
Contents of DroidGuard binary blob

Open doug-leith opened this issue 5 years ago • 7 comments

Has anyone managed to figure out what the content of the binary blob returned by DroidGuard (and sent to Google servers) actually is? The stuff I find online is mostly quite old now, and v limited. Thanks.

doug-leith avatar Aug 09 '20 11:08 doug-leith

No, we don’t know. You would have to do reverse-engineering for that. And if we knew, we could probably circumvent SafetyNet.

ArchangeGabriel avatar Aug 09 '20 11:08 ArchangeGabriel

Thanks. I’m interested in the privacy implications, if any, i.e. does it contain any device/user identifiers. Reverse engineering DroidGuard is not so easy of course, but surely not impossible either.

On 9 Aug 2020, at 12:26, Bruno Pagani [email protected] wrote:

No, we don’t know. You would have to do reverse-engineering for that. And if we knew, we could probably circumvent SafetyNet.

doug-leith avatar Aug 09 '20 11:08 doug-leith

I’m interested in the privacy implications, if any, i.e. does it contain any device/user identifiers.

Likely, but we don’t know for sure.

ArchangeGabriel avatar Aug 09 '20 12:08 ArchangeGabriel

Some insight about the blob itself can be found in this article: https://habr.com/en/post/446790/
It depends on the specific request itself, but in most cases I have seen your Google device ID along with the package signature will be used to sign requests, e.g. in https://github.com/microg/android_packages_apps_GmsCore/blob/master/play-services-core/src/main/java/org/microg/gms/snet/SafetyNetClientServiceImpl.java . Afaik DroidGuard itself does not send the request to the server, but is only used by SafetyNet and other services (e.g. FirebaseAuth: https://gist.github.com/Romern/e58e634e4d70b2be5b57d7abdb77f7ef ) to sign the requests.

Romern avatar Aug 09 '20 15:08 Romern

Some insight about the blob itself can be found in this article: https://habr.com/en/post/446790/

Very interesting reading, thanks!

ArchangeGabriel avatar Aug 09 '20 15:08 ArchangeGabriel

Thanks, yes I saw that already and sent them an email too (am hoping I’ll not have to redo that painful reverse engineering!)

On 9 Aug 2020, at 16:42, Bruno Pagani [email protected] wrote:

Some insight about the blob itself can be found in this article: https://habr.com/en/post/446790/

Very interesting reading, thanks!

doug-leith avatar Aug 09 '20 15:08 doug-leith

https://www.romainthomas.fr/publication/22-sstic-blackhat-droidguard-safetynet/ Here is a whitepaper about the way DroidGuard works.

squeaktoy avatar Dec 23 '24 23:12 squeaktoy