Android Fixes How-to Guides Root & Recovery

What is SafetyNet and How to Pass It – Complete Guide (2026)

📌 Quick Summary: SafetyNet was Google's original integrity-checking system that determined whether an Android device was trustworthy enough for sensitive apps like banking and payment services. However, SafetyNet was fully deprecated in January 2025 and has been replaced by the Play Integrity API . For rooted users, the goal has shifted from "passing SafetyNet" to "passing Play Integrity checks." This guide covers: (1) what SafetyNet was and why it mattered, (2) the Play Integrity API that replaced it, (3) how to check your device's integrity status today, and (4) step-by-step methods using Magisk and modules like Play Integrity Fix to pass integrity checks on rooted devices.

You unlock your bootloader, flash Magisk, and finally have root access. Then you open your banking app—and it refuses to run. Google Pay won't work. Netflix isn't available in the Play Store. This is integrity checking in action.

For years, Google's SafetyNet was the gatekeeper. It performed two main checks: Basic Integrity (detecting if the device was rooted or compromised) and CTS Profile Match (verifying the device matched a Google-certified profile) . Apps that handle sensitive data—banking, payments, streaming—would check SafetyNet and block access if the device failed .

But the landscape changed in 2025. Google fully deprecated SafetyNet and replaced it with the Play Integrity API . This new system consolidates multiple integrity checks into a single API and provides more nuanced verdicts: "VIRTUAL," "BASIC," and "STRONG" integrity levels .

This guide covers everything you need to know—both the history and the current reality. You'll learn how to check your device's integrity status, what the verdicts mean, and how to configure Magisk and its modules to pass integrity checks while maintaining root access.

Part 1: What Was SafetyNet?

SafetyNet was a suite of Google services and APIs designed to protect apps from security threats, including device tampering, malicious URLs, harmful apps, and impersonating users . For most users, the most visible part was the SafetyNet Attestation API, which app developers used to check a device's integrity .

How SafetyNet Worked

When an app wanted to verify a device's integrity:

  1. The app called the SafetyNet Attestation API with a unique number (nonce).
  2. The API checked the device's runtime environment and sent this information to Google's servers.
  3. Google's servers assessed the information and returned a signed attestation.
  4. The app forwarded this attestation to its own server for validation .

The Two Key Checks

  • Basic Integrity: Checked for common signs of system compromise, such as rooting or the presence of an su binary .
  • CTS Profile Match: Verified that the device's software and hardware profile matched a model that passed Google's Compatibility Test Suite (CTS), ensuring it conformed to official Android standards .

Why It Mattered: Apps like Google Pay, banking apps, and streaming services (Netflix, Disney+) used SafetyNet to ensure they weren't running on compromised devices where sensitive data could be stolen or content pirated.

🚨 CRITICAL UPDATE: SafetyNet Is Dead

The SafetyNet Attestation API was deprecated in 2022 and fully turned down in January 2025 . If you call the SafetyNet API today, it returns an error (status code 7: NETWORK_ERROR). All developers have migrated to the Play Integrity API, and discussions about "passing SafetyNet" are now historical .

Part 2: The Replacement – Play Integrity API

Google replaced SafetyNet with the Play Integrity API, which consolidates multiple integrity offerings under a single API . It's designed to provide stronger protections and deeper insights than SafetyNet ever could .

What Play Integrity API Checks

The Play Integrity API provides three main integrity verdicts:

Integrity Level What It Means Typical Rooted Device Result
MEETS_STRONG_INTEGRITY Device has strong integrity guarantees (locked bootloader, verified boot, no modifications) ❌ Fails (unlocked bootloader)
MEETS_BASIC_INTEGRITY Device passes basic integrity checks (no obvious signs of compromise like known rooting apps) 🟡 Possibly passes with proper hiding
MEETS_DEVICE_INTEGRITY Device is running on a Google-certified Android device with Play Services 🟡 Possibly passes with fingerprint spoofing

Additionally, the API can detect if the app was installed from the Play Store, if it's a genuine binary, and if the device is free from known malware .

Benefits Over SafetyNet

  • More nuanced signals: Instead of a simple pass/fail, developers get detailed integrity levels .
  • App licensing verification: Confirms the app was legitimately installed from Play Store .
  • Regular updates: Google actively maintains and improves the API .
  • Harder to bypass: More sophisticated detection makes it more difficult for rooted devices to pass .

Limitations of Play Integrity

Even for developers, Play Integrity has drawbacks:

  • Quota limits: Only 10,000 online checks per day by default (can be increased by request) .
  • Limited insights: Verdicts lack granular details, making false positives hard to diagnose .
  • Play Store dependency: Only works on Google-certified devices with Play Services .

Part 3: How to Check Your Device's Integrity Status (2026)

Before attempting to pass integrity checks, you need to know your current status. Several apps can test Play Integrity:

✅ Recommended Apps

  • YASNAC (Yet Another SafetyNet Attestation Checker): Despite the name, it now supports Play Integrity checks. Shows both BASIC and DEVICE integrity results.
  • Play Integrity API Checker: Various apps on the Play Store specifically designed to test the new API.
  • Root Checker apps: Many include integrity verification features.

What the Results Mean

When you run a check, you'll typically see:

  • MEETS_BASIC_INTEGRITY: YES/NO – This is the most important for rooted users. "YES" means your device isn't showing obvious signs of compromise.
  • MEETS_DEVICE_INTEGRITY: YES/NO – "YES" means your device is recognized as a certified Android device.
  • MEETS_STRONG_INTEGRITY: YES/NO – Almost always "NO" on rooted devices (requires locked bootloader).

Goal for most users: Pass BASIC_INTEGRITY and, if possible, DEVICE_INTEGRITY. STRONG_INTEGRITY is not required for most apps.

Part 4: How to Pass Integrity Checks on Rooted Devices

Passing integrity checks with an unlocked bootloader and root is a cat-and-mouse game. Google continuously updates Play Integrity, and the Magisk community continuously develops workarounds. The methods below are current as of 2026.

Prerequisites

  • Unlocked bootloader (see our bootloader unlocking guide).
  • Magisk installed and working (v28+ recommended).
  • Zygisk enabled in Magisk settings.
  • Basic understanding of flashing modules.

Step-by-Step Method

  1. Hide Magisk App
    • Open Magisk app → Settings → Tap "Hide the Magisk app"
    • Choose a new package name (randomized) – this prevents apps from detecting Magisk by its package name.
  2. Configure DenyList
    • In Magisk settings, enable "Enforce DenyList" (this hides root from selected apps).
    • Go to "Configure DenyList" and select all banking apps, Google Pay, and any other sensitive apps you use.
    • For better hiding, disable "Enforce DenyList" and use Shamiko module instead (see below).
  3. Install Play Integrity Fix Module

    The most essential module for passing integrity checks is the Play Integrity Fix (originally SafetyNet Fix, now updated for Play Integrity). This module works by:

    • Using Zygisk to inject code into Google Play Services .
    • Blocking key attestation, forcing Play Services to fall back to basic attestation .
    • Spoofing device fingerprint to pass CTS profile checks .

    Installation:

    • Download the latest Play Integrity Fix module from GitHub (search "Play Integrity Fix" or "safetynet-fix" on GitHub).
    • In Magisk app → Modules → Install from storage → Select the downloaded zip.
    • Reboot.
  4. Install Shamiko (Optional but Recommended)

    Shamiko is a Zygisk module that provides advanced root hiding capabilities beyond Magisk's built-in DenyList. It works in "blacklist" mode, hiding root from specified apps without breaking system functionality.

    • Download Shamiko from its official GitHub repository.
    • Install via Magisk Modules.
    • Note: When using Shamiko, disable "Enforce DenyList" in Magisk settings (but keep DenyList configured).
  5. Install MagiskHide Props Config (For Fingerprint Issues)

    If you still fail DEVICE_INTEGRITY, you may need to spoof a certified device fingerprint. MagiskHide Props Config allows you to change device properties to match a certified device .

    Usage:

    • Install the module and reboot.
    • Open a terminal or ADB shell and run props.
    • Follow the menu to select a certified device fingerprint (choose one close to your device).
    • Reboot and test again.
  6. Test with Integrity Checker App

    After all steps, run YASNAC or another Play Integrity checker. You should see:

    • MEETS_BASIC_INTEGRITY: YES
    • MEETS_DEVICE_INTEGRITY: YES (if fingerprint spoofing worked)

⚠️ IMPORTANT NOTES:

  • Play Integrity detection evolves. What works today may fail tomorrow. Check XDA forums for your device regularly.
  • Some banking apps have additional detection beyond Play Integrity (app integrity, debugging detection). You may need to use Island or Shelter to sandbox them.
  • Never install random "integrity fix" modules from untrusted sources. Use only well-known modules from reputable developers (Play Integrity Fix by kdrag0n and Displax, Shamiko by LSPosed team).

Part 5: Common Issues and Solutions

Issue Likely Cause Solution
BASIC_INTEGRITY fails Root not properly hidden; Magisk app not hidden Hide Magisk app, configure DenyList, install Shamiko
DEVICE_INTEGRITY fails (but BASIC passes) Device fingerprint not matching certified profile Install MagiskHide Props Config and spoof a certified fingerprint
Banking app still detects root App has additional detection (debugging, app integrity) Use Island/Shelter to sandbox the app; try different hiding modules
Play Integrity Fix module not working Outdated module; incompatible with Android version Update to latest version; check XDA for device-specific fixes
YASNAC shows "Query failed" Network issue; Play Services not updated Ensure internet connection; update Play Services; reboot

Part 6: The Cat-and-Mouse Game – Why Passing Isn't Permanent

Google continuously updates Play Integrity to detect new bypass methods. When a new bypass is found and widely used, Google patches it. This creates an ongoing cycle:

  1. Google releases Play Integrity update with stronger detection.
  2. Rooted users find their devices failing checks.
  3. Developers update modules (Play Integrity Fix, Shamiko) to work around the new detection.
  4. Users update modules and regain access.
  5. Repeat.

Practical implications:

  • Check XDA forums or module GitHub pages after major Google Play Services updates.
  • Keep your modules updated.
  • Consider using a dedicated device for rooted experimentation and keeping your daily driver (with banking apps) stock.

Frequently Asked Questions (FAQs)

1. Is SafetyNet still relevant in 2026?

No. SafetyNet was fully deprecated and turned down in January 2025 . Apps now use the Play Integrity API. If you see references to "SafetyNet" in older guides, they need to be updated to "Play Integrity."

2. Do I need to pass STRONG_INTEGRITY for banking apps?

No. Most banking apps and Google Pay only require BASIC_INTEGRITY and sometimes DEVICE_INTEGRITY. STRONG_INTEGRITY is typically only required for enterprise apps with the highest security requirements.

3. Will passing Play Integrity work for all apps?

Not necessarily. Some apps implement their own additional detection methods (checking for debugging flags, looking for known root apps, verifying app installation source). Play Integrity is just one layer.

4. Can I pass Play Integrity with an unlocked bootloader?

Yes, with the right setup. An unlocked bootloader alone doesn't automatically fail checks if root is properly hidden and you're using the Play Integrity Fix module . However, some apps may still detect the unlocked bootloader.

5. Do I need to relock my bootloader to pass?

No. Relocking is dangerous on custom ROMs and doesn't guarantee passing. The module-based approach is safer and more flexible.

6. What's the difference between Play Integrity Fix and MagiskHide?

MagiskHide (or DenyList) hides root from individual apps. Play Integrity Fix specifically targets Google Play Services to modify how integrity checks are performed . Both are often needed together.

7. My device passes checks but Google Pay still doesn't work. Why?

Google Pay has additional requirements: NFC must be working, the app must be installed from Play Store, and sometimes it checks for card compatibility. Try clearing Google Pay app data and re-adding your cards.

Conclusion: The New Reality of Android Integrity

SafetyNet was the gatekeeper for years, but its time has passed. In 2026, Play Integrity is the standard, and it's a tougher opponent for rooted users . The methods to bypass it are more complex and require more maintenance.

Your approach to integrity should be:

  1. Check your needs: Which apps actually require integrity? Many apps still work fine on rooted devices.
  2. Use the tools: Magisk, Play Integrity Fix, and Shamiko form the current standard stack.
  3. Stay updated: Follow module developers on GitHub or XDA for updates after Google Play Services releases.
  4. Accept the limitations: Some apps may never work on rooted devices, no matter what you try. For those, consider using a secondary device.

Before you start your integrity-passing journey, complete this checklist:

  • ☐ I have Magisk installed and working (v28+).
  • ☐ I have enabled Zygisk in Magisk settings.
  • ☐ I have hidden the Magisk app (randomized package name).
  • ☐ I have downloaded the latest Play Integrity Fix module from a trusted source.
  • ☐ I have downloaded Shamiko (optional but recommended).
  • ☐ I have configured DenyList for my sensitive apps.
  • ☐ I have an integrity checker app installed to verify results.

The cat-and-mouse game between Google and the root community continues. What works today may break tomorrow. But for now, with the right setup, you can enjoy both root access and working banking apps, Google Pay, and streaming services.

This article is for educational purposes only. Bypassing integrity checks may violate app terms of service. The author and platform assume no responsibility for apps that stop working, accounts that get locked, or devices that become unstable as a result of following these instructions. The information presented here is current as of March 2026 and is based on community-verified knowledge; it may become outdated as Google updates Play Integrity and as module developers release new versions.

Your path to passing integrity checks begins not with a module flash—but with accepting that root and security are inherently at odds, and you're choosing the flexibility of root over the guaranteed compatibility of stock.

Tags
URL Print Email

Post a Comment

[blogger][disqus][facebook]
GSM Tools & Files © 2016. All Rights Reserved.
Powered by Blogger

Author

MKRdezign

MathJax

Contact Form

Name

Email *

Message *

Powered by Blogger.
Javascript DisablePlease Enable Javascript To See All Widget