Bad news: it is confirmed that for those who wants to re-lock their bootloader with self signed images (possible on Pixel devices), SafetyNet with HARDWARE-BACKED evaluation will still *NOT* pass CTS check.
45
110
532
Conversation
This is pretty much death penalty for root and custom ROM users who still uses Google Play Services and expect things to work like it used to be.
14
16
347
This Tweet is from a suspended account. Learn more
This Tweet was deleted by the Tweet author. Learn more
It's not a fuse, you can flash a Google signed image and it will pass cts again
1
1
Note that it's only a Google signed image for their own devices like Pixels. Hardware-based attestation provides a signed attestation with the lock state, verified boot state and verified boot key among other things. SafetyNet attestation can use it to check for green boot state.
1
1
Hardware-based attestation works for other operating systems like CalyxOS and GrapheneOS. SafetyNet attestation is specifically checking for the stock OS. The only way it would work for other OSes is if they went out of the way to explicitly whitelist aftermarket OS signing keys.
1
Those don't include Play Services anyway and SafetyNet is a Play Services component, so it doesn't really make sense. A banking app that doesn't want to depend on Play Services can use the hardware-based attestation API directly and whitelist specific aftermarket OS signing keys.
2
There are lots of banking apps without a hard dependency on Play Services. If they decide to use attestation as part of anti-fraud mechanisms (not sure exactly why they find it useful), I'm just explaining that they don't need to introduce a hard dependency on Play Services.
Instead of using SafetyNet attestation, they can use the hardware-backed keystore attestation API and whitelist devices with the green boot state OR yellow boot state with specific verified boot keys they've chosen to whitelist for OSes preserving the security model they expect.
2
That way they don't depend on Play Services and can still support operating systems without Play Services. There could also be devices with a non-Google attestation root and they'd just need to add that as a trusted attestation root to support another ecosystem of devices.
1
Show replies