SafetyNet’s hardware attestation feature is here to stay
Back in May 2020, Google surprised the Android modding community by silently introducing hardware-backed attestation for SafetyNet responses on some devices. Because Google’s servers did not entirely stop accepting “BASIC” evaluation reports for checking the integrity of a remote device’s software environment, the arrival of hardware-backed key attestation looked more like an experiment. At the time, however, Google said it was “…evaluating and adjusting the eligibility criteria for devices…,” hinting at a wide-scale rollout. Google is now doing exactly that.
According to a recent post on the Google Group for “SafetyNet API Clients,” the “evaluationType” field in the SafetyNet Attestation API response is now an officially supported feature. For developers, this means they can use Google Play Services to send an unmodified keystore certificate, generated by the device’s Trusted Execution Environment (TEE) or dedicated hardware security module (HSM), to the SafetyNet servers whenever they want to verify whether the device’s software environment has been tampered with in any way. The facility should not be overused, however: the official documentation says it is intended solely for apps that already use the “ctsProfileMatch” parameter and require the highest level of device integrity guarantees.
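To show what a server-side consumer of this field actually checks, here is an added example (not from the original article or from Google’s own libraries) that extracts the payload of a SafetyNet-style JWS and applies a policy requiring ctsProfileMatch plus a HARDWARE_BACKED evaluationType; the sample response is constructed with a placeholder signature, and verifying the real JWS signature against the attest.android.com certificate chain, as well as nonce and timestamp freshness, is assumed to happen before this check.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWS segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jws(cts: bool, basic: bool, evaluation_type: str) -> str:
    """Constructed, UNSIGNED SafetyNet-style JWS (header.payload.signature).
    Real responses are signed by attest.android.com; verify that chain first."""
    header = {"alg": "RS256", "x5c": ["<placeholder-cert>"]}
    payload = {
        "nonce": "c2FtcGxlLW5vbmNl",          # constructed sample nonce
        "timestampMs": 1598000000000,        # constructed sample timestamp
        "apkPackageName": "com.example.app", # hypothetical package name
        "ctsProfileMatch": cts,
        "basicIntegrity": basic,
        "evaluationType": evaluation_type,   # e.g. "BASIC" or "BASIC,HARDWARE_BACKED"
    }
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     _b64url(b"placeholder-signature")])


def attestation_payload(jws: str) -> dict:
    """Return the JSON claims carried in the middle segment of the JWS."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def device_integrity_ok(jws: str, require_hardware: bool = True) -> bool:
    """Policy: ctsProfileMatch must be true. With require_hardware, the
    evaluationType list must include HARDWARE_BACKED, so a verdict derived
    only from software-side (BASIC) signals is rejected."""
    claims = attestation_payload(jws)
    if not claims.get("ctsProfileMatch", False):
        return False
    if not require_hardware:
        return True
    eval_types = {t.strip() for t in claims.get("evaluationType", "").split(",")}
    return "HARDWARE_BACKED" in eval_types
```

Apps that do not need the strongest guarantee can pass require_hardware=False and keep accepting BASIC verdicts, which is the trade-off the documentation describes.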
There were signs of this a few weeks ago, when people noticed that Google Play Services had started giving preference to hardware attestation for CTS profile validation in many cases, even when basic attestation was selected. Keep in mind that it might still be possible to exploit the opportunistic nature of the hardware attestation routine and pass basic attestation in such scenarios. While this is not a permanent fix (and none before it has proven to be), it should allow people to bypass SafetyNet until Google decides to abandon basic evaluation altogether. Nevertheless, it is a shame for our enthusiast and developer community that Google is taking these steps in the first place.
If Google continues enforcing hardware-backed attestation, it could mean the end of the days when power users could run Google Pay and other SafetyNet-based apps alongside root access by employing masking techniques. Since the situation is still developing, things may be more complex than they appear on the surface. We will keep our readers posted on any new developments.
Thanks to XDA Member Some_Random_Username for the tip!