Question about the future of SafetyNet Bypassing: Play Integrity API

[DavidBerdik]

Yesterday, I received the November 2021 Google Play newsletter in my inbox. While scrolling through it, this caught my eye:

Needless to say, this intrigued me given my interest in bypassing SafetyNet, so I clicked on the button. Doing so redirected me here. This was my first time hearing about this, and unsurprisingly, it has made me a bit concerned about the future of SafetyNet bypassing. I realize that this post might be pointless, especially given that this API is still in an experimental stage, but I thought I would try asking here if anyone has any ideas about how this will impact the future of bypassing SafetyNet and in general, how this will impact the user experience on modified devices.

[Didgeridoohan]

Bypassing SafetyNet (or its replacement) has always been a temporary thing (although with an undetermined end date). As soon as Google starts to enforce the use of hardware backed key attestation (currently they allow devices to pass with basic attestation, which is why mods like this works) it is extremely unlikely that there will be any kind of bypass.

[DavidBerdik]

I was afraid that this was going to be the answer I was going to receive. ☹️

Here's hoping that this turns out to not be true. 🤞

[Didgeridoohan]

I'd say hoping for it not to be true is a hopeless activity... Take a look at this tweet as an example (and note the occupation of it's author).

[DavidBerdik]

Yeah I pretty much figured that it is a hopeless activity, but let me dream! 😂 As for the Tweet you referenced, I have actually seen it before. Thanks for sharing though. 🙂 If anything, I posted here because I wanted to see if people more knowledgeable than me (who don't work for Google) had something worth sharing.

[undermark5]

I'd like to chime in my two cents here. Which may be completely worthless... Anyway, while hoping to that we will be able to bypass the Play Integrity API checks may be a lost cause, I don't think we have yet to give up on hoping it will be a better experience as Google may perhaps provide better education as to what the purpose of the Play Integrity API is for rather than developers adding it in as an easy "one size fits all fix" that safetynet has seemingly become. Personally, the application that I develop for my job was performing root checks using Rootbeer, but we have since decided to remove for a couple of reasons, one, it was super easy to bypass even without hiding root (assuming you know what rooting does and allows you to do and a basic understanding of basic application persistence), and two, the risk involved in allowing rooted users to use the application is primarily in an increased number of crashes, there is little if not nothing that they could do that wouldn't eventually result in some flags on the backend cropping up for that user. I pointed out that in the documentation and implementation guide for both safetynet and Play Integrity (we were considering implementing safetynet checks) were not to be used simply as root detection mechanisms but rather as a part of a larger analysis, one which we currently were not planning on doing.

So, while my two cents may not be worth much, I hope that with the eventual deprecation of Safetynet for Play Integrity developers and product managers are properly educated on the purpose that the API serves, providing a data point about the integrity of the system the application is running on, and ultimately recognize that simply disallowing a user access to the application/features because of a single data point is improper.

[DavidBerdik]

So, while my two cents may not be worth much, I hope that with the eventual deprecation of Safetynet for Play Integrity developers and product managers are properly educated on the purpose that the API serves, providing a data point about the integrity of the system the application is running on, and ultimately recognize that simply disallowing a user access to the application/features because of a single data point is improper.

While I hope you are right, I honestly am not sure if I understand how it will help the rooting community if you do turn out to be right.

[undermark5]

It isn't something that we will benefit from as in we will be able to bypass the check or anything like that, it is instead developers and companies will actually implement proper security rather than just shoving a one size fits all "solution" where it doesn't belong, resulting in fewer applications preventing you from using them simply because you've rooted your device/unlocked your bootloader. This might just be my hopeful thinking, but Google has indicated in the overview of both Safetynet and Play Integrity that these checks are not to be used in a standalone manner, so hopefully education takes a higher priority this time.

[StakFallT]

Personally, I find the whole no-root allowed thing to be disgusting and distasteful. Who is -anyone- to tell anyone how to run their "computer". I mean think about it, it's like telling someone that bought a PC they are NOT allowed to have administrator access to their own machine and if they somehow have a means to achieve administrator access then sites will stop accepting payment, etc. It's so dumb and makes little sense. Oh, so Amazon.com and other e-commerce sites won't let me be an admin on my own workstation? Oh kay... I guess I'll just suck it up and allow them power to dictate how I use my own device. Stupid. Just plain stupid.

[andre-caldas]

We should not rely on technology to bypass. A few years ago we were simply mocking them because we would always find a way to circumvent.

We do not need an app or a technique. What we really need is the law. But that is not easy, either...

[PeterNjeim]

Hello, I remember when the Play Integrity API was first announced and I watched the little video that came long with it. I wasn't convinced by it and I formulated a way to bypass it (in my mind). I'll try to state what I was thinking those months ago here, and you can tell me if it makes any sense or if it's garbage lol.

As seen here, step 3 is the important step. This is where you want to send spoofed data to Google Play, so that it returns a good result. You can't modify it after step 4 since it'll be signed and encrypted at that point according to the video. Another way to bypass it is to send data from a Play Integrity-passing device and send it to the server in step 5, using the unique ID of the non-Play-Integrity-passing device. What's probably going to happen is it will use hardware-based key attestation and detect unlocked bootloaders, which might still be bypassable.

• Binary Integrity
  The intention of the binary integrity check is to make sure a modified app isn't being used to pass PI, since a modified app could mean mods or other tools are enabled. The details of how the integrity is verified is not known to me. As such, there may be ways to patch the app to do what we want without PI detecting it. Since I don't know how to works, I can't comment on it.

• Unique ID
  The intention of the unique ID is to disallow a separate, unrooted, PI-passing device to make a request on the rooted device's behalf, since the unique ID's in the responses would be different between them and can't be changed due to the signing, thereby allowing the server to reject the verdict.

  • Packet Sniffing
    The ID that the server sends back to your phone could possibly be sniffed, depending on whether the app enables certificate pinning or not.

    Certificate pinning disabled:

    • Man in the Middle
      The ID can be intercepted using a MITM proxy. If you sniff the ID, you could send it to an unrooted device which could then initiate a PI request. However, the PI request would need to be sent from the same app, and PI will check the integrity of the app's binary (the details are unknown for this procedure).

      • Defer to Unrooted Device
        An unrooted device that passes PI can make a PI request from the app and send the passed verdict to the rooted device. However, telling the rooted device to send this alternative verdict to the app's server instead of the real, failed verdict, and to receive the response from the app's server and use it in the app as intended is a challenge.

        App can be patched without failed binary verdict:

        • On-Demand PI Request with Unique ID
          If patching is possible without triggering a PI failure, the unrooted device can initiate a PI request on-demand. Modify the app to create a button that when pressed will send a PI request. Alternatively, create an activity that when started (via adb), will send a PI request. Make it so that the unique ID can be entered as well. Or, create an app from scratch with the same app ID that has the functionality needed (however this will most definitely trigger a failed binary integrity check).

          • Patch App to Send Unrooted Verdict to App Server
            Patching the rooted device's app (no need to ensure the binary verdict passes as PI has already been taken care of) to change the code that sends the real verdict to instead send the unrooted verdict to the app's server would nullify PI. The complexity of this is beyond my imagination though. Without the source code of the app, I doubt you could accomplish this, though I may be mistaken.

          • Packet Edit Verdict Sent to App Server
            Arguably easier to implement than patching the app, though still difficult and requires huge maintenance, as this would need to be implemented on an app-by-app basis. The most popular apps would probably be best supported, but it would be a cat-and-mouse game. You would need to know which API request URL's an app uses to send the PI verdict to the server, and store a list of these URL's so that a packet editor can detect them and change the payload to send the unrooted verdict instead.

        Patching app causes failed binary verdict:

        • Manual PI Request to Obtain Desired Response from App's Server
          If the patching required to make on-demand PI requests causes failed binary integrity checks, you must instead manually perform the same actions you want to perform on the rooted device on the unrooted device. This way you can obtain the intended response without needing to pass it on the rooted device itself.

          • Modify Server's HTTP Response with Intended Response
            Perform the action that requires PI to pass on the rooted device, it will fail but stop the failed response from the app's server from reaching the app. Perform the same action on the unrooted device (do this at the same time preferably), it will pass, but take the good response from the app's server and use something like Charles' Rewrite Tool to modify the bad response that the rooted app was about to receive with the good response from the unrooted device.

    Certificate pinning enabled:

    • Frida
      I've never used Frida but from what I've heard, you can intercept and modify HTTP data using it, and bypass certificate pinning as well. Follow the methods above but use Frida instead of a proxy.

• Spoof Device Attributes
  If using a separate, unrooted device is unfeasible, or you don't want to share your unique ID to a third party unrooted device server to process it for you, then bypassing PI the hard(er) way is necessary. This means you'll need to hide an unlocked bootloader and/or root (and software key attestation if you're using an emulator or virtual machine).

  Disclaimer: my knowledge on this section is quite low. Please verify this information.

  • Google Play Services
    If using an unmodified Google Play Services, you'll need to spoof everything on your own.

    • Root
      In order to spoof your root status, simply use Magisk, in combination with Universal SafetyNet Fix (Universal Play Integrity Fix amirite or amirite), and Shamiko to hide Zygisk.

    • Unlocked Bootloader
      Since the Play Integrity API is new, I assume it will only work on newer Android versions, specifically those that released after hardware-based attestation became widespread. Thus, I don't believe Play Integrity API will fallback to software-based attestation if hardware-based attestation fails. Since that could be the case, hiding an unlocked bootloader would be extremely difficult, I'm not quick in concluding that it's impossible, though others are. Due to hardware-based key attestation, you cannot spoof the status of the bootloader, unless you compromise the Trusted Execution Environment (TEE), which currently has a $250K USD bounty by Google, though that is for remote code execution vulnerabilities. In our case, we want to deliberately make ourselves "vulnerable", no remote access needed. One option is to emulate a TEE, projects such as Open-TEE and OP-TEE do just that. We also need a working "TrustZone", which OP-TEE does implement. However, that only creates an "isolated" environment, which isn't enough. It must also be "trusted", where a "root of trust" is established. Luckily on ARM, there is no real "root of trust", unlike AMD and Intel processors which use TPM 2.0 to do so. ARM simply uses a random hardware generated key (or in some cases hard-coded and software generated) stored securely on the device in the TrustZone. Now my knowledge starts to wane. Maybe you can use OP-TEE with a hard-coded, software key? How one implements this into Android I do not know, it runs as a virtual machine I'm pretty sure. Open-TEE had a working Android implementation for Android 5.0 to 5.1.1. Regardless, more research on my part (and possibly yours) is needed, to see if we can "compromise" ourselves to spoof the bootloader status, without resorting to software-based attestation.

    • Software-Based Key Attestation
      I am unaware if there is any way to spoof the type of attestation being used.

  • microG
    Maybe microG or another project could make its own Play Integrity implementation where it spoofs everything. Considering PI isn't open source, I doubt it.

• Vulnerabilities
  Another hope is that we discover an exploit or vulnerability within Android, the TEE, the Linux Kernel, or an SOC, as John Wu has stated:

  • A kernel exploit that gives us root
  • A bootloader bug that allows us to trick TEE/SE or load custom images
  • Leak TEE/SE private keys
  • Find a hardware bug in the SOC

• Decrypt Verdict
  If we discovered the private key Google uses, or miraculously brute force it and get it, we're home free for some time (this is practically impossible).

[paolo-caroni]

Considering that microG have implememted safetynet, that is not opensource too, I'm positive.
However microG don't spoof anything, except the signature, if you have a locked bootloader microG don't hide it.

[DavidBerdik]

@paolo-caroni I was not aware that microG had implemented SafetyNet, but even so, I think it's a safe assumption for me to make that their implementation only passed basic attestation.

[DavidBerdik]

@foxjaw There was a (very) brief period when there was a way to spoof hardware-backed attestation for Play Integrity, but needless to say, Google patched the exploit very quickly. Other than that, the best we can do is basic attestation, and although there certainly are apps that require hardware attestation, we are fortunately still not at a point where it's a huge concern. You don't necessarily have to give up right now, but you do have to accept that there will be some apps out there that are not going to work for you. 🙂

[paolo-caroni]

@DavidBerdik Sure, no CTS, but for play at Pokémon Go until first feb 2024 was enought (I've never installed an app that need more).

@foxjaw I don't use microG for anything important as the bank account, only for things taht I can live without, Whatsapp and Pokémon Go for example. The problem is that the FOSS Community have created alternative of much of the proprietary library/API of Google, but is less used/implemented by the apps developer (see unifield push vs Google's push notification).

[PeterNjeim]

If you don't want or can't use an unrooted phone as a server, you could also leave your phone unrooted, and use something like twoyi as a rooted sub-environment. Though with this method you'll have limitations on what you can do with the root. Potentially you could even use your unrooted "host" environment as the "server" to intercept PI requests from the rooted sub-environment, though I personally don't know what is shared between the environments, as I haven't yet tried it.

[DavidBerdik]

Out of curiosity, do you have any proof-of-concept developed for this? Or is this just theory for now?

[PeterNjeim]

As stated in the message you replied to, I haven't tried it yet so I don't know what is and isn't shared between the container and the host.

[DavidBerdik]

Oh yeah. Sorry. I'm trying to do multiple things at the moment and missed that point.

[PeterNjeim]

Looks like the bypass was was easier than expected: 73c8587

[DavidBerdik]

Maybe for now it is. Unfortunately, it's only a matter of time before hardware attestation becomes common enough for this to be not all that useful. ☹️ Still, it's awesome that it works for now! 😁

[MulverineX]

Very quickly hardware attestation requirement is being rolled out to apps. Google Wallet for instance supports credit cards without it, but once you try to use new features like their State ID system, it refuses to proceed. Ideally a way can be found & implemented to spoof some side of this protocol to make it appear that STRONG_INTEGRITY has passed. Surely with root access and the several modding tools at our disposal there is a way to at least make the app think its recieved a valid result?

[DavidBerdik]

Even if there is another exploit found, it will unfortunately be patched.

[robbins]

For a very brief period of time, there was an exploit that made it possible to pass strong integrity, but needless to say, Google patched it.

Is there any information on how that exploit worked?

[MulverineX]

@robbins there was a kernel vulnerability on the Asus Gaming phone

[MulverineX]

@foxjaw the difference here is that the android modding community isn't willing to pay for the kind of dedication required here. The iOS homebrew developers are being compensated for their work, no one on Android is.

[DavidBerdik]

Is there any information on how that exploit worked?

I haven't gone digging to see if the author published any documentation on it or how it worked, but the Displax fork of this module released a version that used it here. Perhaps digging through the module source can turn up something about how it worked.

For a day or so, I enjoyed the satisfaction of having a working hardware-backed attestation, but sure enough, it went as quickly as it came.

[StakFallT]

The whole thing is just absolutely preposterous since it's exactly the same thing as telling someone that bought (or built) their computer to tell them, they are not allowed to log in as administrator. Even under Linux you can still use root for making system-wide changes. Maybe I value my privacy and don't want my phone collecting shit (listening on the mic without any indicator -- apps definitely seem to do this, and Facebook got caught with messenger doing that) and sending it off to who knows where. I didn't agree that "you" could do that. Where's my cut? It's disgusting and just flat out wrong. At this point, I stand on just principle of it now. I've learned that a lot of tweaks can create instability on my daily driver phone and that instability can lead to me having headaches and so I tend to not really do many tweaks anymore. But again, that's MY choice.

What about patching the apps either dynamically / run-time / on-the-fly or patching the odex files. Someone could reverse the app (using one of the many tools available), locate the bytes necessary to do a patch, create a diff and package that up and host it on a server that another app (like magisk) can download and use against that app. I don't know enough about how the integrity API framework works, but I feel like a repository of "cracks" could be made unless it's the hardware that shuts down the app and the app's checksum is found stored in the data of the file table of the partition. In which case, I feel like a shim library could be made to intercept the call to the OS and feed the hardware a bogus checksum. I know dmverity verifies modifications to a file by checking metadata stored with the file in the file table, so maybe it would come in a two part crack (one to patch the app, and then one to feed the hardware a checksum of what it -should- be). Obviously, the two part would be more thorough and likely to work (depending on if the app does its own checking as well), but even the interception of the file checksum could perhaps be sufficient (if the app just trusts what the hardware tells it -- and why shouldn't it? :P )

[MulverineX]

The TEE (trusted execution environment) or StrongBox hardware that is physically separate from the SoC and is not currently rootable, has its own dedicated route through to the device modem. Once it has determined a PASS or FAIL to STRONG_INTEGRITY it directly communicates this with Google Services. Google Services then directly integrates with 3rd party servers to communicate the integrity state. At which point, when you open the app, any web access-dependent features can be denied by the 3rd party server, and there's nothing we can do about that. The problem is that more and more features of your phone are happening in the cloud; not on your device, memory hacking is not going to help here.

Here are the only two ways around this:

• An unpatched vulnerability within the internal device kernel (not flashable) that allows you to take control of the TEE/StrongBox.
• An unpatched vulnerability within the TEE/StrongBox firmware that allows you to spoof the Google SSL Certificates and host a fake certification server (similar to the iOS Jailbreak community).

Honestly, in my book, I have more hope that a FOSS Wallet app will be released eventually without the Play Integrity check. The best we can all hope for is an organization like FUTO or its representative Louis Rossman to take notice of this problem and step in.

[MulverineX]

Games, DRM, and banking apps, they have won this war. There is nothing that we can realistically do here. Owning your Android device, modding apps, rooting in general, is dead.

[lunaynx]

An unpatched vulnerability within the TEE/StrongBox firmware that allows you to spoof the Google SSL Certificates and host a fake certification server (similar to the iOS Jailbreak community).

To be clear, iOS jailbreakers never had to bypass SSL certificate verification, as TSS (Tatsu Signing Server) requests generally go through plain HTTP for some reason, even today. But this replay attack method died out a long time ago when Apple introduced the ApNonce.

It's still possible to replay if you can set the nonce, but that generally requires jailbreaking in the first place, and a fully local custom restore tool is now used for this instead of a third party TSS server.

[DavidBerdik]

@foxjaw This is off-topic here, but in my experience, I find Google Pay harder to use than just pulling out the plastic card anyway!

That said, it's my phone. I should have the right to use Google Pay on it just like I have the right to use whatever software I want on my computer. Of course, there's really no point in me stating this. We're all here because we feel the same.

[DavidBerdik]

@foxjaw Yes, unfortunately I know that this is the counterargument. 🫤

Anyway, at least for now, GPay still works with basic attestation (except for state IDs), so enjoy it while it lasts!