microg / RemoteDroidGuard

Service to run Google's DroidGuard binary in an isolated environment

SafetyNet now fails again #24

Closed OrionMoonclaw closed 2 years ago

OrionMoonclaw commented 5 years ago

Google seems to have pushed out an update to SafetyNet that breaks it on MicroG

theo546 commented 4 years ago

I think you misunderstood, I was saying that my Android phone was claimed to be "unsecure" by banking apps and SafetyNet just because it doesn't pass this stupid test, while on my computer, I have no test to pass BUT I still can access my bank website, it just doesn't make any sense. I gotta agree with you that OEM are lazy to react and patch security issues, but literally any process on your PC can read another process memory without any issues, there is good and bad in both sides.

smnthermes commented 4 years ago

Applications are sandboxed on Android, not under Windows

Native applications aren't sandboxed on Windows, but websites are sandboxed on browsers.

mimi89999 commented 4 years ago

How many apps are affected actually? Is anything besides Snapchat and several banking apps using SafetyNet?

jeroenev commented 4 years ago

McDonald's app, Pokémon Go, Bancontact (the main mobile payment app used in my country), Google Pay.

skid9000 commented 4 years ago

com.md.macdonalds.gomcdo ? I still have it on my phone and it seems to work fine without SafetyNet 🤔

532910 commented 4 years ago

google pay!

ghost commented 4 years ago

Yuka

On 29 April 2020 13:38:30 GMT+02:00, sergio notifications@github.com wrote:

google pay!


0x5ECF4ULT commented 4 years ago

@errorcodevortex I reverse engineered the app you provided a download link to (was an early version of NoDeviceCheck over here) as well as the other "safetynet bypasses" in the XPosed repo. All of them are harmless (do not send any data, etc). All they do is block specific paths (eg su, xposed) and return true for basicIntegrity and ctsProfileMatch. This may lead to letting you login to apps that doesn't check the signature provided in the JWT response. But apps that check the signature on their own server/app like Snapchat, Netflix, banking apps and probably some others will see that the response has been tampered with.
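The distinction drawn in the comment above (a local module returning `true` for `basicIntegrity` and `ctsProfileMatch` fools only apps that never verify the JWS signature, while a server-side check catches the tampering) can be shown with a small relying-party verifier. The code below is an added example, not part of this issue or of RemoteDroidGuard. It implements RS256 in pure Python so it runs offline, and it pins a single constructed attestation key in place of the real `x5c` certificate chain (which must validate to a public root with a leaf issued to `attest.android.com`); the trust decision it makes is the same one a backend makes. Package name, certificate digest, nonce and timestamp values are constructed for the example.

```python
import base64
import hashlib
import json
import random
import time

# Pure-Python RS256 (RSA PKCS#1 v1.5 over SHA-256) so the example runs offline.
# The pinned service key is a constructed stand-in for the x5c chain of a real
# SafetyNet JWS; only the holder of that key can sign a payload the server accepts.

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin, used only to build the constructed test keys."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_rsa_key(bits=1024):
    """Constructed test key (n, e, d): too small and too naive for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:        # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(message, k):
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(priv, message):
    n, _, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(pub, message, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa_pkcs1_v15(message, k)

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jws(priv, payload):
    head, body = _b64url(b'{"alg":"RS256"}'), _b64url(json.dumps(payload).encode())
    return f"{head}.{body}." + _b64url(rs256_sign(priv, f"{head}.{body}".encode()))

def verify_attestation(jws, trusted_pub, expected_nonce, expected_package,
                       expected_cert_digests, now_ms=None, max_age_ms=60_000):
    """Server-side check of an attestation JWS. Returns (ok, reason)."""
    parts = jws.split(".")
    if len(parts) != 3:
        return False, "malformed JWS"
    head, body, sig = parts
    if json.loads(_unb64url(head)).get("alg") != "RS256":
        return False, "unexpected alg"
    # The signature is the step a local "return true" module cannot forge.
    if not rs256_verify(trusted_pub, f"{head}.{body}".encode(), _unb64url(sig)):
        return False, "signature invalid: not signed by the attestation service"
    claims = json.loads(_unb64url(body))
    if claims.get("nonce") != expected_nonce:       # nonce must be the one this server issued
        return False, "nonce mismatch (replayed or foreign response)"
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if not 0 <= now_ms - claims.get("timestampMs", 0) <= max_age_ms:
        return False, "stale response"
    if claims.get("apkPackageName") != expected_package:
        return False, "package name mismatch"
    if set(claims.get("apkCertificateDigestSha256", [])) != set(expected_cert_digests):
        return False, "APK signing-certificate digest missing or mismatched"
    if not (claims.get("ctsProfileMatch") is True and claims.get("basicIntegrity") is True):
        return False, "device failed integrity checks"
    return True, "ok"

def run_scenarios():
    """Constructed scenarios a backend would see; returns {name: (ok, reason)}."""
    random.seed(24)                                  # deterministic constructed keys
    n, e, d = generate_rsa_key()
    service_pub, service_priv = (n, e), (n, e, d)
    attacker_priv = generate_rsa_key()               # a bypass module never holds service_priv
    nonce = _b64url(hashlib.sha256(b"constructed-session-42").digest())
    pkg, digest = "com.example.bank", _b64url(hashlib.sha256(b"constructed-release-cert").digest())
    now = 1_600_000_000_000
    genuine = {"nonce": nonce, "timestampMs": now - 500, "apkPackageName": pkg,
               "apkCertificateDigestSha256": [digest], "ctsProfileMatch": True, "basicIntegrity": True}
    def check(jws):
        return verify_attestation(jws, service_pub, nonce, pkg, [digest], now_ms=now)
    return {
        "genuine": check(make_jws(service_priv, genuine)),
        "locally_forged_true_true": check(make_jws(attacker_priv, genuine)),
        "missing_apk_digest": check(make_jws(service_priv, {**genuine, "apkCertificateDigestSha256": []})),
        "replayed_nonce": check(make_jws(service_priv, {**genuine, "nonce": _b64url(b"old")})),
        "honest_failure": check(make_jws(service_priv, {**genuine, "ctsProfileMatch": False})),
    }
```

Running `run_scenarios()` shows the four ways a response is rejected: a payload with both flags set to `true` but signed by anyone other than the pinned service key fails at the signature step before any claim is read; a correctly signed payload that lacks the APK signing-certificate digest, reuses an old nonce, or honestly reports `ctsProfileMatch: false` is rejected by the claim checks that follow.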

HanabishiRecca commented 4 years ago

According to recent news: just forget about it. If you are not playing by Google rules you will not be able to pass SafetyNet. That's it. https://www.xda-developers.com/safetynet-hardware-attestation-hide-root-magisk/

sprainbrains commented 4 years ago

According to recent news: just forget about it. If you are not playing by Google rules you will not be able to pass SafetyNet. That's it.

https://www.xda-developers.com/safetynet-hardware-attestation-hide-root-magisk/

It’s very sad news :( Well... we will live with this

0x5ECF4ULT commented 4 years ago

Alrighty then, we'll need a hardware hacker that gets the hardware attestation keys... But to my knowledge this hardware attestation thingy is nothing more than future dreams. This will go in prod in 2 years earliest, but then 99% of Android users will be mad at Google for blocking out legit, unmodified phones. That 1% are those people which change their phone every 2 years. IMO SN with forced hardware attestation will be a thing in 10+ years

axelsimon commented 4 years ago

Alrighty then we'll need a hardware hacker that gets the hardware attestation keys...

Just to be clear, you are suggesting someone decap a SoC on a phone, and use an electron microscope to get that SoC's private key?

Also, i'm not sure you realise that the private key is not shared between devices, but unique to each chip. They are part of a chain of trust that goes back up to the manufacturer's root certificate. So even if you get one from one device, that does nothing for all the other devices. This is by design.

From the documentation:

If the device supports hardware-level key attestation, the root certificate within this chain is signed using an attestation root key, which the device manufacturer injects into the device's hardware-backed keystore at the factory.

So no, you don't just need "a hardware hacker that gets the hardware attestation keys", you need to either get the root certificate, at the end of the certificate chain, or to break that SoC's implementation of TrustZone, which is what is used on Android devices so far.

This says nothing of the future, where TrustZone is likely to be replaced by something better designed, that will incorporate the lessons of these past few years (Intel's SGX has suffered quite a few blows, you can imagine Google and ARM will not want to replicate that).

I'm quite curious as to why you think this "hardware attestation thingy is nothing more than future dreams", it's actually well under way and unlikely to not be in most devices in the near future.

Also, where do you get the stat that 1% of people change their phone every 2 years? In Europe, for instance, the average lifespan of a device is 21.6 months, in the USA 22.7 months (stats from 2016).

0x5ECF4ULT commented 4 years ago

@axelsimon I apologize. Maybe I've been writing stuff before drinking my coffee. I've opened a PR that works in the emulator. I hope those changes will be sufficient for the time until Google enforces hardware-backed attestation.

ArchangeGabriel commented 4 years ago

Can we get an APK build from the latest tag? I can’t find it in the microG F-Droid repo.

Nanolx commented 4 years ago

I made a build, feel free to give it a try. Of course it's got a different signature than the original, so first uninstall the official build (if any).

tpaniaki commented 4 years ago

I made a build, feel free to give it a try. Of course it's got a different signature than the original, so first uninstall the official build (if any).

In my case (MicroG 0.2.10.19240-dirty with root / Magisk hide) still Response payload validation failed.

0x5ECF4ULT commented 4 years ago

@jfk88 please follow #29 and #30 for clarification

mtthidoteu commented 4 years ago

I made a build, feel free to give it a try. Of course it's got a different signature than the original, so first uninstall the official build (if any).

In my case (MicroG 0.2.10.19240-dirty with root / Magisk hide) still Response payload validation failed.

@jfk88 please follow #29 and #30 for clarification

Installed the last one @Nanolx replied with two days ago, and I'm getting that same error. What exactly are the steps to fix it (If, like i understood, it's working again)? Thanks

0x5ECF4ULT commented 4 years ago

@mat789456 yep you're right. SN seems to be working again (at least Google signs the response). The only issue left is that the apk hashes aren't included in the payload which causes the request to fail. Stay tuned!

BugGlitchy64 commented 4 years ago

Wow the progress so far! I'm still waiting tho.

0x5ECF4ULT commented 4 years ago

@CRTComputer thanks for the feedback. Unfortunately I currently don't have time to continue the development of the fix. Watch #30 for updates.

Funatiker commented 4 years ago

@CRTComputer thanks for the feedback. Unfortunately I currently don't have time to continue the development of the fix. Watch #30 for updates.

@0x5ECF4ULT I added some lines from a log file to the comments of that log file. I hope, it was the right place.

werdahias commented 3 years ago

I recently did a full reinstall of LOS 17.1, but SN fails of course. Is there anything I can do to help debugging? Or has Google hardened the validation, making it impossible to pass?

unresolvedsymbol commented 3 years ago

No, this sandbox hasn't been updated for the new DroidGuard. If you want to pass SafetyNet install pico gapps, I'd assume you don't care about your privacy anyway if you're using a proprietary app that validates this.

werdahias commented 3 years ago

I do care about privacy, or else I wouldn't be using Lineage in the first place. I have three apps that require SN. It would be great if I could run these.

Master0ne commented 3 years ago

@CountOmega can you name those three apps? I am using several "critical" banking apps that need Magisk Hiding, but I have not come across an app that requires SafetyNet so far.

0x5ECF4ULT commented 3 years ago

@CountOmega thanks for your offer, but unfortunately there's nothing where debugging could be of help. The main and (hopefully) only issue atm is that DroidGuardHelper (the sandbox DroidGuard runs in) doesn't return values that are signed by Google. Please watch #30 for updates. For the hardening part: Google implemented key-vault-based (TPM, SE, ...) attestation which could prevent users with unlocked devices to pass SN in the future. However, this is not enforced yet. YMMV but it's only a matter of time IMO. Atm you can force BASIC attestation which is software based and not guarded by a key-vault.

0x5ECF4ULT commented 3 years ago

@unresolvedsymbol in fact it has been updated. Please watch #29 and #30.

werdahias commented 3 years ago

Thank you for your explanation of what the current state of things is. I already read about #29 and #30. I also installed @Nanolx' build of DroidGuard but I still get an error. If I need SN, should I just install pico Gapps atm? I really appreciate all the work you have done.

0x5ECF4ULT commented 3 years ago

@CountOmega pico GApps are the better idea atm. Thanks for your kind words but it has not only been me. Marvin has been a huge help on my way there ;)

werdahias commented 3 years ago

Ok, thank you. I will reinstall Lineage with PicoGapps. Keep up the good work.

ladislavkrivy commented 3 years ago

@CountOmega If you have time to spare there is one thing worth trying. Some apps only check safetynet during first login/initialization so after doing that you can reboot, back them up, flash clean rom, restore and hope they keep working. (Make sure to magisk hide and hide magisk on the new rom too, not to trip some system checks. After some trip-up I was able to restore from backup again and the app luckily kept working, even survived some updates.)

werdahias commented 3 years ago

So I did a reset and voilà, it works. CTS profile match is still false, but all relevant stuff seems to work.

unresolvedsymbol commented 3 years ago

@0x5ECF4ULT I've reviewed some of the last commits, however, are you sure the DroidGuard binary hasn't received any updates since July? GPS certainly has received many. I'd also say the result not being signed is a very critical flaw, and would result in any app with a proper SN implementation disregarding whether the so-called CTS profile and basic integrity were true. (Magisk Manager doesn't show this)

@CountOmega Tried clearing GPS (Google Play Services) data and restart the app you're testing SN with?

0x5ECF4ULT commented 3 years ago

@unresolvedsymbol Yes the DG binary hasn't been updated since July but there's also a 1/10 chance that this binary gets invoked. The binary you mean is the offline DG. For online signage by Google the newest binary is downloaded and directly invoked. For the signage part: please take a good look at all the logcat outputs in the PRs. Google signs the requests. The only issue is that the response is not handed down to the app which requested the signage.

mcdoe commented 3 years ago

@0x5ECF4ULT are you passing SN w this?

0x5ECF4ULT commented 3 years ago

@mcdoe I got indicators that Google sends back signed responses (no response was the original problem) but I'm not passing SN yet. First because I'm using an emulator and second because the code isn't fully functional yet.

mcdoe commented 3 years ago

@0x5ECF4ULT got it. As far as you know, is there a way to pentest android apps in an emulator while passing safetynet?

0x5ECF4ULT commented 3 years ago

@mcdoe no there's no way to achieve that using mG. You can try to install something like OpenGApps and fake your device properties to get CTS passing. Another method would be to mock everything using Frida and pray for the app to not verify the signature by phoning home.

unresolvedsymbol commented 3 years ago

Lately I've been using microG with apps that I thought(?) verified SafetyNet like Snapchat, my banking apps, Cash App, Revolut, etc. without issues on 0.2.17.204714 with MagiskHide enabled on said apps. Make of it what you will.

0x5ECF4ULT commented 3 years ago

That's weird. The only reason this could have happened is by authenticating to said apps prior to installing mG. What's your device?

unresolvedsymbol commented 3 years ago

That's weird. The only reason this could have happened is by authenticating to said apps prior to installing mG. What's your device?

Using crDroid 7.4(?) on a OnePlus 7 Pro, no trace of gapps at all. And no, I can re-login to all said apps just fine. I don't use titanium backup.

Also if it makes a difference I self build nanodroid's microG metapackage and install it from storage with Magisk.

Master0ne commented 3 years ago

@unresolvedsymbol I'm using quite some banking and other sensitive apps myself (including Revolut and Revolut Business) and none of these require SafetyNet to pass, only Magisk Hide. Even the overly annoying DKB TAN2go app can be tricked by "freezing" Magisk first and in fact I haven't come across any app that requires SafetyNet to pass so far.

BTW I'm using ArrowOS 11 with Magisk v22.1 and microG v0.2.18.204714 with Google SafetyNet: Off, but nonetheless I really would like to see that issue resolved, just in case.

0x5ECF4ULT commented 3 years ago

@unresolvedsymbol also on crDroid here :D could you by any chance capture your logcat output while logging in to Snapchat for example? This could eventually help resolving your mystery and this issue overall.

unresolvedsymbol commented 3 years ago

@0x5ECF4ULT https://a.pomf.cat/bktmgu.7z nothing much interesting as far as I can tell. cleared data + relogged into snap with keepassdx magikeyboard (then stripped some stuff, probably missed some but eh)

Nanolx commented 3 years ago

Not all apps may be using SafetyNet, or some may have changed to accept API failures when the request itself was sent successfully, because, you know, no recent Huawei device can attest SafetyNet, but those apps like Instagram, Snapchat & Co. still want those users' data/interactivity. Also there are some apps which only restrict certain functionality behind SN, like my banking app only disallows fingerprint unlock or app-to-app TAN, everything else works normally.

I don't know, it's just a wild guess.

theo546 commented 3 years ago

So, this whole Huawei trade ban thing may be a good thing for us after all, maybe we'll see more apps doing this, that can be a very nice solution.

jeroenev commented 3 years ago

Well, it might be but the response from every single app from my country has been "we don't give a shit", "the market is too small", "we might re-evaluate in the future"

jeroenev commented 3 years ago

Huawei seems completely dead after the ban, you barely see any Huawei phones any more unless they're 2+ years old. Obviously in China they're still massive, but in Europe they seem completely dead.

kondors1995 commented 3 years ago

@unresolvedsymbol are you still able to use those apps after the recent SafetyNet changes, since the new changes broke CTS even for unrooted phones with a custom ROM?