Sends malformed request to https://android.googleapis.com/auth/devicekey breaking Google Translate (and likely others)

[infinity0]

Was working; broke a few months ago. adb logcat shows that MicroG is sending a "malformed request" to Google:

11-22 10:22:23.879 10895 17148 D GmsHttpFormClient: device=<REDACTED>&app=com.google.android.gms&cert=<REDACTED>&app_ver=223616050&X-subscription=<REDACTED>&X-X-subscription=<REDACTED>&X-subtype=<REDACTED>&X-X-subtype=<REDACTED>&X-scope=DeviceKeyRequest&X-app_ver_name=0.2.25.223616&target_ver=29&sender=<REDACTED>
--------- beginning of system
11-22 10:22:23.887  1371 18211 W NotificationService: notification 0|de.blinkt.openvpn|1346787898|null|10175 added an invalid shortcut
11-22 10:22:23.888  1371  1758 W NotificationService: notification 0|de.blinkt.openvpn|1346787898|null|10175 added an invalid shortcut
11-22 10:22:23.913  1040 16882 E sensors-hal: handle_sns_std_sensor_event:281, wise_light: lux 456 ,period 35 ms, data c 0
11-22 10:22:23.934 10895 17148 D GmsHttpFormClient: -- Response --
11-22 10:22:23.934 10895 17148 D GmsHttpFormClient: token=<REDACTED>
11-22 10:22:23.951 10895  3803 D AppCertManager: Request: DeviceKeyRequest{droidGuardResult=<REDACTED>
11-22 10:22:23.951 10895  3803 D AppCertManager: <base64, REDACTED>
11-22 10:22:23.951 10895  3803 D AppCertManager: <base64, REDACTED>
[.. etc ..]
11-22 10:22:23.951 10895  3803 D AppCertManager: <base64, REDACTED>
11-22 10:22:23.951 10895  3803 D AppCertManager: <base64, REDACTED>
11-22 10:22:23.951 10895  3803 D AppCertManager: onId=<REDACTED>, versionInfo=VersionInfo{sdkVersion=32, gmsVersion=223616050}, token=<REDACTED>
11-22 10:22:23.951 10895  3803 D AppCertManager: <base64, REDACTED>}
11-22 10:22:24.040 10895 17145 E Volley  : [376] NetworkUtility.shouldRetryException: Unexpected response code 400 for https://android.googleapis.com/auth/devicekey
11-22 10:22:24.041 10895 10895 D AppCertManager: Error: [..
webpage in base64, includes:
<main id="af-error-container" role="main"><a href=//www.google.com><span id=logo aria-label=Google role=img></span></a><p><b>400.</b> <ins>That’s an error.</ins><p>The server cannot process the request because it is malformed. It should not be retried. <ins>That’s all we know.</ins></main>
.. ]
11-22 10:22:24.041 10895  3803 D AppCertManager: Using fallback spatula header based on Android ID
11-22 10:22:24.041 10895  3803 D AppCertManager: Spatula Header: SpatulaHeaderProto{packageInfo=PackageInfo{packageName=com.google.android.apps.translate, packageCertificateHash=JLskwF5H4K76aKWKdmF52bYTpgA=}, deviceId=<REDACTED>}
11-22 10:22:24.042 10895 10895 D AuthProxyService: Result: <REDACTED>
11-22 10:22:24.043 17009 17114 D OkHttp  : --> GET https://translate-pa.googleapis.com/v1/translate?<REDACTED>
11-22 10:22:24.087 17009 17114 D OkHttp  : <-- 400 Bad Request https://translate-pa.googleapis.com/v1/translate?<REDACTED> (43ms, unknown-length body)
11-22 10:22:24.088 17009 17114 E GTR_jpj : Translation response error
11-22 10:22:24.088 17009 17114 E GTR_jpj : retrofit2.HttpException: HTTP 400 Bad Request
11-22 10:22:24.088 17009 17114 E GTR_jpj : 	at retrofit2.KotlinExtensions$await$2$2.onResponse(PG:11)
11-22 10:22:24.088 17009 17114 E GTR_jpj : 	at retrofit2.OkHttpCall$1.onResponse(PG:4)
11-22 10:22:24.088 17009 17114 E GTR_jpj : 	at rkb.b(PG:4)
11-22 10:22:24.088 17009 17114 E GTR_jpj : 	at rkq.run(PG:3)
11-22 10:22:24.088 17009 17114 E GTR_jpj : 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
11-22 10:22:24.088 17009 17114 E GTR_jpj : 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
11-22 10:22:24.088 17009 17114 E GTR_jpj : 	at java.lang.Thread.run(Thread.java:920)

Part of the request includes MicroG's own internal version number, maybe that's what's breaking things.

Work-around is to (1) download offline translation file then (2) firewall block Google Translate from making any internet requests, thereby tricking it into using offline translation.

[infinity0]

Note, the endpoint that is failing is a fairly generic one https://android.googleapis.com/auth/devicekey that is not specific to Google Translate. Likely other Google services have been failing too, but I don't use many of them so I don't know which ones.

[mar-v-in]

Device Keys are per device, not per app. Only very few apps require device key so far, Google Translate recently started requiring it, as well as Google's Live Transcribe App. Device Key support in microG is still rather new (only known to be working since 0.2.25), but it requires that you enable device attestation (SafetyNet) - and passing SafetyNet attestation is most likely also required.

[infinity0]

I have enabled device attestation, and via various hacky Magisk modules (MagiskHide Props Config + Universal SafetyNet Fix) I do pass SafetyNet, at least via MicroG's own SafetyNet UI. The bug still occurs.

I am also using XPrivacyLua but it has only been blocking "Get Applications", "Record Audio", and "Use Camera", and these seem unrelated to the device key. I also see other people online with the same issue, presumably not all of them are using XPrivacyLua.

[braga2]

I have similar issue. Here is a logcat

OkHttp  : --> GET https://translate-pa.googleapis.com/v1/translate?query.text=vhb&query.source_language=es&query.target_language=ru&query.display_language=es-ES&params.client=at&data_types=16&data_types=1&data_types=10&data_types=21&data_types=6&data_types=7&data_types=5&data_types=17&data_types=12&data_types=8&data_types=22&params.request_token=782842.3665162471
22542 01-04 16:59:05.443   757   757 I Zygote  : Process 6474 exited due to signal 9 (Killed)
22543 01-04 16:59:05.514  4121  4354 D OkHttp  : <-- 403 Forbidden https://translate-pa.googleapis.com/v1/translate?query.text=vhb&query.source_language=es&query.target_language=ru&query.display_language=es-ES&params.client=at&data_types=16&data_types=1&data_types=10&data_types=21&data_types=6&data_types=7&data_types=5&data_types=17&data_types=12&data_types=8&data_types=22&params.request_token=782842.3665162471 (71ms, unknown-length body)

And headers I sniffed by mitmproxy:

User-Agent: GoogleTranslate/6.50.0.492210553.3-release (Linux; U; Android 13; Pixel 6a) 
X-Server-Token:
Host: translate-pa.googleapis.com
Connection: Keep-Alive
Accept-Encoding:gzip

But when I uninstalled MicroG GmsCore or made it non-force-queryable google translate works as expected. Here is mitmproxy dump of "good request":

User-Agent: GoogleTranslate/6.50.0.492210553.3-release (Linux; U; Android 13; Pixel 6a)
X-Server-Token:
X-Goog-Api-Key: AIzaSyB3hNT9hc3jh2EfvcW6Q7PcYg3F6pPlzso
X-Android-Package:com.google.android.apps.translate
X-Android-Cert: 24bb24c05e47e0aefa68a58a766179d9b613a600
Host: translate-pa.googleapis.com
Connection: Keep-Alive
Accept-Encoding:gzip

Query strings are the same. In bad request 3 'X-'headers are absent.

[braga2]

As a workaround GmsCore can be installed not as system app and without --force-queryable so Google Translate wont see it. It will break GoogleCamera but it also can be fixed by playing with in play-services-core/src/main/AndroidManifest.xml to make gms visible for GoogleCamera but not for Google Translate. I added this code to AccountPickerActivity activity block and it works for now:

<intent-filter>
    <action android:name="android.intent.action.SEARCH"/>
</intent-filter>

To know what (not) to add to <activity> as <intent-filter> just extract AndroidManifest.xml from interesting apks(like Camera,Translate,Gearhead, etc) and look at <queries> -> <intent> blocks and copy(or not) whole <intent> block as <intent-filter> to the gms AndroidManifest to the right place(any activity that has <intent-filter>'s.

It's not a solution, it's just a (temporary) workaround.

[infinity0]

I found a semi-"workaround" which is to use the camera translate functionality. For some reason this works even though direct text translation doesn't. Of course if the stuff is on your phone you'll need to find a way to write it down. I'm using 2 phones. lol.

[ale5000-git]

microG now send X-Android-Package and X-Android-Cert, see here: 7048363

If you want, you can try it with the nightly build.

[t-m-w]

If you want, you can try it with the nightly build.

Running the nightly, 0.2.28.231657-28 (a749fe4), I get the same base64-encoded error about the request being malformed, and Translate still doesn't work. Unfortunately, the devices I have available all have CTS profile mismatch, but I'm not sure if that's related.

[infinity0]

MagiskHide Props Config is unmaintained and doesn't support Android 13 (LineageOS 20), however a fork of Safetynet works for me https://github.com/Displax/safetynet-fix/releases, use safetynet-fix-v2.4.0-MOD_1.3-microG.zip, don't use safetynet-fix-v2.4.0-MOD_2.0.zip which doesn't work. This should fix CTS profile mismatch to pass Safetynet BASIC attestation again. (Install YASNAC to see if you are passing only BASIC or HARDWARE as well).

[infinity0]

Anyway, Safetynet should be unrelated to this bug, I just wanted to spread around the most up-to-date information about it.