Android - Magisk will fail Safety-Net hereafter. Why?

John Wu (Magisk Developer) posted updates today, which clarify the reasons.

Earlier, SafetyNet API wasn't fully / correctly implemented, the way it was meant to be:

  • Key Attestation

From what we've seen so far, key attestation doesn't seem to be fully enforced yet, as devices with incompatible, potentially buggy(?) keymaster implementations (e.g. some OnePlus devices) that result in attest key cmd failures still pass SafetyNet regardless.

  • Attestation was done locally

bootloader reports the device status via kernel cmdlines, and init will reflect them in properties, and apparently SafetyNet was using those values. All those stuff is in userspace, so Magisk can simply manipulate it

Now, with the Feature Preview: SafetyNet Attestation API evaluationType, there will be two types of evaluation, BASIC and HARDWARE_BACKED for a complete evaluation with remote validation (as against local) :

HARDWARE_BACKED - When we use the available hardware-backed security features of the remote device (e.g. hardware-backed key attestation) to influence our evaluation.

We’re currently evaluating and adjusting the eligibility criteria for devices where we will rely on hardware-backed security features.

Can this new system be hacked?

Looks very unlikely

  • Even if we force validation to use BASIC method, it won't be hidden

IMO it is theoretically possible to alter control flow in SafetyNet's code to force it to always use BASIC evaluation by using some hooking framework like Xposed, however these kind of code injection is basically impossible to hide (memory space analysis).

  • HARDWARE_BACKED is serious stuff and unlikely to be cracked since it involves TEE or hardware changes leading to cryptographic compromise (Robert also pointed out in comments)

To hack this thing, you have to either find a vulnerability in TEE firmware (which will be patched ASAP once found) or hardware (less likely to happen) to break the cryptography.

Breaking TEE won't be easy, which is why many security researchers are actively working on it.

(Emphasis added in all quotes)

How to check if Google has implemented hardware Attestation for my device?

Edit: Magisk canary has been updated to show evaluation status and once the API is implemented, you will see more details (failing SafetyNet). Or, follow instructions on this XDA post to check attestation method using logcat.

For more information, see "SafetyNet's hardware attestation will make hiding root in Magisk really hard".


Edited on 16 December 20

And the final nail in the coffin for fooling safety net detection

John Wu in

  • tweet says

HW based evaluation is impractical to "hack" (except tricks to make it fallback to basic), and I lost all interest in improving the current way of hiding.

  • Another tweet of 13 Dec 2020

If passing SafetyNet is the only use of Magisk for you, then yeah, bye 🙄 (in response to "So... magisk is completely useless right now?...")
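
For an app backend that consumes SafetyNet verdicts, the BASIC / HARDWARE_BACKED distinction described above can be enforced server-side. The following is an added example, not part of the original post and not Google's or Magisk's code: it assumes the JWS signature and certificate chain were already verified elsewhere, the function names are hypothetical, and the fields other than `evaluationType` are the standard SafetyNet response fields rather than something this page lists.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWS segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_payload(jws: str) -> dict:
    """Return the JSON payload of a compact JWS (header.payload.signature)."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def evaluate(payload: dict, expected_nonce: bytes, require_hardware: bool = True):
    """Apply a relying-party policy to a payload whose signature is assumed verified."""
    reasons = []
    # The response echoes the request nonce, base64-encoded.
    if base64.b64decode(payload.get("nonce", "")) != expected_nonce:
        reasons.append("nonce mismatch")
    if payload.get("basicIntegrity") is not True:
        reasons.append("basicIntegrity false")
    if payload.get("ctsProfileMatch") is not True:
        reasons.append("ctsProfileMatch false")
    # evaluationType is a comma-separated list, e.g. "BASIC,HARDWARE_BACKED".
    raw = payload.get("evaluationType", "")
    types = {t.strip() for t in raw.split(",") if t.strip()}
    if require_hardware and "HARDWARE_BACKED" not in types:
        # A verdict forced down to BASIC is still visible to the server here.
        reasons.append("verdict not hardware-backed")
    return (not reasons, reasons)


def make_sample(evaluation_type: str, nonce: bytes) -> str:
    """Build a constructed sample token; the signature segment is a placeholder."""
    def enc(obj):
        data = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    payload = {
        "nonce": base64.b64encode(nonce).decode(),
        "basicIntegrity": True,
        "ctsProfileMatch": True,
        "evaluationType": evaluation_type,
    }
    return ".".join([enc({"alg": "RS256"}), enc(payload), "c2ln"])
```

With `require_hardware=True`, a verdict that passes both integrity flags but reports only `BASIC` is rejected, so a client-side fallback to basic evaluation does not go unnoticed by the server.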


It appears that Google may have chosen not to enforce this checking, even though it was implemented for a short while (a few days?). At first, the Magisk developer, John Wu, sounded quite pessimistic about it, going even so far as to say that the fun was over.

A few days after the tweets from John Wu that were referenced in the question, however, on March 14, John Wu tweeted again, and this time he said

So apparently CTS is just passing again out of nowhere? Maybe Google is still testing things out?

I'm over it anyways. Google is apparently willing to use key attestation for detection. Since MagiskHide is still there, people can still always use it as usual.

In my own test in late May 2020, with MagiskHide not enabled, SafetyNet failed, but with MagiskHide enabled and targeting my test app, SafetyNet passed, meaning that MagiskHide could still defeat SafetyNet. The test was run on a Pixel 3 with Android 10.

So, Google may have the capability to detect Magisk, since the boot loader check had been moved into the TEE, but they have somehow stopped doing that, for reasons known only to Google.