In part one of this article, we discussed the SafetyNet Attestation API and how it works. In this part, we go deeper and cover more technical ground.
Bypassing SafetyNet Tamper Detection
One of the main disadvantages of rooting an Android device is that some useful applications, such as banking and payment apps, refuse to run on it. Some gaming and government apps also abort the moment they detect a tampered device. So Android enthusiasts and independent researchers keep trying to break this detection, and sometimes their work pays off. With the introduction of Android Marshmallow, researchers found a new rooting method called "system-less root", which leaves the /system partition untouched. In the early days of this method, Android Pay (a payment app from Google) surprisingly kept working on rooted devices.
Well-known root developers, such as the authors of Magisk and Chainfire (SuperSU), have claimed on forums from time to time to bypass the SafetyNet check. In 2016, Chainfire released an app called suhide, later followed by suhide-lite, which hides root from SafetyNet and could indeed defeat the check; many updated versions followed. This is something that should alarm app developers and security professionals. We wanted to find out whether it could beat the SafetyNet check on Android Nougat, so we carried out a test in our lab.
In our tests, we used some demo apps written specifically to exercise the SafetyNet API, alongside some UPI payment apps. The SafetyNet API was checked on a device running Android Nougat 7.1.2. There were two observations:
- basicIntegrity and ctsProfileMatch both returned false when checked on a tampered device without suhide-lite, i.e. the SafetyNet API worked as it was designed and implemented.
- Both parameters returned true when checked with suhide-lite installed and configured: SafetyNet failed to detect the tampered state of the device.
We also observed that different demo apps produced different results under the same conditions, which was confusing. The UPI payment apps, however, behaved consistently, which let us summarise the test results with confidence: with suhide-lite installed and configured, we were able to perform operations in the UPI payment apps that would otherwise have been blocked.
At the end of our tests, we concluded in our report that suhide-lite could successfully beat the SafetyNet Attestation API, at least as of 11 November 2017. Note that suhide-lite does not forge the attestation response; it hides root from the checks the service performs on the device, so the service signs a clean verdict and a correctly verified response still says the device is fine.
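To show what a relying party's server should do with the two flags measured above, here is an added example; it is not code from the original article or from TCS. It assumes the documented shape of a SafetyNet attestation response: a compact JWS whose payload carries nonce, timestampMs, apkPackageName, apkCertificateDigestSha256, basicIntegrity and ctsProfileMatch. The package name, certificate digest and signing key are made up, and the signature is an HS256 stand-in for Google's RS256 signature so that the block runs offline with only the standard library; a real verifier must check the RS256 signature with the leaf certificate from the JWS x5c header, validate that chain to a trusted root and confirm the certificate was issued to attest.android.com. The constructed payloads mirror the lab observations: a stock device, a rooted device without suhide-lite, and a rooted device with suhide-lite, which is indistinguishable from the stock one because the service signed a clean verdict.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Dict, List, Optional, Tuple

# Constructed for this example. The real attestation is a JWS signed with RS256
# by the leaf certificate in the "x5c" header (chain validated to a trusted root,
# hostname attest.android.com); an HS256 stand-in keeps this runnable offline.
DEMO_SIGNING_KEY = b"example-key-not-a-real-safetynet-credential"
EXPECTED_ALG = "HS256"  # pinned; in production this is "RS256"

# What the relying party knows about its own app (assumed values for the example).
EXPECTED_PACKAGE = "com.example.upiwallet"
EXPECTED_CERT_DIGEST = base64.b64encode(hashlib.sha256(b"example cert").digest()).decode()
MAX_AGE_MS = 5 * 60 * 1000  # reject attestations older than five minutes


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_jws(payload: dict) -> str:
    """Produce a compact JWS in the shape the attestation service returns."""
    header = _b64url_encode(json.dumps({"alg": EXPECTED_ALG}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(DEMO_SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_attestation(jws: str, expected_nonce: bytes,
                       now_ms: Optional[int] = None) -> Tuple[bool, List[str]]:
    """Evaluate one attestation response. Returns (accepted, reasons); fails closed."""
    try:
        header_b64, body_b64, sig_b64 = jws.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return False, ["malformed JWS"]

    # 1. Signature over header.payload; the algorithm is pinned so a client
    #    cannot downgrade to "none" or switch the key type.
    if header.get("alg") != EXPECTED_ALG:
        return False, ["unexpected alg %r" % header.get("alg")]
    expected_sig = hmac.new(DEMO_SIGNING_KEY, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return False, ["bad signature"]

    reasons = []
    # 2. Nonce issued server side for this session, so verdicts cannot be replayed.
    if payload.get("nonce") != base64.b64encode(expected_nonce).decode():
        reasons.append("nonce mismatch")
    # 3. Freshness: timestampMs is set by the attestation service.
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    ts = payload.get("timestampMs")
    if not isinstance(ts, int) or not 0 <= now_ms - ts <= MAX_AGE_MS:
        reasons.append("stale or future timestamp")
    # 4. Identity of the calling app, so a repackaged APK is rejected.
    if payload.get("apkPackageName") != EXPECTED_PACKAGE:
        reasons.append("package name mismatch")
    if payload.get("apkCertificateDigestSha256") != [EXPECTED_CERT_DIGEST]:
        reasons.append("signing certificate mismatch")
    # 5. The two verdict flags from the lab test; a missing flag counts as false.
    if payload.get("basicIntegrity") is not True:
        reasons.append("basicIntegrity false")
    if payload.get("ctsProfileMatch") is not True:
        reasons.append("ctsProfileMatch false")
    return not reasons, reasons


def demo_results(now_ms: int = 1_510_358_400_000) -> Dict[str, Tuple[bool, List[str]]]:
    """Run the verifier over constructed payloads mirroring the lab observations."""
    nonce = os.urandom(16)  # per-session nonce the server handed to the app
    base = {
        "nonce": base64.b64encode(nonce).decode(),
        "timestampMs": now_ms - 1_000,
        "apkPackageName": EXPECTED_PACKAGE,
        "apkCertificateDigestSha256": [EXPECTED_CERT_DIGEST],
    }
    clean = {**base, "ctsProfileMatch": True, "basicIntegrity": True}
    rooted = {**base, "ctsProfileMatch": False, "basicIntegrity": False}
    results = {
        "stock device": verify_attestation(make_demo_jws(clean), nonce, now_ms),
        "rooted, no suhide-lite": verify_attestation(make_demo_jws(rooted), nonce, now_ms),
        # suhide-lite hides root from the on-device checks, so the service signs a
        # clean verdict and the server has nothing to reject.
        "rooted, suhide-lite active": verify_attestation(make_demo_jws(clean), nonce, now_ms),
    }
    # A client that edits the verdict after the fact invalidates the signature.
    header, _, sig = make_demo_jws(rooted).split(".")
    edited = f"{header}.{_b64url_encode(json.dumps(clean).encode())}.{sig}"
    results["verdict edited on device"] = verify_attestation(edited, nonce, now_ms)
    # A genuine verdict replayed into a different session fails the nonce check.
    results["replayed in another session"] = verify_attestation(
        make_demo_jws(clean), os.urandom(16), now_ms)
    return results
```

The case to take away is the third one: no amount of server-side verification catches suhide-lite, because the verdict is genuine and it is the device state the service measured that was hidden. Server-side verification still matters, though; the edited-verdict and replay cases show what a client can do when an app trusts a response it decoded locally, which is why the decision belongs on the server with the nonce, timestamp, package name and certificate digest all checked.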
The risk factor for developers
With the test results above, one might assume the risk has gone up, but before drawing conclusions we should look at some facts. According to an antivirus vendor's research study, 7.6% of Android users worldwide root their devices, and India is not among the top 10 countries where users root their Android. That is certainly a relief for developers whose apps are used only in India.
Another fact: 51.8% of Android devices worldwide run Marshmallow or later. This should cut your worries in half, as the SafetyNet bypass methods most likely do not work on earlier versions of Android; in other words, developers need not worry about almost half of the Android population. Android's official developer website presents these figures with a note that they are accurate up to 9 November 2017. We should also emphasise the word 'device' in that 51.8%, since the figure includes Android wearables, Android TVs and so on, along with phones. Hence the risk reduces significantly for developers targeting phones in India only.
The final words
We have seen the SafetyNet Attestation API fail, and we have seen the facts above. For now, the SafetyNet API fails to detect a tampered device, but there will be many updates to the API, and the same goes for Chainfire's suhide-lite. Even though it can be beaten for now (not effortlessly), it is still wise and best practice to include this API in your code, verify the signed response on your server rather than in the app, and treat the verdict as one signal among others. The rule of thumb is: better safe than sorry.
Authored By - Sourabh Jain
TCS Cyber Security Practice