1272 words
6 minutes
Play Integrity API: How It Works & How to Bypass It
2026-01-11
Mobile Pentest
Android-Pentest
/
Play-Integrity
/
Magisk

بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيم

Hey Folks

In this article, I will try to explain the concept of the Google Play Integrity API, why developers might use it, and how it can potentially be bypassed. However, before getting into all of that, we first need to understand an important concept called App Attestation.

What is App Attestation?#

Any application that uses APIs and transfers sensitive data needs to verify the integrity of the environment it is running in. Specifically, it must continuously ensure that:

  • The API requests are coming from a legitimate device
  • The device is not rooted
  • The application APK has not been modified or tampered with

To achieve this, the concept of App Attestation was introduced. Some developers use it as an additional security layer with traditional root detection mechanisms.

For example, even if you successfully bypass root detection using tools like Magisk modules, the application may still refuse to work. In most cases, this behavior is caused by app attestation checks failing.

To standardize and strengthen this mechanism, Google introduced Play Integrity as an official solution for app attestation.

What is Play Integrity API?#

Before the Play Integrity API existed, Google provided a set of APIs known as SafetyNet. it was used to perform app attestation, but it had several limitations and was not always reliable or accurate.

As a result, Google decided to replace SafetyNet with a more robust and modern solution: Play Integrity API.

According to the official documentation:

The Play Integrity API helps you check that user actions and server requests are coming from your genuine app, installed by Google Play, running on a genuine and certified Android device. By detecting risky interactions — like those from tampered app versions, untrustworthy devices, or emulated environments — your backend server can respond with appropriate actions to prevent abuse and unauthorized access, fight fraud, combat cheating, and protect users from attacks.

How Play Integrity API Works#

alt text

  1. First, the application requests Play Integrity API to perform an integrity check on the device.
  2. Google then collects various signals from the device, including software and, in some cases, hardware-based data. This information is sent in an encrypted form to googleapis.com. alt text
  3. Based on these collected signals, Google generates an verdict. The response is returned as a payload containing a JWT token, which includes all relevant information and is signed and encrypted by Google.
  4. The application receives this token and forwards it as-is to its backend server.
  5. The backend server verifies the token using Google’s public key to ensure that it was issued by Google. After verification, the server decrypts and parses the token to extract the verdict. alt text

Play Integrity Verdict Mechanisms#

The verdict returned by the Play Integrity API is based on three main integrity mechanisms:

  • App Integrity:
    • Verifies that the application has not been modified or tampered with.
    • This check returns the appIntegrity verdict.
  • Device Integrity:
    • Ensures that the device is genuine, certified, and not compromised (not rooted).
    • This check returns the deviceIntegrity verdict.
  • Account Integrity:
    • Indicates whether the application or game was installed or purchased through the official Google Play Store.
    • This check returns the accountDetails verdict.

The most important verdicts#

  • MEETS_BASIC_INTEGRITY: This ensures that the Attestation Token is generated by the genuine Google Play Services and cannot be easily forged or tampered with by external modifications.
  • MEETS_DEVICE_INTEGRITY: The app is running on a genuine and certified Android device.
  • MEETS_STRONG_INTEGRITY:  This requires MEETS_DEVICE_INTEGRITY and security updates in the last year for all partitions of the device, including an Android OS partition patch and a vendor partition patch.

Based on this verdict, the server decides how to handle the request. For example:

  • One application may trust MEETS_BASIC_INTEGRITY
  • Another may require MEETS_DEVICE_INTEGRITY
  • A third may enforce MEETS_STRONG_INTEGRITY

most applications typically consider MEETS_BASIC_INTEGRITY and MEETS_DEVICE_INTEGRITY to be sufficient.

How Play Integrity Can Be Bypassed#

Most Play Integrity bypass techniques rely on spoofing, Instead of sending the real device (rooted) properties or hardware fingerprint to the Play Integrity API, the application environment is manipulated to send the profile of a different, legitimate, and certified device. As a result, the integrity checks are evaluated against spoofed data rather than the actual device state.

From Google’s perspective, the primary mitigation strategy is to invalidate or block known device profiles or keybox once abuse is detected. However, this has effectively become an arms race whenever Google blocks a compromised profile, attackers switch to spoofing a new, clean one.

Hiding Root Detection#

Before anything else, we need to hide root from the device. Personally, I use the ReZygisk module, which you can download from its repository. You can also use any other Zygisk-based module, such as ZygiskNext.

  1. From Magisk settings, Make sure that Zygisk is disabled
  2. Ensure that Magisk Hide is enabled.
  3. Import the ReZygisk module to Magisk and reboot the device,

Bypass Play Integrity API#

Prerequisite#

I will use TrickyStore, Tricky Addon Modules, KSU Web UI APK, Play Integrity API Checker APK and Key Attestation APK

TrickyStore: it is used for spoofing and modifying the certificate chain generated for Android key attestation.
Tricky Addon : it is used to add some packages to target.txt.
alt text

KSU Web UI: to make configuration and editing easier from UI.

Play Integrity API Checker & Key Attestation: to check for Play integrity API

Bypass MEETS_DEVICE_INTEGRITY and MEETS_BASIC_INTEGRITY#

As we said befote, MEETS_DEVICE_INTEGRITY This specifically verifies the absence of root access, unlocked bootloaders, and system-level tampering. So to bypass it, we need to spoof the device profile using a legitimate device.

MEETS_BASIC_INTEGRITY is expected to be passed normally as long as there are no modifications by modules because it’s primary check to verify that you are not using an emulator and that the Attestation Token sent to Google was not directly intercepted or tampered with

alt text

However, once you start installing modules and making changes, it will no longer pass unless the modifications are done correctly so that both checks can pass.

As you can see, this is a screenshot after installing Magisk modules. alt text

Steps to Bypass Play Integrity API#

  1. Download These modules, import them into Magisk, and reboot the device.

  2. After that, from KSU Web UI, select TrickyStore alt text

  3. From menu choose Select All icon, then select Deselect Unnecessary, and click Save alt text

  4. From the Keybox, choose Valid to download a new keybox.xml alt text

keybox.xml is a file storing vendor security credentials used in the Key Attestation process. the modules use a spoofed or replaced copy of this file (taken from a genuine device) to trick integrity checks into believing the device is certified and has a locked bootloader, thus achieving MEETS_DEVICE_INTEGRITY. To learn more about it, you can read this article.

After that, check Play Integrity API Checker, Now MEETS_DEVICE_INTEGRITY and MEETS_BASIC_INTEGRITY have been successfully bypassed.

alt text

MEETS_STRONG_INTEGRITY Bypass#

As mentioned earlier, this verdict checks the security update level. to bypass it we need to spoofing a modern date for security patch, the module tricks Google’s integrity checks into believing the device is running the latest updates.

This manipulation is often necessary to successfully pass the strict MEETS_STRONG_INTEGRITY verdict, as Google may reject devices running significantly outdated patch levels.

  1. From the same TrickyStore menu, select Set Security Patch, then tap Get Security Patch Date, click Save, alt text

Afterward check Play Integrity API Checker. You will find that all checks have been successfully bypassed. alt text

Do not run Play Integrity API Checker too frequently, as Google may become suspicious of the keybox and block it. In that case, you will be forced to set a new valid keybox.xml.

When checking Key Attestation APK, you will find that the bootloader is locked. alt text

Finally#

The cat-and-mouse game continues — Google revokes abused keyboxes faster than ever, so private/fresh keyboxes are key (avoid widely shared ones) and follow active communities (XDA, Telegram groups for TrickyStore/PlayIntegrityFix, GitHub forks) for the latest working keyboxes and module updates.

This bypass is temporary by nature … enjoy it while it lasts, and stay aware that a future update could break it.

Thanks for reading! if you have any Questions, Feel free to reach out:

Play Integrity API: How It Works & How to Bypass It
https://m4kr0.vercel.app/posts/play-integrity-api-how-it-works--how-to-bypass-it/
Author
Adham A. Makroum
Published at
2026-01-11
License
CC BY-NC-SA 4.0
Flutter SSL Bypass: How to Intercept HTTPS Traffic When all other Frida Scripts Fail
© 2026 M4KR0. All Rights Reserved. / RSS / Sitemap