Latest SafetyNet improvements threaten to finally kill Magisk Hide


Magisk and Google have been playing a game of cat and mouse for years: Google's SafetyNet technology is supposed to be triggered when it notices a rooted device, but Magisk Hide does its best to keep banking apps, Pokémon Go, and other root-despising applications going, no matter what you do with your phone. However, the latest update to SafetyNet, apparently rolling out via the Play Services, seems to put an end to the game permanently. Magisk developer John Wu isn't convinced he'll find a solution that would keep his tool intact once Google fully implements the change.
John Wu describes on Twitter that the recent update properly uses SafetyNet's key attestation API that remotely verifies a device's security status. It looks like Google hasn't utilized this check to its full potential previously. In order to hack the API, developers would either need to find a vulnerability in the Trusted Execution Environment (TEE) in Android, a mini OS responsible for security-relevant tasks, or a hardware vulnerability. Both solutions come with difficulties: TEE could be fixed via a software update, and Google and other manufacturers pay out thousands of dollars to anyone who finds breaches in their hardware, meaning that the companies are pretty convinced they're hard to hack.
For the moment, John Wu and his team should be able to work around the issue. The key attestation is not fully enforced yet — even when the check fails, SafetyNet still isn't triggered. That's probably due to a few OEMs like OnePlus that haven't implemented the key checking feature correctly on their part. Magisk Hide could thus force a key attestation failure to pass SafetyNet. However, John Wu notes that any solution he can currently think of would fail once Google fully deploys the change to SafetyNet that processes the attestation on a Google server, outside of Magisk's reach.
So here we go, after years of fun messing around using Magisk, it seems that Google FINALLY decided to "fix" SafetyNet to something useful, and that is to use key attestation to verify device status (after 3 years since introduced to Android's platform!)
132 people are talking about this

Even though Wu's Twitter thread is considerably pessimistic, we shouldn't give up Magisk Hide just yet. The developer has overcome seemingly impossible odds before, and it's certainly thinkable that he can do it again. Even if John Wu doesn't find a solution himself, another intrepid developer might come along and discover one — so far, it has always worked out. Let's hope for the best.

Comments

Popular posts from this blog

Linktree’s free workaround lets you add multiple links to your Instagram bio

EVERYTHING WE KNOW ABOUT THE PIXEL 4, THE MOST-LEAKED PHONE EVER

Stable Android 10 starts hitting the Galaxy Note10 and Note10+ (Update: Canada)