Play Integrity Attestation Bypass (SafetyNet Replacement)
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
How Play Integrity Works
Play Integrity is Google's successor to SafetyNet for app attestation. The app calls the API, Google Play Services collects software/hardware signals and sends them encrypted to googleapis.com, and Google returns a JWT that is signed and encrypted by Google. The app forwards the token to its backend, which verifies the signature with Google's public key, unpacks the payload, and enforces policy based on the verdict fields:
- appIntegrity: APK build/signature match (no repack/tamper).
- deviceIntegrity: genuine & certified device, locked bootloader, no root/system tamper.
- accountDetails: installation via Google Play.
The main verdict flags that backends commonly enforce:
- MEETS_BASIC_INTEGRITY: token generated by genuine Play Services (not an emulator or tampered transport).
- MEETS_DEVICE_INTEGRITY: genuine/certified device, bootloader locked, no root/system tamper.
- MEETS_STRONG_INTEGRITY: requires DEVICE plus recent security patches on all partitions (OS + vendor).
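As an added example (not code from the original page or from Google), here is the backend policy step described above in Python: it binds the decrypted verdict to the current request (nonce, package, freshness, signing certificate) before trusting the device flags. It assumes the token has already been decrypted and signature-verified and uses the standard Play Integrity payload field names (requestDetails, appIntegrity, deviceIntegrity, accountDetails); the sample payload, package name and certificate digest are constructed placeholders.

```python
# Constructed sample: a decrypted, signature-verified Play Integrity payload.
# Decrypting/verifying the token is assumed to have happened before this step.
SAMPLE_PAYLOAD = {
    "requestDetails": {
        "requestPackageName": "com.example.bank",
        "nonce": "c2Vzc2lvbi0xMjM0NQ",
        "timestampMillis": "1700000000000",
    },
    "appIntegrity": {
        "appRecognitionVerdict": "PLAY_RECOGNIZED",
        "packageName": "com.example.bank",
        "certificateSha256Digest": ["PLACEHOLDER_CERT_DIGEST"],
        "versionCode": "42",
    },
    "deviceIntegrity": {
        "deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"],
    },
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}

# Server-side expectations (constructed placeholder values).
EXPECTED_PACKAGE = "com.example.bank"
EXPECTED_CERT_DIGESTS = {"PLACEHOLDER_CERT_DIGEST"}
MAX_TOKEN_AGE_MS = 5 * 60 * 1000


def evaluate_verdict(payload, expected_nonce, now_ms, require_strong=False):
    """Return (ok, reason). Bind the token to this request, then check verdicts."""
    req = payload.get("requestDetails", {})
    # The nonce ties the token to one server-issued challenge, so a token
    # harvested elsewhere cannot simply be replayed against this request.
    if req.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        return False, "token issued for another package"
    age = now_ms - int(req.get("timestampMillis", 0))
    if age < 0 or age > MAX_TOKEN_AGE_MS:
        return False, "token too old or from the future"
    app = payload.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return False, "app not recognized by Play"
    if not set(app.get("certificateSha256Digest", [])) & EXPECTED_CERT_DIGESTS:
        return False, "signing certificate mismatch"
    # deviceRecognitionVerdict is a list; STRONG implies DEVICE implies BASIC.
    verdicts = set(payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    needed = "MEETS_STRONG_INTEGRITY" if require_strong else "MEETS_DEVICE_INTEGRITY"
    if needed not in verdicts:
        return False, f"device verdict lacks {needed}"
    return True, "ok"
```

These checks stop replay and mis-binding of a genuine token; they cannot, by themselves, tell a certified device from one whose attestation inputs were spoofed, since the token Google issues is genuine in both cases.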
Bypass Model
Rather than forging Google's JWT, spoof the signals Google evaluates so that they match a different, legitimate device profile. The attack chain:
- Hide root so that in-app checks and Play Services probes do not see Magisk/su.
- Replace the key attestation certificate chain (keybox.xml) with one from a real device so that Play Integrity believes the device is certified/locked.
- Spoof the security patch level to satisfy MEETS_STRONG_INTEGRITY.
Google mitigates by revoking abused keyboxes; rotation is required whenever a keybox gets blocked.
Prerequisites & Tools
- Root hiding: ReZygisk (or ZygiskNext). Disable Zygisk, enable Magisk Hide, install the module, reboot.
- Key attestation spoofing: TrickyStore + Tricky Addon (Magisk modules).
- UI helper: KSU Web UI to drive TrickyStore.
- Validation: Play Integrity API Checker and Key Attestation APKs.
- Optional background on attestation key material: https://tryigit.dev/android-keybox-attestation-analysis
Achieving MEETS_BASIC_INTEGRITY + MEETS_DEVICE_INTEGRITY
- Install modules & reboot: Flash TrickyStore and Tricky Addon in Magisk, then reboot.
- Configure TrickyStore (via KSU Web UI): Select TrickyStore → Select All → Deselect Unnecessary → Save.
- Inject a valid keybox: Under Keybox, choose Valid to download/apply a new keybox.xml (vendor attestation credentials). This file is the root of hardware key attestation and is now spoofed from a certified/locked device.
- Verify: Run Play Integrity API Checker → MEETS_BASIC_INTEGRITY and MEETS_DEVICE_INTEGRITY should pass. In Key Attestation the bootloader shows as locked because the attestation chain has been replaced.
Achieving MEETS_STRONG_INTEGRITY (Patch-Level Spoof)
STRONG fails on stale patch levels. TrickyStore can spoof a current security patch date for all partitions:
- In TrickyStore, choose Set Security Patch → Get Security Patch Date → Save.
- Re-run Play Integrity API Checker; MEETS_STRONG_INTEGRITY should now pass.
Operational Notes
- Revocation risk: Hitting the API repeatedly with the same keybox.xml can get it flagged and blocked. If blocked, replace it with a new valid keybox.
- Arms race: Publicly shared keyboxes get burned/abused quickly; keep private copies and follow community module updates (XDA/Telegram/GitHub) for new working chains.
- Scope: This bypass only spoofs the attestation inputs; the backend signature verification against Google still succeeds because the JWT itself is genuine.
References
- Play Integrity API: How It Works & How to Bypass It
- ReZygisk
- TrickyStore
- Tricky Addon
- KSU Web UI
- Play Integrity API Checker
- Key Attestation
- Android keybox attestation analysis