<center>![](https://files.peakd.com/file/peakd-hive/techcoderx/23tGXSzMPvgwP3ZqtUQdLk9CScBRcJg3zg7TQLEAs6Nta3GaN5xMD9wFjg3Uj39AF7epQ.png)</center>

I have been wanting to post this some time ago, figured that there is no better time than now as Google rolled out the [latest changes](https://developer.android.com/google/play/integrity/improvements) to the Play Integrity API yesterday that was [announced](https://android-developers.googleblog.com/2024/12/making-play-integrity-api-faster-resilient-private.html) a few months ago.

# What is this anyway?

It is the main way for most Android apps to check that the device where the apps are running on what they deem to be a "trusted environment", which generally means the device is running unmodified stock OS with locked bootloader and the app is downloaded from the official app store in the name of "security". This is commonly used by TradFi apps and some others like RCS, ChatGPT and Uber. Most of these apps require `DEVICE_INTEGRITY` to function properly.

Effective 20 May PDT, this check was made stricter on devices running Android 13 and above where `DEVICE_INTEGRITY` will require hardware attestation like the old `STRONG_INTEGRITY`, and the new `STRONG_INTEGRITY` will require a security patch no more than 12 months old.

# This isn't about security at all

The only thing this API provides to app devs is a false sense of security. It is totally possible to pass `STRONG_INTEGRITY` on old devices running Android 12 or below (which are unsupported today) that have plenty of security vulnerabilities that are unpatched and exploited in the wild. Meanwhile those running a custom operating system with up to date security patches can no longer pass `DEVICE_INTEGRITY` without some workaround that breaks within a few days if not within hours.

This is a way to force everyone to be on stock OS that is full of bloatware that almost no one uses and only makes your device run slower and reduces battery life. After all Google is just an advertising company that harvests your personal data as much as possible.

This is also part of planned obsolescence to force users to purchase a new device when official support runs out rather than having them to install a more secure and up to date custom OS of their choice to keep their perfectly functional device as long as possible.

# Cat and mouse game

On devices running Android 12 or below, the previous hack of installing [Play Integrity Fix](https://github.com/chiteroman/PlayIntegrityFix) Magisk module with a valid fingerprint from unbanned devices to achieve `DEVICE_INTEGRITY` will continue to function. This is no longer sufficient on Android 13+ devices as achieving `DEVICE_INTEGRITY` also require [Tricky Store](https://github.com/5ec1cff/TrickyStore) with a valid keybox and spoofing a locked bootloader. The keybox can only obtained from devices with a broken TEE chip or leaked from manufacturers and must contain a valid and unbanned signature from Google.

These leaked keyboxes are routinely banned once discovered which also affects Play Integrity verdicts of the actual devices with **locked** bootloaders. The remaining keyboxes will eventually run out some day.

Another workaround is to spoof the SDK version using PIF as version 32 (Android 12) or below, however it crashes Play Store and may cause system instability.

# Revert back to stock ROM?

Some users gave up rooting due to this and it may work for them. I run LineageOS 22 on my Pixel 4a [since day one](/hive-134220/@techcoderx/tpxiopoeuk) and will continue to do so. Not only will reverting to stock ROM puts it 2 years behind in security and OS updates, it makes the phone completely unusable as Google force pushed a software update earlier this year that reduced the battery capacity to less than half of original and launched a [battery performance program](https://consumerrights.wiki/Pixel_4a_Battery_Performance_Program) that this particular phone isn't eligible because it is a demo unit (which the seller where I bought it from did claim) even though it should be considered as "impacted devices" from its adb output.

The program provides a free battery replacement in eligible countries (which I do not currently reside in), a $50 compensation that requires KYC with some 3rd party payment processor that I have never heard of or a $100 coupon towards another Pixel device that can't be stacked with other offers.

This isn't the first time this happened, Apple did something similar by quietly slowing down older phones particularly the 6/6s. It will not be the last one either.

# Another case for crypto and FOSS

This is yet another case for permissionless crypto and FOSS as TradFi institutions and big tech are the largest beneficiaries of this API while screwing everyone else.

No crypto wallets that I know uses Play Integrity API today. It is obviously pointless for any FOSS application to use it as it can be easily forked by anyone to remove the check.

Until crypto gets mass adoption worldwide, this will remain the biggest issue when unlocking the bootloader and taking full ownership and control of your device. For instance, all banks in the country where I live are mandated to require the use of mobile banking apps to approve transactions (essentially [forced app download](https://consumerrights.wiki/Forced_app_download) and precursor to the CBDC agenda) and there is no other way around it.