Android - Magisk will fail Safety-Net hereafter. Why?
John Wu (Magisk Developer) posted updates today, which clarifies the reasons.
Earlier, SafetyNet API wasn't fully / correctly implemented, the way it was meant to be :
- Key Attestation
From what we've seen so far, key attestation doesn't seem to be fully enforced yet, as devices with incompatible, potentially buggy(?) keymaster implementations (e.g. some OnePlus devices) that result in attest key cmd failures still pass SafetyNet regardless.
- Attestation was done locally
bootloader reports the device status via kernel cmdlines, and init will reflect them in properties, and apparently SafetyNet was using those values. All those stuff is in userspace, so Magisk can simply manipulate it
Now, with the Feature Preview: SafetyNet Attestation API evaluationType, there will be two types of evaluation, BASIC
and HARDWARE_BACKED
for a complete evaluation with remote validation (as against local) :
HARDWARE_BACKED - When we use the available hardware-backed security features of the remote device (e.g. hardware-backed key attestation) to influence our evaluation.
We’re currently evaluating and adjusting the eligibility criteria for devices where we will rely on hardware-backed security features.
Can this new system be hacked?
Looks very unlikely
- Even if we force validation to use
BASIC
method, it won't be hidden
IMO it is theoretically possible to alter control flow in SafetyNet's code to force it to always use BASIC evaluation by using some hooking framework like Xposed, however these kind of code injection is basically impossible to hide (memory space analysis).
HARDWARE_BACKED
is serious stuff and unlikely to be cracked since it involves TEE or hardware changes leading to cryptographic compromise (Robert also pointed out in comments)
To hack this thing, you have to either find a vulnerability in TEE firmware (which will be patched ASAP once found) or hardware (less likely to happen) to break the cryptography.
Breaking TEE won't be easy, which is why many security researchers are actively working on it.
(Emphasis added in all quotes)
How to check if Google has implemented hardware Attestation for my device?
Edit Magisk canary has been updated to show evaluation status and once the API is implemented, you will see more details (failing SafetyNet). Or, follow instructions on this XDA post to check attestation method using logcat
For more information see SafetyNet's hardware attestation will make hiding root in Magisk really hard
Edited on 16 December 20
And the final nail in the coffin for fooling safety net detection
Johnwu in
- tweet says
HW based evaluation is impractical to "hack" (except tricks to make it fallback to basic), and I lost all interest in improving the current way of hiding.
- Another tweet of 13 Dec 2020
If passing SafetyNet is the only use of Magisk for you, then yeah, bye Face with rolling eyes ( in response to So... magisk is completely useless right now?...)
It appears that Google may have chosen not to enforce this checking, even though it was implemented for a short while (a few days?). At first, the Magisk developer, John Wu, sounded quite pessimistic about it, going even so far as to say that the fun was over.
A few days after the tweets from John Wu that were referenced in the question, however, on March 14, John Wu tweeted again, and this time he said
So apparently CTS is just passing again out of nowhere? Maybe Google is still testing things out?
I'm over it anyways. Google is apparently willing to use key attestation for detection. Since MagiskHide is still there, people can still always use it as usual.
In my own test in late May 2020, with MagiskHide not enabled, SafetyNet failed, but with MagiskHide enabled and targetting my test app, SafetyNet passed, meaning that MagishHide could still defeat SafetyNet. The test was run on a Pixel 3 with android 10.
So, Google may have the capability to detect Magisk, since the boot loader check had been moved into the TEE, but they have somehow stopped doing that, for reasons known only to Google.