kdrag0n / safetynet-fix

Google SafetyNet attestation workarounds for Magisk
MIT License

New bypass for PI API hardware-backed verdict enforcement needed #258

Open pndwal opened 1 year ago

pndwal commented 1 year ago

Many w/ late-ish devices/OS's are now reporting ctsProfileMatch and deviceIntegrity failures full-time with USNF module installed...

Google is apparently upping the ante for late-ish devices/OS's by somehow preventing SafetyNet ctsProfileMatch from passing with mismatched fingerprints now... Of course Play Integrity deviceIntegrity depends on this and thus fails also...

On the other hand, Google still seem to be flipping switches / experimenting, and there are a number of reports that even users of stock phones are having similar failures (Play Protect: Device not certified, G Pay/Wallet suddenly not meeting Security requirements etc) popping up recently on Reddit etc...

Seems for those modders affected, ctsProfileMatch still passes when a matching fingerprint prop is used, but w/o the mismatch PI deviceIntegrity doesn't pass any longer...

The strategy for Google now seems to be to come up with ways to enforce hardware-backed verdicts on a per device basis that can't easily be bypassed...

I'm hoping someone will discover a new way to bypass PI API hardware-backed verdict enforcement for devices Google identifies as hardware-ready using fingerprint prop...

We may need the best minds on this, and it may be difficult while Google makes changes and reverses them... But another good game of 🐈 & 🐁...

Nb. I'm only analysing reports; my device is not affected...

fcaronte commented 1 year ago

[Screenshot: Yet Another SafetyNet Attestation Checker result, 2023-02-09]

Yes, mine started failing today; for example Netflix disappeared from the Play Store, but GPay and other things seem to be working.

NMBlanco commented 1 year ago

Anyone tried the Play integrity bypass lsposed module in addition with shamiko?

It got updated today. I can't really test it right now though.

Djtrip83 commented 1 year ago

@pndwal could [this](https://github.com/kdrag0n/safetynet-fix/issues/250#issuecomment-1423834027) help in finding something out?

fcaronte commented 1 year ago

> Anyone tried the Play integrity bypass lsposed module in addition with shamiko?
>
> It got updated today. I can't really test it right now though.

I tried to install it but it doesn't fix it; I think we need to wait for the ROM dev to implement the new commit with the fix.

Klusio19 commented 1 year ago

> Anyone tried the Play integrity bypass lsposed module in addition with shamiko?
>
> It got updated today. I can't really test it right now though.

I just tested it and it works for me. However the funniest thing is, I have REMOVED the Universal SafetyNet Fix module. I have the Shamiko module installed, then installed that app which you linked. And now I am passing Basic Integrity, as well as CTS profile match. GPay is working, other banking apps are working, I CAN find and install Netflix from the Play Store. Everything is working. But it's strange because, like I said, I REMOVED USNF. OnePlus 9 Pro with latest Android 13 CrDroid, obviously rooted.

dimon222 commented 1 year ago

@Klusio19 did you reboot the phone after removing USNF? it should wipe some leftovers.

Klusio19 commented 1 year ago

> @Klusio19 did you reboot the phone after removing USNF? it should wipe some leftovers.

Yes, I always reboot after adding/removing Magisk modules

HuskyDG commented 1 year ago

https://github.com/kdrag0n/safetynet-fix/issues/252

HuskyDG commented 1 year ago

Google can kill off Safetynet Fix if they want, to be honest

crok commented 1 year ago

Well, according to the timeline they announced here the last "milestone" was just when we started to experience these issues lately (2023 Jan. - New developer onboarding ends) so I suspect that the end is near and they are quite actively working on it. Next "milestone" is June 2023 - Migration deadline so it is really near..

pndwal commented 1 year ago

> Anyone tried the Play integrity bypass lsposed module in addition with shamiko? It got updated today. I can't really test it right now though.

> I just tested it and it works for me. However the funniest thing is, I have REMOVED the Universal SafetyNet Fix module. I have the Shamiko module installed, then installed that app which you linked. And now I am passing Basic Integrity, as well as CTS profile match. GPay is working, other banking apps are working, I CAN find and install Netflix from the Play Store. Everything is working. But it's strange because, like I said, I REMOVED USNF. OnePlus 9 Pro with latest Android 13 CrDroid, obviously rooted.

I think that's expected... That module is a new alternative to USNF but requires Shamiko... I think other proper hiding modules would work with it too however, but denylist won't since it reverts/blocks modifications...

pndwal commented 1 year ago

> Well, according to the timeline they announced here the last "milestone" was just when we started to experience these issues lately (2023 Jan. - New developer onboarding ends) so I suspect that the end is near and they are quite actively working on it. Next "milestone" is June 2023 - Migration deadline so it is really near..

Killing off SafetyNet Fix means killing off its fixes for PI deviceIntegrity also... The demise of SafetyNet is of no real concern...

I think @HuskyDG means 'kill off' by preempting a move to requiring strongIntegrity verdicts for apps...

I agree that they could do this, but I believe they won't...

Google have supplied banks themselves with the means to kill off SNF/USNF by moving to strongIntegrity when they wish to, but have helped the modding community by ensuring that when strongIntegrity is adopted there will be much 'collateral damage' among bank customers, namely anyone using any device launched with A8 or earlier (even if using late OS's now) as well as countless users of recent OnePlus and other devices with broken keymaster implementations or devices where Google has revoked keys needed for hardware-backed attestation for other issues with the AVB chain of trust etc...

Google needs to be seen to be delivering strong/reliable attestation to device integrity and they delivered that even with S/N HARDWARE_BACKED evaluationType attestation, but banks never chose to enforce that...

Play Integrity was introduced to add new attestations for appIntegrity and accountDetails, but its deviceIntegrity verdict doesn't really change anything (although it does add a few more checks) in relation to modders' bypasses...

I think Google has done what it set out to achieve, still views the 'Magisk Community' as 'white hat' and is in no rush to pre-empt bank's take-up of strongIntegrity attestation...

Banks, on the other hand, are caught 'between a rock and a hard place'... They know they have a reliable and free alternative to all their expensive customised insecure execution environment detection development, but must wait until a critical mass of customers have keymaster 3 capable devices in their hands before availing themselves of it as doing so is bound to awaken quite different 'critical mass of customers', critical that they will be forced to choose between upgrading devices or banking...

I think Google is quite happy to leave the decision to move to strongIntegrity enforcement to the banks...
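The distinction drawn in this thread (ctsProfileMatch/deviceIntegrity versus the HARDWARE_BACKED evaluationType/strongIntegrity that banks have not enforced) is easiest to see from the relying party's side. The following is an added example, not code from safetynet-fix or from any of the commenters: it parses the payload of a SafetyNet attestation JWS, reads the deviceRecognitionVerdict labels of a decoded Play Integrity token, and applies a policy with a single require_strong switch. All tokens are constructed samples, no signatures are verified, and the SafetyNet-to-Play-Integrity label mapping in safetynet_level is an assumed approximation, not an official table.

```python
import base64
import json


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def safetynet_claims(jws):
    """Return the claims of a SafetyNet attestation JWS (header.payload.signature).
    The signature and the attest.android.com certificate chain are NOT verified
    here; a real relying party must do that before trusting any claim."""
    _header, payload, _signature = jws.split(".")
    return json.loads(_b64url_decode(payload))


def safetynet_level(claims):
    """Assumed approximate mapping of SafetyNet claims onto Play Integrity labels:
    basicIntegrity ~ MEETS_BASIC_INTEGRITY, ctsProfileMatch ~ MEETS_DEVICE_INTEGRITY,
    evaluationType HARDWARE_BACKED ~ MEETS_STRONG_INTEGRITY."""
    if not claims.get("basicIntegrity"):
        return "NONE"
    if not claims.get("ctsProfileMatch"):
        return "MEETS_BASIC_INTEGRITY"
    if "HARDWARE_BACKED" in claims.get("evaluationType", ""):
        return "MEETS_STRONG_INTEGRITY"
    return "MEETS_DEVICE_INTEGRITY"


def evaluate(decoded_token, expected_nonce, require_strong=False):
    """Relying-party decision on a decoded Play Integrity token.
    require_strong=True is the 'move to strongIntegrity' switch discussed above.
    Returns (allowed, reason)."""
    request = decoded_token.get("requestDetails", {})
    if request.get("nonce") != expected_nonce:
        return False, "nonce mismatch (replayed or foreign token)"
    labels = set(decoded_token.get("deviceIntegrity", {})
                 .get("deviceRecognitionVerdict", []))
    if require_strong and "MEETS_STRONG_INTEGRITY" not in labels:
        return False, "strongIntegrity required but not met"
    if "MEETS_DEVICE_INTEGRITY" not in labels:
        return False, "deviceIntegrity not met"
    return True, "ok"


NONCE = "c29tZS1ub25jZQ"  # constructed request nonce

# Constructed sample: a rooted device whose fingerprint workaround still works.
# deviceIntegrity passes, strongIntegrity does not (no hardware-backed attestation).
MODDED_DEVICE_TOKEN = {
    "requestDetails": {"requestPackageName": "com.example.bank", "nonce": NONCE,
                       "timestampMillis": "1675929926000"},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                     "packageName": "com.example.bank"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY",
                                                     "MEETS_DEVICE_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}

# Constructed sample: the same device after the failures reported in this thread.
FAILING_DEVICE_TOKEN = json.loads(json.dumps(MODDED_DEVICE_TOKEN))
FAILING_DEVICE_TOKEN["deviceIntegrity"]["deviceRecognitionVerdict"] = ["MEETS_BASIC_INTEGRITY"]

# Constructed SafetyNet JWS: ctsProfileMatch passes, but evaluationType is BASIC,
# i.e. the verdict is not tied to the hardware keystore.
SAFETYNET_JWS = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256"}).encode()),
    _b64url_encode(json.dumps({
        "nonce": NONCE, "timestampMs": 1675929926000,
        "apkPackageName": "com.example.bank",
        "ctsProfileMatch": True, "basicIntegrity": True,
        "evaluationType": "BASIC",
    }).encode()),
    "c2lnbmF0dXJl",  # placeholder signature, not checked in this example
])

if __name__ == "__main__":
    print("SafetyNet:", safetynet_level(safetynet_claims(SAFETYNET_JWS)))
    for name, token in (("modded", MODDED_DEVICE_TOKEN), ("failing", FAILING_DEVICE_TOKEN)):
        for strong in (False, True):
            print(name, "require_strong=%s" % strong, evaluate(token, NONCE, strong))
```

Flipping require_strong is the whole policy change the thread debates: the modded sample passes with it off and is rejected with it on, while a token without MEETS_DEVICE_INTEGRITY is rejected either way. The nonce check is there because a server that accepts any well-formed token is bypassed by replay long before anyone needs to spoof a fingerprint.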

irmo-de commented 1 year ago

I agree, I do not think there is any reason for Google or a bank to enforce a higher level of integrity as it works quite well. The goal is to prevent tampering with the application and communication with external servers. I am not aware of any malware that can bypass the basic evaluation certificate. As a developer, this would only increase the false positive rate without any real benefit.

hondacbr600 commented 1 year ago

> I agree, I do not think there is any reason for Google or a bank to enforce a higher level of integrity as it works quite well. The goal is to prevent tampering with the application and communication with external servers. I am not aware of any malware that can bypass the basic evaluation certificate. As a developer, this would only increase the false positive rate without any real benefit.

It's BS. Reminder (notification) once a week that your device is rooted and an unskippable boot screen (I had such on my Huawei P10 it required pressing any key to continue after a 5-sec timeout) would do the trick. I just can't comprehend how banks don't mind you using their services from a home PC with an admin account that may not have antivirus software at all, but whining about rooting your phone.

HuskyDG commented 1 year ago

> I agree, I do not think there is any reason for Google or a bank to enforce a higher level of integrity as it works quite well. The goal is to prevent tampering with the application and communication with external servers. I am not aware of any malware that can bypass the basic evaluation certificate. As a developer, this would only increase the false positive rate without any real benefit.

Don't you wonder why Strong Integrity is here? That it is not enforced doesn't mean it will not be used in future. And there are already a few apps that detect an unlocked bootloader.

pndwal commented 1 year ago

> I agree, I do not think there is any reason for Google or a bank to enforce a higher level of integrity as it works quite well. The goal is to prevent tampering with the application and communication with external servers. I am not aware of any malware that can bypass the basic evaluation certificate. As a developer, this would only increase the false positive rate without any real benefit.

> Don't you wonder why Strong Integrity is here? That it is not enforced doesn't mean it will not be used in future. And there are already a few apps that detect an unlocked bootloader.

Just to be clear about my point above since we're debating this:

I simply said I doubt Google will preempt a move to enforce strongIntegrity...

I believe banks are weighing this however, and the difficulty for them is simple; they will immediately be requiring customers to own devices launched w/ A8+ and that these also have good keymaster 3+ implementations (many OnePlus and other modern devices have failed to meet these standards) in order to use their banking apps...

It was in Google's interests to provide the means for 'strong' attestation and they've delivered it... I don't think it's in Google's interests to preempt its use however...

Of course banks may move to strongIntegrity anytime they perceive the collateral damage (to customer base) as sufficiently reduced...