Latest SafetyNet improvements threaten to finally kill Magisk Hide


Magisk and Google have been playing a game of cat and mouse for years: Google's SafetyNet technology is supposed to be triggered when it notices a rooted device, but Magisk Hide does its best to keep banking apps, Pokémon Go, and other root-despising applications going, no matter what you do with your phone. However, the latest update to SafetyNet, apparently rolling out via the Play Services, seems to put an end to the game permanently. Magisk developer John Wu isn't convinced he'll find a solution that would keep his tool intact once Google fully implements the change.
John Wu describes on Twitter that the recent update properly uses SafetyNet's key attestation API that remotely verifies a device's security status. It looks like Google hasn't utilized this check to its full potential previously. In order to hack the API, developers would either need to find a vulnerability in the Trusted Execution Environment (TEE) in Android, a mini OS responsible for security-relevant tasks, or a hardware vulnerability. Both solutions come with difficulties: TEE could be fixed via a software update, and Google and other manufacturers pay out thousands of dollars to anyone who finds breaches in their hardware, meaning that the companies are pretty convinced they're hard to hack.
For the moment, John Wu and his team should be able to work around the issue. The key attestation is not fully enforced yet — even when the check fails, SafetyNet still isn't triggered. That's probably due to a few OEMs like OnePlus that haven't implemented the key checking feature correctly on their part. Magisk Hide could thus force a key attestation failure to pass SafetyNet. However, John Wu notes that any solution he can currently think of would fail once Google fully deploys the change to SafetyNet that processes the attestation on a Google server, outside of Magisk's reach.
John Wu@topjohnwu
So here we go, after years of fun messing around using Magisk, it seems that Google FINALLY decided to "fix" SafetyNet to something useful, and that is to use key attestation to verify device status (after 3 years since introduced to Android's platform!)
561
10:28 AM - Mar 11, 2020
Twitter Ads info and privacy
132 people are talking about this

Even though Wu's Twitter thread is considerably pessimistic, we shouldn't give up Magisk Hide just yet. The developer has overcome seemingly impossible odds before, and it's certainly thinkable that he can do it again. Even if John Wu doesn't find a solution himself, another intrepid developer might come along and discover one — so far, it has always worked out. Let's hope for the best.

Comments

Post a Comment

Popular posts from this blog

Linktree’s free workaround lets you add multiple links to your Instagram bio

Image
Instagram only gives you one opportunity to link to outside resources inside its photo sharing platform. This might not be a problem for a majority of the users, but for those wanting a little more customization and even more options, it leaves much to be desired. Enter  Linktree , a free tool for Instagram designed to improve traffic to your outside link, be it a blog, portfolio, or store. How it works is fairly straightforward. After connecting Linktree to your Instagram profile, you’ll receive a single link to place in your Instagram bio. Once that link in place, you can customize what it’s linked to within your browser, be it a single website, or a collection of sites you’re looking to direct followers to Say you’re a photographer who’s using Instagram as a marketing tool for your wedding photography. Using Linktree, you can direct Instagram followers to your blog, your portfolio site, and even your other social media accounts. Until now, you would’ve been stuck choosing b
Read more

EVERYTHING WE KNOW ABOUT THE PIXEL 4, THE MOST-LEAKED PHONE EVER

Image
Google’s  Pixel 3 might have been the  most-leaked phone in history . Long before its unveiling, we knew practically everything about it from unboxing videos, photo comparisons, even a full review of the device. Surely, for the Pixel 4, Google would clamp down on leaks to leave some surprises for its debut on  October 15th , right? Let’s just say, if that was the plan, it didn’t exactly work out. We’ve now seen the Pixel 4 XL from every angle and in three different colors. At least seven different sources have touched this phone, many of them confirming the same specs. We not only know which cameras it’ll have, but also what they may be capable of, including air gestures (go figure). That doesn’t even count information Google has already shared  on purpose. So if you want to know almost everything about the Pixel 4 nearly a month before it’s announced, buckle up. We’ve sifted through all of the rumors and information we can find to compile everything we know — and everything we
Read more

Our favorite iOS apps for the iPhone and iPad in 2018

Image
As 2018 comes to a close, it’s time to look at some our favorite apps of the year. While not all of these are brand new, many of them popped up onto our radar for the first time in 2018, and are definitely worth the attention. Others are some of our favorites that are still best-in-class despite having been around for some time now. We aim to do things differently at TNW, and as such you’re not going to find the recommendations you’re probably used to seeing: Gmail, Skype, Dropbox, and the like. Instead, we want to focus on the best-of-the-best that you may not have heard of, and others that are just special enough to warrant a mention. As always, we’d encourage you to share some of your favorites in the comments below, or on Facebook. Enlight Pixaloop (Free Pixaloop  is one of my favorite apps on the market. Unlike typical image editors that allow you to remove red eye or apply a filter, Pixaloop allows you to create stunning photo animations with a few clicks on your
Read more