microg / RemoteDroidGuard

Service to run Google's DroidGuard binary in an isolated environment

SafetyNet now fails again #24

Closed klrtk closed 2 years ago

klrtk commented 5 years ago

Google seems to have pushed out an update to SafetyNet that breaks it on MicroG

SoaringLake commented 5 years ago

Please, fix it, no safetynet android does not make sense :'(

Exodusnick commented 5 years ago

Please, fix it.

JohnGLFour commented 5 years ago

@mar-v-in @ThibG The problem is how it works, not detect.

ClearlyClaire commented 5 years ago

I am aware. I do not know why it fails. And as you may know, DroidGuard is purposefully difficult to understand. I have no time to spend on this for the moment.

JohnGLFour commented 5 years ago

@ThibG Google rewrote the process of how Safetynet works on a new update. @Nanolx mentioned this in his Nanodroid XDA Post.

Take your time, hope you can figure it out.

TeslaBargain commented 5 years ago

So SafetyNet still not working?

I just tried with a fresh installation of LineageOS 16.0 MicroG + latest Magisk on my OnePlus 6, installed DroidGuard using F-Droid (I didn't manage to copy it to /system/priv-app though), DroidGuard is selected in Magisk Hide, and the SafetyNet test fails (ctsProfile: false & basicIntegrity: false). Obviously my Internet bank app fails to start.

JohnGLFour commented 5 years ago

Obviously, due to a new update Google rewrote how it works to Safetynet, it still not working.

Pinjontall94 commented 5 years ago

Is there somewhere we can look to help out? Even if it's just bug testing, I'd love to help get this fixed sooner rather than later.

Nanolx commented 5 years ago

Not actually. It's on mar-v-in's agenda, but no ETA.

smnthermes commented 4 years ago

Don't be tracked, pay cash.

Foorack commented 4 years ago

@samantohermes Unserious comment, impractical approach.

ghost commented 4 years ago

+1

ghost commented 4 years ago

Any updates on this situation?

ghost commented 4 years ago

It would be great to know if this issue is known by now and if it'll get fixed or not.

errorcodevortex commented 4 years ago

I managed to pass both safetynet checks with micro-g everything working at least for past 4 days. Wasn't too exhaustive but did require fxamework. Not sure if anything can be worked in officially from this angle but I hope. Pm'd Setialpha + Mar-V-in on xda, not sure who else to let know.

ghost commented 4 years ago

> but did require fxamework

That's the problem. I suppose you used the HiddenCore Module and yes while it passes SafetyNET most apps that block devices without SafetyNET check will still block you out.

errorcodevortex commented 4 years ago

I did have to restore snapchat from Titanium still. Just about everything else working without restore pubg, paypal, maps, my bank app not sure if this is new or not. Only apps that check for x aren't working initially (snap, I guess some high end bank apps, nfc maybe?). Confirmed working on Note 9 and LGV30 roms with pie. Didn't use HiddenCore found a different module did not know about that one but I guess I should try that and see what happens with it, if does something different. Was not aware anyone was able to pass safetynet whatsoever yet.

ghost commented 4 years ago

> I did have to restore snapchat from Titanium still.

Ye I would like to use that as well again but I don't have a backup...

errorcodevortex commented 4 years ago

I flashed again with bitgapps real quick just to make a backup earlier and reflashed everything again myself. But I'm a flashaholic, never get very attached, should be possible to make one from another device as well, would have done that but my x86 build doesn't pass safetynet and the backup phone has ubports on it, thought to maybe try it on anbox but didn't want to install it again didn't know if it would work.

ghost commented 4 years ago

I don't really wanna flash again after just setting everything up. And sadly enough I don't have another rooted phone I could use to create a backup :/

ghost commented 4 years ago

Likewise, I'd like to emulate it into working somehow. I've even got twrp backups but I am not sure how to extract the right data.

errorcodevortex commented 4 years ago

Snapchat's not really that great imo, that is tragic tho, I do hate reflashing too for 1 small thing like that. Did get it working with but restore was a bit fidgety installed apk from store first then restored the data on top of it.

Did have a moment to try out hiddencore 1.7. Don't know how I didn't come across it before. It does seem to work for most apps in the same fashion but my screen display does stay on, read in a thread that it is like that for everyone. It seems many are worried it's also untrustworthy, some going as far to say it somehow "silently infiltrated xda". Personally I couldn't say if there is actually anything inherently wrong with it or unsafe some are saying it's not connected to internet at all. Should have checked my list of system apps before not 100% sure if anything else gets installed with either.

This is the module I chanced across https://drive.google.com/file/d/1kAEBmqd9DB7HCAaIepfqJ_nTtthVkOeY/view?usp=sharing It is called "safetynet by bdoel", its package name is com.safetynet.bypass I was sleuthing on youtube and happened to find a video in a foreign to me language that had a link in it, tried it and it worked. Edit: Found the video again https://www.youtube.com/watch?v=hINBMZq7Hf8&t=26s Honestly not sure which is more trustworthy, maybe someone can break it down more than I can. Bdoels module seems a good amount smaller 46kb not activated and 160kb activated compared to hiddencore not activated 455kb, so I think it may be less capable of harm and might do less negative or unnecessary things to your system. It also does not affect my screen display (which did sketch me out a bit, not sure if yours stayed on also or you fixed AON somehow) so I think it might be the best fix available right now. Discovered both do not pass with playstore safetynet checkers besides magisk's but I am assuming that is because of signature spoofing permission doing its thing because I don't seem to be facing any safetynet specific issues.

I wanted to try to avoid checks using Tai-chi magisk xposed but I am facing engine error(I guess cuz of edframeworks but not sure what framework is proper), anyone try this? So I am guessing no known rootcloak, suhide, no device check modules or alternatives working anymore?

ghost commented 4 years ago

I tried different ways to bypass it (mainly for Snapchat). They nearly all passed Magisk SafetyNET test but still failed with Snapchat which is quite sad because Snapchat only checks for SafetyNET before logging in. Since I don't have a file backup that doesn't help me though

jeroenev commented 4 years ago

any updates on this? bypass possible without xposed? don't want to root my device. also doubt that com.safetynet.bypass is open source

ghost commented 4 years ago

Even with Xposed it's not easy to trick the Safetynet check. So no without root you won't get anywhere but also with it doesn't help a lot. I guess we just gotta wait till they drop an update for MicroG

errorcodevortex commented 4 years ago

I don't think either fix is fully open source. I do though think it makes a big difference tho, helps a lot. Passing both checks as opposed to failing them both. Seemed pretty easy. I don't use google pay or pokemongo, my bank app is fine most everything is good now, restoring the one app for me isn't any issue. Wasn't going to end up using micro-g at all most-likely was just going to use bitgapps and be bummed about it if I couldn't find some type of decent fix for this. I don't think I could have continued using hiddencore1.7 with the always on display issue, so I hope it helps out others who feel the same way. No bypass yet without xposed or root at least I'm aware of, but I hope some wizards can whip something up. Maybe figure out how to use the spoofing signature trick both above apps use with just magisk, or build it in somehow without actually using xposed which would prevent the check.

leekzz commented 4 years ago

> > I did have to restore snapchat from Titanium still.
>
> Ye I would like to use that as well again but I don't have a backup...

I have a problem about this. I'm on LineageOS for MicroG 16.0 for OnePlus 6. When I restore my Snapchat backup with oandbackups or Titanium, it's not working. I launch Snapchat, I barely have time to see the camera that it instantly disconnects me from the app. Before it worked very well but since June it doesn't seem to work anymore and I didn't find anything similar on XDA. Do you guys have a fix for this?

JohnGLFour commented 4 years ago

I am using EdXposed, and trying to use the bypass safetynet.apk. Hope this worked

JohnGLFour commented 4 years ago

This worked on Magisk. I must say.

ghost commented 4 years ago

@leekzz Do you have Snapchat enabled in Magisk Hide (If you use Magisk obviously :D)

ghost commented 4 years ago

> This worked on Magisk. I must say.

And with apps that blocked you out before as well?

leekzz commented 4 years ago

@wilbie Yes he's activated, I'm using Magisk 19.4

NotesOfReality commented 4 years ago

> I am using EdXposed, and trying to use the bypass safetynet.apk. Hope this worked

I'm using Tai-Chi Xposed, would you please share the link of this APK and its thread/description/Git repo? Do you happen to know if it should work on Tai-Chi Xposed too? Would I have to use Magisk 19.4+ or should Magisk 19.3+ be ok?

unresolvedsymbol commented 4 years ago

I've acquired a successful safetynet request but the payload verification still fails so in total it means nothing to actual applications (Magisk manager doesn't verify the response as all other apps do). Tried both shady closed source safetynet bypass xposed modules with the SandHook variant of the Snapchat EdXposed fork (1.0.3 because I'm not on Q) & the original EdXposed. Tried stable as well as the last preview releases of droidguard. I'm using HavocOS 2.9 (Android 9.0) & Magisk v19.4 (also randomized manager package) on an LG-H872 (G6).

bennofs commented 4 years ago

@Nanolx do you know what the issue is? I would like to work on fixing this, but I am currently a bit lost where to look

JohnGLFour commented 4 years ago

The only solution is in 2 ways,

  1. Make a 3rd party SafetyNet that is the old version. (microG does allow to use other servers but building one needs time)
  2. Rework to work with official SafetyNet.

bennofs commented 4 years ago

@JohnGLFour do you know what exactly changed? Also, can you even run your own SafetyNet? I would assume that attestations have to be signed by a private key that only google possesses.

JohnGLFour commented 4 years ago

From June to now it is 6 months, I still hope to see that this gets resolved soon.

Nanolx commented 4 years ago

It will be fixed eventually, @mar-v-in already ensured that, though no ETA and not highest priority, there are more important things to fix/support in first place (maps, login/auth, firebase support, etc.).

Kreyren commented 4 years ago

@ThibG Do you have any tracking to what is causing this issue so that I don't have to start from scratch assuming this being a help-wanted issue?

ClearlyClaire commented 4 years ago

No, unfortunately, I don't

sprainbrains commented 4 years ago

> It will be fixed eventually, @mar-v-in already ensured that, though no ETA and not highest priority, there are more important things to fix/support in first place (maps, login/auth, firebase support, etc.).

Good news. But what about the deadlines?

Nanolx commented 4 years ago

What deadlines?

axelsimon commented 4 years ago

> But what about the deadlines?

"No ETA" means no deadlines, @sprainbrains. The message you quote gives you all the answers you need: it will be fixed eventually, no ETA, not highest priority. In other words, don't ask when it will be done.

sprainbrains commented 4 years ago

> > But what about the deadlines?
>
> "No ETA" means no deadlines, @sprainbrains. The message you quote gives you all the answers you need: it will be fixed eventually, no ETA, not highest priority. In other words, don't ask when it will be done.

Oh, sorry for my question. I got it. I'll be waiting.

jeroenev commented 4 years ago

It might become even harder to fix this, if not impossible: "Magisk may no longer be able to hide bootloader unlocking from apps" https://www.xda-developers.com/magisk-no-longer-hide-bootloader-unlock-status/

mid-kid commented 4 years ago

:iphone: :gun: Just kill it. Kill all of it. I am so done with this shit. If not having nice things is their way of welcoming potential users then so be it.

theo546 commented 4 years ago

This move from Google proves to us once again that we don't even have the right to run whatever we want on our devices that we paid for (hence the weird stuff SafetyNet does to verify the device status). I don't get how my Android phone is any less secure than my computer? Applications are sandboxed on Android, not under Windows, so why should a banking app block a rooted device (considering rooting is not something anybody can do), instead of my big, more vulnerable PC? It just doesn't make any sense...

I'm now OK with not running apps that would require me to uninstall Magisk and use the Google Play Services. Fuck the apps that use SafetyNet and fuck Google, they are not getting on my phone. I now understand why this issue was not fixed earlier. This is just a cat 'n mouse game. Anyway, this was a little bit off-topic, but I'm glad nobody worked on this issue, in the end, it's a huge middle finger from Google.

skid9000 commented 4 years ago

Off-topic too but all these moves from Google and the fact that now they want to modulate Android with packages that you have to download from the PlayStore instead of the "old" OTA system is freaking me out... What's next? All apps from the PlayStore should use SafetyNet? Banning google accounts that have a rooted/flashed device linked to it? Ban the device from the PlayStore at the hardware id level? At some point, we won't be able to run an up to date Android without Google's proprietary garbage or flash any alternative rom at all due to Google moves.

I'm not impacted much by SafetyNet (my banking app only checks root) but yeah that's a middle finger from Google for ya.

Gigadoc2 commented 4 years ago

> I don't get how my Android phone is any less secure than my computer? Applications are sandboxed on Android, not under Windows, so why should a banking app block a rooted device (considering rooting is not something anybody can do), instead of my big, more vulnerable PC? It just doesn't make any sense...

I claim the opposite: Your PC is less vulnerable than the average Android phone, because your PC receives most of the critical updates through Windows Update (or your Linux package manager), while with your phone most of the stuff still needs to go through the OEM who has no financial motivation to actually push those updates through (one might even say the opposite). On a PC, the only thing that is not kept up to date is BIOS firmware, and even that sometimes comes through Windows Update.

But then, banks (and the EU), insurers and more seem to claim that smartphones are more secure, as more and more stuff moves into being "App only". And then SafetyNet prevents you from keeping your phone up to date, which would have been the only thing making your phone actually more secure.

I think what is happening here is that a lot of people a) take end users to be very stupid (there is a point to that, but you can't prevent stupidity through technical measures) and b) think that locking down hardware and adding secure enclaves nets more security than timely updates. Unfortunately I don't have any credentials backing me, but I am very sure that timely updates are more important than locked-down and isolated hardware, in the grand scheme of things. Internally, Google probably knows this (as in, their security engineers know this), but they are obviously a bit biased to favour their Ecosystem over others, so they probably handwave the concerns away with "customers should just buy up-to-date hardware and everything would be fine".