New Google Integrity API update breaks universal safetynet fix #203
Comments
|
"Google Play device is certified. YASNAC safety net fix passed. Google Pay is now Google Wallet which detects device as rooted regardless of safetynet pass status." |
|
Same with Oneplus nord, Android 12 stock with magisk |
|
Got the same problem with Oneplus 9 |
|
It actually is not part of the Wallet app. Before updating I got a notification from the Google Pay app before updating.
Them, I updated.
However, inside Wallet config it says that the phone meets the security standards. In beer root everything works. So it seems it relies in some kind of API from Google Play different from SafetyNet. Weird.
|
|
Same issue with Pixel 4 on Android 12.1 |
|
Same issue with Pixel 4a 5G on Android 11 (edit: and 12.1). Pixel 6 Pro on Android 12.1 is still working. |
|
UPDATE FROM MY PREVIOUS COMMENT: I've just tried paying with Google Wallet and I could pay without any problem. So the security standards info is right. They know but do nothing, yet... |
|
I only get this on Android 11. It's not present on Android 12 yet, but my suspicion is that Google is rolling this patch out gradually. I've noticed my Microsoft apps in my work profile spot root now, so I suspect this new method has been shared with other app manufacturers. I expect more disruption as the change rolls out. |
I updated the Pixel 4a 5G to the latest 12.1. The problem still persists (I did not wipe). |
|
I think it's being rolled out gradually. Or maybe it's because I use Lineage on my Android 12 phone? It could be because you're using a Pixel device. I've noted that before I removed root as a safety measure on my Android 12 phone, all company apps and GPay were working normally. |
|
I think this is not related to the Google Wallet upgrade. They just happened to push a Play Services update alongside the new Google Wallet which detects root better. Try downloading Netflix from Playstore :)
|
|
Yes, you're correct but it's still saying certified and safetynet pass.
Google trolling us?
…On Fri, 22 July 2022, 8:04 am Nikolas Spiridakis, ***@***.***> wrote:
I think this is not related to the Google Wallet upgrade. They just
happened to push a Play Services update alongside the new Google Wallet
which detects root better. Try downloading Netflix from Playstore :)
—
Reply to this email directly, view it on GitHub
<#203 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AUXCMKWZHTXUIZQLJ7F6OZDVVHCPHANCNFSM54HK2VVA>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
Netflix isn't in Play Store search results.
…On Fri, 22 July 2022, 8:05 am Quentin Ormancey, ***@***.***> wrote:
I confirm Netflix is bit working too
—
Reply to this email directly, view it on GitHub
<#203 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AUXCMKW3C4IEG3KQU5VOOULVVHCTDANCNFSM54HK2VVA>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
They are using this option on the Play Console
Which is this api Never seen that might be new |
|
Devs already know about Play Integrity API. It's basically another name for
SafteyNet. It will be replacing SafteyNet and SafteyNet will be deprecated
in 2024. This should be fixed in the next update.
…On Fri, 22 July 2022, 8:14 am Nikolas Spiridakis, ***@***.***> wrote:
It's because it's not safetynet
They are using this option on the Play Console
[image: Screenshot_20220722_005656]
<https://user-images.githubusercontent.com/30593419/180323882-dfa68e9d-e077-4711-b927-f1ff1a29b45f.png>
[image: Screenshot_20220722_011422]
<https://user-images.githubusercontent.com/30593419/180324040-0025e98b-854f-4ef8-8fd9-fb4999b38640.png>
Which is this api <https://developer.android.com/google/play/integrity>
—
Reply to this email directly, view it on GitHub
<#203 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AUXCMKWE77FG7P6YFEIQ6G3VVHDV3ANCNFSM54HK2VVA>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
I made this simple test app, it tells you if your device passes the new Play Integrity API. Extract and install the apk app-release.zip You can use this to play around and see if anything changes without having to reinstall google pay |
|
It seems to be unable to fix when Google completely replaces and enforces it. |
|
Thanks Nicolas hopefully a patch will come out soon.
…On Fri, 22 July 2022, 12:03 pm Nikolas Spiridakis, ***@***.***> wrote:
I made this simple test app, it tells you if your device passes the new
Play Integrity API. Extract and install the apk
app-release.zip
<https://github.com/kdrag0n/safetynet-fix/files/9163805/app-release.zip>
(I might upload the source code sometime, the code is pretty junk right
now)
You can use this to play around and see if anything changes without having
to reinstall google pay
—
Reply to this email directly, view it on GitHub
<#203 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AUXCMKVWNHQXXUP4YVXIZ53VVH6NJANCNFSM54HK2VVA>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
Are there any docs regarding what it implies internally? What kind of checks it performs? |
|
it has a different package name my app hasnt said anything. im also using https://github.com/stylemessiah/GPay-SQLite-Fix/releases and hide my applist |
|
GPay isn't Google Pay it's only for certain countries.
…On Fri, 22 July 2022, 4:59 pm pbanj, ***@***.***> wrote:
it has a different package name
[image: image]
<https://user-images.githubusercontent.com/17306233/180381442-8950baf2-0f6d-4fbd-a47f-c34411acdd6d.png>
my app hasnt said anything. im also using
https://github.com/stylemessiah/GPay-SQLite-Fix/releases and hide my
applist
—
Reply to this email directly, view it on GitHub
<#203 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AUXCMKSFPL4EFSKQCMKA4QDVVJBFPANCNFSM54HK2VVA>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
Same on S10+ android 12 beyond rom. I can download Netflix beta tho in Germany through Playstore |
|
These steps worked for me.
Some of the steps might be unnecessary so you are free to experiment. |
Yes. Google says "Does not meet requirements" means this:
|
|
API hooking (zygisk) or being rooted could be the problem |
|
What I don't get is people changing device fingerprints to pass the Integrity API. Why would that work? Why would I have to change my fingerprint when I don't have a custom rom? Is it banned or something? |
|
I guess Play Integrity is basically just rebranded Safetynet because when I create |
Yes but it should have extra stuff too.. I'm starting to think that Magisk's creator is behind all this. He started working as an Android security researcher at Google and he is incredibly talented at this kind of stuff. We never had such an aggressive api before |
This fingerprint (taken from the real device) passes DEVICE_INTEGRITY on non-rooted device and fails on the rooted device: This fingerprint (taken from another real device) passes DEVICE_INTEGRITY on non-rooted device and fails on the rooted device: But this fingerprint (bundled with MHPC) passes DEVICE_INTEGRITY on the rooted device: As you can see Android version is the same (7.1.1). The only difference is the firmware build number. That's what confuses me. |
Yes, the tests are different depending on the version. If you use a7 fingerprint on >a7 it can't check correctly and passes. If you use a7 fingerprint on a7, it does the intended checks and doesn't pass. I'm not entirely sure about this but is sound like a reasonable explanation |
I use a7 fingerprints on a7 and the point is that one fingerprint doesn't pass but another one passes. |
Then I have no idea |
Maybe it's the version conflict, it can't have the same build number in the version installed after root, I don't know. |
I think Google has some whitelist/blacklist for some prints. Blacklist for some ROMs existed even for SafetyNet (https://android.googleapis.com/attestation/status). |
|
Today I updated my GT 2 Pro and now I pass DEVICE_INTEGRITY too, and I was able to add a card to Google Wallet*. Looks like Google has to manually blacklist each fingerprint from using BASIC_INTEGRITY. *Google Wallet still says that my device doesn't meet the requirements, but probably it's just because I didn't clear its data after the update. |
Rooted OnePlus 8T On Android 12 (OOS12). Used moded safetynet fix module from here: https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-2-3-1.4217823/post-87198517. I used ONLY this module, did NOT use magisk Prop config module to spoof fingerprint. ✔️ MEETS_DEVICE_INTEGRITY Wallet and Netflix are working perfectly fine, Netflix is searchable in google play store too. |
|
okay here me out. If someone doesn't find a proper solution to the integrity api thing we are screwed real bad. I found a real world use case of the integrity api which makes the app's root check unhackable. Basically the integrity check is done 100% on a server and it is tied to the login request. This way it just won't let you log in if the integrity token you sent doesn't pass. And there is 0 way you can fake that token, everything in this is encrypted and tied to your device and the specific app. Now imagine your bank does this (which will probably do once SafetyNet is discontinued in 2024 I think). The only option would be to unroot. Sighhh.. This reminds me of Apple: "Oh yeah we support right to repair but we charge the parts 2x the price of the in-store repair". Google supports the platform being open but at the same time they want to block every app you have if you try to mess with it. |
Can confirm this modded SN Fix works for me on my Pixel 6 Pro on the new Android 13. |
|
safetynet-fix-v2.3.1-MOD.zip worked perfectly for me. Using beyond rom v4.6 |
|
I noticed suddenly Google Pay didn't work even though Netflix is in the Play Store. GPay detected a "rooted" device when I attempted to pay at a Starbucks. safetynet-fix-v2.3.1-MOD.zip also works for me when using GPay on a Pixel 6 running Android 13. |
How do you install this mod? |
|
@kax17 remove any fingerprint changer module you might have, reboot, go to magisk modules, install from storage, choose the zip, reboot |
Thank you, it was appearing greyed out at first. |
|
@kax17 it's still greyed out for me. Did you unistalled the old version ? |
|
Neither the Original or Modded SN gets Wallet contactless allowed. Samsung S22 Ultra Android 12. Safety Net passes fine though. EDIT: Forgot to clear playstore data, reporting certified now, but I just want google wallet tbh. |
|
Can someone check if Xbox Game Pass now works on their device? I suspect they started checking for Strong Verify... |
|
I have a OP6 which fails Strong Integrity. According to the Playstore, I
can install Xbox Game Pass. Dunno if that helps.
from my phone
…On Fri, 23 Sep 2022, 20:54 Alvaro - Lambda Softwares, < ***@***.***> wrote:
Can someone check if Xbox Game Pass now works on their device? I suspect
they started checking for Strong Verify...
—
Reply to this email directly, view it on GitHub
<#203 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/A2F6CEMVWFZTE5A4HQVI43LV7WD57ANCNFSM54HK2VVA>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
I can install it, but when it launches, closes automatically. |
Just installed it and it launches without issues |
|
I see . . I didn't try to actually install it.
Cheers.
from my phone
On Sat, 24 Sep 2022, 07:01 Alvaro - Lambda Softwares, <
***@***.***> wrote:
… I have a OP6 which fails Strong Integrity. According to the Playstore, I
can install Xbox Game Pass. Dunno if that helps. from my phone
… <#m_5991493211522626575_>
On Fri, 23 Sep 2022, 20:54 Alvaro - Lambda Softwares, < *@*.*> wrote: Can
someone check if Xbox Game Pass now works on their device? I suspect they
started checking for Strong Verify... — Reply to this email directly, view
it on GitHub <#203 (comment)
<#203 (comment)>>,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/A2F6CEMVWFZTE5A4HQVI43LV7WD57ANCNFSM54HK2VVA
<https://github.com/notifications/unsubscribe-auth/A2F6CEMVWFZTE5A4HQVI43LV7WD57ANCNFSM54HK2VVA>
. You are receiving this because you commented.Message ID: @.*>
I can install it, but when it launches, closes automatically.
—
Reply to this email directly, view it on GitHub
<#203 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/A2F6CEKOWTYGAP34VHKLFB3V7YLCHANCNFSM54HK2VVA>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
Magisk settings : (default) only Zygisk is ON BeforeBefore installing modded safetynet-fix, the Play Integrity API checker was all red. AfterAfter installing it, cleared data from every play service and framework, reboot, I got this error.
My playstore version was revert back by the module to 28.3.16-21. The section to check certification is not available in settings. Google wallet and Netflix are now available in store. TestFor testing purpose, I updated the playstore to see if it would solve the Play Integrity API checker error. It took some time with no notification. Now playstore version is 32.4.13-21. It still suggests to update but there is no newer version. After some time, the certification section displays. It passes. After clearing data of Play Integrity API checker. No error and new result. SafetyNet Check app before and after installing the mod.
Pretty straight forward solution. |
|
Duplicate of #204 |
|
You can also use Hide My Applist install the Magisk module in settings.
Create a custom black list rule with Magisk, Xposed,/LSPosed and all other
root apps and apply the rule to Google Play, Play Services, Google Service
Framework, Google Wallet.
…On Sun, 24 July 2022, 3:14 am whitewallman, ***@***.***> wrote:
Probably too early, but there's not a Pixel 4 solution yet, correct?
—
Reply to this email directly, view it on GitHub
<#203 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AUXCMKXKNKQRJUDEGYAGM6TVVQR7FANCNFSM54HK2VVA>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
"AndroidCAStore" always seems to be used early in the attestation process, before the fingerprint is checked. Dynamic patching avoids problems with device detection and functionality that can be caused by permanently spoofing another device. Fixes #207, #224, #222, #220, #218, #212, #211, #210, #204, #203, #201, #196, #188, #171, #170
"AndroidCAStore" always seems to be used early in the attestation process, before the fingerprint is checked. Dynamic patching avoids problems with device detection and functionality that can be caused by permanently spoofing another device. Closes #207, closes #224, closes #222, closes #220, closes #218, closes #212, closes #211, closes #210, closes #204, closes #203, closes #201, closes #196, closes #188, closes #171, closes #170
and others
New Google Integrity API update breaks universal safetynet fix
Describe the bug
Google Play device is certified. YASNAC safety net passes. Google Pay is now Google Wallet which detects device as rooted regardless of safetynet pass status.
To reproduce
Steps to reproduce the behavior:
Expected behavior
To be able to add payment method credit or debit card to new Google Wallet.
Screenshots
Device info
Device model: Samsung Galaxy S22 Ultra SM-S908E Snapdragon
Android version: 12
ROM name/version: Stock rom with Magisk and TWRP
The text was updated successfully, but these errors were encountered: