Why not just impersonate the device to Google's safetynet and Google Pay

infinitieunique

Is it possible to make whatever function checks that the device is fit for GPay think that it is another device that actually is? I am not sure how it works but with root you can launch google pay, so why not just emulate the devices identity withing the Sandboxed Compatibility Layer? Is why you are not doing it somehow connected to you getting into legal trouble over this?

Dumdum

infinitieunique
A lengthy discussion can be found here: https://github.com/GrapheneOS/os-issue-tracker/issues/1986

Here's a snippet from thestinger (Daniel Micay) in June:

They can trivially block any spoofing we do because they submit GPU fingerprints, etc. and don't use them for direct enforcement but rather only to monitor spoofing and choose when to block it when it's being done at scale. They block it with primitive checks instead of the more advanced techniques like GPU fingerprinting right now, but they could start directly enforcing the more advanced techniques. It's not realistic to do anything about this in a production OS which needs to keep working properly. We could dedicate substantial development resources to spoofing it as part of sandboxed Google Play (which is more involved than spoofing it for privileged Google Play because a lot of what it tries to do fails permission checks, etc.) but then they can quickly block it and likely will. We have over 200k users in total, and if around half of them use sandboxed Google Play then that's going to trigger around 100k devices submitting spoofed basic integrity attestations which still fail strong integrity. Play Store does this itself to filter apps marked as requiring Play Integrity to avoid users giving bad ratings.

infinitieunique

Dumdum I kinda am missing the important piece of the puzzle here. I dont understand the basic principle behind all those checks. How do they work? What is CTS? Can't the condition somewhere in the code be changed to always return "true" for the checks to always be "valid"? It seems like some advanced discussion, but I am not really knowledgeable to understand it on a basic level. Where do I even start?

missing-root

Most importantly: Google doesnt use Safetynet anymore.

Afaik Safetynet was possible to bypass 1. by spoofing, and 2. By pretending that the device has no secure element and then spoofing.

https://github.com/kdrag0n/safetynet-fix/releases/tag/v2.4.0

They simply disabled hardware attestation, as Google doesnt really care about insecure android phones with no support for that. They only care about their enforced Google ecosystem being fully present on Android.

The Play Integrity check is only possible for devices that ship AOSP+Google apps + whatever changes they want, afaik.

GrapheneOS does many changes to AOSP and also doesnt ship Google Apps as system apps, which makes it incompatible currently.

All we can do is get powerful representatives to take this seriously and force Google, or at least App devs, to either allow GrapheneOS as a "Google certified OS" or make an exception for play integrity for GrapheneOS.

Like the EU, which is a pretty broken and corrupt system though. The GDPR is a thing and it works though. So this would be totally possible.

Apps like Payback and other random things already dont work anymore, and people rely on them in the EU.