It is possible to bypass Play Integrity on most devices (even at the "strong" level) using a sewing needle.
Specifically, you poke the data lines of the memory bus to induce bitflips, much like I described in https://www.da.vidbuchanan.co.uk/blog/dram-emfi.html
This is trickier if your device has the DRAM mounted directly on top of the CPU, but still possible - you'll need to do some BGA rework to get a wire soldered to one of the DQ lines.
Once you get a physical memory read/write primitive, you can start patching the kernel. Play Integrity does not detect this, since it only attests the state of the kernel at boot. I chose to patch out the permission checks related to ptrace, allowing me to inject frida-gadget into running apps, and to inject shellcode into pid 1.
The initial exploit is pretty unreliable, and usually takes a few reboots to hit. But once it lands, the device is pwned until the next reboot - like a "tethered jailbreak".
I tested this on a Samsung A06 because it was the cheapest device supporting Play Integrity I could get my hands on, but there's no fundamental reason it shouldn't work on any other device, including flagships. Some mitigations would require a different exploit strategy (e.g. memory encryption), but the fundamental flaw is still there.
Much like DRM, the point is that we shouldn't have to fight this BS in the first place.
Play Integrity will only get more advanced, though.