Conversation

So here we go, after years of fun messing around using Magisk, it seems that Google FINALLY decided to "fix" SafetyNet to something useful, and that is to use key attestation to verify device status (after 3 years since introduced to Android's platform!)

255

816

Replying to

very interesting. Do you have more details on which part of the "device status" are they checking with attestation? I'm curious about how TEE can retrieve info about the overall system in a "trusted" / non hackable way

Replying to

and

I'm curious because even for "basic" things like "getting the real IDs", they need to "creating copies of the device's hardware identifiers that only the Trusted Execution Environment (TEE) can access before the device leaves the factory." ref:

source.android.com

Key and ID Attestation | Android Open Source Project

Replying to

and

ID attestation is an extension to the baseline key attestation functionality. The baseline functionality also requires that the device has it set up in factory and it has been mandatory for every device launched with Android 8 or later. It's a standard feature across the board.

1:03 PM · Mar 11, 2020Twitter Web App

Replying to

and

Look at developer.android.com/training/artic for the developer documentation instead of the security feature page. Alternatively, read attestation.app/about about the Auditor app, which uses key attestation as part of providing hardware-based device security verification / monitoring.

attestation.app

Auditor overview

Overview of the Auditor Android app and associated service.