Google’s SafetyNet services and APIs allow Android app makers to ensure that they’re running on phones that haven’t been tampered with… at least in theory.

In practice that would prevent you from running some Android apps on phones that have been rooted. But Magisk, the most popular tool for rooting smartphones, also includes a “hide” feature that can keep SafetyNet (and other apps, games, and services) from noticing that your device has been rooted.

Or at least that used to be the case. It might not be true for much longer.

Magisk developer John Wu tweeted today that Google has “fixed” SafetyNet so that it uses “key attestation to verify device status.” The good news for folks who aren’t using rooted phones is that this will add a layer of security. The bad news for folks who are using Magisk is that a bunch of apps that rely on SafetyNet may no longer run on rooted phones.

John Wu says it may theoretically be possible to come up with temporary workarounds — but it will be difficult because hackers would have to find hardware vulnerabilities (which are rare) or vulnerabilities in the Trusted Execution Environment (which would likely be patched quickly).

There’s a bit of a grace period for current Magisk users — the feature’s not fully enforced yet. Wu suggests that may be because some devices from phone makers including OnePlus don’t seem to implement the keymaster function appropriately and would therefore fail to pass SafetyNet right now. But once those issues are addressed, the Magisk Hide feature will most likely fail to work.

While that won’t stop all Android apps from running on rooted devices, many popular apps do rely on SafetyNet, including:

  • Netflix
  • Snapchat
  • Pokemon Go
  • Mario Run
  • Android Pay
  • Many banking apps

That said, this isn’t the first time John Wu has sounded an alarm… only to eventually find a workaround after all. It’s too early to know whether history will repeat itself, but odds are that as long as Google continues releasing new versions of Android and its related software and services, hackers will continue probing for ways to work around the limitations.

via /r/Android


5 Comments


  1. Google is evil. “Android development” is an oxymoron — the platform serves the primary purpose of selling what we neither need nor want.

  2. On the upside, phones these days are rather powerful, so maybe in the future we can have full Linux phones that can just run an Android emulator to let you have your cake and eat it too. I’m not rooting to steal your credit card information, or to have free tokens in whatever is the current Candy Crush thing, I’m trying to keep ads away from all the apps with super-strict system level firewall rules. Actually after thinking about it this might be the reason Google is annoyed with rooting.

    1. No.
      Phones are not powerful or advanced enough to run Mobile Linux, and emulate Android. As hardware advances, software requirements increase exponentially (so you pretty much never keep up). The best solution is, and has always been, to use Custom Rom on a carefully chosen device variant. Because we live in the “Darkest Timeline” where no Linux Distro made its way into the mainstream (MeeGo and Tizen were close).

      If Android gets more and more restricted, it will just mean the end of the enthusiasts. You will have to choose between a fully-ad and flustering experience. Or an experience where you have root, but lack to use some (crucial) Apps. Basically, it will be like Jailbreaking on iPhones.

  3. Screenshot is a bit random, it should show Magisk Installed but ctsProfile: false, which is how it looks on my Pixel 2.