Hacktricks-skills play-integrity-bypass

Android pentesting skill for bypassing Play Integrity API attestation (SafetyNet replacement). Use this skill whenever you need to test Android app security, bypass device attestation checks, achieve MEETS_BASIC_INTEGRITY/MEETS_DEVICE_INTEGRITY/MEETS_STRONG_INTEGRITY, or work with root hiding and key attestation spoofing. Trigger this for any Android security testing involving Play Integrity, SafetyNet, device certification, or app attestation validation.

install

source · Clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

manifest: skills/mobile-pentesting/android-app-pentesting/play-integrity-attestation-bypass/SKILL.MD

source content

Play Integrity Attestation Bypass

A guide for Android security researchers to bypass Play Integrity API checks during application pentesting.

What Play Integrity Does

Play Integrity is Google's SafetyNet successor for app attestation. The flow:

App calls the Play Integrity API
Google Play Services gathers software/hardware signals
Sends encrypted data to
```
googleapis.com
```
Google returns a JWT (signed and encrypted)
App forwards token to backend
Backend validates signature with Google's public key, decrypts payload, enforces policy

Key Verdict Fields

Field	Purpose
`appIntegrity`	APK build/signature match (no repack/tamper)
`deviceIntegrity`	Genuine & certified device, locked bootloader, no root/system tamper
`accountDetails`	Installation via Google Play

Commonly Enforced Flags

MEETS_BASIC_INTEGRITY
: Token generated by genuine Play Services (not emulator/tampered transport)
MEETS_DEVICE_INTEGRITY
: Genuine/certified device, bootloader locked, no root/system tamper
MEETS_STRONG_INTEGRITY
: Requires
```
DEVICE
```
plus recent security patches on all partitions (OS + vendor)

Bypass Model

Instead of forging Google's JWT (impossible), spoof the signals Google evaluates so they correspond to a different, legitimate device profile.

Attack Chain

Hide root so local checks and Play Services probes don't see Magisk/su
Replace the key attestation certificate chain (
```
keybox.xml
```
) with one from a genuine device so Play Integrity sees a certified/locked device
Spoof the security patch level to satisfy
```
MEETS_STRONG_INTEGRITY
```

Important: Google mitigates by revoking abused keyboxes; rotation is required when a keybox is blocked.

Prerequisites & Tooling

Required Tools

Tool	Purpose	Link
ReZygisk	Root hiding (or ZygiskNext)	https://github.com/PerformanC/ReZygisk
TrickyStore	Key attestation spoofing (Magisk module)	https://github.com/5ec1cff/TrickyStore
Tricky Addon	Target list for TrickyStore	https://github.com/KOWX712/Tricky-Addon-Update-Target-List
KSU Web UI	UI helper to drive TrickyStore	https://github.com/adivenxnataly/KsuWebUI

Validation Tools

Tool	Purpose
Play Integrity API Checker	Verify integrity flags
Key Attestation	Check bootloader/attestation chain

Background Reading

Procedure: Achieve MEETS_BASIC_INTEGRITY + MEETS_DEVICE_INTEGRITY

Step 1: Install Root Hiding

Install ReZygisk (or ZygiskNext) Magisk module
In Magisk: Disable Zygisk, Enable Magisk Hide
Reboot device

Step 2: Install TrickyStore Modules

Flash TrickyStore Magisk module
Flash Tricky Addon Magisk module
Reboot device

Step 3: Configure TrickyStore

Open KSU Web UI
Navigate to
```
TrickyStore
```
→
```
Select All
```
```
Deselect Unnecessary
```
(keep core system apps)
Save configuration

Step 4: Inject Valid Keybox

In KSU Web UI, go to
```
Keybox
```
section
Choose Valid to download/apply a new
```
keybox.xml
```
This file contains vendor attestation credentials from a certified/locked device
The attestation chain is now spoofed

Step 5: Verify

Run Play Integrity API Checker
Confirm
```
MEETS_BASIC_INTEGRITY
```
= PASS
Confirm
```
MEETS_DEVICE_INTEGRITY
```
= PASS
In Key Attestation APK, verify bootloader shows as locked

Procedure: Achieve MEETS_STRONG_INTEGRITY

STRONG

integrity fails on outdated patch levels. TrickyStore can spoof a modern security patch date for all partitions.

Step 1: Set Security Patch

In TrickyStore (via KSU Web UI), pick Set Security Patch
Select Get Security Patch Date (fetches current date)
Save configuration

Step 2: Verify

Re-run Play Integrity API Checker
Confirm
```
MEETS_STRONG_INTEGRITY
```
= PASS

Operational Notes

Revocation Risk

Hitting the API repeatedly with the same
```
keybox.xml
```
can flag and block it
If blocked, replace with a fresh valid keybox
Monitor for
```
MEETS_DEVICE_INTEGRITY
```
failures as a sign of revocation

Keybox Management

Publicly shared keyboxes burn fast (get revoked quickly)
Keep private copies of working keyboxes
Track community module updates (XDA/Telegram/GitHub) for new working chains
Rotate keyboxes periodically during extended testing

Scope Limitations

This bypass only spoofs attestation inputs
Backend signature verification by Google still succeeds because the JWT itself is genuine
Does not bypass
```
appIntegrity
```
checks (APK signature verification)
Does not bypass backend business logic checks

Troubleshooting

Issue	Likely Cause	Solution
`MEETS_BASIC_INTEGRITY` fails	Root not hidden	Verify ReZygisk installed, Zygisk disabled, Magisk Hide enabled
`MEETS_DEVICE_INTEGRITY` fails	Keybox revoked or invalid	Download fresh keybox, check TrickyStore configuration
`MEETS_STRONG_INTEGRITY` fails	Patch level not spoofed	Run "Set Security Patch" in TrickyStore
Bootloader shows unlocked	Keybox not applied	Re-inject keybox, reboot, verify in Key Attestation APK

Security Research Context

This technique is used for:

Testing Android app security controls
Understanding attestation bypass vectors
Red teaming mobile applications
Security research and education

Always obtain proper authorization before testing any application or device.