Fairphone 6 with official build does not pass integrity checks

Hello,

I have several issues on my Fairphone 6 I’ve flashed to /e/os. I’ve used the official image and locked the bootloader.
I cannot do sensible operation through my bank (Crédit Mutuel) because it needs Google notifications (sadly). I thought microG through Cloud Messaging would do that.
For work, I need Microsoft Authenticator, I do not receove notificationw as well. It’s ok because I can check it manually but still surprising.
I cannot use France identité at all, it is a recuring issue, but on an official build with locked bootloader seems to work for many.
I can’t use MAIF application, I assume because I have a big warn that says my phone is insecure

When trying to investigate, I noticed the fairphone has only MEETS_BASIC_INTEGRITY on an integrity check

10000015091116×2484 72 KB

And I cannot generate a Key attestation, I have the error :
This device does not support key attestation or the trusted environment on this device is broken.
Solution: Consult the device manufacturer whether the device supports key attestation function and the destruction conditions of the trusted environment, such as unlocking the bootloader.

Detailed messages:
java.security.ProviderException: Failed to generate key pair.
android.security.KeyStoreException: -49 (internal Keystore code: -49 message: system/security/keystore2/src/security_level.rs:680 Caused by: 0: system/security/keystore2/src/security_level.rs:674: While generating without a provided attestation key and params: [KeyParameter { tag: r#KEY_SIZE, value: Integer(256) }, KeyParameter { tag: r#ALGORITHM, value: Algorithm(r#EC) }, KeyParameter { tag: r#EC_CURVE, value: EcCurve(r#P_256) }, KeyParameter { tag: r#PURPOSE, value: KeyPurpose(r#SIGN) }, KeyParameter { tag: r#DIGEST, value: Digest(r#NONE) }, KeyParameter { tag: r#DIGEST, value: Digest(r#SHA_2_256) }, KeyParameter { tag: r#NO_AUTH_REQUIRED, value: BoolValue(true) }, KeyParameter { tag: r#ACTIVE_DATETIME, value: DateTime(1752040840336) }, KeyParameter { tag: r#ORIGINATION_EXPIRE_DATETIME, value: DateTime(1752041840336) }, KeyParameter { tag: r#USAGE_EXPIRE_DATETIME, value: DateTime(1752042840336) }, KeyParameter { tag: r#CERTIFICATE_NOT_AFTER, value: DateTime(2461449600000) }, KeyParameter { tag: r#CERTIFICATE_NOT_BEFORE, value: DateTime(0) }, KeyParameter { tag: r#CERTIFICATE_SERIAL, value: Blob([1]) }, KeyParameter { tag: r#CERTIFICATE_SUBJECT, value: Blob([48, 31, 49, 29, 48, 27, 6, 3, 85, 4, 3, 19, 20, 65, 110, 100, 114, 111, 105, 100, 32, 75, 101, 121, 115, 116, 111, 114, 101, 32, 75, 101, 121]) }, KeyParameter { tag: r#ATTESTATION_CHALLENGE, value: Blob([87, 101, 100, 32, 74, 117, 108, 32, 48, 57, 32, 48, 56, 58, 48, 48, 58, 52, 48, 32, 71, 77, 84, 43, 48, 50, 58, 48, 48, 32, 50, 48, 50, 53]) }, KeyParameter { tag: r#ATTESTATION_ID_BRAND, value: Blob([70, 97, 105, 114, 112, 104, 111, 110, 101]) }, KeyParameter { tag: r#ATTESTATION_ID_DEVICE, value: Blob([70, 80, 54]) }, KeyParameter { tag: r#ATTESTATION_ID_PRODUCT, value: Blob([108, 105, 110, 101, 97, 103, 101, 95, 70, 80, 54]) }, KeyParameter { tag: r#ATTESTATION_ID_MANUFACTURER, value: Blob([70, 97, 105, 114, 112, 104, 111, 110, 101]) }, KeyParameter { tag: r#ATTESTATION_ID_MODEL, value: Blob([70, 97, 105, 114, 112, 104, 111, 110, 101, 32, 54]) }, KeyParameter { tag: r#CREATION_DATETIME, value: DateTime(1752040840372) }, KeyParameter { tag: r#ATTESTATION_APPLICATION_ID, value: Blob([48, 78, 49, 40, 48, 38, 4, 32, 105, 111, 46, 103, 105, 116, 104, 117, 98, 46, 118, 118, 98, 50, 48, 54, 48, 46, 107, 101, 121, 97, 116, 116, 101, 115, 116, 97, 116, 105, 111, 110, 2, 2, 0, 132, 49, 34, 4, 32, 31, 101, 14, 196, 16, 62, 60, 202, 173, 248, 202, 226, 10, 129, 105, 59, 145, 119, 238, 164, 168, 243, 94, 160, 224, 174, 20, 235, 250, 114, 196, 249]) }]. 1: Error::Km(r#SECURE_HW_COMMUNICATION_FAILED))

And safetynet test fails :

10000015101116×2484 105 KB

However, for Microg everything is fine :

10000015111116×2484 172 KB

I don’t know if I’m the only one, if I should reinstall /e/os, if this is a bug, if it is just complex to match all those requirements.

Probably better to install fairphone stock android ;- )

• have you tried factory reset? Which eOS version installed?
• have you activated all mircroG options and added Google credentials?

@Manoj Can you please check forum device topic, seems messed up

I chose /e/os because I don’t like Google and don’t want to depend on it (I was using iOS before just for this reason). It’s just I’ve searched a little on these issues and I’m surprised that it doesn’t work on a fairphone 6 with official release, given that it works for a lot of/e/os user.

I haven’t tried yet to reset the phone, I’d like to know if it works for some users before reinstalling everything for nothing.

I use 3.0.2-a15-20250627504414-official-FP6 and all microg options are activated. I’ve connected a google account on Microg, probably try to remove the account if can once everything’s set.

I’m technical but new to Android, so I try to understand how everything is related and what tradeoff there is using /e/os on different apps

You discovered many of the things which crop up for /e/OS users. I do not think you made significant mistakes in your analysis.

Many come to /e/OS with a strong aversion to anything Google and are happy to work around handicaps of using a Google built system with Google removed. It will not be fully auto magical there will be things which don’t work.

I can see this difficult to come to terms with when your first experience is an expensive new phone but wish you good luck in your journey.

Ok fine, I can get around for some of them, however for integrity checks, I thought microG was supposed to do the work.
I understand well for Google notifications that if the app have no fallback, it just won’t work. It’s just a choice of wether I want Goovle to receive my bank notifications…

MicroG does not emulate all Google Play services. It does enough to use all but a few Google Play apps. You can even buy apps provided you have a payment method set up in your Google account. However some apps will only run on an OEM version of Android. The option is to conform to the app or possibly gain access to your bank through a web browser. I know I can do that with my bank in USA. I don’t have to use an app, a web browser can do the same thing, but It depends on the bank.

I solved some issues, I enabled the option on microG to ask me before an app could register with Cloud Messaging. And it did trigger something and a lot of apps asked me to register. I then reinstalled my banking app and I could enable everything for sensitive operations. I do rely on Google, but my bank notifications are just to confirm operations, there is no sensitive data in notifications, that’s an acceptable compromise.
I’m still surprised to not have integrity checks passing, I saw a lot of users in this forum that could install apps like France Identité on previous Fairphone versions, which requires integrity checks to pass and key attestation to work. Given the collaboration between /e/os and because they succeeded in previous Fairphone versions, I thought they found a way to make it work, but maybe devs still have issues to fix or the hardware is different and does not allow it or Google changed something and it is not working anymore.

I see that you posted here Signature of the Calendar app does not match - #10 by Pato it seems to me that this build is at least “ususual” … whatever the unusuality turns out to be … it could account for other teething problems which I would not want to speculate on without the device.

Bonjour,

J’ai le même problème avec l’appli de ma banque sur un Fairphone 6 acheté avec /e/OS préinstallé.
Qu’elle soit installée par App Lounge ou Aurora Store, elle me dit qu’elle n’a pas été installée par le Google Play Store et refuse de fonctionner.
Pourtant elle fonctionne sur mon ancien Galaxy S9 avec /e/OS.

J’ai testé SafetyNet et Play Integrity API Checker sur les deux téléphones et… j’ai le même résultat alors que l’appli fonctionne d’un côté et pas de l’autre !
Est-ce que MicroG remplit bien son rôle sur le FP6 ? Je ne sais pas mais entre ça et l’absence de zoom sur l’appareil photo, j’ai l’impression que cette version d’/e/OS n’est pas encore très au point !

I had another feedback like that on the FP6. After reading a lot, I think it is because of the end of SafetyNet and its replacement by Play Integrity :

It seems MicroG doesn’t take in charge Play Integrity. It seems to be possible to fake it by rooting the device and install Magisk : https://xdaforums.com/t/detailed-guide-play-integrity-fix-use-banking-apps-on-rooted-android.4739042/

I tried Magisk (with init_boot to be a bit technical), it works (I have root access) but it breaks the Integrity checks. I tried Apatch, it works nicely but Play Integrity Fix give me only basic or evennothing. With the basic checks, it is still enough for most apps including Identité Numérique, but not Boursorama.

Boursorama doesn’t work with the FP6 (because not installed by Google Play, it says) but works fine on my Galaxy S9 (/e/OS 3.0.4-t Android 13) with the same version of MicroG and installed with Aurora Store…
There is a more recent version of MicroG on GitHub (april 2025) but not integrated yet in the last version of /e/OS (july 2025).
Perhaps in the next release ?

Hey,
it is the same for me on FP6. Key attestation under e.os is working on another phone without problem, but not with FP6.
I hope it gets solved.

FP6 official got released as userdebug build. Wait one or two releases for this to get ironed out (to user build, then no adb root), then device integrity could meet criteria (assuming it’s relocked too).

Why do you need this? I use Aegis with Azure at work.

@tcecyk Your insights, always welcome. Thanks for pointing out such things

There are things working now, including my notifications issues, including Microsoft Authenticator. I checked the option to ask my permission for notifications, all apps asked and it is perfectly working now.
Can’t use some apps requiring integrity checks, however, banking apps are working, so it’s not a big issue. Thanks @tcecyk for your answer, it gives hopes that it will be solved in the near future, it should be great after that.

Bonjour à tous
J’utilise également un FP6 avec e/os pré installé. L’appli Crédit Mutuel s’est installée correctement et fonctionne. Par contre il m’est impossible de lier l’appli Credit Mutuel Pay avec l’appli Crédit Mutuel. Il manque le bouton de validation de l’option dans l’appli principale. Pour information j’utilisais Credit Mutuel Pay avec mon FP2 sous e/os sans problème !
@Pato utilises-tu l’appli Credit Mutuel Pay permettant d’effectuer des paiements directement avec le smartphone ?
Merci de ton retour.

Non, je n’ai pas réussi, ça me redirige vers ma carte dans l’appli Crédit Mutuel et là rien… Donc si j’ai bien compris, le même soucis que toi

Oui j’ai exactement le même comportement. Après essai sur un autre appareil sur lequel cela fonctionne, on devrait avoir un bouton sous l’image de la carte. C’est curieux que la même appli se comporte différemment suivant l’appareil ou le contexte.

Just for your interest, same ‘issue’ on Fp5. I am currently on 3.0.4 official, installed by myself and locked, everything looks ok, beside no device integrity pass.

But I am a new user, cannot say if this is "normal’ nor needed this until now, furthermore I have no Google account linked, using all ‘anonym’ - I thought this possibly is the reason but I did no further tests.