Closed topjohnwu closed 4 years ago
I'd like to join the discussion for MagiskHide.
However, before discussing, I must know the idea from you:
- hijack app, then hide. The implementation is like this. In this way, as app is hijacked, normally, there is a way to find it.
- hide before hijack. If you want to implement this, I will continue.
@liudongmiao welcome :), I've heard many things about you through @vvb2060. If you'd like to join, give me your email address and I'll invite you to the Slack group.
The 2nd method seems more reliable, but is there any method making all apps except magisk manager (obfuscated package itself) in magisk-hided by default (i.e. change from black-list to white-list approach)?
Even it is hard to do so at this moment, as the kernel itself could not prescient the obfuscated manager package in any means.
But anyway, it is strange that apps in Google Store (and Policy) could do anything tamper the system to anti-root/modification likely as Trojans and no one could stop that.
@liudongmiao @KagefumiMerry check e6b1254d0d6de7cf8ec60164a2bf30e52e48f884
MagiskHide on any build not working with Google Pay
@topjohnwu I never build successfully. And I'm lazy to fix the requirements, will just wait for your build.
*** Android NDK: Invalid NDK_TOOLCHAIN_VERSION value: 4.9. GCC is no longer supported. See https://android.googlesource.com/platform/ndk/+/master/docs/ClangMigration.md.
It seems something related with busybox.
Hi @topjohnwu It seems that anyone on the beta version of Google Play Services which is v16 or higher, Magisk fails the SafetyNet checks.
Reminder to everyone, that downgrading or leaving the Google Play Services beta will fix your Magisk SafetyNet failures.
The version should be v15, not v16 or higher. Find the APK of Google Play Services on apkmirror and then sideload it (if you don't know how to do that, just Google it!)
Thanks,
Slats
@liudongmiao I fixed some build issues, please check again
That I did not know (about the beta version) and it made me check! I did have beta services installed. Not sure if it impacted my issues directly but no harm in testing. Thanks for sharing.
Google pay not working again
Xiaomi Note 5, Google Play Services 16.0.87 SafetyNet working fine
@hexdra May I please know what version of Magisk (Stable/Canary) and if safetynet is true throughout the course of using your device? Because some users experience MagiskHide working for sometime, but then fail.
Can anyone please tell me what Magisk Canary or Stable works with what Google Play Services which then works with Google Pay? Right now I'm on the Play Services Beta with the latest Magisk Canary build with magiskhide enabled but doesn't work!
Magisk Build 17.2 & Magisk Manager 6.1.0 seem to work fine with Google Pay and Google Play Store is certified. It's only the builds later on which are causing problems.
(Edit: Just added an extra line)
@Slats2 @microtechton I'm using Magisk Stable 18.1. Maybe try MagiskHide Props Config module.
MagiskHide is detected on UDS and STAT.
Hi,
I've been looking into this, here's what I did and found out:
A few days after updating to 18.2 Canary I tried enabling in-store payments and Google Pay said the phone was rooted or altered. I then wiped /data/data/com.google.android.gms in recovery, and it worked again for approximately 12 hours (with default MagiskHide settings, only "unstable" enabled in the list). I then wiped data again and enabled MagiskHide on all the Play Services + Google Pay, and it worked for several days, so I considered it to be a pass.
I then disabled MagiskHide on Google Pay and it still worked for several days.
Thus:
- the result of the google pay root check is stored in the /data/data/com.google.android.gms folder (Google Play Services data folder), for all other apps Android just wipes the /data/data folder but that's not the case for Play Services as there's a custom UI for deleting data which doesn't seem to remove everything, and obviously, this data isn't removed. You can wipe /data/data/com.google.android.gms in recovery to remove the result of the check.
- the check is done apparently randomly in the span of a day or two. That's probably to achieve what happened in this thread, conflicting reports and people having no idea what triggers the check and how to deal with it.
- the check is done by Google Play Services, but by something other than the "unstable" (SafetyNet) process.
- not sure about this one, but given that Magisk 18.1 and older have imperfect MagiskHide functionality (the hiding can be "raced" and thus defeated with some tricks, according to John himself), it's possible Google is also doing that. Using 18.2 is your best bet as it enables hiding on a process as soon as possible.
I'm now trying to pinpoint which component of play services is doing the check, so the default MagiskHide list can be updated (I'll report on GitHub once I'm sure).
Reporting that renaming com.google.android.gms to com.google.android.gms.bak worked for me. I was able to successfully add a card where before it was detecting root.
- Magisk Canary 18.2-945f8810
- Magisk Manager 7.0.0-8893cbd6
- Magisk Hide on all Google Pay and Google Play Services
- Google Pay 2.84.237487748
- Google Play Services 15.0.90
- Nokia 6.1 (2018)
- February 2019 Security Update
- Stock Rooted
@Slats2 At least credit the person you stole that post from. You didn't do the work, they did. https://forum.xda-developers.com/showpost.php?p=79171459&postcount=469
I managed to do the same research, but did want to write the whole thing out, I also did change stuff around in it!!!
So I did use it as a template, so back off! BIG DEAL!
@Slats2 Just want to put it on record that copy-pasting someone else's work (and there's nothing changed, nothing, you only added the last part about renaming the folder which you also copy pasted from here: https://forum.xda-developers.com/showpost.php?p=79152118&postcount=340) without giving any kind of credit is a crappy move.
Trying to score some kind of confirmation points by piggybacking off of someone else's hard work and research is a big deal. Don't...
If you really did any kind of research into this, that became null and void as soon as you did this. Your credibility is now zero.
If you're not aware "root beer fresh" (available on Play Store https://play.google.com/store/apps/details?id=com.kimchangyoun.rootbeerFresh.sample) is using a new method to successfully detect Magisk. The new method is "Magisk Unix Domain Socket(UDS) and File Stat Check Added".
It's open source if you want to check it out. https://github.com/KimChangYoun/rootbeerFresh
@jancm
For UDS: I have reported UDS to @topjohnwu (via a friend) some days ago, and it should have been fixed last month. However, if someone is using Magisk, it can be detected.
For File Stat Check, I told a friend last year; however, it's unstable for third-party ROMs. Some ROMs would modify file stat after OTA.
And there's the maps and mapinfo check. I have reported it to @topjohnwu too (via a friend). It shouldn't be detected in the latest Magisk; however, it can be detected if a Magisk module modifies system.
And for those guys who want to detect root, you can look for Genuine. It checks many things, except root.
@jancm And, /proc/net/unix is unavailable in Android Q (no permission).
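The UDS check discussed in the comments above works from the kernel's Unix-socket table at /proc/net/unix. As an added example (not code from rootbeerFresh, Magisk, or anyone in this thread), the C below parses that table, counts abstract-namespace sockets, and reports the unreadable-table case mentioned for Android Q. The sample table is constructed, the function names are hypothetical, and the "32 alphanumeric characters" heuristic is an assumption made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/net/unix format (not captured from a device). */
static const char SAMPLE[] =
    "Num       RefCount Protocol Flags    Type St Inode Path\n"
    "0000000000000000: 00000002 00000000 00010000 0001 01 10234 /dev/socket/logd\n"
    "0000000000000000: 00000003 00000000 00000000 0001 03 20111\n"
    "0000000000000000: 00000002 00000000 00010000 0001 01 20417 @jdwp-control\n"
    "0000000000000000: 00000002 00000000 00010000 0001 01 31877 @k3Jq9ZxT0bLmW2vYc8RnE5uHs1PdA7fG\n";

/* Assumed heuristic: a name of exactly 32 alphanumeric characters looks random. */
static int looks_random(const char *name) {
    if (strlen(name) != 32) return 0;
    for (; *name; name++)
        if (!isalnum((unsigned char)*name)) return 0;
    return 1;
}

/* Returns sockets matching the heuristic; *abstract_total gets all '@' names. */
int scan_unix_table(const char *text, int *abstract_total) {
    int hits = 0;
    *abstract_total = 0;
    for (const char *line = text; *line; ) {
        size_t len = strcspn(line, "\n");
        char buf[256], path[128];
        snprintf(buf, sizeof buf, "%.*s", (int)len, line);  /* copy one row */
        /* Seven fixed columns, then an optional path (absent if unbound). */
        if (sscanf(buf, "%*s %*s %*s %*s %*s %*s %*s %127s", path) == 1 && path[0] == '@') {
            (*abstract_total)++;
            hits += looks_random(path + 1);
        }
        line += len;
        if (*line == '\n') line++;
    }
    return hits;
}

/* Returns -1 when the table is unreadable, e.g. no permission on Android Q. */
int scan_device(int *abstract_total) {
    static char text[1 << 16];
    FILE *f = fopen("/proc/net/unix", "r");
    if (!f) return -1;
    text[fread(text, 1, sizeof text - 1, f)] = '\0';
    fclose(f);
    return scan_unix_table(text, abstract_total);
}

int main(void) {
    int total, dev_total, hits = scan_unix_table(SAMPLE, &total);
    printf("sample: %d abstract, %d suspicious; device: %d\n", total, hits, scan_device(&dev_total));
    return 0;
}
```

A return of -1 from `scan_device` means the check could not run at all, which a caller should treat as "unknown" rather than as a clean result.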
Can anyone find out what root detection method is being used by these apps: https://play.google.com/store/apps/details?id=com.hyundaicard.appcard https://play.google.com/store/apps/details?id=com.btckorea.bithumb ? They are using the same security solution, Lockin Company's Liapp(https://liapp.lockincomp.com/ ).
There is a trick for google pay to work and that is:
Go to settings > apps > Google play services > permissions > Turn off the Telephone permission.
then install google pay it will work
Or by command
magiskhide --add com.google.android.apps.nbu.paisa.user
pm revoke com.google.android.gms android.permission.CALL_PHONE
This works in my case.
It looks like that those two apps are using UDS method, since it saves all UDS information on (private data)/files/dxshield.map.
I made a simple script to bypass UDS detection. It is available here: https://github.com/Ingan121/UDSBypass
I can confirm Magisk hide is working fine on a Moto G7, Android 9 with Magisk v18.1
Google pay is the only thing I've found that using magisk hide on doesn't work, but I don't have NFC so it doesn't affect me. Also absurdly CPU-Z can recognize root
I can confirm apps like Sophos Mobile Security, Capital One, PayPal, etc do not detect root with them in magisk hide. On top of that, Android setting does not recognize my bootloader being unlocked (under OEM unlock it doesn't say bootloader already unlocked)
I can confirm 19.0 beta hide works way better
Thanks for all your hard work @topjohnwu. If I knew more about this stuff, I'd certainly offer to help
Revue Starlight Re LIVE detect Root with magisk hide
Any idea what Snapchat uses to detect root or system changes?
When does it detect root? I had no problems while just starting the app.
SC detects something right after starting the app up on my Pixel 3 XL and locks me out. I have a Nexus 6P with the same installed apps, running Pie just like the P3XL, both with the same Magisk Canary builds and settings but the N6P never gets blocked. Thoughts?
the decision is that I will ignore all 'hide not working' reports from now on.
Does this just mean you won't be looking into obscure root detection methods used by specific apps, or is Magisk Hide actually not getting any more developer support at all?
Is it still going to be updated to keep passing SafetyNet (at least BasicIntegrity)?
Assuming the Magisk project as a whole is still moving forward, it seems like it would be odd to stop supporting the main thing that sets it apart from the simpler non-masked root solutions (such as Superuser) that don't bother trying to placate root-hating apps.
I don't think that's what this is saying, but it could be read that way and I'm not really sure.
please i want hide Samba banking app.
@nlburgin MagiskHide is of course not abandoned and is continuing to improve alongside Magisk. What this means is that any request to look at a specific apps root detection will be ignored.
@fox215 Tested and it was rather easy. Manager repackaged and the app on the Hide list was all it took... https://www.didgeridoohan.com/magisk/MagiskHide#hn_Hiding_root_from_apps
thank you i try but can not open root detected .
@androidneha maybe your method to make pay used to work but now pay won't run if phone permission isn't given to play Services
What about the system apps? Hide does not work on those either, apps such as Youtube Music, Google Play Music, Google Play Film, Google News...
I have a Pixel 3 (blueline) with the May 5th security patch.
Guys i have same issue with google apps i also check from system apps in magisk hide but some apps like chrome not shown.
Like before i also check system apps and there is no way to hide root.
List: youtube and chrome
Please stop trying to hide chrome. I have seen people elsewhere wondering why they can't do that. It's intended: https://github.com/topjohnwu/Magisk/blob/bf9ac8252bea97b8900492a0dafefb1c1ab2bd92/app/src/main/java/com/topjohnwu/magisk/data/repository/MagiskRepository.kt#L95
https://twitter.com/topjohnwu/status/1039528958289760256
And for youtube you should activate "show system apps" but there is no point in hiding youtube.
With newest Update (19306) Rootbeerfresh cant detect magisk anymore, nice work John Wu.
I was not able to get the following app to work with magisk hide: https://play.google.com/store/apps/details?id=de.direkt1822.tanplus
I followed the tutorial with all options for hiding, but the only thing that made the app work in the end was uninstalling magisk completely.
I tested with both the stable and canary versions of magisk.
With Magisk stable (19.3/7.3.2) and canary (19.4-084b451e (19308)/7.3.3-86481c74 (233)) and recent versions of LineageOS 16, the open-source RootBeer library detects su binary, su exists and root native.
This doesn't occur on older LineageOS 16 builds. Hiding succeeded in LOS 15 and in LOS 16 builds at least until May 2019, but on LOS 16 it required uninstall and reinstall of Magisk after each LOS update.
Logs with canary debug (19.4-084b451e (19308)/7.3.3-86481c74 (233)): 2019-09-09_10.08.zip
EDIT: This has been fixed, either by LineageOS 16.0-20190912, or by formatting data (internal storage), wiping all partitions, flash LOS + gapps, reboot system, reboot recovery, flash Magisk canary.
EDIT 2: The fix only lasted a few days, see this post below.
@elahn thanks, I'm on the LOS 16 07-07-19 build. I see in the XDA thread some 09-07 builds, https://forum.xda-developers.com/galaxy-s9/samsung-galaxy-s9--s9-cross-device-development/rom-t3945595/post80222300#post80222300, but don't see any 09-12 builds. Can you reference where you're seeing that build? Can't find it.
I'm running that LOS build, and Magisk canary 7.3.3-f383d11d (234), 19.4-f383d11d (19309). SafetyNet passes, SELinux is disabled (from Magisk), and GooglePay won't setup any CC for NFC payments.
EDIT: And just saw the Rootbeerfresh in this thread, cool. Currently, it sees Root Management Apps, and SELinux flag is enabled fails (as it's disabled).
EDIT2: And now I see a 09-11 build https://forum.xda-developers.com/galaxy-s9/samsung-galaxy-s9--s9-cross-device-development/rom-t3945595/post80235190#post80235190
Hi, @Drizzt321. Unfortunately, after several days on LOS 16.0-20190912, RootBeer started detecting su binary, su exists and root native again.
Magisk canary debug 19.4-f383d11d (19309)/7.3.3-f383d11d (234) and LOS 16.0-20190916 didn't fix it. Logs: 2019-09-19_09.46.zip
This means it was the super clean install that fixed the issue for a short time, not that particular LOS nightly. In that time I updated apps through Play Store and restored some app data using oandbackup. I don't know when I'll be able to, but I'll try a super clean install, then not update or restore anything and see if that lasts; if not, it'll show the issue is endemic to LOS, Magisk or a combination of both.
On my kltedv (Samsung Galaxy S5, SM-G900i) with plain LOS with no apps, no Magisk, RootBeer detects dangerous props and selinux flag enabled. Magisk hides both of those permanently. The RootBeer Sample app is on Play Store and the library is open source on GitHub.
@elahn Blast! That sucks :(
I suspect it might be in part that you probably had to update the Play Store to load apps from it. I suspect I'm so close. I've tried getting my selinux back to enabled, but can't seem to override Magisk, even via doing the config-props module to set the ro.build.selinux back to 1, but that didn't seem to do anything. The Trust setting section still shows it disabled.
Like I said, rootbeerfresh, at least from the App Store, nearly passes everything, just 2 things. So close...
@Drizzt321 Great news, all rootbeer checks are passing!
I uninstalled Magisk using the latest installer in TWRP, updated to lineage-16.0-20191016-nightly-kltedv (dirty flash), cleared cache & dalvik, rebooted into system, rebooted into TWRP, installed Magisk 20.1-59fd38bb (20001)-debug, rebooted into system, installed Magisk Manager 7.3.5-5ffb9eaa (246)-debug, hide Magisk Manager.
Since then I've installed an app through Play Store, rebooted and everything is still perfect. Thank you, topjohnwu & contributors for all your great work!
Any further "MagiskHide" and related root hiding development will no longer be in the official Magisk repo and will not be done by topjohnwu, so all Issues along these lines will be immediately closed.
See: https://topjohnwu.medium.com/state-of-magisk-2021-fe29fdaee458 And: https://twitter.com/osm0sis/status/1431948577627119618
You may check this unofficial off-site documentation for any updates going forward: https://www.didgeridoohan.com/magisk/MagiskHide