Clarify SafetyNet / Play Integrity row #33

Closed
D3SOX opened this issue Mar 31, 2024 · 8 comments

D3SOX commented Mar 31, 2024

I was wondering why it says Yes for CalyxOS as I'm running the latest build on my Pixel 8 Pro and I get neither SafetyNet nor Play Integrity.

Do you mean Basic Integrity here? If yes I think the field should be split up into

  • SafetyNet basic integrity
  • CTS Profile match
  • Play Integrity

As far as I know it's not possible to fully pass both on a custom ROM without using something like Magisk and a module that fixes it (not sure about Graphene)

D3SOX changed the title "SafetyNet / Play Integrity column" to "Clarify SafetyNet / Play Integrity column" Mar 31, 2024
D3SOX changed the title "Clarify SafetyNet / Play Integrity column" to "Clarify SafetyNet / Play Integrity row" Mar 31, 2024
Owner

eylenburg commented Apr 2, 2024

I think you're right. The table needs to be changed because it's not as compatible as stock Android.

For GrapheneOS [1] it says that only basicIntegrity is passed, although it doesn't mention Play Integrity here but only SafetyNet.

For microG I believe it's the same (only basicIntegrity) and the additional issue that Play Integrity depends on the Play Store? [2] [3] [4] [5] [6]

What would you propose is the right way to show it?

| | GrapheneOS Play Services | MicroG | MicroG + root |
|---|---|---|---|
| SafetyNet basic integrity | OK | OK | OK |
| CTS Profile match | No | No | OK ??? |
| Play Integrity | No | ??? | ??? |

I don't have any personal experience because I don't use either Play Services or microG.

@matchboxbananasynergy

SafetyNet is obsolete and has been replaced by Play Integrity API. SafetyNet is largely no longer relevant. GrapheneOS passes MEETS_BASIC_INTEGRITY, but not MEETS_DEVICE_INTEGRITY or MEETS_STRONG_INTEGRITY, as that requires a Google-certified OS.

@eylenburg
Owner

Thank you @matchboxbananasynergy

Do you know if that's the same for microG?

@matchboxbananasynergy

I know that it can't pass MEETS_DEVICE_INTEGRITY or MEETS_STRONG_INTEGRITY on devices not running a Google-certified OS unless you spoof, which can pass one of the two, but not in a way that will be possible for a long time.

I don't think microG makes any such spoofing attempts. Regarding MEETS_BASIC_INTEGRITY, I don't know how that is handled and it might depend on factors outside of microG's control too.

@matchboxbananasynergy

By the way, I am against adding information about "root" or Magisk modules regarding spoofing this. It's not robust, it's being cracked down on, and will cease being possible no matter what people do soon. In addition to that, rooting destroys the Android security model; it's not a valid approach.

@eylenburg
Owner

I agree. I just updated the row to say "passes only basic integrity" in light green. The only exception being Stock Android of course.

@ale5000-git

I haven't tried it but I don't think it is impossible to pass strong integrity (but only if it is done directly by ROM authors).

For ROMs that spoof original details (like model, device, fingerprint, etc.) but also kernel version strings, and they are even able to relock the bootloader with the custom ROM; then maybe they can pass without root and without Magisk.

@matchboxbananasynergy

It's not possible if hardware attestation is used. Play Integrity API is moving to that, and it won't be spoofable, no matter what the OS does.
