Implement Play Integrity #2077

Draft
wants to merge 1 commit into base: master

Conversation

js6pak
Contributor

@js6pak js6pak commented Oct 26, 2023

It doesn't work yet, I'm suspecting microg's droidguard implementation, but it also doesn't make sense as there are recent reports of play integrity working through patched play store (I wasn't able to test it myself).
The same error (Error retrieving information from server. DF-DFERH-01) is returned for basically all potential problems, but at this point I'm pretty sure the issue is with the droidguard token, either with the data I pass into it or with the implementation being unable to handle the play integrity flow.
As a side note I tried updating the droidguard version in microg, but it caused even the safetynet check to fail.

TODO

Closes #2050

@ale5000-git
Member

ale5000-git commented Oct 27, 2023

@js6pak
You have misunderstood, I pass with microG GmsCore + the original (so NOT patched) Play Store installed in the system partition.

@foxjaw

foxjaw commented Nov 17, 2023

@ale5000-git Is that safetynet attestation ? I pass that with fakestore too (official nonpatched). It's not play integrity.

@ale5000-git
Member

Both SafetyNet and Play Integrity pass with official PlayStore.

@foxjaw

foxjaw commented Nov 18, 2023

@ale5000-git Sorry to ask this here but, can you explain how you achieved it ? I've tried revived module as well as minmicrog. Play Integrity on both state Error getting token from Google. Caz I wasn't able to have play store properly. Tried systemizing Official Play Store apk. It crashes.

Caz there's no magisk module that installs microg and skips com.android.vending app. It's either fakestore or patched play store. How to avoid that & have original play store with microg involved ?

PS: Btw I'm on phhusson's A14 gsi tested with original play store downloaded from apkmirror.

@ale5000-git
Member

ale5000-git commented Nov 18, 2023

I have got it working with direct system partition modifications (without Magisk), so I don't know if it can work with Magisk.

I will try in the future but I can't try it now.

PS: This is a PR, so it isn't the correct place to get help.

@huwenkai26

> @js6pak You have misunderstood, I pass with microG GmsCore + the original (so NOT patched) Play Store installed in the system partition.

How do you install the official play store + microG gms

@foxjaw

foxjaw commented Feb 15, 2024

> How do you install the official play store + microG gms

Microg Revived is one way to do it
Get the store apk by extracting from any gapps provider. I recommend NikGApps.
Here's the latest Android 14 core gapps zip.

@BurhanBudak

BurhanBudak commented Feb 21, 2024

Options for this issue is either the fakeStore2PlayStore module that added a shell Play Store SDK 28.

But the requirement for passing play integrity is Google Apps, most importantly its Google Play Store and the Google Play Services. We have the shells but not the logic.

@foxjaw

foxjaw commented Feb 21, 2024

Play Integrity depends on the device fingerprints. There's an xda thread on how to edit a .pif file by @osm0sis & where to get the fingerprints. The lesser a fingerprint is known to google, the longer it'll work. If more users start using one, chances are google banning them one by one.

Some apps also have capability of checking bootloader unlock status & restrict usage altogether, such as banking apps.
If your aim is to just install apps like Netflix & DRM support, you can try above stuff. But if you expect more services to work like banking apps, not gonna suggest.

@LeVraiRoiDHyrule

Hi, as of today, what is the best solution to get play integrity to work with MicroG ? I found this : https://github.com/daboynb/PlayIntegrityNEXT that can apparently get device fingerprints automatically. I tried it but still get no valid play integrity. I guess I need something like fakeStore or similar. What is the best solution as of today ? I would like to avoid installing a true play store that could track me. Thanks in advance for any answer and have a nice day

@foxjaw

foxjaw commented Apr 5, 2024

@LeVraiRoiDHyrule Microg's droidguard may be the fault here. Did you try with play services?

@ale5000-git
Member

@LeVraiRoiDHyrule
Currently the only way is to use microG Services + real Play Store.
Also now it is more complicated because it needs a stock kernel, if you are using a different kernel you should spoof the strings to look like a stock kernel (I cannot help with this).

@foxjaw

foxjaw commented Apr 5, 2024

@ale5000-git Can we spoof stock kernels of other devices?

@ale5000-git
Member

You can probably spoof everything but you need to find the sources of the kernel, change it, compile it and flash it on the device.
Spoofing other devices isn't really needed because it only checks against blacklisted words like "lineageos".

@BurhanBudak

This cat and mouse game isn't profitable, sure some apps don't need to abuse PI but for Google Wallet there should be alternatives. Streaming can be beat with 🏴‍☠️.

@ale5000-git
Member

ale5000-git commented Apr 6, 2024

Actually since there are infinite valid kernel strings they can't whitelist but only blacklist so it isn't hard to fix.
The only problem is that compiling the kernel is needed.

New ROMs will probably be already ok since once the developer knows it will fix it, the only problem is with not maintained ROMs.

@foxjaw

foxjaw commented Apr 6, 2024

> This cat and mouse game isn't profitable, sure some apps don't need to abuse PI but for Google Wallet there should be alternatives.

which is the reason this MR might stay drafted forever. It isn't feasible to maintain the play integrity outside play services walled gardens. Android is at least open source unlike iOS.

> Streaming can be beat with 🏴‍☠️

@BurhanBudak Bro. You mean Jack Sparrow ?

@LeVraiRoiDHyrule

> @LeVraiRoiDHyrule Currently the only way is to use microG Services + real Play Store. Also now it is more complicated because it needs a stock kernel, if you are using a different kernel you should spoof the strings to look like a stock kernel (I cannot help with this).

I see, thanks for the information. Is there a modified minimal play store that would work to avoid the fully featured play store ? Is installing real play store a problem for privacy ?
I am using this microg installer so I plan on doing this : https://github.com/nift4/microg_installer_revived#how-do-i-get-the-real-play-store

@Espionage724

Espionage724 commented Apr 20, 2024

> You can probably spoof everything but you need to find the sources of the kernel, change it, compile it and flash it on the device. Spoofing other devices isn't really needed because it only checks against blacklisted words like "lineageos".

Can I get fingerprints and all the official strings from stock OxygenOS and then add it in some files before building LineageOS? I assume fingerprints are unique and that getting it from OOS and not sharing it means it'll be good theoretically forever? I saw some people mentioning fingerprints getting banned and needing changed every so often, but I guess that's just because of multiple devices using a public key? Or are keys regardless of how unique banned based on not passing certain checks?

I'm curious about avoiding obvious Google blacklist checks and it seems as easy as changing some device-specific text before building; can you provide more details?

@foxjaw

foxjaw commented Apr 20, 2024

@Espionage724 That issue is there for all. I think no one is willing to help you in this regard. Almost 95% of the keys used by public roms are hunted down and banned by Google. I think they also hunt the play integrity modules that are using some sort of hidden databases.

@ale5000-git
Member

To all: Please stop all unrelated discussions.

This is a PR so only the ones that want to help or post constructive messages related to the subject should post.
Instead to get help please open a new ticket.

7 participants