
[INFO] Play Integrity API - replacement for SafetyNet

 1 year ago
source link: https://forum.xda-developers.com/t/info-play-integrity-api-replacement-for-safetynet.4479337/page-26#post-88614533
FYI: Migration deadline (for app developers) and full turndown deadlines for SafetyNet Attestation API have been extended.

Migration Deadline: End of January 2024
Full Turndown: End of January 2025
Ah ... so the final end of Life As We Know It (regarding rooting and modding) has been postponed for an extra year.

This gives developers more time to turn their otherwise non-banking apps into banking-like apps which are crippled or don't run at all under root.

We should enjoy our apps on our rooted devices now, while we still can.

Bro...

This changes literally nothing. Most contemporary apps have already been migrated to Play Integrity. Developers have always had the ability to use SafetyNet attestation to determine device and OS integrity. Play Integrity does the exact same thing. It is completely up to the app developers to require hardware-backed attestation, vis-à-vis MEETS_STRONG_INTEGRITY, and nothing is changing regarding that. I do not know of any apps that require that result; all of the apps that otherwise detect root are doing so via their own methods completely outside of Google Play Services.

The SafetyNet turndown has not, does not, and will not affect our ability to use everyday root or our ability to spoof basic/device integrity responses.
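Whether MEETS_STRONG_INTEGRITY is demanded is a server-side policy decision by the app developer, as the post says. The Python below is an added example written for this thread, not code from the post or from Google's Play Integrity libraries. It assumes the integrity token has already been decoded on the server into the JSON payload shape the API documents (requestDetails, appIntegrity, deviceIntegrity); the package name, nonce and timestamp in the sample payload are constructed values.

```python
"""Check a decoded Play Integrity verdict against an app's own policy."""
import json
import time

# Tiers as they appear in deviceIntegrity.deviceRecognitionVerdict, weakest first.
# A device that reaches a stronger tier is reported with the weaker tiers as well,
# so "device integrity" devices carry BASIC and DEVICE but not STRONG.
TIERS = ("MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY")


def evaluate_verdict(verdict, expected_package, expected_nonce, required_tier,
                     now_ms=None, max_age_ms=10 * 60 * 1000):
    """Return (accepted, reasons) for a decoded verdict payload (a dict).

    required_tier is the app's own policy: the verdict only reports which tiers
    the device meets, it never decides for the app.
    """
    if required_tier not in TIERS:
        raise ValueError(f"unknown tier {required_tier!r}")
    reasons = []
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms

    # The token must be bound to this app and to this request (nonce), and be fresh,
    # otherwise a verdict obtained elsewhere could be replayed.
    req = verdict.get("requestDetails", {})
    if req.get("requestPackageName") != expected_package:
        reasons.append("package name mismatch")
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch (token not bound to this request)")
    ts = int(req.get("timestampMillis", 0))
    if not (0 <= now_ms - ts <= max_age_ms):
        reasons.append("token too old or timestamp in the future")

    app = verdict.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append(f"app not recognized by Play: {app.get('appRecognitionVerdict')}")

    reported = set(verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    if required_tier not in reported:
        reasons.append(f"{required_tier} not met (reported: {sorted(reported) or 'none'})")

    return (not reasons, reasons)


# Constructed sample payload (hypothetical package, nonce and timestamp): a device
# that meets the basic and device tiers but not MEETS_STRONG_INTEGRITY.
SAMPLE_VERDICT = json.loads("""{
  "requestDetails": {"requestPackageName": "com.example.bank",
                     "nonce": "aGVsbG8td29ybGQ",
                     "timestampMillis": "1700000000000"},
  "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                   "packageName": "com.example.bank", "versionCode": "42"},
  "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY",
                                                   "MEETS_DEVICE_INTEGRITY"]},
  "accountDetails": {"appLicensingVerdict": "LICENSED"}
}""")

if __name__ == "__main__":
    now = 1700000000000 + 5000  # five seconds after the sample token was issued
    for tier in TIERS:
        ok, why = evaluate_verdict(SAMPLE_VERDICT, "com.example.bank",
                                   "aGVsbG8td29ybGQ", tier, now_ms=now)
        print(f"policy {tier}: {'accept' if ok else 'reject'} {why}")
```

Run as a script it shows the same sample device passing a MEETS_DEVICE_INTEGRITY policy and failing a MEETS_STRONG_INTEGRITY one; the nonce and freshness checks are what stop a verdict captured from one request being reused for another.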

Not bs... The hardware is required:

It is "required" to make people panic and buy new hardware. I have 2 systems, one which only has Legacy BIOS and one with a third generation Intel Core i chip, which also doesn't have any kind of TPM/TCM chip equipped (TCM is the Chinese-based version of TPM, I think you've known that already).

The first system is a Sony Vaio laptop, which did an upgrade from Windows 10 1511 to 21H2 via the official ISO; all programs and user data were kept. It also did an upgrade to an early version of 22H2 via that same method and it did work. Updating to later builds keeps failing, so later 22H2 builds may actually need a UEFI-based system; I don't have a spare computer to confirm this myth.

The second system, as I said, doesn't have any kind of TPM chip present and can still receive the latest canary builds via registry and temp file bypassing by injecting a dummy .dll file. It has Secure Boot turned off, but I have to admit that it boots via UEFI, so the hard UEFI requirement may be correct for the latest updates. Earlier builds? Not so much.

The "requirement" here probably implies that you would receive/ clean install windows 11 via windows update/official ISO seamlessly without any tinkering, not meaning it's critical for windows 11 to actually boot and function on your computer.

As I said, I don't know much about this, but MS says UEFI is required and I can't update my old Pentium machine with Win 10... Says hardware not compatible. On the other hand my wife and daughter's later laptops update with no issues... I might look into your dummy .dll method sometime; thanks for the info.

However just as Google stipulated hardware requirements for CTS/VTS certification including basic keystore implementations before even Android 6.0 (Android already had a simple, hardware-backed crypto services API, provided by versions 0.2 and 0.3 of Keymaster HAL), long before ever using it to attest to device integrity, it seems that MS is doing the same for Windows machines with UEFI...

Just from Googling it seems MS is requiring UEFI hardware to better support large drive sizes (3TB+) and OS on SSD among other things going forward... Windows was UEFI compatible from Windows 7 (x64)/ Windows Server 2008 (x64) and UEFI is expected to replace traditional bios completely in the near future...

Apparently TPM 2.0 provides PCs with a modern hardware root-of-trust to help protect from both common and sophisticated attacks like ransomware and more sophisticated attacks from nation-states and elevates the standard for hardware security by requiring that built-in root-of-trust. (David Weston, director of enterprise and OS security at Microsoft blog post)

Like Google, MS does not have only secure boot attestation in mind when setting minimum hardware requirements. These machines require a hardware TEE OS just like Android/ARM in order to decode DRM content, store and analyse biometric data etc etc securely, and TPM's purpose is to protect encryption keys, user credentials, and other sensitive data behind a hardware barrier.

Even the fact that MS may not require secure boot components to be running on Win 11+ machines does NOT make the hardware requirements stupid... Secure boot attestation ability is only part of the picture; the hardware / TPM cryptographic keys may in fact be used by a raft of other functions and processes required on modern devices, and like Android MS sets minimum requirements. PW

Few cents on Windows Secure Boot and TPM:

Secure Boot can be validated in System Information, by PC Health or in PowerShell:
https://www.howtogeek.com/283803/how-to-check-if-secure-boot-is-enabled-on-your-pc/

It can be also validated programmatically by the following code (C#):
Code:
using System;
using Microsoft.Win32;

// Reads the UEFISecureBootEnabled DWORD from the registry: 1 when Secure Boot
// is on, 0 when it is off, and absent on legacy BIOS machines.
Func<bool> verifySecureBoot = () =>
{
  var rc = 0;
  try
  {
    var key = @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\State";
    var subkey = @"UEFISecureBootEnabled";
    // The third argument is the default returned when the value does not exist.
    var value = Registry.GetValue(key, subkey, rc);
    if (value is not null)
      rc = (int) value;
  }
  catch { }  // a missing key or access error is treated as "not enabled"
  return !rc.Equals(0);
};

var secureBoot = verifySecureBoot();
Console.WriteLine("UEFISecureBootEnabled: {0}", secureBoot.ToString());
Screenshots attached

Windows PowerShell:
- Start
- Search for PowerShell
- right click, Run as Administrator

Execute (first command for Secure Boot, second for TPM):
Code:
Confirm-SecureBootUEFI
 
Get-Tpm
