[thot_experiment]

I can tap to pay with google pay on my rooted pixel while the spoof key isn't blacklisted, IIRC it uses dumped credentials extracted from other devices but I can reliably spoof Play Integrity and SafetyNet. It would be nice to not have an adversarial relationship with my things for once.

[stavros]

"While the spoof key isn't blacklisted" is the critical bit. Soon, all the keys will be, as these old devices age away from being too common to blacklist.