
First attempt to bypass SafetyNet when Xposed is installed

Open IlyaGulya opened this issue 6 years ago • 12 comments

We need to fake SafetyNet checksum checking of Zygote memory.

IlyaGulya avatar Mar 16 '18 17:03 IlyaGulya

We need to fake SafetyNet checksum checking of Zygote memory.

Personally I use Xposed on my phone (an LG); if it's needed, I could post some log files here, such as logcat output.

If some initial command-line results are needed, tell me what to type and I could run some tests.

xerta555 avatar Mar 19 '18 00:03 xerta555

maybe of value: https://census-labs.com/news/2017/11/17/examining-the-value-of-safetynet-attestation-as-an-application-integrity-security-control/

edit: this does explicitly list magisk as an attack vector,

should this be possible to return valid attestations? also https://github.com/liamcottle/XposedSafetyNet has a service to return valid attestations, how does that work?

simonbuehler avatar Mar 28 '18 10:03 simonbuehler

@simonbuehler The only way I can currently think of is that the author somehow got their hands on secret Google keys. If Google have done their part properly (and I assume they have), the data returned by SafetyNet is verified on their server and then cryptographically signed with their keys to prove that the result was actually a success. The only way to fake that would be through getting those keys yourself; otherwise the response won't be accepted by your apps.

Also relevant for this repo: The microG project already has an implementation of SafetyNet that is able to fake a successful result on some devices.

Namnodorel avatar Apr 13 '18 13:04 Namnodorel

@simonbuehler @Namnodorel

The only way I can currently think of is that the author somehow got their hands on secret Google keys. If Google have done their part properly (and I assume they have), the data returned by SafetyNet is verified on their server and then cryptographically signed with their keys to prove that the result was actually a success. The only way to fake that would be through getting those keys yourself; otherwise the response won't be accepted by your apps.

According to this post: https://github.com/microg/android_packages_apps_GmsCore/issues/181 there is a way to bypass SafetyNet by making (an app) that "would take over the operating principle of SafetyNet works" (in the words of mar-v-in), but using secret keys generated directly by the app, and applying the SN validation process with those internal keys.

Making this work for the whole Android system would require immediately isolating the SN components at SELinux start, with SN on one side and Xposed on the other, so that as soon as Xposed starts doing its job, SN is started; but given the complexity of both finding a SELinux flaw and successfully implementing a SN clone, the solution is not at all easy to find.

xerta555 avatar Apr 13 '18 15:04 xerta555

I do hope that we can bypass SafetyNet.

DheekeyCarey avatar Jun 28 '18 06:06 DheekeyCarey

I do hope that we can bypass SafetyNet.

In absolute terms, it's feasible, but it will not be an easy task to maintain a tool for that.

@DheekeyCarey Do you have an idea of how to do that?

xerta555 avatar Jun 28 '18 08:06 xerta555

Are you still working on this @IlyaGulya? I could have a previous project that might help you get a start.

shivangswain avatar Jun 29 '18 19:06 shivangswain

Sorry, guys. Currently I'm quite busy with my main work and not sure when I will be able to return to this project. @shivangswain you can still share your project with everyone. Maybe someone else will start before me 🙂

IlyaGulya avatar Jun 30 '18 03:06 IlyaGulya

Here's a random thought: what if there were two Zygotes?

Imagine that on boot, a proxy process were created that bind mounts another socket over /dev/socket/zygote. When a message to start an app is sent, the proxy first checks if the app that's about to be started is on a hide list. If it is, then it sends the message to the authentic Zygote. Otherwise, it gets sent to the Xposed Zygote.

refi64 avatar Aug 24 '18 04:08 refi64

@kirbyfan64 Interesting idea. Does anyone know how many more resources it would take to run an additional Zygote?

Namnodorel avatar Aug 24 '18 06:08 Namnodorel

I'm not sure if everyone's thinking is of having Xposed enabled while it's installed? If so, then what about having it disabled, or hidden just for this purpose; wouldn't that be good enough?

I'm not sure then, for all apps needing SafetyNet to pass, whether they also need to have Xposed shown as disabled or hidden, or whether this only needs to happen once on the system, I mean passed one time, and then it's good from there...

0pLuS0 avatar Sep 02 '18 03:09 0pLuS0

The best way is what @kirbyfan64 proposed. And instead of passing SafetyNet, Xposed can hide itself by sending the message to the Zygote. I think that approach can actually be of use. No more need for passing SafetyNet, just clear hiding.

wazeeahmed avatar Oct 07 '18 14:10 wazeeahmed