How to pass SafetyNet on Android after rooting or installing a custom ROM

How to pass SafetyNet on Android after rooting or installing a custom ROM

SafetyNet bypassing has long been a cat and mouse game between Google and the community. The community loves to modify the software on their phone, a process that usually involves bootloader unlocking as the first step. But this, in turn, trips SafetyNet, which can cause several popular apps to stop working on the phone, some of them understandably so as they rely on a tamper-proof environment for execution.

SafetyNet is meant for app developers, but they can choose to use it or not. For a regular end user, though, you can either give up on the modding potential of Android and pass the SafetyNet compatibility tests, or stay ostracized by the app publishers. If you’re wondering how to pass SafetyNet even after rooting or installing a custom ROM on your device, this guide should help you with that.

XDA VIDEO OF THE DAY

Table of Contents:

What is SafetyNet?

Android is designed to run without giving the end user any kind of privileged control over the underlying subsystems. In case a person operating an Android device is able to gain similar access to administrative (AKA “superuser”) permissions as on Linux, they can essentially alter or replace Android system applications and settings. From the perspective of an app developer, it means the device their app is running on can potentially be compromised. There should be some kind of abuse detection system to examine the device’s software and hardware environment and assure the app developers that everything is alright. This is where SafetyNet comes in.

While modding is an integral part of the Android ecosystem, sometimes you need a high degree of rigor in the OS to satisfy the constraints of security policies. SafetyNet is such a set of abuse-detection APIs present in the Google Play Services. By calling the SafetyNet Attestation API, third-party applications can check if the software environment of the device has been tampered with in any way. The API checks for various things like the bootloader unlock status, signs of superuser binaries, and more to compare the current state of the target Android device and verify the integrity of the environment against a known ‘safe’ value on the server-side.

SafetyNet Attestation API protocol

SafetyNet Attestation API protocol


SafetyNet tripping and its consequences

A number of departure events from the stock configuration of an Android device eventually lead to SafetyNet tripping. Even if you just unlock the bootloader of your phone and leave the factory-installed OS untouched, you may still get a “CTS profile mismatch” (where CTS stands for the Compatibility Test Suite) error that causes the SafetyNet check to fail. If you root your Android device or replace the stock firmware with a custom ROM, you will pretty much end up with a SafetyNet failed status. As a result, you can’t use apps and games that employ SafetyNet validation on the device. This is especially true for banking and other financial apps such as Google Pay, as they strictly rely on the SafetyNet Attestation result and won’t allow users to operate the app on a seemingly tampered environment for the sake of security.

Google Pay SafetyNet checker

When it comes to games, developers use SafetyNet for assessing the device’s integrity so that they can prevent rogue players from cheating or modifying in-game variables for unfair advantages. Last but not least, you can also come across examples where publishers are simply misusing Google’s tamper detection mechanism for no practical reason, which is why power users want to evade the detection routines.

In a nutshell, the modding community will have to choose between having access to root/custom ROMs/kernels/etc. or their preferred apps and games. This might sound like the end of aftermarket development on Android, but there is hope.


How to pass SafetyNet attestation on Android devices

Since Google periodically updates the backbone of the SafetyNet Attestation API, there is no true universal method to bypass the checks. Since the restrictions depend on a number of factors, you may pass SafetyNet on a modded environment by spoofing the most significant parameters on legacy devices, but the same trick might not work at all on newer phones. The aftermarket development community has come up with a number of techniques for passing the SafetyNet checks, but keep in mind that a generic implementation isn’t possible due to the ever-changing nature of the anti-abuse API. This is a game of cat-and-mouse — one day you will be ahead, the other day you will not be.

With the gradual move towards the hardware attestation strategy, Google is relying on the security of the phone’s Trusted Execution Environment (TEE) or dedicated hardware security module (HSM) for tamper detection. Finding a critical security vulnerability in the isolated secure environment of a device and exploiting it to spoof SafetyNet’s client-side response can’t be a feasible approach, but there exist other ways to get past the obstacle.

Here are some of the well-known methods to pass SafetyNet:

1. Restoring the original firmware and relocking the bootloader

This is perhaps the simplest way to pass SafetyNet, but it has its own merits and demerits. All you need to do is find the correct firmware for your Android device, flash it, and finally re-lock the bootloader. Of course, you’ll lose most of the bells and whistles of Android modding, but it actually makes sense when you need to use your device in a managed environment with strict security policies or you’re trying to sell your device.

2. Using Magisk

If you own a legacy Android smartphone, Magisk is your best bet to pass SafetyNet without much hassle. Even though the current Canary channel of Magisk doesn’t feature MagiskHide anymore, you can still stick to last stable release (v23.0) and utilize MagiskHide to hide root status from apps. Furthermore, you can install Magisk modules like MagiskHide Props Config to change the device fingerprint in order to pass SafetyNet.

Talking about the Canary channel, the new “DenyList” feature of  Magisk is an interesting development, which allows users to assign a list of processes where Magisk denies further modifications and reverts all changes it had done. With an appropriate configuration, it can also be used to pass SafetyNet in some scenarios.

Magisk XDA Forums

Lastly, there’s Shamiko — a work-in-progress module written on top of Zygisk (Magisk in the zygote process). It reads the list of apps to hide from Magisk’s denylist to hide Magisk root, Zygisk itself, and Zygisk modules to circumvent SafetyNet. However, Shamiko can only work after disabling the DenyList feature.

3. Using Universal SafetyNet Fix

Bypassing Google’s hardware-backed SafetyNet attestation technique is a tad bit difficult, but it’s not entirely impossible. The Universal SafetyNet Fix project by XDA Senior Member kdrag0n cleverly accomplishes this feat by forcing the basic attestation over the hardware-backed checks.

Notably, Universal SafetyNet Fix has a dependency on Magisk when it comes to passing the basic attestation part. The developer offers two different builds of the fix: The Zygisk variant for Magisk Canary and the Riru variant for stable Magisk.

Universal SafetyNet Fix: GitHub Repo |||  XDA Discussion Thread

4. ih8sn

In case you don’t want to rely on Magisk to pass SafetyNet attestation, you can try out an experimental add-on named ih8sn. After applying, it can spoof a plethora of prop values in order to circumvent SafetyNet checks like the MagiskHide Props Config module, but there’s no dependency on Magisk in the first place.

The ih8sn tool is maintained by several LineageOS developers, but the LineageOS project doesn’t officially endorse it yet. To know more, take a look at its codebase by following the link below.

ih8sn GitHub Repo


Verification

After applying one of the aforementioned SafetyNet passing methods, you may wish to verify the result. The Magisk app comes with an option to initiate the SafetyNet checking routine right from its main menu, which is really handy. You can also opt for an open source app named YASNAC (short for Yet Another SafetyNet Attestation Checker) to check the status and (optionally) examine the JSON response.

YASNAC SafetyNet attestation

YASNAC - SafetyNet Checker

That’s how you can pass SafetyNet on your phone. With a little bit of time and patience, it is possible to restore the true modding potential of Android without bothering about the SafetyNet Attestation failures. We’ll be updating this guide with more SafetyNet passing methods, so check back again in the future!

About author

Skanda Hazarika
Skanda Hazarika

DIY enthusiast (i.e. salvager of old PC parts). An avid user of Android since the Eclair days, Skanda also likes to follow the recent development trends in the world of single-board computing.

We are reader supported. External links may earn us a commission.