Google Pay tests showing SafetyNet status and PINs for online purchases

XDA

Google Pay tests showing SafetyNet status on the home page and protecting Online Purchases with a PIN

By Mishaal Rahman

Published Nov 22, 2019

The latest version of the Google Pay app tests showing a SafetyNet Attestation check on the home page and PIN protecting online purchases.

Google Pay is slowly becoming a full wallet replacement as it adds support for more forms of payment, more banks, and more card types. To satisfy financial institutions and protect users' financial data, the Google Pay app uses the SafetyNet Attestation API to verify that the app isn't running on a device with tampered software. Of course, Magisk root is designed to bypass these checks, but the SafetyNet API checks aren't static and users may accidentally install a mod or edit a file that causes the API to report a failure in attestation. Due to the way that Google Pay checks the SNet status, users may not know that their device no longer passes SNet until they actually go to make a payment. That could change in the near future, however, as the Google Pay app could add a built-in SafetyNet status checker on the home page.

An APK teardown can often predict features that may arrive in a future update of an application, but it is possible that any of the features we mention here may not make it in a future release. This is because these features are currently unimplemented in the live build and may be pulled at any time by the developers in a future build.

SafetyNet Checker

Back in July, we spotted strings for a new attestation check notification in the Google Pay app. This feature is now fully functional in the latest version. Once it goes live, if your device fails the Attestation API check for whatever reason, you'll see a message in the home tab that tells you your phone "can't make contactless payments." If you tap to "check software," you'll receive a more detailed message about why you can't use Google Pay. For instance, I disabled MagiskHide on my rooted Pixel 2 XL and received the following messages:

When this feature goes live, you can check your device's SNet status in the Google Pay app beforehand, so you won't be surprised at the counter when you can't make a contactless payment. There are plenty of third-party apps on Google Play that can do this, not to mention Magisk Manager's own built-in SafetyNet checker, but this is just one more way to check if your device passes.

PIN Protect Online Purchases

This next feature, which was first spotted by Jane Manchun Wong, will allow you to toggle PIN protection for every online purchase you make using your Google Account PIN. I was able to surface this setting, but even after entering my Google Account PIN, I was unable to keep this setting enabled through the Google Pay app.

As usual, these features aren't yet accessible for the general public in the latest version of the app from Google Play. Once these features go live, we'll let you know.

Thanks to PNF Software for providing us a license to use JEB Decompiler, a professional-grade reverse engineering tool for Android applications.