rovo89 / Xposed

The native part of the Xposed framework (mainly the modified app_process binary).

Systemless SafetyNet bypassing #335

Open IlyaGulya opened 6 years ago

IlyaGulya commented 6 years ago

Hello! I can't find any discussion related to this subject. Is anyone doing any work on it? I would like to participate.

Update

For everyone who is interested in participating in this topic, please move here: https://github.com/IlyaGulya/NoSafetyNet

yanghaoxie commented 6 years ago

Do you mean magisk? https://forum.xda-developers.com/apps/magisk

IlyaGulya commented 6 years ago

No. When you install Xposed systemlessly using Magisk, it cannot bypass SafetyNet. I'm trying to find people who are working on this problem.

yanghaoxie commented 6 years ago

Sorry for my mistake. topjohnwu explains something here https://forum.xda-developers.com/showpost.php?p=73691464&postcount=4200 Quote: Systemless Xposed cannot pass SafetyNet!!! SN checks the running Zygote process, it is not as simple as unmounting the files to hide it!

IlyaGulya commented 6 years ago

I know the current situation, thank you. What I am trying to find is some kind of discussion about how to fix this issue. Is someone trying to patch SafetyNet, for example? As far as I know, Google Play Services provides the SafetyNet API. We can, for example, hook into it and return good results. Those are only two ideas. I think there can be many more. Like reverse-engineering the snet executable.

rovo89 commented 6 years ago

Is someone trying to patch SafetyNet, for example?

I guess that would indeed be necessary, but it will be a cat-and-mouse game. I'm too busy with getting Xposed itself running properly, so I don't have any plans to fight against SafetyNet. Maybe someone else will; the Xposed API should offer enough to take care of Java-side checks. This might not help for native checks and results processed on Google's servers though. For some applications, it might be easier to patch what the application does with the check result, instead of trying to make the checks green.
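
The comment above draws the line between checks an app performs on the client (reachable by hooks) and results that are evaluated elsewhere. As an added example that is not part of this thread or of Xposed, here is a Python sketch of the server side of that design: the app only relays the signed SafetyNet Attestation JWS, and the nonce binding, freshness, package identity and the ctsProfileMatch/basicIntegrity flags are all decided by the server. The package name, certificate digest, nonce and the signature_ok() callback are constructed stand-ins; a real deployment verifies the x5c chain against attest.android.com before trusting the payload.

```python
import base64
import json
import time

# Constructed sample attestation, not a real Google response. The JWS layout
# (header.payload.signature) follows the SafetyNet Attestation API, but the
# signature is a placeholder: checking the real x5c chain against
# attest.android.com is delegated to the caller-supplied signature_ok().
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

EXPECTED_PACKAGE = "com.example.bank"          # assumed package name
EXPECTED_DIGESTS = {b64url(b"\x11" * 32)}      # constructed signing-cert digest

def make_sample_jws(**overrides) -> str:
    payload = {
        "nonce": b64url(b"server-issued-nonce-0001"),
        "timestampMs": int(time.time() * 1000),
        "apkPackageName": EXPECTED_PACKAGE,
        "apkCertificateDigestSha256": sorted(EXPECTED_DIGESTS),
        "ctsProfileMatch": True,
        "basicIntegrity": True,
    }
    payload.update(overrides)
    header = b64url(b'{"alg":"RS256","x5c":[]}')
    return ".".join([header, b64url(json.dumps(payload).encode()), b64url(b"sig")])

def evaluate_attestation(jws, expected_nonce, signature_ok, now_ms=None, max_age_ms=120_000):
    """Server-side verdict (accepted, reasons). The app only relays the JWS, so
    hooking its Java-side handling of the result cannot change the outcome."""
    if not signature_ok(jws):
        return False, ["signature or certificate chain did not verify"]
    payload = json.loads(b64url_decode(jws.split(".")[1]))
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []
    if payload.get("nonce") != expected_nonce:
        reasons.append("nonce does not match the one issued for this session")
    if abs(now_ms - payload.get("timestampMs", 0)) > max_age_ms:
        reasons.append("attestation is stale or from the future")
    if payload.get("apkPackageName") != EXPECTED_PACKAGE:
        reasons.append("package name mismatch")
    if not EXPECTED_DIGESTS & set(payload.get("apkCertificateDigestSha256", [])):
        reasons.append("signing certificate digest mismatch")
    for flag in ("basicIntegrity", "ctsProfileMatch"):
        if not payload.get(flag):
            reasons.append(f"{flag} false")
    return not reasons, reasons
```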

IlyaGulya commented 6 years ago

Okay, if there's no one working on this problem, could you keep this thread open for people who will try to find someone? I will begin my own research then.

xerta555 commented 6 years ago

Is someone trying to patch SafetyNet, for example?

In the way of Lucky Patcher being a warez-type application, it would require a clever and experienced hacker to update each new version of its modification technique, regardless of the device, the version of Android used and the type of ROM.

As far as I know, Google Play Services provides the SafetyNet API. We can, for example, hook into it and return good results.

To do that, we would have to reverse the whole scan process and the result format, and I am sure that the Google API contains random values in certain cases.

If there was only one poor application to edit, I'm sure that someone would have already taken care of it, but in the case of SafetyNet there is also a whole process of communication with remote servers, and therefore several possible answers to take into account.

IlyaGulya commented 6 years ago

Yeah, I just found a great post with an explanation of how SafetyNet actually works. https://koz.io/inside-safetynet/

IlyaGulya commented 6 years ago

Looks like Snet is actually a Java class. It is downloaded from Google servers in compiled form. But if it runs in ART, I think we can hook into it.

IlyaGulya commented 6 years ago

We can use this blog post as a roadmap for a new SafetyNet heuristic bypass system 😃

IlyaGulya commented 6 years ago

First of all, I'm thinking about a way to collect the same data which SafetyNet collects, together with the SafetyNet Attestation result for this data, to find out how Google decides whether to fail ctsProfile or basicIntegrity. It will also help to detect changes in the future and react to them faster.

IlyaGulya commented 6 years ago

@rovo89 is it okay to use this thread for collecting info and people before I create a separate GitHub repo?

rovo89 commented 6 years ago

I'd prefer if you went to a separate repo. Right now, ~400 people are watching the Xposed repo and will get emails for every comment posted. Sure, every single person could unsubscribe from this particular issue, but it would be better if you just post the link here and maybe some significant updates.

IlyaGulya commented 6 years ago

Okay, I will move.

IlyaGulya commented 6 years ago

For everyone who is interested in participating in this topic, please move here: https://github.com/IlyaGulya/NoSafetyNet