Implement Play Integrity

[js6pak]

It doesn't work yet, I'm suspecting microg's droidguard implementation, but it also doesn't make sense as there are recent reports of play integrity working through patched play store (I wasn't able to test it myself).
The same error (Error retrieving information from server. DF-DFERH-01) is returned for basically all potential problems, but at this point I'm pretty sure the issue is with the droidguard token, either with the data I pass into it or with the implementation being unable to handle the play integrity flow.
As a side note I tried updating the droidguard version in microg, but it caused even the safetynet check to fail.

TODO

• make it work
• move AIDL and other @publicapi into play-services-integrity
• express/standard api

Closes #2050

[ale5000-git]

@js6pak
You have misunderstood, I pass with microG GmsCore + the original (so NOT patched) Play Store intalled in the system partition.

[ale5000-git]

Both SafetyNet and Play Integrity pass with official PlayStore.

[ale5000-git]

I have got it working with direct system partition modifications (without Magisk), so I don't know if it can work with Magisk.

I will try in the future but I can't try it now.

PS: This is a PR, so it isn't the correct place to get help.

[huwenkai26]

@js6pak You have misunderstood, I pass with microG GmsCore + the original (so NOT patched) Play Store intalled in the system partition.

How do you install the official play store + microG gms

[BurhanBudak]

Options for this issue is either the fakeStore2PlayStore module that added a shell Play Store SDK 28.

But the requirement for passing play integrity is Google Apps, most importantly its Google Play Store and the Google Play Services. We have the shells but not the logic.

[LeVraiRoiDHyrule]

Hi, as of today, what is the best solution to get play integrity to work with MicroG ? I found this : https://github.com/daboynb/PlayIntegrityNEXT that can apparently get device fingerprints automatically. I tried it but still get no valid play integrity. I guess I need something like fakeStore or similar. What is the best solution as of today ? I would like to avoid installing a true play store that could track me. Thanks in advance for any answer and have a nice day

[ale5000-git]

@LeVraiRoiDHyrule
Currently the only way is to use microG Services + real Play Store.
Also now it is more complicated because it need a stock kernel, if you are using a different kernel you should spoof the strings to look like a stock kernel (I cannot help with this).

[ale5000-git]

You can probably spoof everything but you need to find the sources of the kernel, change it, compile it and flash it on the device.
Spoof other devices isn't really needed because it only check againts blacklisted words like "lineageos".

[BurhanBudak]

This cat and mouse game isnt profitable, sure some apps dont need to abuse PI but for Google Wallet there should be alternatives. Streaming can be beat with 🏴‍☠️.

[ale5000-git]

Actually since there are infinite valid kernel strings they can't whitelist but only blacklist so it isn't hard to fix.
The only problem is that compiling the kernel is needed.

New ROMs will probably be already ok since once the developer know it will fix it, the only problem is with not maintained ROMs.

[LeVraiRoiDHyrule]

@LeVraiRoiDHyrule Currently the only way is to use microG Services + real Play Store. Also now it is more complicated because it need a stock kernel, if you are using a different kernel you should spoof the strings to look like a stock kernel (I cannot help with this).

I see, thanks for the information. Is there a modified minimal play store that would work to avoid the fully featured play store ? Is installing real play store a problem for privacy ?
I am using this microg installer so I plan on doing this : https://github.com/nift4/microg_installer_revived#how-do-i-get-the-real-play-store

[Espionage724]

You can probably spoof everything but you need to find the sources of the kernel, change it, compile it and flash it on the device. Spoof other devices isn't really needed because it only check againts blacklisted words like "lineageos".

Can I get fingerprints and all the official strings from stock OxygenOS and then add it in some files before building LineageOS? I assume fingerprints are unique and that getting it from OOS and not sharing it means it'll be good theoretically forever? I saw some people mentioning fingerprints getting banned and needing changed every so often, but I guess that's just because of multiple devices using a public key? Or are keys regardless of how unique banned based on not passing certain checks?

I'm curious about avoiding obvious Google blacklist checks and it seems as easy as changing some device-specific text before building; can you provide more details?

[ale5000-git]

To all: Please stop all unrelated discussions.

This is a PR so only the ones that want to help or post constructive messages related to the subject should post.
Instead to get help please open a new ticket.

[jakubslaby09]

any progress on this?

[MoralCode]

Would it be feasible to add an option to microG settings to disable fakestore or install the real playstore (or a stripped down version) so that users have a choice between maximum privacy (at the cost of apps that require the Integrity API not working) or functioning apps? (ideally without rooting)

[jakubslaby09]

Would it be feasible to add an option to microG settings to disable fakestore or install the real playstore (or a stripped down version) so that users have a choice between maximum privacy (at the cost of apps that require the Integrity API not working) or functioning apps? (ideally without rooting)

I think it's a better idea to try to send a PI response from fakestore, like what @js6pak tried to do in 45a3732 , but I don't have experience with microg code.

[Weissnix4711]

Would it be feasible to add an option to microG settings to disable fakestore or install the real playstore (or a stripped down version) so that users have a choice between maximum privacy (at the cost of apps that require the Integrity API not working) or functioning apps? (ideally without rooting)

Afaik the play store must be installed to priv-apps, so I doubt this would be possible. If the device is rooted, sure, but not every device will be. Also, some installation methods already provide the ability to do this, so I'm not sure it's necessary. microg_installer_revived will install any apk you want, be it real or patched. I think nanodroid also allows you the option to install the patched play store.

[CoelacanthusHex]

Would it be feasible to add an option to microG settings to disable fakestore or install the real playstore (or a stripped down version) so that users have a choice between maximum privacy (at the cost of apps that require the Integrity API not working) or functioning apps? (ideally without rooting)

There isn't any option needed. Just install only microG Service and don't install microG Companion, and then install modified Google Play (modification to make purchase feature work). It's unnecessary to install both microG Service and microG Companion.

[bphd]

Would it be feasible to add an option to microG settings to disable fakestore or install the real playstore (or a stripped down version) so that users have a choice between maximum privacy (at the cost of apps that require the Integrity API not working) or functioning apps? (ideally without rooting)

There isn't any option needed. Just install only microG Service and don't install microG Companion, and then install modified Google Play (modification to make purchase feature work). It's unnecessary to install both microG Service and microG Companion.

So as of now you can validate PI with MGIR + PS, or not?

[ale5000-git]

This is a PR, anything not related to code should not belong here.
I have locked the conversation; if anyone has a constructive comment related to this PR then he/she could always create a new ticket and link this PR.