This is pretty much death penalty for root and custom ROM users who still use Google Play Services and expect things to work like they used to.
It's not a fuse, you can flash a Google signed image and it will pass cts again
Note that it's only a Google signed image for their own devices like Pixels. Hardware-based attestation provides a signed attestation with the lock state, verified boot state and verified boot key among other things. SafetyNet attestation can use it to check for green boot state.
Hardware-based attestation works for other operating systems like CalyxOS and GrapheneOS. SafetyNet attestation is specifically checking for the stock OS. The only way it would work for other OSes is if they went out of the way to explicitly whitelist aftermarket OS signing keys.
Those don't include Play Services anyway and SafetyNet is a Play Services component, so it doesn't really make sense. A banking app that doesn't want to depend on Play Services can use the hardware-based attestation API directly and whitelist specific aftermarket OS signing keys.
There are lots of banking apps without a hard dependency on Play Services. If they decide to use attestation as part of anti-fraud mechanisms (not sure exactly why they find it useful), I'm just explaining that they don't need to introduce a hard dependency on Play Services.
Instead of using SafetyNet attestation, they can use the hardware-backed keystore attestation API and whitelist devices with the green boot state OR yellow boot state with specific verified boot keys they've chosen to whitelist for OSes preserving the security model they expect.
That way they don't depend on Play Services and can still support operating systems without Play Services. There could also be devices with a non-Google attestation root and they'd just need to add that as a trusted attestation root to support another ecosystem of devices.
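The server-side policy described in the two replies above (accept a green verified boot state, or a yellow state only when the verified boot key is on an explicit allowlist, and only on a locked device), as an added example that is not code from anyone in this thread. It assumes the RootOfTrust layout of Android's key attestation schema (SEQUENCE of verifiedBootKey OCTET STRING, deviceLocked BOOLEAN, verifiedBootState ENUMERATED, verifiedBootHash OCTET STRING) and that the attestation certificate chain has already been verified against the deployment's trusted attestation roots before this structure is examined; the tiny DER encoder exists only to build constructed sample input offline.

```python
"""Policy check over an Android key attestation RootOfTrust (added example).

Assumption: the RootOfTrust bytes were taken from the attestation extension
(OID 1.3.6.1.4.1.11129.2.1.17) of a leaf certificate whose chain was already
verified up to a trusted attestation root. Chain verification is out of scope.
"""
from dataclasses import dataclass

# VerifiedBootState values from the Android key attestation schema.
VERIFIED, SELF_SIGNED, UNVERIFIED, FAILED = 0, 1, 2, 3


def _der_len(n: int) -> bytes:
    # DER length: short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_root_of_trust(boot_key: bytes, locked: bool, state: int, boot_hash: bytes) -> bytes:
    """Build a constructed RootOfTrust SEQUENCE; used only to make sample input."""
    return _der(0x30,
                _der(0x04, boot_key)
                + _der(0x01, b"\xff" if locked else b"\x00")
                + _der(0x0A, bytes([state]))
                + _der(0x04, boot_hash))


def _read_tlv(buf: bytes, off: int):
    """Read one DER tag-length-value at buf[off]; return (tag, value, next_offset)."""
    tag, first = buf[off], buf[off + 1]
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        off += 2 + n
    else:
        length, off = first, off + 2
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[off:off + length], off + length


@dataclass(frozen=True)
class RootOfTrust:
    verified_boot_key: bytes
    device_locked: bool
    verified_boot_state: int
    verified_boot_hash: bytes


def parse_root_of_trust(data: bytes) -> RootOfTrust:
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("RootOfTrust must be a single SEQUENCE")
    fields, off = [], 0
    while off < len(body):
        t, v, off = _read_tlv(body, off)
        fields.append((t, v))
    if [t for t, _ in fields] != [0x04, 0x01, 0x0A, 0x04]:
        raise ValueError("unexpected RootOfTrust field layout")
    return RootOfTrust(
        verified_boot_key=fields[0][1],
        device_locked=fields[1][1] != b"\x00",
        verified_boot_state=fields[2][1][0],
        verified_boot_hash=fields[3][1],
    )


def policy_accepts(rot: RootOfTrust, allowed_boot_keys: set) -> bool:
    """Green (Verified) on a locked device is accepted outright; yellow (SelfSigned)
    is accepted only if the verified boot key is on the operator's allowlist of
    aftermarket OS signing keys. Orange/red and unlocked devices are rejected."""
    if not rot.device_locked:
        return False
    if rot.verified_boot_state == VERIFIED:
        return True
    if rot.verified_boot_state == SELF_SIGNED:
        return rot.verified_boot_key in allowed_boot_keys
    return False


def evaluate(rot_der: bytes, allowed_boot_keys: set) -> bool:
    """Parse then apply policy; malformed input is a rejection, not an exception."""
    try:
        return policy_accepts(parse_root_of_trust(rot_der), allowed_boot_keys)
    except (ValueError, IndexError):
        return False


if __name__ == "__main__":
    # Constructed sample values, not real key hashes.
    custom_key, digest = b"\x11" * 32, b"\x22" * 32
    yellow = encode_root_of_trust(custom_key, True, SELF_SIGNED, digest)
    print("yellow, allowlisted key:", evaluate(yellow, {custom_key}))
    print("yellow, unknown key:   ", evaluate(yellow, set()))
```

The allowlist is the point of the design: the server operator, not Google, decides which aftermarket OS signing keys preserve the security model it expects, and adding another device ecosystem only means trusting another attestation root in the (separate) chain verification step.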
It's easy to use attestation on the server to verify clients. App developers can use it as generic anti-cheat, anti-fraud and anti-piracy for their server-based functionality. It should be expected that it will be widely used. I'm surprised the lower-level API wasn't widely used.
The hardware-based API is mandatory for devices launched with Android 8+. Whether or not Google adopted it for SafetyNet attestation, app developers had the option to use it themselves. Google is just gradually dealing with that for them now via the Play Services API for this.