Google’s SafetyNet services and APIs allow Android app makers to ensure that they’re running on phones that haven’t been tampered with… at least in theory.
In practice that would prevent you from running some Android apps on phones that have been rooted. But Magisk, the most popular tool for rooting smartphones also includes a “hide” feature that can trick SafetyNet (and other apps, games, and services) from noticing that your device has been rooted.
Or at least that used to be the case. It might not be true for much longer.
Magisk developer John Wu tweeted today that Google has “fixed” SafetyNet so that it uses “key attestation to verify device status.” The good news for folks who aren’t using rooted phones is that this will add a layer of security. The bad news for folks who are using Magisk is that a bunch of apps that rely on SafetyNet may no longer run on rooted phones.
John Wu says it may theoretically be possible to come up with temporary workarounds — but it will be difficult because hackers would have to find hardware vulnerabilities (which are rare) or vulnerabilities in the Trusted Execution Environment (which would likely be patched quickly).
There’s a bit of a grace period for current Magisk users — the feature’s not fully enforced yet. Wu suggests that may be because some devices from phone makers including OnePlus don’t seem to implement the keymaster function appropriately and would therefore fail to pass SafetyNet right now. But once those issues are addressed, the Magisk Hide feature will most likely fail to work.
While that won’t stop all Android apps from running on rooted devices, many popular apps do rely on SafetyNet, including:
- Pokemon Go
- Mario Run
- Android Pay
- Many banking apps
That said, this isn’t the first time John Wu has sounded an alarm… only to eventually find a workaround after all. It’s too early to know whether history will repeat itself, but odds are that as long as Google continues releasing new versions of Android and its related software and services, hackers will continue probing for ways to work around the limitations.