microg / RemoteDroidGuard

Service to run Google's DroidGuard binary in an isolated environment

Fix retrieving droidguard binary for different architectures #19

Closed ClearlyClaire closed 5 years ago

ClearlyClaire commented 6 years ago

After some testing, only the versionNamePrefix seems to be important to get the right VM code, but I also updated the HTTP User Agent and added SUPPORTED_ABIS to be consistent.

This does not fix the other issues causing attestations to fail.

ClearlyClaire commented 6 years ago

It would probably be good to get versions from GmsCore somehow, but as of now:

EDIT: I guess we could get the versionCode and versionString from GmsCore and “patch it” to the “correct” archs

mar-v-in commented 6 years ago

I guess we could get the versionCode and versionString from GmsCore and “patch it” to the “correct” archs

This was mostly what I meant, to use the 12688xxx from GmsCore versionCode to create the 12688yyy and 12.6.88 (zzzzzz-{{cl}}) from it

ClearlyClaire commented 6 years ago

Pushed a commit to use com.google.android.gms's version

ale5000-git commented 6 years ago

Shouldn't there be a check that the com.google.android.gms package is actually installed? I'm just used to expecting every possible problem :)

ClearlyClaire commented 6 years ago

@ale5000-git we could, but it's only ever called by GmsCore (which has the com.google.android.gms package name) EDIT: (also, the DroidGuard blobs will require com.google.android.gms to be installed anyway)

ale5000-git commented 6 years ago

I haven't checked, but is there code that actually prevents another app from executing it directly?

Since it is often installed as a system privileged app it could actually pose security risks if there isn't; an app can exploit possible bugs.

ClearlyClaire commented 6 years ago

@ale5000-git no, any app with the android.permission.INTERNET permission can call it. But afaik, the non-free blobs will always query com.google.android.gms's version, so not having it installed will fail anyways.

ale5000-git commented 6 years ago

Maybe I'm a bit over-zealous, but depending on how the "failing" is handled it could potentially pose security risks if the code doesn't terminate completely but continues (maybe a different part of code that doesn't expect a failure) in a partially failed status.

ClearlyClaire commented 6 years ago

@ale5000-git I'm not too sure what you're suggesting. If com.google.android.gms isn't found, the code I'm proposing will throw an exception before doing anything. No state to clean up.

ale5000-git commented 6 years ago

Then it is OK. I have opened an issue for the other problem: #20

ale5000-git commented 6 years ago

Just for clarity I think that it would be nice to catch PackageManager.NameNotFoundException and log a proper message.

ClearlyClaire commented 6 years ago

@ale5000-git afaik, the only way to “properly” abort the call is by throwing an exception, so we have to throw an exception anyway. In this context, I'm not too sure what exception you would want us to raise.

ale5000-git commented 6 years ago

Maybe a custom one? Example: throw new MissingGmsCore();

Just to see it clearly from the logcat.

ClearlyClaire commented 6 years ago

With the current code, GmsCore not being found will cause PackageManager.NameNotFoundException to be thrown. I see no value in redefining our own exception for this.
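One way to cover the two points raised in the comments above (any app being able to call the service, and a clear logcat line when com.google.android.gms is missing), as an added example that is not RemoteDroidGuard's own code. The class `GmsCallerGate` and its method names are hypothetical; only standard Android framework APIs are used.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.util.Log;

/** Hypothetical helper for illustration; not part of RemoteDroidGuard. */
public final class GmsCallerGate {
    private static final String TAG = "GmsCallerGate";
    // Package name discussed in the thread.
    static final String GMS_PACKAGE_NAME = "com.google.android.gms";

    private GmsCallerGate() {}

    /**
     * Call first thing inside a Binder method of the service.
     * Throws SecurityException unless the calling UID owns GMS_PACKAGE_NAME.
     * This checks the package name only, not the caller's signing certificate.
     */
    public static void enforceCallerIsGms(Context context) {
        int uid = Binder.getCallingUid();
        String[] packages = context.getPackageManager().getPackagesForUid(uid);
        if (packages != null) {
            for (String pkg : packages) {
                if (GMS_PACKAGE_NAME.equals(pkg)) {
                    return; // caller is GmsCore
                }
            }
        }
        Log.w(TAG, "Rejected call from uid " + uid);
        throw new SecurityException("Caller is not " + GMS_PACKAGE_NAME);
    }

    /**
     * Looks up the installed GmsCore package (versionCode / versionName).
     * NameNotFoundException still propagates, so the request aborts before
     * any other work is done; it is logged first so the cause shows in logcat.
     */
    public static PackageInfo requireGmsPackageInfo(Context context)
            throws PackageManager.NameNotFoundException {
        try {
            return context.getPackageManager().getPackageInfo(GMS_PACKAGE_NAME, 0);
        } catch (PackageManager.NameNotFoundException e) {
            Log.e(TAG, GMS_PACKAGE_NAME + " is not installed; aborting request", e);
            throw e;
        }
    }
}
```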

Nanolx commented 5 years ago

Seems Google has updated the.apk again. SafetyNet attestation crashes any app with the following log:

08-13 19:12:44.187  5022  5125 I zygote64: The ClassLoaderContext is a special shared library.
08-13 19:12:44.237  2661  2661 D GmsSafetyNetClientSvc: onBind: Intent { act=com.google.android.gms.safetynet.service.START pkg=com.google.android.gms }
08-13 19:12:44.248  2661  3790 D GmsSafetyNetClientSvc: bound by: GetServiceRequest{serviceId=SAFETY_NET_CLIENT, gmsVersion=7095000, packageName='com.topjohnwu.magisk', extras=Bundle[{}]}
08-13 19:12:44.318  4869  5141 D GmsDroidguardHelper: -- Request --
08-13 19:12:44.318  4869  5141 D GmsDroidguardHelper: DGRequest{usage=DGUsage{type=attest, packageName=com.google.android.gms}, info=[KeyValuePair{key=BOARD, val=msm8996}, KeyValuePair{key=BOOTLOADER, val=unknown}, KeyValuePair{key=BRAND, val=unknown}, KeyValuePair{key=CPU_ABI, val=arm64-v8a}, KeyValuePair{key=CPU_ABI2, val=}, KeyValuePair{key=SUPPORTED_ABIS, val=arm64-v8a,armeabi-v7a,armeabi}, KeyValuePair{key=DEVICE, val=OnePlus3T}, KeyValuePair{key=DISPLAY, val=omni_oneplus3-userdebug 8.1.0 OPM4.171019.021.Y1 51 test-keys}, KeyValuePair{key=FINGERPRINT, val=OnePlus/OnePlus3/OnePlus3T:7.1.1/NMF26F/02072026:user/release-keys}, KeyValuePair{key=HARDWARE, val=qcom}, KeyValuePair{key=HOST, val=devbox2.omnirom.org}, KeyValuePair{key=ID, val=OPM4.171019.021.Y1}, KeyValuePair{key=MANUFACTURER, val=OnePlus}, KeyValuePair{key=MODEL, val=ONEPLUS A3003}, KeyValuePair{key=PRODUCT, val=unknown}, KeyValuePair{key=RADIO, val=unknown}, KeyValuePair{key=SERIAL, val=6e532501}, KeyValuePair{key=TAGS, val=release-keys}, KeyValuePair{key=TIME, val=1534027538000}, KeyValuePair{key=TYPE, val=user}, KeyValuePair{key=USER, val=jenkins}, KeyValuePair{key=CODENAME, val=REL}, KeyValuePair{key=INCREMENTAL, val=51}, KeyValuePair{key=RELEASE, val=8.1.0}, KeyValuePair{key=SDK, val=27}, KeyValuePair{key=SDK_INT, val=27}], versionNamePrefix=12.8.74 (040400-{{cl}}), isGoogleCn=false, enableInlineVm=true, cached=[ByteString[size=20 md5=5e30a549ca81c22d8482a24cabb6499a], ByteString[size=20 md5=048afb3664e83829ebb96a535569282d], ByteString[size=20 md5=e7a41bf1cf9a6c35b733ccfaaa561e90]], currentVersion=3, arch=aarch64}
08-13 19:12:44.448  4869  5141 D GmsDroidguardHelper: Using cached file from /data/user/0/org.microg.gms.droidguard/app_dg_cache/c6f298f70892bfef446378202811f8fee23b76bb/the.apk
08-13 19:12:44.670  4869  5141 D GmsDroidguardHelper: b -> 3603801481263501811
08-13 19:12:44.710  4869  5141 D GmsDroidguardHelper: c -> com.google.android.gms
08-13 19:12:44.817  5022  5022 D AndroidRuntime: Shutting down VM
08-13 19:12:44.819  5022  5022 E AndroidRuntime: FATAL EXCEPTION: main
08-13 19:12:44.819  5022  5022 E AndroidRuntime: Process: com.topjohnwu.magisk, PID: 5022
08-13 19:12:44.819  5022  5022 E AndroidRuntime: java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String[] java.lang.String.split(java.lang.String)' on a null object reference
08-13 19:12:44.819  5022  5022 E AndroidRuntime:    at com.topjohnwu.snet.SafetyNetHelper.onResult(Unknown Source:26)
08-13 19:12:44.819  5022  5022 E AndroidRuntime:    at com.topjohnwu.snet.SafetyNetHelper.onResult(Unknown Source:2)
08-13 19:12:44.819  5022  5022 E AndroidRuntime:    at com.google.android.gms.common.api.a$a.handleMessage(Unknown Source:33)
08-13 19:12:44.819  5022  5022 E AndroidRuntime:    at android.os.Handler.dispatchMessage(Handler.java:106)
08-13 19:12:44.819  5022  5022 E AndroidRuntime:    at android.os.Looper.loop(Looper.java:164)
08-13 19:12:44.819  5022  5022 E AndroidRuntime:    at android.app.ActivityThread.main(ActivityThread.java:6499)
08-13 19:12:44.819  5022  5022 E AndroidRuntime:    at java.lang.reflect.Method.invoke(Native Method)
08-13 19:12:44.819  5022  5022 E AndroidRuntime:    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:438)
08-13 19:12:44.819  5022  5022 E AndroidRuntime:    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:807)
08-13 19:12:44.826   880  2108 W ActivityManager: Process com.topjohnwu.magisk has crashed too many times: killing!
08-13 19:12:44.827   880  2108 W ActivityManager:   Force finishing activity com.topjohnwu.magisk/.MainActivity
08-13 19:12:44.832   880  2108 I WindowManager: Failed to capture screenshot of Token{cd8a51f ActivityRecord{2eb40be u0 com.topjohnwu.magisk/.MainActivity t46 f}} appWin=Window{939a758 u0 com.topjohnwu.magisk/com.topjohnwu.magisk.MainActivity} drawState=4
08-13 19:12:44.839   545   705 E BufferQueueProducer: [com.topjohnwu.magisk/com.topjohnwu.magisk.MainActivity#0] queueBuffer: BufferQueue has been abandoned
08-13 19:12:44.840  5022  5038 E Surface : queueBuffer: error queuing buffer to SurfaceTexture, -19
08-13 19:12:44.840  5022  5038 I Adreno  : QueueBuffer: queueBuffer failed
08-13 19:12:44.840  5022  5038 W OpenGLRenderer: swapBuffers encountered EGL error 12301 on 0x7f0467c640, halting rendering...
08-13 19:12:44.858   880  2108 E ActivityManager: Found activity ActivityRecord{2eb40be u0 com.topjohnwu.magisk/.MainActivity t-1 f} in proc activity list using null instead of expected ProcessRecord{54a0970 5022:com.topjohnwu.magisk/u0a112}
08-13 19:12:44.869   880  2108 I ActivityManager: Killing 5022:com.topjohnwu.magisk/u0a112 (adj 199): crash
08-13 19:12:44.876   880   956 W zygote64: kill(-5022, 9) failed: No such process
08-13 19:12:44.926   880  1040 W ActivityManager: setHasOverlayUi called on unknown pid: 5022
08-13 19:12:44.940   880   956 W zygote64: kill(-5022, 9) failed: No such process
08-13 19:12:44.959   880  1323 W InputDispatcher: channel 'f0da3e3 Toast (server)' ~ Consumer closed input channel or an error occurred.  events=0x9
08-13 19:12:44.959   880  1323 E InputDispatcher: channel 'f0da3e3 Toast (server)' ~ Channel is unrecoverably broken and will be disposed!
08-13 19:12:44.985   880   956 W zygote64: kill(-5022, 9) failed: No such process
08-13 19:12:44.985   880   956 I zygote64: Successfully killed process cgroup uid 10112 pid 5022 in 109ms

If you need further infos, just let me know.

Nanolx commented 5 years ago

@ThibG maybe related? The default quota being blocked? See: https://stackoverflow.com/questions/50960332/why-did-safetynet-attestation-stop-working/50960333#50960333

ClearlyClaire commented 5 years ago

@Nanolx maybe. I have a similar issue with com.scottyab.safetynet.sample, but not with Pokémon Go, which requests a SafetyNet attestation without issues.

ArchangeGabriel commented 5 years ago

com.scottyab.safetynet.sample has been updated two days ago for that reason. ;)

ClearlyClaire commented 5 years ago

Still crashes here, though. Maybe we need to update our SafetyNet implementation, but I don't plan to look into that anytime soon.

ArchangeGabriel commented 5 years ago

I can confirm that this fixed SafetyNet for me, although com.scottyab.safetynet.sample still crashes for instance. But the app for which I need SafetyNet to pass is working fine.

Nanolx commented 5 years ago

That's true for several apps, but not all. I, as a Nintendo Fan, can play Fire Emblem Heroes and Super Mario Run with microG, however, Animal Crossing Pocket Camp crashes during SafetyNet attestation, just as the SafetyNet Helper Sample.

So I suppose it's related to how an app acts upon an invalid response (which is what microG currently gives you). So whether this is an issue or not solely depends on the target application.

Nanolx commented 5 years ago

I'm feeling like we should add a bounty? SafetyNet is used by more and more applications, so that more and more becomes an integral part of microG in the long run...

@ThibG @mar-v-in

ArchangeGabriel commented 5 years ago

Crashes should be fixed by https://github.com/microg/android_packages_apps_GmsCore/commit/b2d696560867cd598a88899eb170b6cec85b6177.

So I guess this PR is everything left required for anyone using verbatim μG (so not talking about root/Magisk/etc) to pass SafetyNet.

Nanolx commented 5 years ago

Yes, everything's fine now with latest upstream microG and this pull request. In a sane world crappy shit like SafetyNet wouldn't exist at all.

Now the usual root/SafetyNet rant follows, you've been warned:

I hate how "everyone" demonizes root and stuff, yet most of them use a Windows PC with active Administrator Account or regularly granting sudo-style elevated rights, what kind of sick double standard is that?!

Imagine Steam or Microsoft would kill your library/software access as soon as you use your Windows' Admin account, yet Google and Crapple not just get away with it, they are even encouraged (sic!) to go further. Nintendo incorporated SafetyNet in Super Mario Run, which is not F2P, but a paid app, as well as in its crappy Nintendo Online app, which itself is free, but the service you access it is paid, same for Netflix. You pay for this stuff and yet get locked out.

Well, those that really "pirate" and betray, still do it, because SafetyNet won't stop them. LuckyPatcher for example is unaffected. SafetyNet is nothing else than a big pile of Security through Obscurity, which adds nothing to the fact how sick Android's permission handling is.

I mean, I'm not allowed to open up the root access of my device which I paid for, without being witch-hunted by Google. Yet PokemonGo, Fortnite and many other apps do the following

all that BY DESIGN, or picture this: the Android Package Manager could be run in background without the user noticing or apps can do addon-data downloads which could be malware or whatever.

But yes, root is the evil root of all security breaches and thus needs to be prevented at all cost. Instead of SafetyNet Google should fix Android Apps from abusing and thus taking the permission system de facto ad absurdum.

Meanwhile I demand the medal of honor for mar-v-in for his work on microG and for topjohnwu for his work on Magisk.

/rant

I feel better now.

Nanolx commented 5 years ago

In case someone stumbles across this: If you're using Magisk 18.0, you have to add microG DroidGuard Helper to Magisk Hide in order to pass SafetyNet (not required with earlier Magisk versions).

And of course a build with this pull request included.

skjnldsv commented 5 years ago

Hello! Any reason this is not merged? Is everyone failing SafetyNet now?

Nanolx commented 5 years ago

No, I suppose they use my unofficial build, which includes this fix, see https://www.nanolx.org/fdroid/repo/

Since mar-v-in is active again I guess a new release of microG will come along with a new release of DroidGuard Helper as well.

ale5000-git commented 5 years ago

@ThibG: Hi, what about keeping GMS_PACKAGE_NAME in Constants.java? Hardcoded text/number isn't usually a good programming practice.

ClearlyClaire commented 5 years ago

@ale5000-git guess I could do that, it's just that it wasn't used anymore until the last commit, and it's unlikely to ever change

Nanolx commented 5 years ago

Seems like this afternoon Google has rolled out a new DroidGuard binary? At least SafetyNet attestation again fails with microG/DroidGuardHelper on both non-rooted and Magisk rooted ROM for me.

Can anyone confirm?

skjnldsv commented 5 years ago

I confirm! I was wondering why safetynet is now failing! Thanks for the heads up @Nanolx

ClearlyClaire commented 5 years ago

It fails for me too since a few hours ago. LineageOS 16 (+ signature spoofing patch) on Fairphone. Haven't tried figuring out why it fails yet (and not sure I'll have a look anytime soon)

Foorack commented 5 years ago

Yes, app requiring SafetyNet worked last week, not working at all now.

skjnldsv commented 5 years ago

@Nanolx any news on this? :)

Eerovil commented 5 years ago

@Nanolx does this mean even ctsProfile will not pass before the issue is fixed? (It doesn't for me, but I'm not sure if the issue is elsewhere)

jacen05 commented 5 years ago

@Eerovil: An issue has been opened to track this (#24). From what I can read and what I experience, both basicIntegrity and ctsProfile checks fail now. However I suggest other people confirm that both checks are failing (it could be that my own setup has another problem).

Nanolx commented 5 years ago

@Eerovil just as I said: SafetyNet attestation doesn't work. So it doesn't matter whether your device would pass any of basic or cts, the check itself fails already, so you get false for both.

@jacen05 not required, because it's already known it doesn't work anymore, more people stating the obvious won't make the fix happen faster.

Justasic commented 5 years ago

So I have a log of the safetynet test I used, I am not sure if it's of any use but I see a few unknown field numbers from SafeParcel when it starts the test. Here's my logcat (from logcat-color on linux), I'm not sure if this is useful for diagnosing why it's failing but figured I'd post it anyway. https://del.dog/okavozukel

I have a OnePlus 5 with HavocOS, Magisk 19.4-dd6e55ac, microg 0.2.7.17455-65-mapbox (1e49e95), Riru v19, Riru EdXposed v0.4.5.5_beta(YAHFA). My friend uses the exact same setup on his phone except with Google Play Services instead of MicroG and has it working, but I am willing to try whatever to see if it fixes SafetyNet Attestation.

Nanolx commented 5 years ago

There's nothing you can try to fix SafetyNet attestation, except providing the necessary code changes required.

The new issue is open here: https://github.com/microg/android_packages_apps_RemoteDroidGuard/issues/24