Magisk Manager unable to pass SafetyNet check with AdGuard enabled #1894

Closed
ianmacd opened this issue May 31, 2018 · 22 comments

@ianmacd ianmacd commented May 31, 2018

Steps to reproduce

  1. Create an exception for Magisk Manager under Apps Management. Uncheck 'Enabled'.
  2. Start Magisk Manager with AdGuard enabled
  3. Tap on 'Tap to start SafetyNet check'.

Expected behavior

SafetyNet check should pass.

Actual behavior

"The response is invalid."

  1. Now disable Adguard completely.
  2. Tap again on 'Tap to start SafetyNet check'.

Now Safety Net check will pass.

  • Adguard version: 2.12.34
  • Adguard filtering mode: Proxy (auto)
  • Device model: S9+, also S3 Tab
  • Operating system and version: Android 8.0
  • Rooted or not? Yes

Possibly the problem is related to the fact that Magisk Manager downloads an extra package to perform the Safety Net check, and invokes this as com.topjohnwu.snet. But this plug-in cannot be found under Apps Management in AdGuard, so it is impossible to disable filtering for it.

@ameshkov ameshkov added this to the 2.12 milestone May 31, 2018
Member

@Revertron Revertron commented May 31, 2018

Some new data:
If I disable AdGuard and run the SafetyNet check once, it says "Success".
If I then enable AdGuard and filtering for Magisk, it will say "Success" again.

It seems that our root proxy mode is interfering with the installation of snet.apk, not with connections o_O.

Member

@Revertron Revertron commented May 31, 2018

Then, if I disable and re-enable Wi-Fi network, it will get an error again...

And every time there are no connections in our full log. Weird...

Member

@Revertron Revertron commented Jun 5, 2018

Okay, this time I have no problems checking SafetyNet on my phone. But one thing changed - I rebooted it yesterday.

So, @ianmacd, try these steps:

  1. Disable AdGuard protection
  2. Check SafetyNet in Magisk
  3. Reboot your device
  4. After reboot enable AdGuard protection
  5. Check SafetyNet in Magisk once more

Does Magisk still show an error on step 5?

@ameshkov ameshkov modified the milestones: 2.12, 3.0 Sep 18, 2018
Member

@ameshkov ameshkov commented Nov 8, 2018

@ianmacd is there still an issue with this?


@Samitinjaya Samitinjaya commented Nov 29, 2018

I have replicated the steps listed by @Revertron.

Adguard Ver 2.12.247
DNS On - DNS requests blocking on
HTTPS Filtering - on
Filtering Mode - Local HTTP Proxy - Rooted
HTTPS Filtering for Magisk - Off

Internet Connectivity - Wireless
Safety Net- Response is invalid
Turn Off Adguard
Reboot
Turn on Adguard
Safety Net - Pass

Turn LTE On Wireless Off
Safety Net - Response is invalid
Turn Off Adguard
Reboot
Turn on Adguard
Safety Net - Response is invalid
One more try - Pass

After one hour either on Wireless or LTE
Safety Net - Response is invalid

For every app which doesn't work, the above procedure works when you are on a specific Internet connectivity, right after reboot. The moment you change especially from Wireless to LTE, things stop working till you turn off Adguard and reboot and turn it back on. However there is no consistency in the success of the same.


@MZGSZM MZGSZM commented Jan 25, 2019

I can confirm this is an issue for me as well. AdGuard app version 2.12.247 on Android 9. My phone is the OnePlus 5 running the Pixel Experience ROM.

It seems this affects a few other apps for me as well.

Pokémon GO: Sign in doesn't work unless AdGuard is completely disabled. Nothing is listed as blocked in AdGuard
Stash: Throws an error at startup that says "Something went wrong. Please verify that you are using the latest version, then try again". Nothing shows as blocked in AdGuard and completely disabling it is the only way to get the app to work.
Snapchat: This one behaves much in the same way as PoGO in that sign in doesn't work and an error is thrown until AdGuard has been completely disabled.

Thankfully I don't use any of these apps very often.
Let me know if there's any other information that would be helpful for diagnosing this problem.

Thanks!
~Nathan


@freezewind freezewind commented Jan 30, 2019

I confirm this in VPN mode also if I move the certificate to the system store.
Version 2.12.247
Pixel 2 XL, Android 9

Member

@ameshkov ameshkov commented Jan 31, 2019

@MZGSZM @freezewind guys, how exactly did you move the certificate? Did you do it in AdGuard settings or using a Magisk module?


@MZGSZM MZGSZM commented Jan 31, 2019

> @MZGSZM @freezewind guys, how exactly did you move the certificate? Did you do it in AdGuard settings or using a Magisk module?

I tried to move it with the app but had no success so I used the "Move Certificates" module by "yochananmarqos" from the Magisk repo.


@freezewind freezewind commented Jan 31, 2019

I use the "Move Certificates" module too.


@toneillAU toneillAU commented Feb 3, 2019

Not sure if it worsens ad blocking, but adding googleapis.com to Settings > HTTPS Filtering > Whitelist appears to fix it.


@MZGSZM MZGSZM commented Feb 4, 2019

> Not sure if it worsens ad blocking, but adding googleapis.com to Settings > HTTPS Filtering > Whitelist appears to fix it.

I may have to try that, though I'd be interested to hear how that will affect ad blocking if anyone here knows.

Member

@ameshkov ameshkov commented Feb 4, 2019

> Not sure if it worsens ad blocking, but adding googleapis.com to Settings > HTTPS Filtering > Whitelist appears to fix it.

Hm, this is interesting! However, I'd better have HTTPS filtering of this domain disabled for a specific app and not for all apps. Any idea which app connects there?

@ameshkov ameshkov closed this Feb 4, 2019
@ameshkov ameshkov reopened this Feb 4, 2019
@ameshkov ameshkov assigned nkartyshov and unassigned Revertron Feb 4, 2019
Contributor

@nkartyshov nkartyshov commented Feb 5, 2019

I disabled HTTPS filtering for the app com.google.android.gms and the SafetyNet check succeeds.

Member

@ameshkov ameshkov commented Feb 5, 2019

@nkartyshov well, I guess we need to figure out a way to disable HTTPS filtering for googleapis.com requests sent from com.google.android.gms.

Member

@ameshkov ameshkov commented Feb 5, 2019

Maybe we should extend the current HTTPS filtering exclusions list format and allow specifying an app name there?

Contributor

@nkartyshov nkartyshov commented Feb 5, 2019

@ameshkov yes, we can support $app options in the HTTPS filtering exclusions list. But it needs to be implemented in proxy corelibs because we pass the SSL whitelist and SSL blacklist to the configuration corelibs.


@MZGSZM MZGSZM commented Feb 19, 2019

It appears this problem is resolved in the beta 3.0 release [3.0.241B (1.3.142cl) specifically]. I haven't been able to test it extensively, but haven't had issues with Magisk Manager being unable to check SafetyNet status since I installed this update.

Member

@ameshkov ameshkov commented Feb 19, 2019

Awesome, thank you for testing it!


@freezewind freezewind commented Feb 20, 2019

I also tried 3.0.241B, but it doesn't resolve this problem for me if I reset the HTTPS Whitelist (I added googleapis.com to the Whitelist myself).

Member

@ameshkov ameshkov commented Feb 20, 2019

Well, in the current version we disabled HTTPS filtering for Google Play Services (com.google.android.gms). If you have enabled it manually, it will mess with the fix.

In the next build, we'll use a better solution: disable HTTPS filtering for googleapis.com connections which are made by com.google.android.gms. This type of exclusion is not yet supported in the first beta.

Contributor

@nkartyshov nkartyshov commented Feb 28, 2019

Added the googleapis.com domain to the ssl exclusions for the com.google.android.gms app.
Commit: AdguardTeam/HttpsExclusions@272fd84

@zzebrum zzebrum closed this Mar 14, 2019
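
The thread moves from a global HTTPS-filtering whitelist entry for googleapis.com to an exclusion limited to connections made by com.google.android.gms. The following is an added example, not AdGuard's code, comparing which connections remain filtered under each rule; the `domain$app=package` syntax, the function names and the sample connections are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Exclusion:
    domain: str                 # excluded domain; also covers its subdomains
    app: Optional[str] = None   # package the rule is limited to; None = every app

def parse_rule(line: str) -> Exclusion:
    """Parse 'domain' or 'domain$app=package' (assumed syntax, not AdGuard's spec)."""
    domain, _, modifier = line.strip().partition("$")
    app = None
    if modifier:
        key, _, value = modifier.partition("=")
        if key != "app" or not value:
            raise ValueError(f"unsupported modifier: {modifier!r}")
        app = value
    return Exclusion(domain.lower().rstrip("."), app)

def host_matches(host: str, domain: str) -> bool:
    # Match on a label boundary so 'notgoogleapis.com' does not match 'googleapis.com'.
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def is_filtered(rules, app: str, host: str) -> bool:
    """True if the TLS connection would be intercepted, False if passed through."""
    return not any(
        host_matches(host, r.domain) and r.app in (None, app) for r in rules
    )

def filtered_set(rule_lines, connections):
    """Return the (app, host) pairs that are still subject to HTTPS filtering."""
    rules = [parse_rule(line) for line in rule_lines]
    return [(a, h) for a, h in connections if is_filtered(rules, a, h)]

# Constructed sample connections: (package name, TLS server name).
CONNECTIONS = [
    ("com.google.android.gms", "www.googleapis.com"),
    ("com.example.browser", "www.googleapis.com"),
    ("com.example.browser", "notgoogleapis.com"),
    ("com.google.android.gms", "ads.example.net"),
]

GLOBAL_RULES = ["googleapis.com"]                             # whitelist for all apps
SCOPED_RULES = ["googleapis.com$app=com.google.android.gms"]  # Play Services only

if __name__ == "__main__":
    for name, rules in (("global", GLOBAL_RULES), ("scoped", SCOPED_RULES)):
        print(name, filtered_set(rules, CONNECTIONS))
```

With the global rule, every app's googleapis.com traffic bypasses filtering; with the scoped rule, only Play Services' connections to that domain do, and its other connections stay filtered.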