Back to Paid GitHub Issues

Paid GitHub Issues

[BOUNTY] Support Play Integrity over remote DroidGuard + Server/Guide [$35]

microg/GmsCore

72
Score
Summary
USD 35.00
Repository
microg/GmsCore
Stars
13811
Comments
39
Platform
GitHub
Difficulty
Medium
Scam risk
Low
Status
open
Firebasebounty

Description

Play Integrity should be supported over the _remote DroidGuard_ functionality and there should be documentation how to set up a phone as a DroidGuard server. **Why?** While existing solutions allow getting a sufficiently passing Play Integrity token with a non-integrity-compliant device, there is the following problems that come with it: - the requirement for a rooted phone, - running the integrity-checking code from google on your phone that's purposefully obfuscated and fetched at runtime, - running strange bypassing software with root permissions, like the closed-source TrickyStore and - all of this has to permanently be kept up-to-date in line with updates to Play Integrity to stay passing This is tedious, never-ending work that everyone rather avoids. If you're a busy person it's also not really feasible. Imagine coming out of a cinema with your friends and heading for a rentable scooter only to realize you're device doesn't pass Play Integrity anymore. If PI would work over another device, like an old, stock one you still have at home, it would fix these problems. It would also open the oppurtunity for commercial integrity-attestation offerings, where you would like pay monthly and they then allow you to use their devices over a server which then serves valid integrity tokens to your device. **How to implement?** - [ ] Fix: > remote droidguard currently does not work for play integrity due to play integrity using a multi step droidguard process and the implementation only supports single step (which is used by most other things that use droidguard). (https://github.com/microg/GmsCore/issues/2851#issuecomment-3435884995) - [ ] Write a _remote DroidGuard server_ to handle the requests - [ ] Create a guide/docs on how to set it up - [ ] Either - make it run on stock phones or - create software that manages all the integrity-bypassing software on the custom-rom 'server device' so that it's always passes. as far as i know to make a custom phone pass you need: - microG / GApps - [Magisk](https://github.com/topjohnwu/Magisk) or [KernelSU](https://github.com/tiann/KernelSU) - [PlayIntegrityFix](https://github.com/KOWX712/PlayIntegrityFix) - [TrickyStore](https://github.com/5ec1cff/TrickyStore) <br /> This issue was edited because it was traced to being a Play Integrity issue at https://github.com/microg/GmsCore/issues/2851#issuecomment-3432997022. See <details><summary>initial Dott/Firebase sms verification issue report</summary> **Affected app** Name: Dott Package id: com.ridedott.rider **Describe the bug** Signing in or signing up fails, seemingly because of a firebase error **To Reproduce** Steps to reproduce the behavior: 1. get Dott 2. Click on sign up 3. enter phone number 4. click sign up **Expected behavior** sends sms verification or proceeds in general **Screenshots** <details><summary>sign up error page</summary> ![screenshot](https://github.com/user-attachments/assets/0938e413-1873-480a-a396-a598fcd98e47) </details> <details><summary>dott vehicle coverage</summary> ![screenshot](https://github.com/user-attachments/assets/59c7d003-1954-41be-8fc1-43956a17f4a6) </details> **System** Android Version: 15 Custom ROM: LineageOS+microg 22.1 **microG** microG Core version: 0.3.6.244735 microG Self-Check results: All ticked **Additional context** full logcat of an app start and signup attempt, filtering out all logs, except those coming from com.ridedott.rider with personal or identifying information replaced by `[...]`: [dott 06_04-09-30-30_733.log](https://github.com/user-attachments/files/19620636/dott.06_04-09-30-30_733.log) Likely critical lines from the log: ``` 1743924520.834 10285 20276 23037 W LocalRequestInterceptor: Error getting App Check token; using placeholder token instead. Error: com.google.firebase.FirebaseException: Error returned from API. code: 403 body: App attestation failed. 1743924521.066 10285 20276 23037 E FirebaseAuth: [SmsRetrieverHelper] SMS verification code request failed: unknown status code: 17499 Firebase App Check token is invalid. 1743924521.067 10285 20276 20276 D FirebaseAuth: Invoking original failure callbacks after phone verification failure for (my phone number), error - An internal error has occurred. [ Firebase App Check token is invalid. ] ``` microg Google device registration is enabled, as is cloud messaging and "SafetyNet". my device meets basic integrity and device integrity, uses sdk level 35 Possibly related: https://github.com/microg/GmsCore/issues/1967, https://github.com/microg/GmsCore/issues/1281 </details>

Open original source