SafetyNet vs MagiskHide: what's the status now in mid 2020?


Question

As widely reported on different sites, and also discussed on this site (here and here), earlier this year, Google made changes to SafetyNet so that it could detect bootloader/verified boot status even with MagiskHide enabled. The developer of Magisk, John Wu, at that time tweeted that because Google was using the Trusted Execution Environment (TEE), its check on bootloader status could not be defeated. For example, he wrote:



this new update utilizes hardware-based key attestation. It will send an unmodified keystore certificate to SafetyNet servers, verify its legitimacy, and check certificate extension data to know whether your device have verified boot enabled (bootloader status)


Unless there is serious implementation bugs in your ARM TrustZone (or security co-processor like Google's Titan M), you cannot break the cryptography.



He basically concluded:



Let's face it. Fun is over guys.



Yet, on March 14, John Wu tweeted:



So apparently CTS is just passing again out of nowhere? Maybe Google is still testing things out?


I'm over it anyways. Google is apparently willing to use key attestation for detection. Since MagiskHide is still there, people can still always use it as usual.



And another tweet from him on April 3 that I didn't quite understand:



THE BIG GOOGLE HAMMER IS BACK!
Say bye bye to SafetyNet, we'll (not) miss you...



Did that mean Google would somehow be removing SafetyNet, or at least not utilizing its capabilities to detect bootloader status?


So there was some doubt beginning to surface in mid March. In my own test in late May 2020, with MagiskHide not enabled, SafetyNet failed, but with MagiskHide enabled and targeting my test app, SafetyNet passed, meaning that MagiskHide could still defeat SafetyNet. The test was run on a Pixel 3 with Android 10.


So, Google may have the capability to detect MagiskHide, and it was working out in the field with real devices, but they have somehow stopped doing that? Does anyone know what is going on with SafetyNet? Was the feature temporarily reverted? Will it be coming back to SafetyNet, and if so, when?


Answer

(29 June 2020) It looks like Google is just being cautious, and preparing a new field in the SafetyNet response.


According to the SafetyNet API Clients Team



We have started rolling out a new feature that will provide developers with insight into the types of signals/measurements that have contributed to each individual SafetyNet Attestation API response.


Our JWS responses now have a new optional field named evaluationType.
The value of this field will be a list of comma-separated string tokens, where each token represents an enum-like value.


Currently, the following string tokens may be indicated:



  • BASIC - When we use typical signals and measurements along with reference data during our evaluation.

  • HARDWARE_BACKED - When we use the available hardware-backed security features of the remote device (e.g. hardware-backed key attestation) to influence our evaluation.


Examples of field values that you may expect:



  • { "evaluationType": "BASIC" }

  • { "evaluationType": "BASIC,HARDWARE_BACKED" }


We’re currently evaluating and adjusting the eligibility criteria for devices where we will rely on hardware-backed security features. So please do not use the presence or value of this field as a signal by itself (for now).


Note that this feature has not been officially documented yet. Presently, we’re only communicating it to this announcement-list to collect feedback.


We encourage you to use our feedback form based on your experience with this new feature as well as the overall service.


Thanks & Regards,
SafetyNet API Clients team



So once testing for this new feature is completed, it looks like hardware-backed key attestation will be put in place. Which means, from then on, SafetyNet would be able to detect bootloader/verified boot status even with MagiskHide enabled.


John Wu is still fighting back


(updated on 29 June 2020)


John Wu is trying to persuade Google to not blindly apply SafetyNet hardware-backed attestation across the board. He tweeted:



I advocate
@AndroidDev
to restrict hardware-backed SafetyNet evaluation to "real" security sensitive apps. Developers should go through an application process to qualify this level of API access. It is ridiculous for McDonalds to refuse to run on a bootloader unlocked device.



Meanwhile, it appears that the SafetyNet checks will still fail even if the bootloader is re-locked, as we see here, tweeted 3 July 2020



Bad news: it is confirmed that for those who want to re-lock their bootloader with self-signed images (possible on Pixel devices), SafetyNet with HARDWARE_BACKED evaluation will still NOT pass the CTS check.



(Updated on 13 Dec 2020) John Wu now tweets



Let me get this out of the way: since I have a full time job now, I don't have much time for Magisk; I need prioritization. HW based evaluation is impractical to "hack" (except tricks to make it fallback to basic), and I lost all interest in improving the current way of hiding.
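The announcement quoted in the answer describes the shape of the new field but not what a server should do with it. The following is an added example, not code from the question, the answer, Google or the Magisk project: it parses a SafetyNet attestation JWS (compact serialization), splits the comma-separated `evaluationType` tokens, and builds a verdict from the documented fields (`nonce`, `apkPackageName`, `timestampMs`, `ctsProfileMatch`, `basicIntegrity`) while only logging whether `HARDWARE_BACKED` was present, as Google asks. The sample responses, the placeholder certificate, the signature bytes and the "current time" are all constructed for the demonstration; signature verification against the `x5c` chain is deliberately left as a documented step, since it cannot be done offline without a real Google-signed response.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWS compact serialization strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_attestation_jws(jws: str) -> dict:
    """Split a SafetyNet attestation JWS into its header and payload.

    This does NOT verify the signature. A production verifier must validate
    the x5c certificate chain in the header against a trusted root, check that
    the leaf certificate is issued to attest.android.com, and verify the
    signature over header.payload before trusting anything in the payload.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS in compact serialization")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return {"header": header, "payload": payload}


def evaluation_types(payload: dict) -> set:
    """evaluationType is optional and comma-separated; tolerate its absence."""
    raw = payload.get("evaluationType", "")
    return {tok.strip() for tok in raw.split(",") if tok.strip()}


def assess(payload: dict, expected_nonce: str, expected_package: str,
           now_ms: int, max_age_ms: int = 5 * 60 * 1000) -> dict:
    """Server-side decision on one attestation payload.

    The verdict is built from nonce, package name, freshness, ctsProfileMatch
    and basicIntegrity. evaluationType is surfaced for logging only, matching
    Google's request not to use it as a signal by itself.
    """
    reasons = []
    if payload.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch (replayed or foreign response)")
    if payload.get("apkPackageName") != expected_package:
        reasons.append("apkPackageName mismatch")
    ts = payload.get("timestampMs", 0)
    if not (now_ms - max_age_ms <= ts <= now_ms):
        reasons.append("stale or future timestampMs")
    if payload.get("ctsProfileMatch") is not True:
        reasons.append("ctsProfileMatch false")
    if payload.get("basicIntegrity") is not True:
        reasons.append("basicIntegrity false")
    types = evaluation_types(payload)
    return {
        "passed": not reasons,
        "reasons": reasons,
        "evaluation": sorted(types),
        "hardware_backed": "HARDWARE_BACKED" in types,
    }


def make_sample_jws(payload: dict) -> str:
    # CONSTRUCTED sample: the header certificate and the signature are
    # placeholders, not a real Google-signed response; only exercises the parser.
    header = {"alg": "RS256", "x5c": ["<placeholder-cert>"]}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


NOW_MS = 1_590_000_000_000  # constructed "current time" near late May 2020

# Constructed payloads mirroring the cases discussed on the page.
BASIC_PASS = {  # MagiskHide hiding root, only basic evaluation in use
    "nonce": "abc123", "timestampMs": NOW_MS - 1000,
    "apkPackageName": "com.example.testapp", "ctsProfileMatch": True,
    "basicIntegrity": True, "evaluationType": "BASIC",
}
HW_FAIL = {  # unlocked bootloader seen through hardware-backed key attestation
    "nonce": "abc123", "timestampMs": NOW_MS - 1000,
    "apkPackageName": "com.example.testapp", "ctsProfileMatch": False,
    "basicIntegrity": True, "evaluationType": "BASIC,HARDWARE_BACKED",
}
REPLAYED = dict(BASIC_PASS, nonce="old-nonce")  # response captured for another nonce


def run_samples() -> dict:
    """Return the verdict for each constructed response, keyed by case name."""
    out = {}
    for name, p in (("basic_pass", BASIC_PASS), ("hw_fail", HW_FAIL),
                    ("replayed", REPLAYED)):
        payload = parse_attestation_jws(make_sample_jws(p))["payload"]
        out[name] = assess(payload, "abc123", "com.example.testapp", NOW_MS)
    return out


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(name, verdict)
```

The `hw_fail` case is the one John Wu describes: with `HARDWARE_BACKED` present, `ctsProfileMatch` comes back false on an unlocked bootloader regardless of MagiskHide, and the verdict fails on that field alone. A server that logs the `hardware_backed` flag per device can see how often Google's rollout actually applied hardware evaluation, without making the decision depend on it.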


