Red Team
December 28, 2024 · 18 min read

Google Play Integrity API: How It Works & How to Bypass It

Deep dive into Google Play Integrity API, understanding app attestation mechanisms, device integrity verdicts, and practical techniques to bypass MEETS_DEVICE_INTEGRITY and MEETS_STRONG_INTEGRITY checks during Android security testing.

Asfaleia Team, Security Consultant

What is Play Integrity API?

Play Integrity API is Google's current app attestation service and the successor to SafetyNet Attestation, which Google deprecated in its favor. It lets an app's backend check that a request came from an unmodified app binary installed from Google Play, running on a genuine Android device with Google Play services.

Key Concept: App Attestation

App attestation ensures API requests come from unmodified apps on non-rooted, certified devices. Even if root is hidden from the app itself with Magisk, Play Integrity can still report tampering, because the verdict is produced by Google Play services and Google's servers from device signals (including hardware key attestation), not by code inside the app.

How Play Integrity Works

Play Integrity API Flow Diagram

Client Side

  • App asks Google Play services for an integrity token, supplying a nonce (or request hash) issued by its own backend
  • Google Play services collects device and app signals and Google's servers compute the verdict
  • App receives an opaque token: an encrypted JWE wrapping a signed JWT
  • App forwards the token, unchanged, to its backend

Server Side

  • Decrypts the token (via Google's decode endpoint, or locally with the app's decryption key)
  • Verifies Google's signature on the inner JWT
  • Extracts the verdict values and checks nonce, package name, signing certificate and timestamp
  • Makes the access decision

Evolution of Android Attestation

1. SafetyNet Era (2014-2022): initial app attestation API with CTS profile matching. Had reliability issues and was easier to bypass.

2. Hardware Attestation (2017+): introduction of hardware-backed key attestation for stronger device verification.

3. Play Integrity Launch (2022): Google replaces SafetyNet with the more robust Play Integrity API with multiple verdict levels.

4. Keybox Spoofing (2023+): community develops TrickyStore and similar tools to spoof hardware attestation credentials.

5. Arms Race (2024-Present): ongoing cat-and-mouse game between Google revocations and new bypass techniques.


Play Integrity Verdicts

The API returns a list of device verdict levels; a device that meets a stronger level also carries the weaker ones in that list. Most apps require at least MEETS_DEVICE_INTEGRITY.

  • Basic Integrity: passes basic system integrity checks; a valid token was issued
  • Device Integrity: genuine, Play Protect certified device
  • Strong Integrity: hardware-backed boot integrity plus recent security patches
  • App Integrity (a separate verdict, not a device level): unmodified APK recognized by Google Play

MEETS_BASIC_INTEGRITY

The token came from a real Google Play services instance on a device that passes basic system integrity checks. The device may still be uncertified, rooted or bootloader-unlocked, so on its own this verdict proves very little.

MEETS_DEVICE_INTEGRITY

The device is a genuine Android device running Google Play services that passes system integrity checks and meets Android compatibility requirements: in practice a Play Protect certified device with a locked bootloader and no detected root.

MEETS_STRONG_INTEGRITY

Requires device integrity plus a hardware-backed proof of boot integrity (hardware key attestation) and, under Google's updated verdict rules, security patches from within the last year on all checked partitions (OS and vendor).
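The server-side half of the flow above, and how the verdict levels turn into an access decision, as an added example (not the article's code and not Google's server library). It assumes the opaque token has already been decrypted and signature-checked (via Google's decode endpoint or local JWE/JWS decryption) and works on the resulting JSON payload; the field names follow the documented token layout, while the package name, certificate digest, nonce and clock value are constructed sample data.

```python
"""Server-side consumer of a decoded Play Integrity token payload.

Assumes the caller already decrypted the JWE and verified Google's signature
on the inner JWT; `payload` is that decoded JSON. All sample values are made up.
"""
import secrets
import time

# Device verdict levels, weakest to strongest. A token lists every level the
# device met, so a device with strong integrity carries all three strings.
LEVELS = ("MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY")


def highest_level(device_verdicts):
    """Strongest entry of deviceRecognitionVerdict, or None if the list is empty."""
    met = [lvl for lvl in LEVELS if lvl in device_verdicts]
    return met[-1] if met else None


def check_integrity_payload(payload, *, expected_package, expected_cert_digests,
                            expected_nonce, required_level="MEETS_DEVICE_INTEGRITY",
                            max_age_ms=5 * 60 * 1000, now_ms=None):
    """Validate a decoded token against what this backend expects; returns (ok, reasons)."""
    reasons = []
    req = payload.get("requestDetails", {})
    app = payload.get("appIntegrity", {})
    dev = payload.get("deviceIntegrity", {})
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms

    # 1. Binding: the token must answer the nonce this server issued for this
    #    request; otherwise a token captured from any other request replays.
    if not secrets.compare_digest(str(req.get("nonce", "")), expected_nonce):
        reasons.append("nonce mismatch: token was not issued for this request")

    # 2. Freshness: timestampMillis arrives as a decimal string.
    try:
        issued = int(req.get("timestampMillis", "0"))
    except ValueError:
        issued = 0
    if not 0 <= now_ms - issued <= max_age_ms:
        reasons.append("token outside the freshness window")

    # 3. Which app asked: both sections must name our package.
    if req.get("requestPackageName") != expected_package:
        reasons.append("requestPackageName mismatch")
    if app.get("packageName") != expected_package:
        reasons.append("appIntegrity.packageName mismatch")

    # 4. App integrity: recognized by Play and signed with our release key.
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app not recognized by Play: %s" % app.get("appRecognitionVerdict"))
    if not set(app.get("certificateSha256Digest", [])) & set(expected_cert_digests):
        reasons.append("signing certificate digest mismatch")

    # 5. Device integrity: at least the level this endpoint requires.
    verdicts = dev.get("deviceRecognitionVerdict", [])
    if required_level not in verdicts:
        reasons.append("device verdict %s below required %s"
                       % (highest_level(verdicts) or "NONE", required_level))
    return (not reasons, reasons)


def access_decision(payload, **expectations):
    """Graded decision: a device-level shortfall alone gets a step-up challenge
    (a legitimate user on an uncertified phone can still prove identity another
    way); a binding, freshness or app-identity failure is a hard deny."""
    ok, reasons = check_integrity_payload(payload, **expectations)
    if ok:
        return "allow"
    if all(r.startswith("device verdict") for r in reasons):
        return "step_up"
    return "deny"


# Constructed sample values; a real digest is the base64url SHA-256 of the signing cert.
APP_PACKAGE = "com.example.bank"
APP_CERT_DIGEST = "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkI"
SERVER_NONCE = "c2Vzc2lvbi0xMjM0LW5vbmNl"
CLOCK_MS = 1735344000000  # fixed clock so the example is deterministic


def sample_payload(device_verdicts=None, nonce=SERVER_NONCE, issued_ms=CLOCK_MS - 30_000):
    """Decoded token as a certified device running our app would produce it."""
    if device_verdicts is None:
        device_verdicts = list(LEVELS)
    return {
        "requestDetails": {"requestPackageName": APP_PACKAGE, "nonce": nonce,
                           "timestampMillis": str(issued_ms)},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": APP_PACKAGE,
                         "certificateSha256Digest": [APP_CERT_DIGEST], "versionCode": "42"},
        "deviceIntegrity": {"deviceRecognitionVerdict": device_verdicts},
        "accountDetails": {"appLicensingVerdict": "LICENSED"},
    }


EXPECT = dict(expected_package=APP_PACKAGE, expected_cert_digests=[APP_CERT_DIGEST],
              expected_nonce=SERVER_NONCE, now_ms=CLOCK_MS)

if __name__ == "__main__":
    print(access_decision(sample_payload(), **EXPECT))                                   # allow
    print(access_decision(sample_payload(["MEETS_BASIC_INTEGRITY"]), **EXPECT))          # step_up
    print(access_decision(sample_payload(nonce="token-captured-elsewhere"), **EXPECT))   # deny
```

Two points the flow diagram does not make explicit: the nonce is what stops a token captured from one session from being replayed in another, and the device verdict should be only one input to the decision. A keybox-spoofed device, as shown later in this article, produces a payload that passes every check in this function, which is exactly why the verdict belongs in a defense-in-depth policy rather than being the sole gate.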

Bypass Methodology

The bypass relies on spoofing what the device reports to Google. Instead of presenting the rooted device's own hardware attestation, which shows an unlocked bootloader, the device presents attestation credentials taken from a legitimate, certified device.

Bypass Steps

1. Hide Root: ReZygisk + Magisk Hide (the DenyList in Magisk 24 and later)

2. Install Modules: TrickyStore + Tricky Addon

3. Spoof Keybox: supply a valid keybox.xml taken from a certified device

4. Patch Date: spoof the security patch level so MEETS_STRONG_INTEGRITY also passes

Before Bypass: Failed Checks

On a rooted device, Play Integrity checks fail by default:

Initial state (root detected): Play Integrity check failed
After Magisk (root hidden): Play Integrity check still failing

The Problem

Traditional root hiding isn't enough. Magisk Hide and the DenyList only hide root from the app's own process; Play Integrity's verdict is computed by Google Play services and Google's servers from device signals, including hardware key attestation, which reports the real bootloader and verified-boot state regardless of what the app can see.

Required Tools

Magisk Modules

  • ReZygisk - Zygisk implementation
  • TrickyStore - keybox spoofing
  • Tricky Addon - package management and configuration front end for TrickyStore
  • Magisk Hide - root concealment (the DenyList in Magisk 24 and later)

Verification Apps

  • Play Integrity API Checker
  • Key Attestation APK
  • KSU Web UI - configuration
  • Root Checker (optional)

Tricky Addon Module

Step-by-Step Bypass Process

1. Open TrickyStore in the KSU Web UI

2. Select the target apps and deselect the rest (only the selected packages receive the spoofed attestation)

3. Download a valid keybox.xml

What is keybox.xml?

keybox.xml holds the attestation key pairs and certificate chains (chained to Google's hardware attestation root) that an OEM provisions into a device's secure hardware. Key attestation uses them to sign a certificate describing the device's real state, including whether the bootloader is locked and verified boot succeeded. TrickyStore replaces the device's own chain with the one from the supplied keybox and rewrites the attested state for the selected apps, so a verifier sees a certificate from a genuine certified device reporting a locked bootloader. The keybox must come from a certified device and must not yet have been revoked by Google.
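What the keybox swap actually changes, from the verifier's side, as an added example (not the article's code and not TrickyStore's). The bootloader and verified-boot claims live in the RootOfTrust part of the Android key attestation certificate extension (OID 1.3.6.1.4.1.11129.2.1.17). The block hand-encodes and parses just that DER structure so it runs without an ASN.1 library; the surrounding certificate parsing and chain validation to Google's attestation root are assumed to be done by the caller. The revocation lookup follows the layout of Google's published attestation status list (a JSON object whose "entries" map is keyed by certificate serial in hex), but the serial numbers, boot keys and revocation entries here are constructed.

```python
"""RootOfTrust from the Android key attestation extension, and the server-side
check that a leaked keybox defeats until Google revokes it.

DER layout (from the attestation schema):
  RootOfTrust ::= SEQUENCE {
      verifiedBootKey   OCTET STRING,
      deviceLocked      BOOLEAN,
      verifiedBootState ENUMERATED { Verified(0), SelfSigned(1), Unverified(2), Failed(3) },
      verifiedBootHash  OCTET STRING }
"""
VERIFIED, SELF_SIGNED, UNVERIFIED, FAILED = range(4)


def _tlv(tag, body):
    """Encode one DER tag-length-value with a short or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def _read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def encode_root_of_trust(boot_key, device_locked, boot_state, boot_hash):
    """Build the RootOfTrust SEQUENCE as the secure hardware would emit it."""
    body = (_tlv(0x04, boot_key)
            + _tlv(0x01, b"\xff" if device_locked else b"\x00")   # DER BOOLEAN TRUE is 0xFF
            + _tlv(0x0A, bytes([boot_state]))                    # ENUMERATED
            + _tlv(0x04, boot_hash))
    return _tlv(0x30, body)


def parse_root_of_trust(der):
    """Parse the SEQUENCE back into a dict; rejects anything but the four fields."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("RootOfTrust must be a single SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        fields.append((t, v))
    if [t for t, _ in fields] != [0x04, 0x01, 0x0A, 0x04]:
        raise ValueError("unexpected RootOfTrust layout")
    key, locked, state, boot_hash = (v for _, v in fields)
    return {"verifiedBootKey": key, "deviceLocked": locked != b"\x00",
            "verifiedBootState": state[0], "verifiedBootHash": boot_hash}


def attestation_acceptable(rot, leaf_serial_hex, revocation_list):
    """Server-side policy: locked, verified boot, and the attesting key not revoked.

    `revocation_list` mirrors Google's status list layout:
    {"entries": {"<serial hex>": {"status": "REVOKED", "reason": "KEY_COMPROMISE"}}}
    """
    if not rot["deviceLocked"] or rot["verifiedBootState"] != VERIFIED:
        return False, "bootloader unlocked or boot not verified"
    entry = revocation_list.get("entries", {}).get(leaf_serial_hex.lower())
    if entry and entry.get("status") == "REVOKED":
        return False, "attestation key revoked: " + entry.get("reason", "")
    return True, "ok"


# Constructed samples: a rooted device's own chain, and a leaked keybox's chain.
ROOTED_DEVICE = encode_root_of_trust(bytes(32), False, UNVERIFIED, bytes(32))
LEAKED_KEYBOX = encode_root_of_trust(bytes.fromhex("11" * 32), True, VERIFIED, bytes.fromhex("22" * 32))
LEAKED_SERIAL = "00a1b2c3d4e5f60718293a4b5c6d7e8f"  # constructed leaf certificate serial
REVOKED_LIST = {"entries": {LEAKED_SERIAL: {"status": "REVOKED", "reason": "KEY_COMPROMISE"}}}


def demo():
    """Same leaked chain before and after Google revokes it."""
    return {
        "rooted_own_chain": attestation_acceptable(parse_root_of_trust(ROOTED_DEVICE), "0101", {"entries": {}}),
        "leaked_keybox_unrevoked": attestation_acceptable(parse_root_of_trust(LEAKED_KEYBOX), LEAKED_SERIAL, {"entries": {}}),
        "leaked_keybox_revoked": attestation_acceptable(parse_root_of_trust(LEAKED_KEYBOX), LEAKED_SERIAL.upper(), REVOKED_LIST),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The rooted device's own chain fails on deviceLocked alone; the leaked keybox's chain says exactly what a genuine locked device would say and passes until its serial appears on the revocation list. That window is the bypass, and it is also why a verifier that checks the chain but never fetches the revocation list is much weaker than one that does.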

Result: Device Integrity Bypassed

✓ MEETS_DEVICE_INTEGRITY passed (screenshot: MEETS_DEVICE_INTEGRITY bypassed)

Bypass MEETS_STRONG_INTEGRITY

4. Set the security patch date

Final Result: All Checks Bypassed

✓ All integrity checks passed
✓ Key Attestation now reports the bootloader as locked

Success!

All three verdict levels (BASIC, DEVICE, STRONG) are now bypassed. The device appears as a genuine, certified Android device with a locked bootloader.

Important Warnings

Rate Limiting

Don't run integrity checks more often than needed. Leaked keyboxes are shared across many devices; once Google detects one being abused it revokes the attestation key, and every device relying on that keybox fails device integrity again.

Legal Disclaimer

This information is for security research and authorized testing only. Bypassing Play Integrity without authorization may violate terms of service.

Value for Security Testing

Why Testers Need This

  • Test app behavior on rooted devices
  • Verify server-side validation
  • Assess defense-in-depth
  • Complete mobile pentests

Developer Recommendations

  • Don't rely solely on Play Integrity
  • Implement server-side checks
  • Handle integrity failures gracefully
  • Monitor for suspicious patterns

Key Takeaway

Understanding Play Integrity bypass is essential for mobile security assessments. It demonstrates why apps need defense-in-depth rather than relying on a single attestation mechanism.

Original Research Credit: This article is based on research by Adham A. Makroum (M4KR0)

Tags: Android Security, Play Integrity, Mobile Pentesting, Root Detection Bypass, App Attestation, SafetyNet, Magisk
