Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement Play Integrity #2077

Closed
wants to merge 1 commit into from
Closed

Conversation

js6pak
Copy link
Contributor

@js6pak js6pak commented Oct 26, 2023

It doesn't work yet, I'm suspecting microg's droidguard implementation, but it also doesn't make sense as there are recent reports of play integrity working through patched play store (I wasn't able to test it myself).
The same error (Error retrieving information from server. DF-DFERH-01) is returned for basically all potential problems, but at this point I'm pretty sure the issue is with the droidguard token, either with the data I pass into it or with the implementation being unable to handle the play integrity flow.
As a side note I tried updating the droidguard version in microg, but it caused even the safetynet check to fail.

TODO

Closes #2050

@ale5000-git
Copy link
Member

ale5000-git commented Oct 27, 2023

@js6pak
You have misunderstood, I pass with microG GmsCore + the original (so NOT patched) Play Store intalled in the system partition.

@ale5000-git
Copy link
Member

Both SafetyNet and Play Integrity pass with official PlayStore.

@ale5000-git
Copy link
Member

ale5000-git commented Nov 18, 2023

I have got it working with direct system partition modifications (without Magisk), so I don't know if it can work with Magisk.

I will try in the future but I can't try it now.

PS: This is a PR, so it isn't the correct place to get help.

@huwenkai26
Copy link

@js6pak You have misunderstood, I pass with microG GmsCore + the original (so NOT patched) Play Store intalled in the system partition.

How do you install the official play store + microG gms

@BurhanBudak
Copy link

BurhanBudak commented Feb 21, 2024

Options for this issue is either the fakeStore2PlayStore module that added a shell Play Store SDK 28.

But the requirement for passing play integrity is Google Apps, most importantly its Google Play Store and the Google Play Services. We have the shells but not the logic.

@LeVraiRoiDHyrule
Copy link

Hi, as of today, what is the best solution to get play integrity to work with MicroG ? I found this : https://github.com/daboynb/PlayIntegrityNEXT that can apparently get device fingerprints automatically. I tried it but still get no valid play integrity. I guess I need something like fakeStore or similar. What is the best solution as of today ? I would like to avoid installing a true play store that could track me. Thanks in advance for any answer and have a nice day

@ale5000-git
Copy link
Member

@LeVraiRoiDHyrule
Currently the only way is to use microG Services + real Play Store.
Also now it is more complicated because it need a stock kernel, if you are using a different kernel you should spoof the strings to look like a stock kernel (I cannot help with this).

@ale5000-git
Copy link
Member

You can probably spoof everything but you need to find the sources of the kernel, change it, compile it and flash it on the device.
Spoof other devices isn't really needed because it only check againts blacklisted words like "lineageos".

@BurhanBudak
Copy link

This cat and mouse game isnt profitable, sure some apps dont need to abuse PI but for Google Wallet there should be alternatives. Streaming can be beat with 🏴‍☠️.

@ale5000-git
Copy link
Member

ale5000-git commented Apr 6, 2024

Actually since there are infinite valid kernel strings they can't whitelist but only blacklist so it isn't hard to fix.
The only problem is that compiling the kernel is needed.

New ROMs will probably be already ok since once the developer know it will fix it, the only problem is with not maintained ROMs.

@LeVraiRoiDHyrule
Copy link

@LeVraiRoiDHyrule Currently the only way is to use microG Services + real Play Store. Also now it is more complicated because it need a stock kernel, if you are using a different kernel you should spoof the strings to look like a stock kernel (I cannot help with this).

I see, thanks for the information. Is there a modified minimal play store that would work to avoid the fully featured play store ? Is installing real play store a problem for privacy ?
I am using this microg installer so I plan on doing this : https://github.com/nift4/microg_installer_revived#how-do-i-get-the-real-play-store

@Espionage724
Copy link

Espionage724 commented Apr 20, 2024

You can probably spoof everything but you need to find the sources of the kernel, change it, compile it and flash it on the device. Spoof other devices isn't really needed because it only check againts blacklisted words like "lineageos".

Can I get fingerprints and all the official strings from stock OxygenOS and then add it in some files before building LineageOS? I assume fingerprints are unique and that getting it from OOS and not sharing it means it'll be good theoretically forever? I saw some people mentioning fingerprints getting banned and needing changed every so often, but I guess that's just because of multiple devices using a public key? Or are keys regardless of how unique banned based on not passing certain checks?

I'm curious about avoiding obvious Google blacklist checks and it seems as easy as changing some device-specific text before building; can you provide more details?

@ale5000-git
Copy link
Member

To all: Please stop all unrelated discussions.

This is a PR so only the ones that want to help or post constructive messages related to the subject should post.
Instead to get help please open a new ticket.

@jakubslaby09
Copy link

any progress on this?

@MoralCode
Copy link

Would it be feasible to add an option to microG settings to disable fakestore or install the real playstore (or a stripped down version) so that users have a choice between maximum privacy (at the cost of apps that require the Integrity API not working) or functioning apps? (ideally without rooting)

@jakubslaby09
Copy link

Would it be feasible to add an option to microG settings to disable fakestore or install the real playstore (or a stripped down version) so that users have a choice between maximum privacy (at the cost of apps that require the Integrity API not working) or functioning apps? (ideally without rooting)

I think it's a better idea to try to send a PI response from fakestore, like what @js6pak tried to do in 45a3732 , but I don't have experience with microg code.

@Weissnix4711
Copy link

Would it be feasible to add an option to microG settings to disable fakestore or install the real playstore (or a stripped down version) so that users have a choice between maximum privacy (at the cost of apps that require the Integrity API not working) or functioning apps? (ideally without rooting)

Afaik the play store must be installed to priv-apps, so I doubt this would be possible. If the device is rooted, sure, but not every device will be. Also, some installation methods already provide the ability to do this, so I'm not sure it's necessary. microg_installer_revived will install any apk you want, be it real or patched. I think nanodroid also allows you the option to install the patched play store.

@CoelacanthusHex
Copy link
Contributor

Would it be feasible to add an option to microG settings to disable fakestore or install the real playstore (or a stripped down version) so that users have a choice between maximum privacy (at the cost of apps that require the Integrity API not working) or functioning apps? (ideally without rooting)

There isn't any option needed. Just install only microG Service and don't install microG Companion, and then install modified Google Play (modification to make purchase feature work). It's unnecessary to install both microG Service and microG Companion.

@bphd
Copy link

bphd commented Sep 19, 2024

Would it be feasible to add an option to microG settings to disable fakestore or install the real playstore (or a stripped down version) so that users have a choice between maximum privacy (at the cost of apps that require the Integrity API not working) or functioning apps? (ideally without rooting)

There isn't any option needed. Just install only microG Service and don't install microG Companion, and then install modified Google Play (modification to make purchase feature work). It's unnecessary to install both microG Service and microG Companion.

So as of now you can validate PI with MGIR + PS, or not?

@microg microg locked as off-topic and limited conversation to collaborators Sep 19, 2024
@ale5000-git
Copy link
Member

This is a PR, anything not related to code should not belong here.
I have locked the conversation; if anyone has a constructive comment related to this PR then he/she could always create a new ticket and link this PR.

@mar-v-in
Copy link
Member

We have a working implementation now via #2599

@mar-v-in mar-v-in closed this Dec 18, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet