One of the tools available to Android developers to ensure the security of their applications is the set of integrity checks provided through the Play Integrity API. These checks allow developers to verify if a device meets certain security and integrity standards. The three main levels of checks are:
- MEETS_DEVICE_INTEGRITY: This check verifies whether the device is using official and unmodified Android firmware with a locked bootloader. It represents the highest level of security, ensuring the device is in a fully trusted state.
- MEETS_BASIC_INTEGRITY: This check is more general and verifies whether the device is in a reasonably secure state. Devices with official firmware or non-rooted custom ROMs with an unlocked bootloader pass this check.
- MEETS_STRONG_INTEGRITY: This is the most stringent check. In addition to the requirements of MEETS_DEVICE_INTEGRITY, it verifies that the device has passed Google’s Strong Integrity verification, which includes confirming the hardware-backed security key. Only devices meeting the highest security standards, such as Android stock devices with official firmware and a locked bootloader, pass this check.
Here is an overview of how these checks are handled on different types of devices:
- Devices with Android stock firmware and locked bootloader: Pass all three checks (MEETS_DEVICE_INTEGRITY, MEETS_BASIC_INTEGRITY, MEETS_STRONG_INTEGRITY).
- Devices with Android stock firmware and unlocked bootloader: Pass only MEETS_BASIC_INTEGRITY. They do not meet MEETS_DEVICE_INTEGRITY and MEETS_STRONG_INTEGRITY due to the unlocked bootloader.
- Devices with custom ROM and unlocked bootloader: Generally pass only MEETS_BASIC_INTEGRITY, but they might fail even this check if the firmware is not configured according to Google’s standards.
- Devices with custom ROM, unlocked bootloader, and root: Do not pass any of the three checks, as root represents a significant modification that compromises the device’s integrity according to Google’s standards.
These levels of checks help developers make informed decisions about how to manage access to their apps. For example, a payment app might require MEETS_STRONG_INTEGRITY to ensure it is only used on fully secure devices, while a gaming app might settle for MEETS_BASIC_INTEGRITY to reduce the risk of fraud or unauthorized modifications.
How to verify which Play Integrity checks your device pass
In order to verify which Play Integrity checks your device pass open Play Store → Settings (About → tap version number 7 times), now you are a developer.
In Play Store Settings go to General → Developer options, under Play Integrity tap “check integrity” and check labels.
Alternatively, there are also Android apps like Play Integrity API Checker or TB Checker available on Play Store to verify Play Integrity checks.
How to pass PlayIntegrityFix checks
PlayIntegrityFix (PIF) is a module available on GitHub that tries to fix Play Integrity verdicts to get a valid attestation.
The module is not made to hide root, nor to avoid detections in other apps. It only serves to pass Device verdict in the Play Integrity tests and certify your device.
In order to use the module you must have root (with Magisk or KernelSU or APatch) and Zygisk enabled / ZygiskNext module installed, read Tutorial section.
After flashing and reboot your device, you can check PlayIntegrity verdicts how described previously. The device should pass MEETS_DEVICE_INTEGRITY, MEETS_BASIC_INTEGRITY checks.
How to also pass MEETS_STRONG_INTEGRITY check?
This is the most stringent check, requiring that the device with Google Play Services must have a strong guarantee of system integrity such as a hardware-backed proof of boot integrity and for Android 13 or later devices requires to have a security update in the last year, and the bootloader must be locked.
It is possible to attempt to pass this check using the procedure described in this article.
