Hey, looking for advice from people who understand Play Integrity on Android 13+ custom ROMs.

• Device: Pixel 5 / redfin
• ROM base: custom AOSP/LineageOS 20, Android 13
• State: unlocked/custom ROM, but I’m testing ROM-level spoofing/attestation work rather than a normal Magisk module stack on this device.

Current weird result

• With one build/profile, 1nikolas Play Integrity API Checker returns: MEETS_BASIC_INTEGRITY only

​

sdkVersion=29
appRecognitionVerdict=PLAY_RECOGNIZED

• With another build/profile, the same checker returns: MEETS_DEVICE_INTEGRITY only

​

sdkVersion=33
appRecognitionVerdict=PLAY_RECOGNIZED

• I have not yet been able to get BASIC + DEVICE together on redfin.

The Device-only build has shell-visible trust props looking clean

• ro.boot.verifiedbootstate=green
• ro.boot.flash.locked=1
• ro.boot.vbmeta.device_state=locked
• release-keys / user
• real GMS, GSF, and Play Store installed
• Play Integrity request is from 1nikolas, not SPIC

What I’m trying to understand

1. Has anyone seen SDK 29 -> BASIC-only, but SDK 33 -> DEVICE-only on Android 13?
2. Could BASIC be failing because of native ro.product.first_api_level / vendor API level / board API level mismatch?
3. Is Play Store certification still a hard blocker for BASIC + DEVICE together even if public PI returns DEVICE?
4. For Pixel 5/redfin specifically, what API tuple has worked for you? Example:
   • SDK_INT
   • DEVICE_INITIAL_SDK_INT
   • ro.product.first_api_level
   • ro.vendor.api_level
   • ro.board.api_level
5. Any known conflict between built-in ROM spoofing and TrickyStore/PIF-style behavior that causes this BASIC vs DEVICE split?

Not asking for keyboxes. Just trying to understand the cleanest diagnosis path and which properties/attestation fields to compare.