
Conversation

@TheFreeman193 TheFreeman193 commented Feb 4, 2025

This adds the spoofVendingSdk advanced option to custom.pif.json which, when enabled, spoofs the build SDK level for Play Store (com.android.vending). It is disabled by default.

When spoofVendingSdk is set to 1, PIFork spoofs SDK level 32 for Play Store. Values higher than 1 will spoof that SDK level. PIFork will not spoof an SDK level higher than the device's real one, as this is likely to cause instability.

Additionally, killgms.sh has been replaced with killpi.sh which stops both DroidGuard and Play Store processes. Stopping both processes is necessary to see changes to new Play Integrity verdicts.

Context

Play Integrity verdicts are changing in May 2025 for devices running Android 13 and later, and will require a locked bootloader for MEETS_DEVICE_INTEGRITY. The new Play Integrity system uses signals from both DroidGuard and Play Store. When Play Store sees an SDK level less than 33, Play Integrity returns the legacy (pre-Android 13) verdicts. This spoofing feature may help in getting MEETS_DEVICE_INTEGRITY verdicts when the bootloader is unlocked.

Known Issues

Devices will experience degraded functionality in Play Store when this feature is enabled:

  • Back gesture/nav button from within the Play Store exits directly to homescreen for all
  • Blank account sign-in status and broken app updates for ROMs A14+
  • Incorrect app variants may be served for all
  • Full Play Store crashes for some setups

We're investigating ways to rectify this.

Squashed: Add spoofVendingSdk for forcing new PI legacy verdicts
Squashed: Move vending SDK spoof to EntryPointVending, replace killgms.sh with killpi.sh
@osm0sis (Owner) commented Feb 5, 2025

Brilliant work! 😍

I'd be happy to merge this as an undocumented feature for testing purposes as-is, would just need to "undocument" it a bit by removing it from the scripts' --advanced outputs for now until the Play Store issues can be addressed.

Also would be tidier if it could somehow not touch vending at all unless the feature was enabled, but not sure how possible that is with how the Zygisk JNI works.. 🤔

@TheFreeman193 (Author) commented
I don't think we can have Zygisk dlclose the entire module for vending before it's forked from Zygote without moving the readJson() processing to preAppSpecialize, but we can certainly turn off JNI loading the custom classes. Since class loading is dynamic in Java this would leave everything inside the ART untouched when disabled.

Something along the lines of:

    // Only load the custom classes when some spoof is enabled, or when
    // DroidGuard needs logFields() because verbose logging is turned up.
    if ((spoofBuild + spoofProvider + spoofSignature + spoofVendingSdk > 0) ||
        (pkgName == "com.google.android.gms.unstable" && verboseLogs > 99))
        inject();

This would have the added benefit of not loading the custom classes for DroidGuard either when field, signature, and provider spoofing are all turned off, unless logFields() is needed.
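As an added example (not PIFork's own code, and not part of either comment above), the following C++ models two things the thread describes: how a spoofVendingSdk value from custom.pif.json resolves to an SDK level reported to Play Store (1 means 32, larger values mean that level, never above the device's real level, 0 means disabled), and the per-process decision of whether to inject the custom classes at all. Function and struct names (resolveVendingSdk, shouldInject, SpoofConfig) are hypothetical, and narrowing the injection check so that Play Store only looks at spoofVendingSdk while DroidGuard only looks at build/provider/signature spoofing and verboseLogs is an assumption this example makes, not something the posted snippet does.

```cpp
// Added example, not PIFork code. Names below are hypothetical.
#include <cassert>
#include <iostream>
#include <string>

// Settings as they would be read from custom.pif.json (assumed layout).
struct SpoofConfig {
    int spoofBuild;
    int spoofProvider;
    int spoofSignature;
    int spoofVendingSdk;
    int verboseLogs;
};

// SDK level to report to Play Store for a given spoofVendingSdk setting.
// Returns 0 when no spoofing should be done.
int resolveVendingSdk(int spoofVendingSdk, int deviceSdk) {
    if (spoofVendingSdk <= 0) return 0;              // disabled (the default)
    int target = (spoofVendingSdk == 1) ? 32 : spoofVendingSdk; // 1 means "use 32"
    // Never report a level above the device's real one; the PR notes
    // that doing so is likely to cause instability.
    if (target > deviceSdk) target = deviceSdk;
    return target;
}

// Play Store falls back to the legacy (pre-Android 13) verdicts when it
// sees an SDK level below 33.
bool legacyVerdictPath(int reportedSdk) {
    return reportedSdk > 0 && reportedSdk < 33;
}

// Whether the custom classes should be loaded into this process at all.
// Assumption: each package only cares about the settings that apply to it.
bool shouldInject(const SpoofConfig& c, const std::string& pkgName) {
    if (pkgName == "com.android.vending") {
        // Play Store: only the SDK spoof is relevant here.
        return c.spoofVendingSdk > 0;
    }
    if (pkgName == "com.google.android.gms.unstable") {
        // DroidGuard: any field/provider/signature spoof, or verbose
        // logging that needs logFields().
        bool anySpoof = (c.spoofBuild + c.spoofProvider + c.spoofSignature) > 0;
        return anySpoof || c.verboseLogs > 99;
    }
    return false; // any other process is left untouched
}

int main() {
    // Constructed sample: a device on SDK 34 with spoofVendingSdk=1.
    const int deviceSdk = 34;
    int reported = resolveVendingSdk(1, deviceSdk);
    std::cout << "Play Store would see SDK " << reported
              << (legacyVerdictPath(reported) ? " (legacy verdicts)" : "") << "\n";

    SpoofConfig cfg{0, 0, 0, 1, 0};
    std::cout << "inject into vending: " << shouldInject(cfg, "com.android.vending") << "\n";
    std::cout << "inject into DroidGuard: "
              << shouldInject(cfg, "com.google.android.gms.unstable") << "\n";
    return 0;
}
```

The clamp in resolveVendingSdk is the piece worth checking on a device that is itself below SDK 32: a setting of 1 then reports the real level rather than 32, which still keeps Play Store on the legacy path.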

TheFreeman193 and others added 2 commits February 5, 2025 18:36
- No longer loads custom classes if not needed for respective packages
- Renames isGmsUnstable to isDroidGuardOrVending
- Removes spoofVendingSdk from migrate/autopif scripts (don't document yet)
- Adds missing setAccessible() call for early return in EntryPointVending.init()
- Adds missing set of spoofSignature -> 0 for vending
@osm0sis osm0sis marked this pull request as ready for review February 7, 2025 04:23
- Run logFields only when spoofProvider, spoofBuild, or spoofSignature is on
- Simplify log outputs; PS -> Play Store, DG -> DroidGuard
@osm0sis osm0sis merged commit 11e2629 into osm0sis:main Feb 8, 2025
1 check passed
@TheFreeman193 TheFreeman193 deleted the vending-sdk branch February 8, 2025 22:14