Play Integrity should be supported over the remote DroidGuard functionality and there should be documentation how to set up a phone as a DroidGuard server.
Why?
While existing solutions allow getting a sufficiently passing Play Integrity token with a non-integrity-compliant device, there is the following problems that come with it:
- the requirement for a rooted phone,
- running the integrity-checking code from google on your phone that's purposefully obfuscated and fetched at runtime,
- running strange bypassing software with root permissions, like the closed-source TrickyStore and
- all of this has to permanently be kept up-to-date in line with updates to Play Integrity to stay passing
This is tedious, never-ending work that everyone rather avoids.
If you're a busy person it's also not really feasible. Imagine coming out of a cinema with your friends and heading for a rentable scooter only to realize you're device doesn't pass Play Integrity anymore.
If PI would work over another device, like an old, stock one you still have at home, it would fix these problems.
It would also open the oppurtunity for commercial integrity-attestation offerings, where you would like pay monthly and they then allow you to use their devices over a server which then serves valid integrity tokens to your device.
How to implement?
remote droidguard currently does not work for play integrity due to play integrity using a multi step droidguard process and the implementation only supports single step (which is used by most other things that use droidguard).
(#2851 (comment))
This issue was edited because it was traced to being a Play Integrity issue at #2851 (comment).
See
initial Dott/Firebase sms verification issue report
Affected app
Name: Dott
Package id: com.ridedott.rider
Describe the bug
Signing in or signing up fails, seemingly because of a firebase error
To Reproduce
Steps to reproduce the behavior:
- get Dott
- Click on sign up
- enter phone number
- click sign up
Expected behavior
sends sms verification or proceeds in general
Screenshots
sign up error page
dott vehicle coverage
System
Android Version: 15
Custom ROM: LineageOS+microg 22.1
microG
microG Core version: 0.3.6.244735
microG Self-Check results: All ticked
Additional context
full logcat of an app start and signup attempt, filtering out all logs, except those coming from com.ridedott.rider with personal or identifying information replaced by [...]:
dott 06_04-09-30-30_733.log
Likely critical lines from the log:
1743924520.834 10285 20276 23037 W LocalRequestInterceptor: Error getting App Check token; using placeholder token instead. Error: com.google.firebase.FirebaseException: Error returned from API. code: 403 body: App attestation failed.
1743924521.066 10285 20276 23037 E FirebaseAuth: [SmsRetrieverHelper] SMS verification code request failed: unknown status code: 17499 Firebase App Check token is invalid.
1743924521.067 10285 20276 20276 D FirebaseAuth: Invoking original failure callbacks after phone verification failure for (my phone number), error - An internal error has occurred. [ Firebase App Check token is invalid. ]
microg Google device registration is enabled, as is cloud messaging and "SafetyNet".
my device meets basic integrity and device integrity, uses sdk level 35
Possibly related: #1967, #1281
Play Integrity should be supported over the remote DroidGuard functionality and there should be documentation how to set up a phone as a DroidGuard server.
Why?
While existing solutions allow getting a sufficiently passing Play Integrity token with a non-integrity-compliant device, there is the following problems that come with it:
This is tedious, never-ending work that everyone rather avoids.
If you're a busy person it's also not really feasible. Imagine coming out of a cinema with your friends and heading for a rentable scooter only to realize you're device doesn't pass Play Integrity anymore.
If PI would work over another device, like an old, stock one you still have at home, it would fix these problems.
It would also open the oppurtunity for commercial integrity-attestation offerings, where you would like pay monthly and they then allow you to use their devices over a server which then serves valid integrity tokens to your device.
How to implement?
This issue was edited because it was traced to being a Play Integrity issue at #2851 (comment).
See
initial Dott/Firebase sms verification issue report
Affected app
Name: Dott
Package id: com.ridedott.rider
Describe the bug
Signing in or signing up fails, seemingly because of a firebase error
To Reproduce
Steps to reproduce the behavior:
Expected behavior
sends sms verification or proceeds in general
Screenshots
sign up error page
dott vehicle coverage
System
Android Version: 15
Custom ROM: LineageOS+microg 22.1
microG
microG Core version: 0.3.6.244735
microG Self-Check results: All ticked
Additional context
full logcat of an app start and signup attempt, filtering out all logs, except those coming from com.ridedott.rider with personal or identifying information replaced by
[...]:dott 06_04-09-30-30_733.log
Likely critical lines from the log:
microg Google device registration is enabled, as is cloud messaging and "SafetyNet".
my device meets basic integrity and device integrity, uses sdk level 35
Possibly related: #1967, #1281