MAGISK MODULE ❯ Universal SafetyNet Fix 2.4.0

[osm0sis]

So is it something like this?:
gmscompat: Make CTS/Play Integrity pass again …

Must be an A/B test, since my device is still doing fine with MOD 2.1.

 

[crypticc]

Heads up I've noticed a flurry of updates for banking apps today
Citi
Chase etc

They currently work. Not sure if they will if updated.

 

[TotallyAnxious]

Pixel 7 Pro working fine with 3.0 mod.

 

[cognitivedissonance]

Clear data for Wallet and GPay, make sure both are in DenyList (include all subprocesses).

Stop checking for SafetyNet pass. You need to be checking Play Integrity.

Well crap, this is the first I'd seen of Play Integrity, and I fail all 3 of those checks. I guess I need to start digging into what's happening there. Very strange that this just randomly popped up. Anyway thanks for the help.

 

[V0latyle]

Well crap, this is the first I'd seen of Play Integrity, and I fail all 3 of those checks. I guess I need to start digging into what's happening there. Very strange that this just randomly popped up. Anyway thanks for the help.

I've written a pretty comprehensive article here that should help clarify things.

 

[cognitivedissonance]

I've written a pretty comprehensive article here that should help clarify things.

Just read through and then skipped to the end. Seems like something may have changed over the course of the past couple days given that people are seeing it break randomly. Hopefully a better understanding of how to pass the checks more reliably is gained in the near future, because it sounds like right now there's no definite way to fix it in the same way we worked around safetynet.

 

[cbomb1337]

All these USF mods drain my battery badly. They create a wakelock. Noticed it before in pixel 6 and tab s7.

 

[jknaggs]

Heads up I've noticed a flurry of updates for banking apps today
Citi
Chase etc

They currently work. Not sure if they will if updated.

Just updated Chase UK and working fine.

 

[iwearthebelt]

This morning I just got a pop-up from Google Wallet warning me that my Tap To Pay would no longer be available due to not meeting security requirements. Sure enough when I checked in the Google Wallet app (Profile letter in the upper right > Tap To Pay setup) the first thing listed is the message "Phone doesn't meet security requirements."

I checked to see if safety net was still passing, and the CTS profile match failed. I'm on Magisk 25.2 stable, USNF 2.4.0, Shamiko 0.6 (Denylist not enforcing of course,) Systemless Hosts 1.0, and BusyBox 1.34.1. I've been running this for quite a while without issue.

I found this thread, and installed Displax's USNF 2.3.1 (MOD 3) overtop of USNF 2.4.0 and then rebooted. SafetyNet check now fully passes again including CTS profile match. The issue with Wallet remains though -- it still is showing "Phone doesn't meet security requirements." Is that expected, or are there further steps I can take?

I had the same issue, it will disappear after the first time you opened the wallet. It shouldn't show that message again.

 

[ddrum2000]

How are you able to get both Gpay and wallet. I only see wallet in play store.

Which region are you? I recently came back from holiday in India and they were still using Gpay which was deprecated years ago I thought.

I'm not sure how i got both because this was not previously the case. I'm in the USA.

 

[cognitivedissonance]

I had the same issue, it will disappear after the first time you opened the wallet. It shouldn't show that message again.

You're correct - Wallet only gives the one pop-up, but it still seems to be detecting an issue with Play Integrity, which is unsurprising because I currently am failing all 3 of the Play Integrity checks.

Have you checked your Play Integrity? And have you checked in the Wallet menus to see if it still shows the message I mentioned?

 

[V0latyle]

Just read through and then skipped to the end. Seems like something may have changed over the course of the past couple days given that people are seeing it break randomly. Hopefully a better understanding of how to pass the checks more reliably is gained in the near future, because it sounds like right now there's no definite way to fix it in the same way we worked around safetynet.

Well, as @pndwal pointed out, Google appears to still be tinkering with the inner workings of the Play Integrity API, as he described here. Up until this point, PI only seemed to evaluate the profile/fingerprint of the device, and accept basic vs hardware-backed attestation as is. Now, it seems that they're attempting to verify whether the fingerprint/profile of the device matches what's actually running - so for example, my Pixel 5 running Android 11, 12, or 13 is a valid CTS profile, but 10 or prior is not.

In other words, PI doesn't appear to simply accept whether basic vs hardware backed attestation is used, but rather is determining which should be used based on the environment - that is, any compatible platform running Android 8+ should be using hardware backed attestation.

@Displax would you mind explaining what all changed in Mod 3.0?

 

[crypticc]

Clear data for Wallet and GPay, make sure both are in DenyList (include all subprocesses).

Stop checking for SafetyNet pass. You need to be checking Play Integrity.


All you have to do is read this thread. Others have asked your question, and it has been answered many times.

Sorry to bug you but this mention of both wallet and Gpay really confusing me.
When I look in apps Inc system I only see wallet (and only if I've actively installed from Google play). If I search Gpay it brings back the wallet (again only if actively installed)
The wallet shortcut still works in the menu but I presume it's using a hidden APK that I can't block it clear.
That's UK phone pxl6pro



Edit:. Actually then installing wallet again (I think Magisk still had the flag set from previous install) and I've now been able to add a card.

This is still with the mod 3 that I updated to earlier that was previously failing.

I still don't understand the references to Gpay on UK phones but for now at least I'm up and running again.

P.s. this is what I get in pi check

 

[chuppito]

hello, do you have a functional solution for wallet? so far I'm failing. I tried the 2 versions Universal safetynet fix

 

[cognitivedissonance]

Well, as @pndwal pointed out, Google appears to still be tinkering with the inner workings of the Play Integrity API, as he described here. Up until this point, PI only seemed to evaluate the profile/fingerprint of the device, and accept basic vs hardware-backed attestation as is. Now, it seems that they're attempting to verify whether the fingerprint/profile of the device matches what's actually running - so for example, my Pixel 5 running Android 11, 12, or 13 is a valid CTS profile, but 10 or prior is not.

In other words, PI doesn't appear to simply accept whether basic vs hardware backed attestation is used, but rather is determining which should be used based on the environment - that is, any compatible platform running Android 8+ should be using hardware backed attestation.

@Displax would you mind explaining what all changed in Mod 3.0?

Some of this is definitely over my head, so just in case it helps give context to someone who knows a lot more than me, I guess I'll give a couple additional details about my setup. I'm on a Pixel 2 XL running the latest Android 10 factory image, taken directly from Google.

I also have a sneaking suspicion that I may have screwed something up with my attempts to install the root version of ReVanced Extended. Those attempts included uninstalling Vanced (which was installed overtop of the system YouTube app,) reattaching YouTube to the Play Store (had been disconnected using TeMeFi,) then updating YouTube with the target version from apk mirror, patching it, then installing the patched version over top, and finally detaching using TeMeFi again. TeMeFi seems sorta intrusive, so it could be that, or it could be screwing with a system app that's causing me to fail Play Integrity checking.

Sorry to bug you but this mention of both wallet and Gpay really confusing me.
When I look in apps Inc system I only see wallet (and only if I've actively installed from Google play). If I search Gpay it brings back the wallet (again only if actively installed)
The wallet shortcut still works in the menu but I presume it's using a hidden APK that I can't block it clear.
That's UK phone pxl6pro

Gpay ---> https://play.google.com/store/apps/details?id=com.google.android.apps.nbu.paisa.user

Google Wallet ---> https://play.google.com/store/apps/details?id=com.google.android.apps.walletnfcrel

 

[Jon8RFC]

Firstly, test this on Pixel's

Mod 2.1 failed to help as of yesterday (maybe before then, I hadn't checked in at least a week) on p7p with JANUARY 2023 update.
Installed mod 3.0 on JANUARY 2023 update and all is well.

Thanks!

 

[V0latyle]

Sorry to bug you but this mention of both wallet and Gpay really confusing me.
When I look in apps Inc system I only see wallet (and only if I've actively installed from Google play). If I search Gpay it brings back the wallet (again only if actively installed)
The wallet shortcut still works in the menu but I presume it's using a hidden APK that I can't block it clear.
That's UK phone pxl6pro

There actually seem to be 3 separate components.

Pixel firmware has some sort of built in GPay/Wallet functionality. There's also the standalone GPay app, as well as the standalone Wallet app. I have both on my Pixel 5, but if I uninstall both of them, I still have Wallet in my Quick Settings.

hello, do you have a functional solution for wallet? so far I'm failing. I tried the 2 versions Universal safetynet fix

Try this:

• Remove any previous versions of Universal SafetyNet Fix and MagiskHide Props Config from Magisk.
• Reboot device.
• Go into Magisk DenyList, and enable DenyList on all components of Play Store, Wallet, and GPay. Clear data for all 3 apps.
• Download and install USNF 2.3.1 MOD 3.0
• Reboot again
• Check Play Integrity status, use Play Integrity API Checker

 

[V0latyle]

Some of this is definitely over my head, so just in case it helps give context to someone who knows a lot more than me, I guess I'll give a couple additional details about my setup. I'm on a Pixel 2 XL running the latest Android 10 factory image, taken directly from Google.

Shouldn't be hard to pass BASIC and DEVICE integrity. See my previous post

I also have a sneaking suspicion that I may have screwed something up with my attempts to install the root version of ReVanced Extended. Those attempts included uninstalling Vanced (which was installed overtop of the system YouTube app,) reattaching YouTube to the Play Store (had been disconnected using TeMeFi,) then updating YouTube with the target version from apk mirror, patching it, then installing the patched version over top, and finally detaching using TeMeFi again. TeMeFi seems sorta intrusive, so it could be that, or it could be screwing with a system app that's causing me to fail Play Integrity checking.

I don't think this would actually cause it, but it's possible.

 

[crypticc]

hello, do you have a functional solution for wallet? so far I'm failing. I tried the 2 versions Universal safetynet fix

As above mine currently working.

full stock Android... TQ1A.221205.011

I originally had this config:

1. Magisk latest app and root (25206)
2. Running in Zygote,
3. USNF Displax 2.3.1_MOD 3 (previously 2.1)
4. Shamiko 0.6 (126)
5. Enforce Deny list disabled (as per Shamiko instruction)

Deny list including :

• Google Play Protect,
• Google Play Services (I've tried both with and without this)
• Google wallet

In addition I've added following into deny list as mentioned by others on this thread

• Global actions Wallet API
• Android setup that includes the lifeboat API mentioned by others
• Device policy (also mentioned lifeboat so did this too)
• Betterbug (mentioned by others here)
• Hardware info, because why not?
• Security hub
• Settings service ( includes lifeboat as mentioned)

Banking and media apps

I've probably put more than u need in the deny list but something in that second list is, once mod3 installed, what finally also allowed me to add a card. Might be coincidental though as been clearing rebooting adding clearing etc all day

 

[olik2000]

So, here is my modification of USNF with Play Integrity API bypass.

It changes fingerprint to old 7.1.2 6.0 (LOL) and apply it only for GMS SafetyNet process (by Zygisk injection), so your original prints/security path level does not change. This avoids many side effects/problems with global props changing.

Updated 3.0:
No words needed, you understand everything yourself

Updated 2.1:
Hide "Enable OEM Unlock" setting

Updated 2.0:
Bypassing DEVICE_INTEGRITY for devices that shipped with Android 13+ (Pixel`s 7 )

Updated:
Drop fingerprint to lowest possible (6.0) to ensure that no one use same Android version

Usage:
1. Delete/disable/reset MagiskHidePropsConfig (if installed).
2. Just install it over old Universal SafetyNet Fix and reboot device.
3. You may be needed to wipe GMS data (not cache) if there is no result immediately.

Many thanks to @1nikolas for integrity checker.

Source code: https://github.com/Displax/safetynet-fix/tree/integrity

Thank you, this solved all my problems with the apps in my work profile!