safetynet-fix

Please make 'Universal Play Integrity Fix' ...

Open pndwal opened this issue 2 years ago • 5 comments

Fixes to expand 'Universal SafetyNet Fix' to become a 'Universal Play Integrity Fix' are needed.

The SafetyNet Attestation API is deprecated and has been replaced by the Play Integrity API. https://developer.android.com/training/safetynet/deprecation-timeline

New Play Integrity API is rolling out from June 2022, and evidently Google Play Store and Google Pay/Wallet are already using its verdict.

June 2023 is the Migration Deadline for app developers. This will also allow their older app versions to continue working with SafetyNet API for a limited time.

June 2024 is the End of life for SafetyNet API; its attestation will no longer work for any app version, and apps will receive an error.

The new Integrity API has more strict requirements for passing attestation, and there seem to be extra requirements for passing fingerprint props in Android 11+ particularly.

Currently (evidently due to this), device security issues are detected by

  1. Google Pay/Wallet, which may state "You can't pay contactless with this device...(Your phone doesn't meet software standards)" on updating or attempting to add a card despite in-app Contactless setup stating "You're ready to pay contactless with your phone (Your phone meets security requirements)", and
  2. Google Play Store, which may no longer show apps like Netflix w/ Android 11+ (developers can 'exclude devices from their app's distribution based on their device integrity. Device exclusion is based on the latest device integrity verdict that the Play Store app receives from the Play Integrity API') despite in-app settings showing Play Protect 'Device is certified' result.

I'm guessing that the 'passing' messages based on the old SafetyNet API are likely to be realigned soon.

A workaround that evidently allows Play Integrity API attestation to pass (and solve Wallet / Play Store issues also) has been discovered. It involves spoofing an earlier certified ROM, generally by using MagiskHide Props Config module to change fingerprint prop to one for Android 10 or earlier.

Undoubtedly other apps will begin to detect broken TEE etc / fail as they migrate or begin integrating the Play Integrity API.

A 'Universal Play Integrity Fix' will evidently require more understanding / research into how the fingerprint prop is used, and possibly other new behaviours.

pndwal · Jul 23 '22 07:07

Play Integrity will return one or more of these: MEETS_BASIC_INTEGRITY, MEETS_DEVICE_INTEGRITY, MEETS_STRONG_INTEGRITY. You shall not pass the last one.

HuskyDG · Jul 25 '22 07:07

> No solution to fake bootloader status thrown from hardware attestation

Well ~~you know~~ that's been irrelevant while Universal SafetyNet Fix can achieve fallbacks to basic attestation and banks etc avoided using old evaluationType. As long as they avoid using STRONG_INTEGRITY it will be irrelevant w/ Play Integrity also...

Seems they have avoided this with SafetyNet API so as not to exclude app use from devices launched with Android 7 and later devices with broken keymaster implementation such as OnePlus... Since new STRONG_INTEGRITY attestation is basically equivalent to SafetyNet passing with evaluationType = HARDWARE, I guess it will be avoided for the same reasons. I.e. not much is really changing w/ new device Integrity responses...

~~If Google apps affected are using Play Integrity's STRONG_INTEGRITY device_recognition_verdict (the one having "a strong guarantee of system integrity such as a hardware-backed proof of boot integrity") which seems likely, then USNF is certainly achieving these fallbacks for Play Integrity API as well as for SafetyNet.~~ [it's now clear Google Apps are not yet using STRONG_INTEGRITY verdict...]

For example, cards can be added to GPay/Wallet for contactless payments where a fingerprint prop is selected that satisfies both the old CTS Profile match and new Play Integrity DEVICE_INTEGRITY verdict. Many on Android 11+ now need to select an Android 10 (or earlier) fingerprint prop value to bypass Play integrity failed DEVICE_INTEGRITY, but the fact this failure will also occur where USNF is disabled indicates that ~~STRONG_INTEGRITY verdict is effectively being bypassed by USNF~~ USNF functions are allowing PI MEETS_DEVICE_INTEGRITY verdict.

A Universal Play Integrity Fix will not solve "bootloader status thrown from hardware attestation" when this is properly enforced any more than Universal SafetyNet Fix can... But that's beside the point; it hasn't happened yet...

pndwal · Jul 25 '22 15:07

Then please stop spamming this issue...

pndwal · Jul 25 '22 16:07

> What is your "spamming" definition?

Things not relevant to the issue...

However it is now clear that STRONG_INTEGRITY is not being used as yet by Google apps or bypassed successfully, so your observation may be relevant to that despite not having any bearing on the need for a better workaround to allow Play Integrity API DEVICE_INTEGRITY attestation to pass and solve Wallet / Play Store and potential bank app issues.

> Undoubtedly other apps will begin to detect broken TEE etc / fail as they migrate or begin integrating the Play Integrity API.

> Btw, you might not pass strong integrity in this case.

Sure... But I doubt banks will want to exclude all devices launched with Android 7 and earlier, as well as many late OnePlus and other devices any more than Google does...

I'm guessing this won't be an issue for a while yet as critical mass / market saturation of devices with working keystore in hardware for STRONG_INTEGRITY verdict enforcement is still (probably) a way off...

pndwal · Jul 27 '22 15:07

> use safetynet fix mod [safetynet fix mod]...

Please see @Displax link for Play Integrity API bypass #207 above; Pending fix for this and other issues per: https://github.com/kdrag0n/safetynet-fix/pull/207#issuecomment-1194661739

pndwal · Sep 15 '22 23:09

Google pay is horrible in every aspect... in the end for contactless payments "Cards" is better.

Zibri · Oct 26 '22 16:10

Guess this shouldn't be called 'Universal Play Integrity Fix' as clearly we can't make strongIntegrity verdict pass...

Changed issue description to reflect that proposed fix is really a 'Universal deviceIntegrity Fix for PI API' only... (basicIntegrity can be assumed if deviceIntegrity is passing)

Dependence on PI strongIntegrity verdict hasn't been seen in the wild yet AFAIK, but it may be invoked by banks at some point in future with no obvious 'fix' for modders on the horizon... 😭

pndwal · Dec 07 '22 12:12
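As an illustration of the three verdict labels discussed in this thread (MEETS_BASIC_INTEGRITY, MEETS_DEVICE_INTEGRITY, MEETS_STRONG_INTEGRITY) and of the point that deviceIntegrity implies basicIntegrity, here is an added example, not the safetynet-fix project's code, of how an app backend enforces a required level on a decoded verdict. The field names `requestDetails.nonce`, `requestDetails.requestPackageName` and `deviceIntegrity.deviceRecognitionVerdict` are from the public Play Integrity API documentation; the payloads are constructed, and the nonce/package binding is an assumed relying-party policy.

```python
"""Relying-party evaluation of a Play Integrity verdict.

Added example, not code from the safetynet-fix project. Input is the decoded
verdict payload an app backend holds after verifying the integrity token.
Field names follow the public Play Integrity API docs; payloads are constructed.
"""
from enum import IntEnum


class Level(IntEnum):
    """Verdict levels are cumulative: DEVICE implies BASIC, STRONG implies both."""
    NONE = 0
    BASIC = 1
    DEVICE = 2
    STRONG = 3


LABELS = {
    "MEETS_BASIC_INTEGRITY": Level.BASIC,
    "MEETS_DEVICE_INTEGRITY": Level.DEVICE,
    "MEETS_STRONG_INTEGRITY": Level.STRONG,
}


def integrity_level(payload: dict) -> Level:
    """Highest recognised label in deviceIntegrity.deviceRecognitionVerdict.

    An empty list means the device failed every check. Labels we do not know
    are ignored rather than trusted, so a future label never grants a level.
    """
    labels = payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    return max((LABELS[x] for x in labels if x in LABELS), default=Level.NONE)


def evaluate(payload: dict, required: Level, expected_nonce: str,
             package: str) -> tuple[bool, str]:
    """Accept only if the verdict is bound to our request and meets `required`.

    Checking nonce and package name (assumed policy) stops a verdict issued for
    a different request or app from being replayed against this backend.
    """
    details = payload.get("requestDetails", {})
    if details.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    if details.get("requestPackageName") != package:
        return False, "package mismatch"
    level = integrity_level(payload)
    if level < required:
        return False, f"got {level.name}, need {required.name}"
    return True, level.name
```

A backend that needs only the level Google apps are observed to rely on in this thread would pass `Level.DEVICE` as `required`; raising it to `Level.STRONG` rejects every device without a hardware-backed verdict.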