-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarify SafetyNet / Play Integrity row #33
Comments
I think you're right. The table needs to be changed because it's not as compatible as stock Android. For GrapheneOS [1] it says that only For microG I believe it's the same (only What would you propose is the right way to show it?
I don't have any personal experience because I don't use either Play Services or microG. |
SafetyNet is obsolete and has been replaced by Play Integrity API. SafetyNet is largely no longer relevant. GrapheneOS passes |
Thank you @matchboxbananasynergy Do you know if that's the same for microG? |
I know that it can't pass MEETS_DEVICE_INTEGRITY or MEETS_STRONG_INTEGRITY on devices not running a Google-certified OS unless you spoof, which can pass one of the two, but not in a way that will be possible for a long time. I don't think microG makes any such spoofing attempts. Regarding MEETS_BASIC_INTEGRITY, I don't know how that is handled and it might depend on factors outside of microG's control too. |
By the way, I am against adding information about "root" or magisk modules regarding spoofing this. It's not robust, it's being cracked down, and will cease being possible no matter what people do soon. In addition to that, rooting destroys the Android security model; it's not a valid approach. |
I agree. I just updated the row to saw "passes only basic integrity" in light green. The only one exception being Stock Android of course. |
I haven't tried it but I don't think it is impossible to pass strong integrity (but only if it is done directly by ROM authors). For ROMs that spoof original details (like model, device, fingerprint, etc.) but also Kernel version strings, and they are even able to relock the bootloader with the cutom ROM; then maybe they can pass without root and without Magisk. |
It's not possible is hardware attestation is used. Play integrity API is moving to that, and it won't be spoofable, not matter what the OS does. |
I was wondering why it says Yes for CalyxOS as I'm running the latest build on my Pixel 8 Pro and I get neither SafetyNet nor Play Integrity.
Do you mean Basic Integrity here? If yes I think the field should be split up into
As far as I know it's not possible to fully pass both on a custom ROM without using something like Magisk and a module that fixes it (not sure about Graphene)
The text was updated successfully, but these errors were encountered: