Bypassing SafetyNet has long been a cat-and-mouse game between Google and the community. The community likes to modify the software on their phone, a process that usually involves unlocking the bootloader as the first step. But this, in turn, triggers SafetyNet, which can prevent several popular apps from running on the phone, some of which are understandable because they rely on a tamper-proof environment to run.
SafetyNet is intended for application developers, but they can choose to use it or not. For a regular end-user, however, you can either ditch the modding potential of Android and pass SafetyNet compatibility testing or remain ostracized by app makers. If you are wondering how to pass SafetyNet even after rooting or installing a custom ROM on your device, this guide should help.
What is SafetyNet?
Android is designed to operate without giving the end user any privileged control over the underlying subsystems. In the event that someone using an Android device is able to gain similar access to administrative permissions (AKA “superuser”) as on Linux, they can essentially modify or override Android system apps and settings. From an app developer’s perspective, this means that the device their app is running on can potentially be compromised. There should be some sort of abuse detection system to examine the software and hardware environment of the device and assure app developers that all is well. This is where SafetyNet comes in.
While modding is an integral part of the Android ecosystem, satisfying the constraints of security policies sometimes requires a high degree of rigor from the OS. SafetyNet is one such set of abuse detection APIs present in Google Play Services. By calling the SafetyNet Attestation API, third-party applications can verify whether the device’s software environment has been tampered with in any way. The API checks various things, such as bootloader unlock status and signs of superuser binaries, to compare the current state of the target Android device against a known “safe” value on the server side and verify the integrity of the environment.
The triggering of SafetyNet and its consequences
A number of departures from the stock configuration of an Android device ultimately lead to SafetyNet being triggered. Even if you have only unlocked your phone’s bootloader and left the factory-installed OS untouched, you may still get a “CTS profile mismatch” (where CTS stands for Compatibility Test Suite), which causes the SafetyNet check to fail. If you root your Android device or replace the stock firmware with a custom ROM, you will pretty much end up with a SafetyNet failed status. Therefore, you cannot use apps and games that rely on SafetyNet validation on the device. This is especially true for banking apps and other financial apps such as Google Pay, as they strictly rely on the SafetyNet attestation result and, for security reasons, do not allow users to use the app in an apparently tampered environment.
When it comes to games, developers use SafetyNet to assess device integrity and prevent dishonest gamers from cheating or modifying game variables to gain unfair advantages. Last but not least, you may also come across instances where developers simply misuse Google’s abuse detection mechanism for no practical reason, which is why experienced users want to escape its detection routines.
In a nutshell, the modding community will have to choose between having access to root/custom ROMs/kernels/etc. or their favorite apps and games. It may seem like the end of aftermarket development on Android, but there is hope.
How to Pass SafetyNet Attestation on Android Devices
Since Google periodically updates the SafetyNet Attestation API backend, there is no truly universal way to bypass the checks. Because the restrictions depend on a number of factors, you can pass SafetyNet in a modified environment by spoofing the most important settings on legacy devices, but the same trick may not work at all on newer phones. The aftermarket development community has come up with a number of techniques for passing SafetyNet checks, but keep in mind that a generic implementation is not possible due to the constantly evolving nature of the anti-abuse API. It’s a game of cat and mouse: one day you’ll be ahead, the other day you won’t.
With the gradual shift to a hardware-backed attestation strategy, Google is relying on the security of the phone’s Trusted Execution Environment (TEE) or dedicated hardware security module (HSM) for tamper detection. Finding a critical security vulnerability in a device’s isolated secure environment and exploiting it to spoof SafetyNet’s client-side response is not a feasible approach, but there are other ways around the obstacle.
Here are some of the well-known methods to pass SafetyNet:
1. Restoring the original firmware and relocking the bootloader
This may be the easiest way to pass SafetyNet, but it has its own pros and cons. All you have to do is find the right firmware for your Android device, flash it, and finally relock the bootloader. Sure, you’ll lose most of the bells and whistles of Android modding, but it makes sense when you need to use your device in a managed environment with strict security policies or are trying to sell your device.
2. Use Magisk
If you have an older Android smartphone, Magisk is your best bet for passing SafetyNet without too much hassle. Even though the current Magisk Canary channel no longer offers MagiskHide, you can still stick to the latest stable version (v23.0) and use MagiskHide to hide root status from apps. Additionally, you can install Magisk modules like MagiskHide Props Config to change the device fingerprint in order to pass SafetyNet.
Speaking of the Canary Channel, Magisk’s new “DenyList” feature is an interesting development, which allows users to assign a list of processes where Magisk denies further changes and rolls back any changes it has made. With proper configuration, it can also be used to pass SafetyNet in certain scenarios.
Magisk XDA Forums
Finally, there is Shamiko, a work-in-progress module built on Zygisk (Magisk in the zygote process). It reads the list of apps to hide from Magisk’s DenyList and hides Magisk root, Zygisk itself, and Zygisk modules from them in order to bypass SafetyNet. However, Shamiko can only work after the DenyList enforcement feature has been disabled.
If you installed Magisk for root and want a reliable way to bypass SafetyNet after removing MagiskHide, wait for the “Shamiko” module to be released. It uses the new Zygisk functionality (Magisk in Zygote) and is therefore more powerful than MagiskHide. Another WIP.
— Mishaal Rahman (@MishaalRahman) January 4, 2022
3. Using Universal SafetyNet Fix
Bypassing Google’s hardware-based SafetyNet attestation technique is a little tricky, but it’s not entirely impossible. Senior XDA member kdrag0n’s Universal SafetyNet Fix project cleverly accomplishes this feat by forcing basic attestation in place of the hardware-backed checks.
Notably, Universal SafetyNet Fix depends on Magisk when it comes to passing the basic attestation part. The developer offers two different versions of the patch: the Zygisk variant for Magisk Canary and the Riru variant for stable Magisk.
Universal SafetyNet Fix: GitHub Repository ||| XDA Thread
4. ih8sn
If you don’t want to rely on Magisk to pass the SafetyNet attestation, you can try an experimental add-on named ih8sn. Once applied, it can spoof a plethora of prop values to bypass SafetyNet checks, much like the MagiskHide Props Config module, but without any dependency on Magisk in the first place.
The ih8sn tool is maintained by several LineageOS developers, but the LineageOS project does not officially endorse it yet. To learn more, take a look at its codebase by following the link below.
ih8sn: GitHub Repository
Verification
After applying any of the aforementioned methods for passing SafetyNet, you may want to check the result. The Magisk app comes with an option to launch the SafetyNet check routine right from its main menu, which is really handy. You can also opt for an open source application named YASNAC (short for Yet Another SafetyNet Attestation Checker) to check the status and (optionally) examine the JSON response.
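The JSON response that tools like YASNAC display is the payload of the signed JWS that the SafetyNet Attestation API returns, and it is also what an app’s backend is supposed to evaluate. The following is an added example, not code from this article or from any of the projects it mentions: it assembles a constructed, unsigned response in the same shape, decodes the payload, and applies the checks a developer should run on it. The evaluationType check is the one that matters against the “basic attestation in place of hardware-backed checks” approach described above: a backend that only looks at ctsProfileMatch and basicIntegrity cannot tell whether the hardware-backed evaluation actually ran. The package name, certificate digest and nonce values are placeholders; the signature segment is a placeholder too, and the example deliberately skips the signature and x5c certificate-chain verification that a real backend must perform before trusting any field.

```python
import base64
import json

# --- Constructed sample values (placeholders, not from any real app) ---
SAMPLE_NONCE = base64.b64encode(b"server-issued-random-nonce-0001").decode()
SAMPLE_PACKAGE = "com.example.bank"
SAMPLE_CERT_DIGEST = "PLACEHOLDER-BASE64-SHA256-OF-SIGNING-CERT"
SAMPLE_NOW_MS = 1_700_000_000_000  # pretend "current time" on the server


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Compact JWS segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_jws(payload: dict) -> str:
    """Assemble a constructed, UNSIGNED JWS in the three-segment shape SafetyNet
    returns. The x5c chain and signature are placeholders: a real response is
    signed by Google and the chain must be validated (leaf hostname
    attest.android.com) before any payload field is trusted."""
    header = {"alg": "RS256", "x5c": ["PLACEHOLDER-CERT-CHAIN"]}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"PLACEHOLDER-SIGNATURE"),
    ])


def decode_payload(jws: str) -> dict:
    """Return the decoded payload (middle segment) of a compact JWS."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def evaluate_attestation(payload: dict, expected_nonce: str, expected_package: str,
                         expected_cert_digests: set, now_ms: int,
                         max_age_ms: int = 120_000,
                         require_hardware_backed: bool = True) -> list:
    """Apply backend policy to a decoded payload. Returns a list of findings;
    an empty list means the attestation passed every check."""
    findings = []
    # Nonce binds the response to this request and defeats replay of an old one.
    if payload.get("nonce") != expected_nonce:
        findings.append("nonce mismatch (possible replay)")
    ts = payload.get("timestampMs")
    if not isinstance(ts, int) or not (0 <= now_ms - ts <= max_age_ms):
        findings.append("timestamp missing or stale")
    # The response must describe our own APK, not some other caller's.
    if payload.get("apkPackageName") != expected_package:
        findings.append("apkPackageName mismatch")
    digests = set(payload.get("apkCertificateDigestSha256", []))
    if not digests or not digests.issubset(expected_cert_digests):
        findings.append("apkCertificateDigestSha256 mismatch")
    if payload.get("basicIntegrity") is not True:
        findings.append("basicIntegrity false")
    if payload.get("ctsProfileMatch") is not True:
        findings.append("ctsProfileMatch false (CTS profile mismatch)")
    # evaluationType is a comma-separated list such as "BASIC,HARDWARE_BACKED".
    # If HARDWARE_BACKED is absent, only the software-based checks ran, which is
    # exactly the downgraded state a hardened backend should refuse.
    eval_types = {t.strip() for t in payload.get("evaluationType", "").split(",") if t.strip()}
    if require_hardware_backed and "HARDWARE_BACKED" not in eval_types:
        findings.append("evaluationType lacks HARDWARE_BACKED (only software checks ran)")
    return findings


def sample_payload(**overrides) -> dict:
    """A constructed 'all good' payload; keyword overrides simulate failures."""
    p = {
        "nonce": SAMPLE_NONCE,
        "timestampMs": SAMPLE_NOW_MS - 5_000,
        "apkPackageName": SAMPLE_PACKAGE,
        "apkCertificateDigestSha256": [SAMPLE_CERT_DIGEST],
        "ctsProfileMatch": True,
        "basicIntegrity": True,
        "evaluationType": "BASIC,HARDWARE_BACKED",
    }
    p.update(overrides)
    return p


def check_sample(**overrides) -> list:
    """Build, decode and evaluate a constructed response in one step."""
    jws = build_sample_jws(sample_payload(**overrides))
    return evaluate_attestation(decode_payload(jws), SAMPLE_NONCE, SAMPLE_PACKAGE,
                                {SAMPLE_CERT_DIGEST}, SAMPLE_NOW_MS)


if __name__ == "__main__":
    print("clean device       :", check_sample())
    print("basic-only eval    :", check_sample(evaluationType="BASIC"))
    print("CTS mismatch       :", check_sample(ctsProfileMatch=False))
    print("replayed response  :", check_sample(nonce="stale-nonce"))
```

The design point is that every field is checked independently and all findings are collected rather than stopping at the first, so the backend can log precisely which property failed; a device that passes ctsProfileMatch and basicIntegrity but reports only BASIC evaluation is the case the hardware-attestation shift was introduced to catch, and treating it as a pass silently accepts the downgrade.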
This is how you can pass SafetyNet on your phone. With a little time and patience, it’s possible to restore Android’s true modding potential without worrying about SafetyNet attestation failures. We’ll update this guide with more SafetyNet bypass methods, so check back later!