SafetyNet started failing

[ArchangeGabriel]

Somewhere around friday morning, SafetyNet started failing (CTS Profile match: false, but Basic Integrity: true). I have not changed anything on my device (OP5T, OmniROM, no root or whatsoever) between the time it worked and the time it stopped working, and I’ve tested on my old phone (OPO) on which it does not work either (but I had to reinstall on OmniROM on it and it has also Basic Integrity: false).

Is anyone else confirming? If not, what should I look for? If yes, I suppose this is due to some DroidGuard update that now detects μG?

[n76]

Last I checked SafetyNet on my phone it passed. When I saw your issue posted, I tried again and I am now getting the same CTS profile match fail result as you. To the best of my knowledge, nothing on my phone that should affect SafetyNet has changed (same versions/builds of Android, microG, etc.) So I can confirm your issue.

[ArchangeGabriel]

OK, since I’ve seen no sign of such an issue on forum of Magisk users for instance, I suppose this is quite μG specific. So we will have to wait for @mar-v-in to take a look at it.

[ale5000-git]

It isn't a problem with microG but more likely with the ROM. I currently pass SafetyNet completely.

An official LineageOS ROM usually pass SafetyNet while an unofficial one may not pass it (for example because isn't signed).

But there may be additional problems:

• If you install root (even if disabled) your device may not pass SafetyNet, you may be able to hide it but an update to SafetyNet may break you
• If your device support verified boot (and if it fail because you have installed a custom ROM) your device may not pass SafetyNet (until you patch the ROM to simulate the missing support for it)
• If you install Xposed or Magisk your device may not pass SafetyNet (if it isn't hidden to SafetyNet); patching the ROM for signature spoofing can't be detected by SafetyNet

[n76]

@ale5000-git - None of you points explains my situation: SafetyNet test passed a few weeks ago and doesn't pass now. No change in my ROM, microG, etc.

• I don't have root installed.
• Not sure if the phone supports verified boot or not, but it hasn't changed.
• I don't have Xposed, Magisk or other equivalent software installed.

[ale5000-git]

@n76 Have you done any OTA update? Have you flashed any ZIP? I'm not sure but everything can possible break it.

I suggest to try a full wipe to be sure that it isn't a "casual" problem.

The problem may also depend on how you install microG. My flashable zip also mimic the filenames of real GApps (in some parts), I don't think it matter but just in case.

[n76]

@ale5000-git I switched from installing microG into a "normal" distribution to using Lineage with microG. So the only ZIP I've been flashing is the one for my phone from the downloads page.

I do have F-Droid set up with the microG repository and assure that I've the latest versions from that installed. (Signature for microG is the same on the ROM and repository so there is no issue with updating from the repository.)

[ArchangeGabriel]

@ale5000-git It’s way worse than that, I had it working before going to sleep but not when waking up ~8 hours later. Absolutely nothing has changed between those two attempts, the only thing the phone did during this time is… nothing. It was in airplane mode, and that’s all. Not even used it for alarm.

As stated above, I have no root, no Magisk, no Xposed, nothing. Just using official OmniROM. I have two affected phones, a OnePlus One, on which I’m going to try a clean flash (OmniROM and then LineageOS4uG to check), and that does not support verified boot, and a OnePlus 5T, that does support verified boot but of course verified boot is currently disabled because OmniROM, but the important point is that is was working literally just before, so even if not everyone is affected, this is definitively a change in DroidGuard.

So, what we need to figure out is what are the condition for SafetyNet to be tripped, and how to solve it.

@ale5000-git @n76 What ROM are you using (and eventually device)?

[ale5000-git]

SafetyNet fail also if you haven't an internet connection (maybe it fail also if it is inconstant). Probably also if the firewall block it.

@ArchangeGabriel: Official LineageOS 14.1 on Galaxy S2 + microG unofficial installer.

[ArchangeGabriel]

I had an internet connection of course, I was just saying it was in airplane mode in the eight hours span during my two trials.

I’ll try the LineageOS4uG right now on my OPO.

[ArchangeGabriel]

Does not work either with LineageOS for uG on OPO:

02-07 14:57:52.050 10063 10063 D SafetyNetHelperSAMPLE: SafetyNet start request
02-07 14:57:52.054  4671  5210 D AudioService: Stream muted, skip playback
02-07 14:57:52.056 10063 10063 D SafetyNetHelper: apkCertificateDigests:[MZNsDhz8VAJMmFxPPso38ZRvZE6r7VIyzUqypkakG8E=]
02-07 14:57:52.101 10063 10063 D SafetyNetHelper: apkDigest:ETDTA7RlBujNlWPPrqXoNjm5jFhIzrCa/XwnUIWh6GM=
02-07 14:57:52.108  9034  9046 D SafeParcel: Unknown field num 9 in com.google.android.gms.common.internal.GetServiceRequest, skipping.
02-07 14:57:52.108  9034  9046 D GmsSafetyNetClientSvc: bound by: GetServiceRequest{serviceId=SAFETY_NET_CLIENT, gmsVersion=10084000, packageName='com.scottyab.safetynet.sample', extras=Bundle[{}]}
02-07 14:57:52.117 10063 10063 V SafetyNetHelper: Google play services connected
02-07 14:57:52.117 10063 10063 V SafetyNetHelper: running SafetyNet.API Test
02-07 14:57:52.163 10300 10337 W GmsDroidguardHelper: 
02-07 14:57:52.163 10300 10337 W GmsDroidguardHelper: java.lang.NoSuchFieldException: BUILD
02-07 14:57:52.163 10300 10337 W GmsDroidguardHelper:   at java.lang.Class.getField(Class.java:1549)
02-07 14:57:52.163 10300 10337 W GmsDroidguardHelper:   at org.microg.gms.droidguard.DroidguardHelper.createSystemInfoPair(DroidguardHelper.java:169)
02-07 14:57:52.163 10300 10337 W GmsDroidguardHelper:   at org.microg.gms.droidguard.DroidguardHelper.getSystemInfo(DroidguardHelper.java:117)
02-07 14:57:52.163 10300 10337 W GmsDroidguardHelper:   at org.microg.gms.droidguard.DroidguardHelper.guard(DroidguardHelper.java:64)
02-07 14:57:52.163 10300 10337 W GmsDroidguardHelper:   at org.microg.gms.droidguard.RemoteDroidGuardService$1$1.run(RemoteDroidGuardService.java:23)
02-07 14:57:52.163 10300 10337 W GmsDroidguardHelper:   at java.lang.Thread.run(Thread.java:761)
02-07 14:57:52.174 10300 10337 D GmsDroidguardHelper: -- Request --
02-07 14:57:52.174 10300 10337 D GmsDroidguardHelper: DGRequest{usage=DGUsage{type=attest, packageName=com.google.android.gms}, info=[KeyValuePair{key=BUILD, val=unknown}, KeyValuePair{key=BOARD, val=MSM8974}, KeyValuePair{key=BOOTLOADER, val=unknown}, KeyValuePair{key=BRAND, val=oneplus}, KeyValuePair{key=CPU_ABI, val=armeabi-v7a}, KeyValuePair{key=CPU_ABI2, val=armeabi}, KeyValuePair{key=DEVICE, val=A0001}, KeyValuePair{key=DISPLAY, val=bacon-userdebug 7.1.2 NJH47F 20180205 dev-keys}, KeyValuePair{key=FINGERPRINT, val=oneplus/bacon/A0001:6.0.1/MHC19Q/ZNH2KAS1KN:user/release-keys}, KeyValuePair{key=HARDWARE, val=bacon}, KeyValuePair{key=HOST, val=2d89f046753e}, KeyValuePair{key=ID, val=NJH47F}, KeyValuePair{key=MANUFACTURER, val=OnePlus}, KeyValuePair{key=MODEL, val=A0001}, KeyValuePair{key=PRODUCT, val=bacon}, KeyValuePair{key=RADIO, val=DI.3.0.c6-00241-M8974AAAAANAZM-1}, KeyValuePair{key=SERIAL, val=f9803a9}, KeyValuePair{key=TAGS, val=dev-keys}, KeyValuePair{key=TIME, val=1517798491000}, KeyValuePair{key=TYPE, val=user}, KeyValuePair{key=USER, val=root}, KeyValuePair{key=CODENAME, val=REL}, KeyValuePair{key=INCREMENTAL, val=216677e7a7}, KeyValuePair{key=RELEASE, val=7.1.2}, KeyValuePair{key=SDK, val=25}, KeyValuePair{key=SDK_INT, val=25}], versionNamePrefix=9.6.83 (430-, isGoogleCn=false, enableInlineVm=true, cached=[ByteString[size=20 md5=2b8833acccb8fe7894f463bbf3f7bebc]], currentVersion=3, arch=armv7l}
02-07 14:57:52.248 10300 10337 D GmsDroidguardHelper: Using cached file from /data/user/0/org.microg.gms.droidguard/app_dg_cache/2f2dbd0fd341afc7d36bd44feff6262c66a35639/the.apk
02-07 14:57:52.352 10337 10337 W Thread-3: type=1400 audit(0.0:38): avc: denied { read } for name="net" dev="sysfs" ino=7030 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0
02-07 14:57:52.478 10300 10337 D SysHook : Replaced TreeSet with specially designed version
02-07 14:57:52.489 10337 10337 W Thread-3: type=1400 audit(0.0:39): avc: denied { read } for name="/" dev="rootfs" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
02-07 14:57:52.489 10337 10337 W Thread-3: type=1400 audit(0.0:40): avc: denied { read } for name="/" dev="rootfs" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
02-07 14:57:52.492 10337 10337 W Thread-3: type=1400 audit(0.0:41): avc: denied { read } for name="/" dev="rootfs" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
02-07 14:57:52.507 10300 10337 D GmsDroidguardHelper: b -> 0
02-07 14:57:52.549 10337 10337 W Thread-3: type=1400 audit(0.0:42): avc: denied { read } for name="/" dev="tmpfs" ino=6826 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=dir permissive=0
02-07 14:57:52.555 10300 10337 D GmsDroidguardHelper: c -> com.google.android.gms
02-07 14:57:52.603 10063 10063 D SafetyNetResponse: decodedJWTPayload json:{"nonce":"XWXaPgdZ9jZ9CfhZ7PDafjdGqa3P3khg9RF6ilEKz/g=","timestampMs":1518011872587,"ctsProfileMatch":false,"apkCertificateDigestSha256":[],"basicIntegrity":false,"advice":"RESTORE_TO_FACTORY_ROM"}
02-07 14:57:52.603 10063 10063 D SafetyNetHelperSAMPLE: SafetyNet req success: ctsProfileMatch:false and basicIntegrity, false

[ArchangeGabriel]

@ale5000-git Could you post a working logcat for comparison? I’m wondering whether there is an issue with BUILD.

[n76]

@ArchangeGabriel I am currently running lineage-14.1-20180117-microG-harpia.zip downloaded from https://download.lineage.microg.org/harpia/ on my Moto G4 Play (XT1607 RETUS). That particular build is no longer in that directory. It is probably time for me to upgrade to a February build to get the latest security updates. . .

[ArchangeGabriel]

@n76 February patches are not in yet. Anyway, we have both OmniROM and LineageOS-uG affected on three different devices, all of them without root and regarding my OnePlus One even with clean flashing.

[ale5000-git]

[ 02-07 23:49:17.516 13759:13759 V/c        ]
running SafetyNet.API Test

[ 02-07 23:49:17.665  2359:12891 I/ActivityManager ]
Start proc 13799:com.google.android.gms.unstable/u0a33 for service org.microg.gms.droidguard/.RemoteDroidGuardService

[ 02-07 23:49:17.790 13799:13799 I/art      ]
Starting a blocking GC AddRemoveAppImageSpace

[ 02-07 23:49:17.791 13799:13799 W/System   ]
ClassLoader referenced unknown path: /system/priv-app/DroidGuard/lib/arm

[ 02-07 23:49:17.845 13799:13814 D/libEGL   ]
loaded /system/lib/egl/libEGL_mali.so

[ 02-07 23:49:17.862 13799:13814 D/libEGL   ]
loaded /system/lib/egl/libGLESv1_CM_mali.so

[ 02-07 23:49:17.907 13799:13815 D/NetworkSecurityConfig ]
No Network Security Config specified, using platform default

[ 02-07 23:49:17.910 13799:13815 W/System   ]
ClassLoader referenced unknown path: /system/framework/tcmclient.jar

[ 02-07 23:49:17.923 13799:13814 D/libEGL   ]
loaded /system/lib/egl/libGLESv2_mali.so

[ 02-07 23:49:17.948 13799:13815 D/GmsDroidguardHelper ]
-- Request --
DGRequest{usage=DGUsage{type=attest, packageName=com.google.android.gms}, info=[KeyValuePair{key=BOARD, val=smdk4210}, KeyValuePair{key=BOOTLOADER, val=unknown}, KeyValuePair{key=BRAND, val=Samsung}, KeyValuePair{key=CPU_ABI, val=armeabi-v7a}, KeyValuePair{key=CPU_ABI2, val=armeabi}, KeyValuePair{key=DEVICE, val=GT-I9100}, KeyValuePair{key=DISPLAY, val=lineage_i9100-userdebug 7.1.2 NJH47F d671ee8657}, KeyValuePair{key=FINGERPRINT, val=samsung/GT-I9100/GT-I9100:4.1.2/JZO54K/I9100XWMS2:user/release-keys}, KeyValuePair{key=HARDWARE, val=smdk4210}, KeyValuePair{key=HOST, val=agrippa.acc.umu.se}, KeyValuePair{key=ID, val=NJH47F}, KeyValuePair{key=MANUFACTURER, val=samsung}, KeyValuePair{key=MODEL, val=GT-I9100}, KeyValuePair{key=PRODUCT, val=GT-I9100}, KeyValuePair{key=RADIO, val=unknown}, KeyValuePair{key=SERIAL, val=000980d34f3d7f}, KeyValuePair{key=TAGS, val=release-keys}, KeyValuePair{key=TIME, val=1516797199000}, KeyValuePair{key=TYPE, val=user}, KeyValuePair{key=USER, val=jenkins}, KeyValuePair{key=CODENAME, val=REL}, KeyValuePair{key=INCREMENTAL, val=d671ee8657}, KeyValuePair{key=RELEASE, val=7.1.2}, KeyValuePair{key=SDK, val=25}, KeyValuePair{key=SDK_INT, val=25}], versionNamePrefix=10.0.84 (430-, isGoogleCn=false, enableInlineVm=true, cached=[ByteString[size=20 md5=cb4e88399f46561c5af157eef491ee0c], ByteString[size=20 md5=2b8833acccb8fe7894f463bbf3f7bebc]], currentVersion=3, arch=armv7l}

[ 02-07 23:49:19.641 13799:13815 D/GmsDroidguardHelper ]
Using provided response data for /data/user/0/org.microg.gms.droidguard/app_dg_cache/980ab1b823cbef217c920c908d508455788d5b2c.apk

[ 02-07 23:49:19.859 13822:13822 I/dex2oat  ]
/system/bin/dex2oat --dex-file=/data/user/0/org.microg.gms.droidguard/app_dg_cache/980ab1b823cbef217c920c908d508455788d5b2c/the.apk --oat-fd=37 --oat-location=/data/user/0/org.microg.gms.droidguard/app_dg_cache/980ab1b823cbef217c920c908d508455788d5b2c/opt/the.dex --compiler-filter=speed

[ 02-07 23:49:19.859 13822:13822 E/cutils-trace ]
Error opening trace file: No such file or directory (2)

[ 02-07 23:49:20.289 13822:13822 I/dex2oat  ]
dex2oat took 432.512ms (threads: 2) arena alloc=312KB (319600B) java alloc=70KB (72096B) native alloc=493KB (505616B) free=1554KB (1591536B)

[ 02-07 23:49:20.427  1987: 2063 D/Yamaha-MC1N2-Audio ]
yamaha_mc1n2_audio_output_stop()

[ 02-07 23:49:20.427  1987: 2063 D/Yamaha-MC1N2-Audio ]
yamaha_mc1n2_audio_route_start()

[ 02-07 23:49:20.577 13799:13815 D/GmsDroidguardHelper ]
c -> com.google.android.gms

[ 02-07 23:49:20.581 13799:13815 D/GmsDroidguardHelper ]
b -> 4136736405143157405

[ 02-07 23:49:20.593 13815:13815 W/Thread-2 ]
type=1400 audit(0.0:893): avc: denied { search } for name="1986" dev=proc ino=36092 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:zygote:s0 tclass=dir permissive=0

[ 02-07 23:49:20.868 13815:13815 W/Thread-2 ]
type=1400 audit(0.0:894): avc: denied { read } for name="/" dev=tmpfs ino=373 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=dir permissive=0

[ 02-07 23:49:20.890 13799:13815 E/         ]
Device driver API match
Device driver API version: 29
User space API version: 29 

[ 02-07 23:49:20.890 13799:13815 E/         ]
mali: REVISION=Linux-r3p2-01rel3 BUILD_DATE=Tue Jul 22 19:59:34 KST 2014 

[ 02-07 23:49:20.941 13799:13815 D/GmsDroidguardHelper ]
a: [removed] -> [removed]
7=ARM:Mali-400 MP
8=[removed]
9=[removed]

[ 02-07 23:49:21.675 13759:13759 D/d        ]
decodedJWTPayload json:{"nonce":"[removed]","timestampMs":1518043762800,"apkPackageName":"org.freeandroidtools.safetynettest","apkDigestSha256":"[removed]","ctsProfileMatch":true,"apkCertificateDigestSha256":["[removed]"],"basicIntegrity":true}

[ale5000-git]

You have scontext=u:r:untrusted_app:s0:c512,c768 instead I have scontext=u:r:priv_app:s0:c512,c768

Try to put both microG GmsCore and DroidGuard Helper in /system/priv-app to fix it. Also in yours I see advice":"RESTORE_TO_FACTORY_ROM" probably for the same cause.

If it still do not work try the official LineageOS (without microG) and then a flashable microG zip.

[n76]

@ale5000-git Seems you are correct. Doing the following for me gets SafetyNet to pass:

$ adb root
$ adb remount
$ adb push org.microg.gms.droidguard.apk /system/priv-app/
$ adb reboot

I guess I must have upgraded my Lineage with microG after my last successful SafetyNet test. Seems like Lineage with microG ought to install DroidGuard helper along with the other parts of microG.

[ArchangeGabriel]

OK, so this did it. Still, it means something changed on DroidGuard side and that it now requires additional rights, which is never good news.

However, I think that Lineage with uG should still not install DroidGuard Helper at all, it’s quite invasive and not needed by everyone.

[ArchangeGabriel]

And thank you @ale5000-git for figuring this out.

[ale5000-git]

For me it never worked as user app, it is possible you was having DroidGuard Helper as both system and user app and it worked but the OTA update removed the system app.

For me it is fine to have it installed with Lineage with uG since microG GmsCore have it disabled by default, so having it installed doesn't mean anything.

[ArchangeGabriel]

No, I’m sure I wasn’t having it as system-app, and also I remind you that nothing happened on my phone between working and non-working state. It was definitively working as user-app, but not anymore. Even GmsCore is not system-app on my system.

That’s right, SafetyNet being disabled by default, having DroidGuard lying somewhere might not be an issue. @corna should have a look at it. ;)

[ale5000-git]

On many ROMs you won't get location binding if GmsCore is not a system app. Beside that being a system app will also reduce problems; if you wipe the phone and you don't remember to install GmsCore before other apps you will have a lot of not-working things.

[ArchangeGabriel]

I know, but I use OmniROM so I’m not affected by this first point AFAIK (though I admit having not tried network location with my OnePlus 5T yet, since the GPS works everywhere) and I don’t use GCM so I don’t really need GmsCore to be installed before anything else.

[ArchangeGabriel]

It seems that GmsCore must be installed as system-app for network location to work even under OmniROM apparently… Not sure if that is expected or an issue.

Anyway, this mean that every week I have to push back DroidGuard and GmsCore to /system/priv-app after OTA update… Is there a way to make a flashable zip just installing those two components? Because apparently OmniROM OTA can flash zips in a specific folder after update.

[Espionage724]

I built LineageOS with patches to allow location providers outside /system and signature spoofing. I installed microG and DroidGuard as normal apps (non-privileged). SafetyNet works enough to start Pokemon GO (Basic Integrity is true, CTS profile match is false).

When using the LineageOS for microG ROM, SafetyNet fails both checks and Pokemon GO fails to start. This started happening relatively recently. I haven't tried pushing DroidGuard to priv-app.

So it seems DroidGuard has to be installed with GmsCore in the same location (standard apps or privileged) in order to work now?

[ale5000-git]

No, it must be installed in privileged app folder due to SELinux. The position of GmsCore doesn't matter.

[ArchangeGabriel]

I’m surprised PoGO works for you with CTS false… Anyway, sometimes DroidGuard as normal app works, but every time it fails, pushing it to /system/priv-app made it work.

[ArchangeGabriel]

Less than 30 minutes ago, SafetyNet started failing again. Both LineageOS4μG and OmniROM, with DroidGuard in /system/priv-app. Anyone else confirming?

[ArchangeGabriel]

Logcat:

04-09 10:56:45.637  4254  4254 D SafetyNetHelperSAMPLE: SafetyNet start request
04-09 10:56:45.642  4254  4254 D SafetyNetHelper: apkCertificateDigests:[MZNsDhz8VAJMmFxPPso38ZRvZE6r7VIyzUqypkakG8E=]
04-09 10:56:45.687  4254  4254 D SafetyNetHelper: apkDigest:ETDTA7RlBujNlWPPrqXoNjm5jFhIzrCa/XwnUIWh6GM=
04-09 10:56:45.693  3407  4278 D SafeParcel: Unknown field num 9 in com.google.android.gms.common.internal.GetServiceRequest, skipping.
04-09 10:56:45.693  3407  4278 D GmsSafetyNetClientSvc: bound by: GetServiceRequest{serviceId=SAFETY_NET_CLIENT, gmsVersion=10084000, packageName='com.scottyab.safetynet.sample', extras=Bundle[{}]}
04-09 10:56:45.703  4254  4254 V SafetyNetHelper: Google play services connected
04-09 10:56:45.703  4254  4254 V SafetyNetHelper: running SafetyNet.API Test
04-09 10:56:45.761  4281  4328 D GmsDroidguardHelper: -- Request --
04-09 10:56:45.761  4281  4328 D GmsDroidguardHelper: DGRequest{usage=DGUsage{type=attest, packageName=com.google.android.gms}, info=[KeyValuePair{key=BOARD, val=MSM8974}, KeyValuePair{key=BOOTLOADER, val=unknown}, KeyValuePair{key=BRAND, val=oneplus}, KeyValuePair{key=CPU_ABI, val=armeabi-v7a}, KeyValuePair{key=CPU_ABI2, val=armeabi}, KeyValuePair{key=DEVICE, val=A0001}, KeyValuePair{key=DISPLAY, val=bacon-userdebug 7.1.2 NJH47F 20180404 dev-keys}, KeyValuePair{key=FINGERPRINT, val=oneplus/bacon/A0001:6.0.1/MHC19Q/ZNH2KAS1KN:user/release-keys}, KeyValuePair{key=HARDWARE, val=bacon}, KeyValuePair{key=HOST, val=14712d0abb5d}, KeyValuePair{key=ID, val=NJH47F}, KeyValuePair{key=MANUFACTURER, val=OnePlus}, KeyValuePair{key=MODEL, val=A0001}, KeyValuePair{key=PRODUCT, val=bacon}, KeyValuePair{key=RADIO, val=unknown}, KeyValuePair{key=SERIAL, val=f9803a9}, KeyValuePair{key=TAGS, val=dev-keys}, KeyValuePair{key=TIME, val=1522811665000}, KeyValuePair{key=TYPE, val=user}, KeyValuePair{key=USER, val=root}, KeyValuePair{key=CODENAME, val=REL}, KeyValuePair{key=INCREMENTAL, val=a85be089c9}, KeyValuePair{key=RELEASE, val=7.1.2}, KeyValuePair{key=SDK, val=25}, KeyValuePair{key=SDK_INT, val=25}], versionNamePrefix=10.0.84 (430-, isGoogleCn=false, enableInlineVm=true, cached=[ByteString[size=20 md5=bc68b97ff4517bc116cdea1d38e40cf0], ByteString[size=20 md5=fe52fda8d68281f7402a287161c26252], ByteString[size=20 md5=729de0272dc9b6287c1064d60ec83b97], ByteString[size=20 md5=69ddec86ff6b69c952aac03633b7ac85], ByteString[size=20 md5=fd0b06bdf688e65c3180145244166a95], ByteString[size=20 md5=7bc9230cd2666d7fd3db7830d8213021], ByteString[size=20 md5=555123379ef02f4811b4743c7923e7e1], ByteString[size=20 md5=b038b9114fde93b2a0bd3eeb33036834]], currentVersion=3, arch=armv7l}
04-09 10:56:46.071  4281  4328 D GmsDroidguardHelper: Using cached file from /data/user/0/org.microg.gms.droidguard/app_dg_cache/bbb07e2667c85f792643d6f33261226472f58c7f/the.apk
04-09 10:56:46.339  4281  4328 D GmsDroidguardHelper: b -> 0
04-09 10:56:46.378  4281  4328 D GmsDroidguardHelper: c -> com.google.android.gms
04-09 10:56:46.378  4328  4328 W Thread-3: type=1400 audit(0.0:15): avc: denied { read } for name="/" dev="tmpfs" ino=6842 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=dir permissive=0
04-09 10:56:46.549  4254  4254 D SafetyNetResponse: decodedJWTPayload json:{"nonce":"2evYOeNcax/5lmAhQJYuFeMwpIQrPmcFYBnv0VW3Hbs=","timestampMs":1523264207077,"ctsProfileMatch":false,"apkCertificateDigestSha256":[],"basicIntegrity":false,"advice":"RESTORE_TO_FACTORY_ROM"}
04-09 10:56:46.550  4254  4254 D SafetyNetHelperSAMPLE: SafetyNet req success: ctsProfileMatch:false and basicIntegrity, false

[JonnyTech]

I can confirm, just checked it, Android 7.1.2, shall get a logcat later...

[JonnyTech]

Logcat during safetynet test with filter guard|safety:

<snipped>

Is that sufficient? (are there any personal details that I should scrub?)

[Benutzer1234]

Same here; something dramatic must have changed. I was using microG Core v0.2.4-22-gcb356d2 and Droidguard 0.1.0-4-g0ca6fb2 without problems. About 14 hours ago Safetynet startet to fail, although no changes were made on the phone. After updating microG files to newer versions logcat-output for "SafetyNet Helper Sample 0.5" looks basically the same as ArchangeGabriel's (I only have other OS, phone, CPU, etc.).

[JonnyTech]

Could this be a reason? Google Play Certification

[Benutzer1234]

I don't think so. Another user replaced microG with a sort of gapps (here: https://github.com/microg/android_packages_apps_GmsCore/issues/510#issuecomment-379859128 ) and the phone worked. So his phone failed because of microG.

I'm not sure if i is a good idea to post all this in an old thread.

[ArchangeGabriel]

@JonnyTech This is not the reason, but it is deeply linked. As I said in #510, Google started enforcing certification y-day, and this certification relies on SafetyNet to pass. They have probably issued an update to DroidGuard or SafetyNet at the same time they started to enforce certification, which means that μG (as long as communication with Google Servers is involved) is currently OOO, including its SafetyNet implementation.

On my end I’ve installed LOS+Pico OpenGAPPS (and did not register any Google Account) on my old device for the only app I use that is affected while waiting for @mar-v-in to come with a solution.

[Benutzer1234]

Is it possible to install even less Gapps than in pico OpenGapps? As far as I know Pico OpenGapps contains: Google system base, Google Android Shared Services, Google Play Store, Google Calendar Sync, Dialer Framework, Google Package Installer (replaces stock/AOSP Package Installer), Google Play services I coudn't find any information about dependencies between these programs. It looks like SafetyNet requires Google Play services (but I'm not even sure about this).

[ArchangeGabriel]

Yes, I think you can restrict to Google Play services only. I’ve disabled all other apps from my Pico installation and it works. But maybe disabled and not installed isn’t the same.

[gabsoftware]

From my little understanding of things, DroidGuardHelper makes a POST request to https://www.googleapis.com/androidantiabuse/v1/x/create?alt=PROTO&key=AIzaSyBofcZsgLSS7BOnBjZPEkk4rYwzOIz-lTI with "User-Agent: DroidGuard/10084430".

Then it finds an URL in the response: https://www.gstatic.com/droidguard/00F8692B14190D1C406260EA096D996445DEA8D3

The response is a .jar java archive containing libd7EE82C0B4C66.so, which is a ELF 32 bits LSB shared object.

In the URL https://www.gstatic.com/droidguard/00F8692B14190D1C406260EA096D996445DEA8D3 we have 00F8692B14190D1C406260EA096D996445DEA8D3 that is a checksum of an APK. For example if we replace it with C4C74D1D1373D60A118D28109D7FFAECA7A892F4 (found on the net) we get another .jar containing ELF 64 bits LSB shared object "libd219EE8D6C12D.so".

My thoughts are that the URL https://www.googleapis.com/androidantiabuse/v1/x/create?alt=PROTO&key=AIzaSyBofcZsgLSS7BOnBjZPEkk4rYwzOIz-lTI combined with the user-agent DroidGuard/10084430 does not generate the right link and then we do not download the right .jar, leading to force close of DroidGuardHelper. If we modify the user-agent we also get the same wrong URL so maybe it's just that the user-agent is wrong or that there is some missing POST parameters...

[ClearlyClaire]

@gabsoftware if the downloaded droidguard binary isn't the correct one, that is most likely because of the POST data being wrong, not the User-Agent.

For the record, on my Fairphone 2 running LineageOS, I get https://www.gstatic.com/droidguard/322D473B5C6076250D7A2CE450FEF526F05A89C4 which is 32-bit as expected, but gets bitten by SELinux, I'm not sure that should happen:

06-06 11:34:44.115 5161 5161 W Thread-2: type=1400 audit(0.0:42): avc: denied { read } for name="/" dev="tmpfs" ino=7035 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=dir permissive=0

Assuming the served binary is not the correct one (as hinted by https://github.com/microg/android_packages_apps_RemoteDroidGuard/issues/18), I'll try to have a look at why that may be the case (keep in mind that I don't really know how SNet/DroidGuard works, so don't get your hopes up)

EDIT: getSystemInfo is missing SUPPORTED_ABIS, which might explain 32b binaries on 64b systems I guess? But adding it does not solve things for me (I have a 32b CPU anyway). There might also be some fields missing in DGRequest, but I'm not too sure about that. Also, maybe that the correct droidguard binary is downloaded and that the issue lies elsewhere…

[jansohn]

My downloaded apk looks like this:

│   AndroidManifest.xml
│   classes.dex
│   libd0D41C1DE5D06.so
│   library.txt
│
└───META-INF
        CERT.RSA
        CERT.SF
        MANIFEST.MF

According to the current source code it will never extract the *.so file to the dgCache-lib folder as there is no lib folder in the apk.

[Chiffon-Pudding]

Safetynet started failing again? I was successful sign in for Pokemon GO yesterday, but now, it's failing.

nexus5 hammerhead (16gb)

• lineage-14.1-20180830-nightly-hammerhead-signed.zip
• microG-unofficial-installer-ale5000-v1.0.31-beta-signed.zip
• NanoDroid-patcher-17.9.20180818.zip
• NanoDroid-fdroid-17.9.20180818.zip
• Magisk-v17.1.zip

I'm sorry for my poor English.

[nyanpasu64]

Hi,

I'm fairly experienced at programming and want to investigate this issue. What kind of technical knowledge would I need to investigate how SafetyNet works, and why it fails? Do I need to test on an unmodified phone (maybe Lineage with OpenGapps would also pass SafetyNet)?

Somehow my older testbed phone has 64GB of space which can comfortably fit two dual-boot OSes.

[ArchangeGabriel]

The issue is fixed in https://github.com/microg/android_packages_apps_RemoteDroidGuard/pull/19 already.

[jansohn]

@ArchangeGabriel for me it's not fixed. I'm testing SafetyNet with Magisk's SafetyNet Check (but maybe that never works?!).

Both core and helper are in priv-apps:

• com.google.android.gms-13280012.apk
• org.microg.gms.droidguard-14.apk

Just updated to latest version 14.1-20180926-falcon (Moto G 1st Gen). Magisk is also latest version v17.2.

Has anybody got this working with a LineageOS v14.1 image?

[ArchangeGabriel]

Does your org.microg.gms.droidguard-14.apk include the linked PR? Can you try with https://play.google.com/store/apps/details?id=com.scottyab.safetynet.sample?

[jansohn]

Yes, it does. SafetyNet Helper Sample app fails for response validation with error message:

ApiException[14] 14:

I also get an app crash the first time I try it. Retries do not crash the app anymore.

[ArchangeGabriel]

OK, that’s an unknown issue to me, sorry.

[nyanpasu64]

Moto g4 plus, LineageMicroG 7.1.

I intermittently got error [14] versus a failed response, not sure what causes it to switch back and forth.

[jansohn]

@jimbo1qaz you mean LineageOS for microG 14.1 (Android 7.1), right? I'm still curious if this is working for someone on LineageOS 14.1...

[ClearlyClaire]

Fairphone 2 on LineageOS 14.1 (going to switch to 15.1 today) and it seems to work. The SafetyNey helper app returns CTS profile match: false, though, but that doesn't prevent me from playing Pokémon Go (the only other SafetyNet-using thing on my phone)

Le 29 septembre 2018 15:25:18 GMT+02:00, jansohn notifications@github.com a écrit :

@jimbo1qaz you mean LineageOS for microG 14.1 (Android 7.1), right? I'm still curious if this is working for someone on LineageOS 14.1...

-- You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/microg/android_packages_apps_GmsCore/issues/482#issuecomment-425645114

-- Envoyé de mon appareil Android avec Courriel K-9 Mail. Veuillez excuser ma brièveté.

[nyanpasu64]

Moto G4 Plus, LineageOS 14.1 microg edition.

I get "microg droidguard helper has stopped", with or without 0.1.0 as a system app (via my custom unreleased magisk module).

MicroG core is 0.2.6.14280-dirty from Git, with a few local hacks related to gmail.

2018-09-29 06:46:24.733 6846-6880/? E/AndroidRuntime: FATAL EXCEPTION: Thread-2
    Process: com.google.android.gms.unstable, PID: 6846
    java.lang.UnsatisfiedLinkError: dalvik.system.PathClassLoader[DexPathList[[zip file "/system/priv-app/microg-droidguard/org.microg.gms.droidguard-4.apk"],nativeLibraryDirectories=[/system/priv-app/microg-droidguard/lib/arm, /system/fake-libs, /system/priv-app/microg-droidguard/org.microg.gms.droidguard-4.apk!/lib/armeabi-v7a, /system/lib, /vendor/lib, /system/lib, /vendor/lib]]] couldn't find "libarthook_native.so"
        at java.lang.Runtime.loadLibrary0(Runtime.java:984)
        at java.lang.System.loadLibrary(System.java:1562)
        at de.larma.arthook.Native.<clinit>(Native.java:22)
        at de.larma.arthook.Native.is64Bit(Native.java:45)
        at de.larma.arthook.ArtHook.<clinit>(ArtHook.java:46)
        at de.larma.arthook.ArtHook.hook(ArtHook.java:75)
        at org.microg.gms.droidguard.SysHook.activate(SysHook.java:52)
        at org.microg.gms.droidguard.DroidguardHelper.guard(DroidguardHelper.java:91)
        at org.microg.gms.droidguard.RemoteDroidGuardService$1$1.run(RemoteDroidGuardService.java:23)
        at java.lang.Thread.run(Thread.java:761)

apparently my "my custom unreleased magisk module" didn't extract the libs right

---

I overrode the system droidguard app with 0.1.0-10-gf64bf69, it either spits out 14 immediately, spins for ~15 seconds, before spitting error 14, exactly once I got a failed response.

Sometimes microG itself crashes.

2018-09-29 07:04:49.986 9103-9120/? D/GmsDroidguardHelper: -- Request --
    DGRequest{usage=DGUsage{type=attest, packageName=com.google.android.gms}, info=[KeyValuePair{key=BOARD, val=MSM8952}, KeyValuePair{key=BOOTLOADER, val=0xB107}, KeyValuePair{key=BRAND, val=Motorola}, KeyValuePair{key=CPU_ABI, val=armeabi-v7a}, KeyValuePair{key=CPU_ABI2, val=armeabi}, KeyValuePair{key=DEVICE, val=athene_f}, KeyValuePair{key=DISPLAY, val=lineage_athene-userdebug 7.1.2 NJH47F 20180926 dev-keys}, KeyValuePair{key=FINGERPRINT, val=motorola/athene_f/athene_f:7.0/NPJ25.93-14/16:user/release-keys}, KeyValuePair{key=HARDWARE, val=qcom}, KeyValuePair{key=HOST, val=c8c1cb588aa5}, KeyValuePair{key=ID, val=NJH47F}, KeyValuePair{key=MANUFACTURER, val=Motorola}, KeyValuePair{key=MODEL, val=Moto G4 Plus}, KeyValuePair{key=PRODUCT, val=lineage_athene}, KeyValuePair{key=RADIO, val=unknown}, KeyValuePair{key=SERIAL, val=ZY223X6H5X}, KeyValuePair{key=TAGS, val=release-keys}, KeyValuePair{key=TIME, val=1537928018000}, KeyValuePair{key=TYPE, val=user}, KeyValuePair{key=USER, val=root}, KeyValuePair{key=CODENAME, val=REL}, KeyValuePair{key=INCREMENTAL, val=69b7b8da18}, KeyValuePair{key=RELEASE, val=7.1.2}, KeyValuePair{key=SDK, val=25}, KeyValuePair{key=SDK_INT, val=25}], versionNamePrefix=10.0.84 (430-, isGoogleCn=false, enableInlineVm=true, cached=[], currentVersion=3, arch=armv7l}
2018-09-29 07:04:49.989 468-468/? I/cnss-daemon: RTM_NEWROUTE Indication
2018-09-29 07:04:49.989 468-468/? I/cnss-daemon: ip type is ipv6
2018-09-29 07:04:50.363 9103-9120/? D/GmsDroidguardHelper: Using provided response data for /data/user/0/org.microg.gms.droidguard/app_dg_cache/261a4e4770eb25c279eacce4a0a58cc95056d1a4.apk
2018-09-29 07:04:50.435 9124-9124/? I/dex2oat: /system/bin/dex2oat -j2 --dex-file=/data/user/0/org.microg.gms.droidguard/app_dg_cache/261a4e4770eb25c279eacce4a0a58cc95056d1a4/the.apk --oat-fd=36 --oat-location=/data/user/0/org.microg.gms.droidguard/app_dg_cache/261a4e4770eb25c279eacce4a0a58cc95056d1a4/opt/the.dex --compiler-filter=speed
2018-09-29 07:04:50.591 9124-9124/? I/dex2oat: dex2oat took 156.341ms (threads: 2) arena alloc=196KB (201072B) java alloc=91KB (93520B) native alloc=508KB (520984B) free=1539KB (1576168B)
2018-09-29 07:04:50.852 9103-9120/? D/GmsDroidguardHelper: b -> 4522138061738393361
2018-09-29 07:04:50.858 9103-9120/? D/GmsDroidguardHelper: c -> com.google.android.gms
2018-09-29 07:04:51.087 957-3716/? I/ActivityManager: Process com.google.android.gms.unstable (pid 9103) has died
2018-09-29 07:04:51.088 957-3716/? D/ActivityManager: cleanUpApplicationRecord -- 9103
2018-09-29 07:04:51.088 445-445/? I/Zygote: Process 9103 exited due to signal (11)
2018-09-29 07:04:51.088 957-3716/? W/ActivityManager: Scheduling restart of crashed service org.microg.gms.droidguard/.RemoteDroidGuardService in 1000ms

2018-09-29 07:07:18.922 9128-9497/? A/art: art/runtime/oat_quick_method_header.cc:55] Failed to find Dex offset for PC offset 0x8beb07bb(PC 0x0, entry_point=0x7414f845 current entry_point=0x7414f845) in java.lang.Class java.lang.ClassLoader.loadClass(java.lang.String)

    --------- beginning of crash
2018-09-29 07:07:18.923 9128-9497/? A/libc: Fatal signal 11 (SIGSEGV), code 1, fault addr 0x7 in tid 9497 (Thread-2)
2018-09-29 07:07:19.005 9501-9501/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2018-09-29 07:07:19.006 9501-9501/? A/DEBUG: LineageOS Version: '14.1-20180926-microG-athene'
2018-09-29 07:07:19.006 9501-9501/? A/DEBUG: Build fingerprint: 'motorola/athene_f/athene_f:7.0/NPJ25.93-14/16:user/release-keys'
2018-09-29 07:07:19.006 9501-9501/? A/DEBUG: Revision: '0'
2018-09-29 07:07:19.006 9501-9501/? A/DEBUG: ABI: 'arm'
2018-09-29 07:07:19.006 9501-9501/? A/DEBUG: pid: 9128, tid: 9497, name: Thread-2  >>> com.google.android.gms.unstable <<<
2018-09-29 07:07:19.006 9501-9501/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7
2018-09-29 07:07:19.011 9501-9501/? A/DEBUG: Abort message: 'art/runtime/oat_quick_method_header.cc:55] Failed to find Dex offset for PC offset 0x8beb07bb(PC 0x0, entry_point=0x7414f845 current entry_point=0x7414f845) in java.lang.Class java.lang.ClassLoader.loadClass(java.lang.String)'
2018-09-29 07:07:19.012 9501-9501/? A/DEBUG:     r0 00000003  r1 00080100  r2 00000000  r3 afff97bf
2018-09-29 07:07:19.012 9501-9501/? A/DEBUG:     r4 a9c85300  r5 00000001  r6 2ac29bd8  r7 a89d4220
2018-09-29 07:07:19.012 9501-9501/? A/DEBUG:     r8 2ac2d060  r9 a9c85300  sl 2ac31ac0  fp a89ba000
2018-09-29 07:07:19.012 9501-9501/? A/DEBUG:     ip a9c05a05  sp a317e3c0  lr a9c05a11  pc a9c05a54  cpsr 600b0030
2018-09-29 07:07:19.018 9501-9501/? A/DEBUG: backtrace:
2018-09-29 07:07:19.018 9501-9501/? A/DEBUG:     #00 pc 003f3a54  /system/lib/libart.so (_ZN3artL12GoToRunnableEPNS_6ThreadE+31)
2018-09-29 07:07:19.018 9501-9501/? A/DEBUG:     #01 pc 003f3a0d  /system/lib/libart.so (_ZN3art12JniMethodEndEjPNS_6ThreadE+8)
2018-09-29 07:07:19.018 9501-9501/? A/DEBUG:     #02 pc 00000b27  /data/data/org.microg.gms.droidguard/app_dg_cache/261a4e4770eb25c279eacce4a0a58cc95056d1a4/opt/the.dex (offset 0xc000)

2018-09-29 07:27:05.774 7852-7852/? D/SafetyNetHelperSAMPLE: SafetyNet start request
2018-09-29 07:27:05.775 7852-7852/? D/SafetyNetHelper: apkCertificateDigests:[MZNsDhz8VAJMmFxPPso38ZRvZE6r7VIyzUqypkakG8E=]
2018-09-29 07:27:05.775 7852-7852/? V/SafetyNetHelper: running SafetyNet.API Test
2018-09-29 07:27:05.816 7654-8012/? W/GmsDroidguardHelper: java.lang.NoSuchFieldException: BUILD
        at java.lang.Class.getField(Class.java:1549)
        at org.microg.gms.droidguard.DroidguardHelper.createSystemInfoPair(DroidguardHelper.java:169)
        at org.microg.gms.droidguard.DroidguardHelper.getSystemInfo(DroidguardHelper.java:117)
        at org.microg.gms.droidguard.DroidguardHelper.guard(DroidguardHelper.java:64)
        at org.microg.gms.droidguard.RemoteDroidGuardService$1$1.run(RemoteDroidGuardService.java:23)
        at java.lang.Thread.run(Thread.java:761)

EDIT: Lucky patcher or Xposed causes safetynet to fail after 1 second. Uninstalling both leads to the weird behavior above.