Security check is needed #17

Closed
pnu-s opened this issue Sep 28, 2021 · 14 comments

pnu-s commented Sep 28, 2021

Hello there!

I'm getting the following error message when I try to download an app from the Google Play Store:

Security check is needed, try to visit https://accounts.google.com/b/0/DisplayUnlockCaptcha to unlock, or setup an app-specific password

I tried the following:

  • account password without MFA
  • account password without MFA and "unsecure" connection enabled (or however that is called)
  • app-specific password (with MFA)

I obviously tried to visit the link above.
Nothing seems to work.

Full disclosure, I'm having the same issue using the Python module gpapi (https://github.com/NoMore201/googleplay-api), which has not really been maintained for some time now.

ame180 commented Sep 28, 2021

I can confirm that it also does not work for me in both cases.

I also tried the steps you provided, as well as clicking the link, but just a note there - as far as I know you should replace 0 with your local account id (the one that shows in gmail and any other app, first account has 0, second has 1 etc.).

I noticed that I got an email about log-in being killed for Android 2.3.7 and lower yesterday. I'm not sure this is connected in any way, but I suppose there is a chance that the Auth URL used by this lib and gpapi are both old, and were not used for anything above that Android version, which lost support yesterday.

I'm looking for other libs like this to see if authentication URL or something like that is different, maybe that's the case.

EDIT:
I think this might also be related to OpenSSL somehow. So far, at least gpapi did NOT work with up-to-date OpenSSL. Maybe older OpenSSL versions no longer work now as well?

pnu-s commented Sep 28, 2021

The change for Android 2.3.7 happened on the exact date when the issue appeared, so that's an interesting point.

@muzzyrost

I'm confirming this issue from yesterday. Tried a few different new accounts and it didn't help.

ame180 commented Sep 28, 2021

I noticed something while manually making the login request:

Error=BadAuthentication Info=WebLoginRequired Url=https://accounts.google.com/signin/continue?some_get_data_i_probably_shouldnt_share

While going to the URL it goes to login but skips email and password, instead goes directly to providing SMS Code in my case. And that is while using App Password which is supposed to avoid this exact thing as far as I know.

I tried providing my SMS Code to see if maybe it unlocks the device, but website kept loading and never finished loading in the end.

I think it's possible that after manually going through the whole hassle of clicking the Url, providing the SMS code, maybe confirming suspicious activity was you or some formalities like that, the issue might be resolved for that account. I will try that as soon as I can.

Another thing that I have on my list to check, is trying to use other libraries like https://github.com/ClaudiuGeorgiu/PlaystoreDownloader but they require an android id, which is not a huge deal but I couldn't get my account to work on another phone with Google Play (it kept saying I need to log in to a Google account, while being logged in to the account, maybe that account got semi-banned or it was another unrelated problem, will see). They seem to have very similar login logic, so I'm interested to see if they got hit as well.

I'm also interested if the online apk downloaders got hit, so far as far as I tried to download very niche applications to ensure they were not cached / saved and they still worked, so that's interesting.
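One way to parse the login response quoted in the comment above and scrub it before pasting it into a public issue. This is an added example, not part of the original thread or of any of the libraries discussed. The sample response, its query parameters and the `SAFE_KEYS` allowlist are constructed, and the whitespace- or newline-separated `key=value` layout is assumed from the quoted line.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample shaped like the response quoted above; the query
# parameters and their values are made up for illustration.
SAMPLE = (
    "Error=BadAuthentication Info=WebLoginRequired "
    "Url=https://accounts.google.com/signin/continue?a=1&b=EXAMPLETOKEN"
)

# Assumption: only these keys are safe to publish verbatim.
SAFE_KEYS = {"Error", "Info"}


def parse_auth_response(body):
    """Split a whitespace- or newline-separated key=value body into a dict."""
    fields = {}
    for token in body.split():
        key, sep, value = token.partition("=")  # split at the first '=' only
        if sep:
            fields[key] = value
    return fields


def redact_url(url):
    """Keep scheme, host, path and parameter names; drop every parameter value."""
    parts = urlsplit(url)
    names = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)]
    query = urlencode([(name, "REDACTED") for name in names])
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def shareable(body):
    """Return a copy of the response that can go into a public bug report."""
    out = {}
    for key, value in parse_auth_response(body).items():
        if key in SAFE_KEYS:
            out[key] = value
        elif key == "Url":
            out[key] = redact_url(value)
        else:
            out[key] = "REDACTED"  # unknown fields may carry tokens
    return out


def needs_web_login(body):
    """True when the server demands an interactive browser sign-in."""
    fields = parse_auth_response(body)
    return fields.get("Error") == "BadAuthentication" and fields.get("Info") == "WebLoginRequired"


if __name__ == "__main__":
    print(shareable(SAMPLE), needs_web_login(SAMPLE))
```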

@muzzyrost

> I'm also interested if the online apk downloaders got hit, so far as far as I tried to download very niche applications to ensure they were not cached / saved and they still worked, so that's interesting.

Just check this https://github.com/onyxbits/raccoon4 - it works fine today.

@muzzyrost

https://github.com/ClaudiuGeorgiu/PlaystoreDownloader

It has the same issue: `[WARNING][playstore.util][wrapped()] Login failed, please check your credentials`

ame180 commented Sep 28, 2021

> > I'm also interested if the online apk downloaders got hit, so far as far as I tried to download very niche applications to ensure they were not cached / saved and they still worked, so that's interesting.
>
> Just check this https://github.com/onyxbits/raccoon4 - it works fine today.

That's good to know. I think I'll try to compare requests from that to requests from this / gpapi to see what's different about them.

@AlexKomrakov

I investigated the raccoon4 login procedure and the only difference I see is the custom HTTP client logic.

ame180 commented Sep 30, 2021

I tried using pre-prepared android-id from a real phone for a few of these libraries to skip the initial authentication which was failing, but then authentication simply fails on next steps unfortunately.

I can also confirm raccoon4 login works. Although I tried to reproduce successful login from code, I always got something BadAuthentication or something along these lines. I'm not sure if I found the right logic for logging in, as I'm not experienced with Java GUI so I'm not sure how to find what is called when.

What I found also looks pretty much the same as all of these libraries. Maybe it's the device that raccoon4 emulates by default?

ame180 commented Sep 30, 2021

> I investigated the raccoon4 login procedure and the only difference I see is the custom HTTP client logic.

Their CLI returns BadAuthentication for me, while GUI works, and as far as I can tell the only difference between GUI and CLI logic is creation of the client, like you pointed out.

pnu-s commented Oct 6, 2021

Just tested the following fix for gpapi and it seems to work: NoMore201/googleplay-api#153

ame180 commented Oct 6, 2021

sdk_version as '16' also seems to work, but I tried making params exactly the same as raccoon4 so it might be a combination of something else too, although I could successfully remove other params while removing sdk_version always caused problems.

EDIT:
Checked again, it seems like login works again when using MFA and App Password? What?

pnu-s commented Oct 7, 2021

> Checked again, it seems like login works again when using MFA and App Password? What?

Same behavior on my side 🤦

Hainish commented Nov 17, 2021

As mentioned in #151 (the super-issue of this one) I've implemented the same fix as @pnu-s suggests in #17 (comment)

Hainish closed this as completed Nov 17, 2021