Bad news: it is confirmed that for those who wants to re-lock their bootloader with self signed images (possible on Pixel devices), SafetyNet with HARDWARE-BACKED evaluation will still *NOT* pass CTS check.
45
110
532
Conversation
This is pretty much death penalty for root and custom ROM users who still uses Google Play Services and expect things to work like it used to be.
14
16
347
This Tweet is from a suspended account. Learn more
This Tweet was deleted by the Tweet author. Learn more
It's not a fuse, you can flash a Google signed image and it will pass cts again
1
1
Note that it's only a Google signed image for their own devices like Pixels. Hardware-based attestation provides a signed attestation with the lock state, verified boot state and verified boot key among other things. SafetyNet attestation can use it to check for green boot state.
Hardware-based attestation works for other operating systems like CalyxOS and GrapheneOS. SafetyNet attestation is specifically checking for the stock OS. The only way it would work for other OSes is if they went out of the way to explicitly whitelist aftermarket OS signing keys.
1
Those don't include Play Services anyway and SafetyNet is a Play Services component, so it doesn't really make sense. A banking app that doesn't want to depend on Play Services can use the hardware-based attestation API directly and whitelist specific aftermarket OS signing keys.
2
Show replies