So here we go, after years of fun messing around using Magisk, it seems that Google FINALLY decided to "fix" SafetyNet to something useful, and that is to use key attestation to verify device status (3 years after it was introduced to the Android platform!)
From what we've seen so far, key attestation doesn't seem to be fully enforced yet, as devices with incompatible, potentially buggy (?) keymaster implementations (e.g. some OnePlus devices) that result in attest key command failures still pass SafetyNet regardless.
To hack this thing, you have to either find a vulnerability in the TEE firmware (which will be patched ASAP once found) or in the hardware (less likely to happen) to break the cryptography. Breaking the TEE won't be easy, which is why many security researchers are actively working on it.
We might be able to hack around it temporarily by forcing key attestation failure, faking the reported keymaster version, manipulating cached check results, etc., but all of them are meaningless after this change is fully deployed AND properly implemented. Let's face it. Fun is over, guys.
No, since the hardware-based attestation is verified on Google's SafetyNet servers, and then the SafetyNet result is supposed to be verified by the app's servers. The only way to bypass it is by signing a fake result with a leaked batch key from exploiting a TEE / SE.
Yeah, but currently Google seems to always fall back to basic mode if AndroidKeyStore throws an exception. We have tried to just nuke the code handling that by hooking it, and it worked. But still, it is just a matter of time before they fix it "properly".
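To make the mechanism the thread is arguing about concrete, here is the client side of hardware key attestation as an app (or SafetyNet's own collection step) would drive it. This is an added example, not code from the thread's authors or from Magisk or SafetyNet; the alias name `attest_probe` and the `Outcome` enum are assumptions chosen for illustration, and the challenge bytes are assumed to come from the verifying server. It distinguishes the three outcomes the replies above touch on: a leaf certificate that carries the attestation extension, a key that was generated but without one, and the keymaster/AndroidKeyStore exception path that the last reply describes as triggering the fallback to basic mode.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.ProviderException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/** Added example: obtains a hardware attestation chain for a server-supplied challenge. */
public final class AttestationProbe {
    // OID of the Android key attestation extension carried in the leaf certificate.
    private static final String KEY_ATTESTATION_OID = "1.3.6.1.4.1.11129.2.1.17";
    // Hypothetical key alias; any app-private alias works.
    private static final String ALIAS = "attest_probe";

    /** Outcome type is an assumption of this example, not an Android API. */
    public enum Outcome { ATTESTED, NO_ATTESTATION_EXTENSION, KEYSTORE_FAILED }

    public static final class Result {
        public final Outcome outcome;
        public final Certificate[] chain; // null unless outcome == ATTESTED
        Result(Outcome outcome, Certificate[] chain) { this.outcome = outcome; this.chain = chain; }
    }

    /**
     * Generates an EC signing key in the hardware-backed keystore and asks keymaster to
     * attest it against serverChallenge. The challenge is supplied by the verifying server
     * so that a replayed chain from another session cannot be substituted.
     */
    public static Result probe(byte[] serverChallenge) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                    KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
            KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
                    .setDigests(KeyProperties.DIGEST_SHA256)
                    .setAttestationChallenge(serverChallenge) // requests the attestation extension
                    .build();
            kpg.initialize(spec);
            kpg.generateKeyPair();

            KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
            ks.load(null);
            Certificate[] chain = ks.getCertificateChain(ALIAS);
            if (chain == null || chain.length == 0) {
                return new Result(Outcome.KEYSTORE_FAILED, null);
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            if (leaf.getExtensionValue(KEY_ATTESTATION_OID) == null) {
                // Key exists but carries no attestation record: nothing for a server to verify.
                return new Result(Outcome.NO_ATTESTATION_EXTENSION, null);
            }
            return new Result(Outcome.ATTESTED, chain);
        } catch (ProviderException e) {
            // Keymaster rejected the attestation request (the "attest key command failure"
            // case mentioned above); the thread reports this currently leads to a basic-mode fallback.
            return new Result(Outcome.KEYSTORE_FAILED, null);
        } catch (GeneralSecurityException | IOException e) {
            // Keystore unavailable or misconfigured; treated the same way by the caller.
            return new Result(Outcome.KEYSTORE_FAILED, null);
        }
    }
}
```

Only the `ATTESTED` chain is worth sending anywhere, and the verdict has to be computed off-device: the server checks that the chain terminates at Google's hardware attestation root, that the extension's challenge equals the one it issued, and reads the verified-boot and security-level fields from that extension. Treating `KEYSTORE_FAILED` as a pass on the server is exactly the fallback the last reply describes, which is why the result of this probe is an input to the server's decision, not a decision in itself.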