safetynet-fix
New Google Integrity API update breaks universal safetynet fix
Describe the bug Google Play device is certified. YASNAC safety net passes. Google Pay is now Google Wallet which detects device as rooted regardless of safetynet pass status.
To reproduce Steps to reproduce the behavior:
- Go to play store
- Update to Google Wallet
- Attempt to add payment method
- See error
Expected behavior To be able to add payment method credit or debit card to new Google Wallet.
Screenshots
Device info
- Device model: Samsung Galaxy S22 Ultra SM-S908E Snapdragon
- Android version: 12
- ROM name/version: Stock rom with Magisk and TWRP
"Google Play device is certified. YASNAC safety net fix passed. Google Pay is now Google Wallet which detects device as rooted regardless of safetynet pass status." Same Realme GT Master Edition, stock rom with magisk
Same with Oneplus nord, Android 12 stock with magisk
Got the same problem with Oneplus 9
It actually is not part of the Wallet app. Before updating I got a notification from the Google Pay app before updating.
Then, I updated. And also got the message.
However, inside Wallet config it says that the phone meets the security standards.
In beer root everything works.
So it seems it relies on some kind of API from Google Play different from SafetyNet.
Weird.
Same issue with Pixel 4 on Android 12.1
Same issue with Pixel 4a 5G on Android 11 (edit: and 12.1). Pixel 6 Pro on Android 12.1 is still working.
UPDATE FROM MY PREVIOUS COMMENT:
I've just tried paying with Google Wallet and I could pay without any problem. So the security standards info is right. They know but do nothing, yet...
I only get this on Android 11. It's not present on Android 12 yet, but my suspicion is that Google is rolling this patch out gradually. I've noticed my Microsoft apps in my work profile spot root now, so I suspect this new method has been shared with other app manufacturers. I expect more disruption as the change rolls out.
I only get this on Android 11. It's not present on Android 12 yet,
I updated the Pixel 4a 5G to the latest 12.1. The problem still persists (I did not wipe).
I think it's being rolled out gradually. Or maybe it's because I use Lineage on my Android 12 phone? It could be because you're using a Pixel device. I've noted that before I removed root as a safety measure on my Android 12 phone, all company apps and GPay were working normally.
I think this is not related to the Google Wallet upgrade. They just happened to push a Play Services update alongside the new Google Wallet which detects root better. Try downloading Netflix from Playstore :)
Yes, you're correct but it's still saying certified and safetynet pass. Google trolling us?
Netflix isn't in Play Store search results.
On Fri, 22 July 2022, 8:05 am Quentin Ormancey wrote:
I confirm Netflix is not working too
It's because it's not safetynet
They are using this option on the Play Console
Which is this api https://developer.android.com/google/play/integrity
Never seen that might be new
Devs already know about Play Integrity API. It's basically another name for SafetyNet. It will be replacing SafetyNet and SafetyNet will be deprecated in 2024. This should be fixed in the next update.
I made this simple test app, it tells you if your device passes the new Play Integrity API. Extract and install the apk
app-release.zip https://github.com/kdrag0n/safetynet-fix/files/9163805/app-release.zip (I might upload the source code sometime, the code is pretty junk right now)
You can use this to play around and see if anything changes without having to reinstall google pay
It seems to be unable to fix when Google completely replaces and enforces it.
Thanks Nicolas, hopefully a patch will come out soon.
It's because it's not safetynet
They are using this option on the Play Console
Which is this api
Never seen that might be new
Are there any docs regarding what it implies internally? What kind of checks it performs?
It has a different package name.
My app hasn't said anything. I'm also using https://github.com/stylemessiah/GPay-SQLite-Fix/releases and hide my applist
GPay isn't Google Pay it's only for certain countries.
Same on S10+ android 12 beyond rom. I can download Netflix beta tho in Germany through Playstore. The "new" integrity check fails, tested with the app posted here, and wallet also doesn't work.
These steps worked for me.
- Change fingerprint to pixel device (pixel 5 to be precise)
- Reboot
- Add play store to magisk hide list (all processes)
- Clear data of play store
- Reboot
- Open app and check
- ??? Profit
Some of the steps might be unnecessary so you are free to experiment.
Are there any docs regarding what it implies internally? What kind of checks it performs?
Yes. Google says "Does not meet requirements" means this:
The app is running on a device that has signs of attack (such as API hooking) or system compromise (such as being rooted), or the app is not running on a physical device (such as an emulator that does not pass Google Play integrity checks). ... If you are having problems with your testing device meeting device integrity, make sure the factory ROM is installed (for example, by resetting the device) and that the bootloader is locked.
API hooking (zygisk) or being rooted could be the problem
What I don't get is people changing device fingerprints to pass the Integrity API. Why would that work? Why would I have to change my fingerprint when I don't have a custom rom? Is it banned or something?
I guess Play Integrity is basically just rebranded Safetynet because when I create /data/local/tmp/su (which trigger Safetynet fails) also trigger Play Integrity to fail
As far as I tested:
MEETS_DEVICE_INTEGRITY = Pass ctsprofile & basicintegrity
I guess Play Integrity is basically just Safetynet because when I create /data/local/tmp/su (which trigger Safetynet fails) also trigger Play Integrity to fail
Yes but it should have extra stuff too..
I'm starting to think that Magisk's creator is behind all this. He started working as an Android security researcher at Google and he is incredibly talented at this kind of stuff. We never had such an aggressive api before
What I don't get is people changing device fingerprints to pass the Integrity API. Why would that work? Why would I have to change my fingerprint when I don't have a custom rom? Is it banned or something?
No need to change. I use stock ROM or Custom ROM (with safetynet fix integration) also does not need to change fingerprint props
I guess Play Integrity is basically just rebranded Safetynet because when I create /data/local/tmp/su (which trigger Safetynet fails) also trigger Play Integrity to fail
As far as I tested:
MEETS_DEVICE_INTEGRITY = Pass ctsprofile & basicintegrity
MEETS_BASIC_INTEGRITY = Pass basicintegrity
The basic integrity flag can be only obtained through apps available on Playstore and I think it's something else entirely (read the docs)
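For app developers following the verdict labels discussed above (MEETS_DEVICE_INTEGRITY, MEETS_BASIC_INTEGRITY), here is an added example, not code from this thread or from the safetynet-fix project, of a server-side policy check over an already decrypted Play Integrity verdict payload. The sample payload, package name, nonce, freshness window and the function name `evaluate_verdict` are assumptions made for illustration.

```python
import hmac

# Constructed sample of a decoded verdict payload. Field names follow Google's
# published Play Integrity payload format; every value here is made up.
SAMPLE_VERDICT = {
    "requestDetails": {
        "requestPackageName": "com.example.wallet",
        "nonce": "c2FtcGxlLW5vbmNlLTAwMDE",
        "timestampMillis": "1658448000000",
    },
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY"]},
}

MAX_AGE_MS = 5 * 60 * 1000  # assumed freshness window, tune per application


def evaluate_verdict(payload, expected_pkg, expected_nonce, now_ms,
                     required_label="MEETS_DEVICE_INTEGRITY"):
    """Return (allowed, reasons) for a decoded verdict; fails closed on gaps."""
    reasons = []
    req = payload.get("requestDetails") or {}
    if req.get("requestPackageName") != expected_pkg:
        reasons.append("package name mismatch")
    # Constant-time compare against the nonce this server issued for the session.
    got_nonce = str(req.get("nonce", "")).encode()
    if not hmac.compare_digest(got_nonce, expected_nonce.encode()):
        reasons.append("nonce mismatch (possible replay)")
    try:
        age = now_ms - int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        age = None
    if age is None or not 0 <= age <= MAX_AGE_MS:
        reasons.append("verdict stale or timestamp missing")
    app = payload.get("appIntegrity") or {}
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app not recognized by Play")
    # An empty or missing label list is the "does not meet requirements" case.
    device = payload.get("deviceIntegrity") or {}
    labels = device.get("deviceRecognitionVerdict") or []
    if required_label not in labels:
        reasons.append(f"device verdict lacks {required_label}: {sorted(labels)}")
    return (not reasons, reasons)
```

The decision is made on the server from the decoded payload, so a client-side display of "certified" or a passing legacy check has no bearing on the outcome.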