have one of the following labels:Hey.
So with all modules (including USNF) the safetynet and PI Integrity shows "Not passed" (Duh).
The MOMO shows just that it found the SU folder and detected Magisk.
When everything excluding the @Displax modded USNF is turned off (and also Play Services data cleared) the results are on the screenshots below. Note: Deny list is enforced and only Google Wallet and some banking apps are added, nothing more.
YASNAC passes with flying colours. The device integrity in 2 apps fail to be checked and return UNEVALUATED results. Json is also attached.
What's baffling is that even now, the Google Wallet worked (I checked it now in the supermarket terminal).
No labels (a blank value)
The app is running on a device that has signs of attack (such as API hooking) or system compromise (such as being rooted), or the app is not running on a physical device (such as an emulator that does not pass Google Play integrity checks).
Apart from permissive SELinux, you may break system partition/digest checks if you have ever run ANY system mods (even changing simple file permissions), eg twrp flashable mods etc, and even if you have fully reverted these, on current ROM... If you suspect this, flashing system again should fix...PWAnyway, it seems something is now breaking PI's more sensitive basicIntegrity verdict... Again, please report check w/ all modules disabled except USNF... This user also had passing S/N but failing PI basicIntegrity due to modules on OnePlus 7 device w/ stock ROM:
Also, please check your selinux status is enforcing regardless of results disabling modules... (Are you a viper4android user?)... PW
Thanks for your experience/confirmation per recent discussion here!... My initial experience here:I wasn't able to add bank card to the Wallet.
Using Magisk Alpha which is hidden,
Google Play Services and Google Play Store added to DenyList,
Shamiko and Universal SafetyNet Fix 2.4.0 are installed,
Play Integrity API Checker says Device and Basic Integrity pass,
YASNAC says Basic integrity and CTS profile match both pass
I have clear data for Google Play Services, Google Play Store and for Wallet, phone rebooted but still getting: "Couldn't finish setup to pay in stores. This phone can't be used to pay in stores"
Then I have uninstalled USNF 2.4.0, reboot, installed safetynet-fix-v2.3.1-MOD_2.1.zip and finally bank card added to the Wallet.
Please make 'Universal Play Integrity Fix' ... #204
Fixes to expand 'Universal SafetyNet Fix' to become a 'Universal Play Integrity Fix' are needed.
The SafetyNet Attestation API is deprecated and has been replaced by the Play Integrity API.
New Play Integrity API is rolling out from June 2022, and evidently Google Play Store and Google Pay/Wallet are already using its verdict.
June 2023 is the Migration Deadline for app developers. This will also allow their older app versions to continue working with SafetyNet API for a limited time.
June 2024 is the End of life for SafetyNet API; its attestation will no longer work for any app version, and apps will receive an error.
The new Integrity API has more strict requirements for passing attestation, and this seems to be enforced in Android 11+ particularly.
Currently (evidently due to this), device security issues are detected by
I'm guessing that the 'passing' messages based on the old SafetyNet API are likely to realigned soon.
- Google Pay/Wallet, which may state "You can't pay contactless with this device...(Your phone doesn't meet software standards)" on updating or attempting to add a card despite in-app Contactless setup stating "You're ready to pay contactless with your phone (Your phone meets security requirements)", and
- Google Play Store, which may no longer show apps like Netflix w/ Android 11+ (developers can 'exclude devices from their app's distribution based on their device integrity . Device exclusion is based on the latest device integrity verdict that the Play Store app receives from the Play Integrity API') despite in-app settings showing Play Protect 'Device is certified' result.
A workaround that evidently allows Play Integrity API attestation to pass (and solve Wallet / Play Store issues also) has been discovered. It involves spoofing an earlier certified ROM, generally by using MagiskHide Props Config module to change fingerprint prop to one for Android 10 or earlier.
Undoubtedly other apps will begin to detect broken TEE etc / fail as they migrate or begin integrating the Play Integrity API.
A 'Universal Play Integrity Fix' will evidently require more understanding / research into how the fingerprint prop is used, and possibly other new behaviours.