Bad news: it is confirmed that for those who wants to re-lock their bootloader with self signed images (possible on Pixel devices), SafetyNet with HARDWARE-BACKED evaluation will still *NOT* pass CTS check.
45
110
532
Conversation
This is pretty much death penalty for root and custom ROM users who still uses Google Play Services and expect things to work like it used to be.
14
16
347
This Tweet is from a suspended account. Learn more
This Tweet was deleted by the Tweet author. Learn more
It's not a fuse, you can flash a Google signed image and it will pass cts again
1
1
Note that it's only a Google signed image for their own devices like Pixels. Hardware-based attestation provides a signed attestation with the lock state, verified boot state and verified boot key among other things. SafetyNet attestation can use it to check for green boot state.
1
1
Hardware-based attestation works for other operating systems like CalyxOS and GrapheneOS. SafetyNet attestation is specifically checking for the stock OS. The only way it would work for other OSes is if they went out of the way to explicitly whitelist aftermarket OS signing keys.
Those don't include Play Services anyway and SafetyNet is a Play Services component, so it doesn't really make sense. A banking app that doesn't want to depend on Play Services can use the hardware-based attestation API directly and whitelist specific aftermarket OS signing keys.
2
SafetyNet attestation is only relevant to apps with a hard dependency on Play Services. For apps without one, they can still use attestation via the hardware-backed keystore API and that API fully supports alternate OSes, unlike SafetyNet where it wouldn't really make sense.