Magisk Manager unable to pass SafetyNet check with AdGuard enabled

[ianmacd]

Steps to reproduce

1. Create an exception for Magisk Manager under Apps Management. Uncheck 'Enabled'.
2. Start Magisk Manager with AdGuard enabled
3. Tap on 'Tap to start SafetyNet check'.

Expected behavior

SafetyNet check should pass.

Actual behavior

"The response is invalid."

4. Now disable Adguard completely.
5. Tap again on 'Tap to start SafetyNet check'.

Now Safety Net check will pass.

• Adguard version: 2.12.34
• Adguard filtering mode: Proxy (auto)
• Device model: S9+, also S3 Tab
• Operating system and version: Android 8.0
• Rooted or not? Yes

Possibly the problem is related to the fact that Magisk Manager downloads an extra package to perform the Safety Net check, and invokes this as com.topjohnwu.snet. But this plug-in cannot be found under Apps Management in AdGuard, so it is impossible to disable filtering for it.

[Revertron]

Some new data:
If I disable AdGuard and start one time SafetyNet Check, then it says "Success".
If I then enable AdGuard and filtering for Magisk, it will say "Success" again.

It seems, that our root proxy mode is interfering with installation of snet.apk, not connections o_O.

[Revertron]

Then, if I disable and re-enable Wi-Fi network, it will get an error again...

And every time there is no connections in our full-log. Weird...

[Revertron]

Okay, this time I have no problems to check SafetyNet on my phone. But one thing changed - I've rebooted it yesterday.

So, @ianmacd, try to make these steps:

1. Disable AdGuard protection
2. Check SafetyNet in Magisk
3. Reboot your device
4. After reboot enable AdGuard protection
5. Check SafetyNet in Magisk once more

Does Magisk still show an error on step 5?

[ameshkov]

@ianmacd is there still an issue with this?

[Samitinjaya]

I have replicated the steps listed by @Revertron.

Adguard Ver 2.12.247
DNS On - DNS requests blocking on
HTTPS Filtering - on
Filtering Mode - Local HTTP Proxy - Rooted
HTTPS Filtering for Magisk - Off

Internet Connectivity - Wireless
Safety Net- Response is invalid
Turn Off Adguard
Reboot
Turn on Adguard
Safety Net - Pass

Turn LTE On Wireless Off
Safety Net - Reponse is invalid
Turn Off Adguard
Reboot
Turn on Adguard
Safety Net - Response is invalid
One more try - Pass

After one hour either on Wireless or LTE
Safety Net - Response is invalid

For every app which doesn't work, the above procedure works when you are on a specific Internet connectivity, right after reboot. The moment you change especially from Wireless to LTE, things stop working till you turn off Adguard and reboot and turn it back on. However there is no consistency in the success of the same.

[MZGSZM]

I can confirm this is an issue for me as well. AdGuard app version 2.12.247 on Android 9. My phone is the OnePlus 5 running the Pixel Experience ROM.

It seems this affects a few other apps for me as well.

Pokémon GO: Sign in doesn't work unless AdGuard is completely disabled. Nothing is listed as blocked in AdGuard
Stash: Throws an error at startup that says "Something went wrong. Please verify that you are using the latest version, then try again". Nothing shows as blocked in AdGuard and completely disabling it is the only way to get the app to work.
Snapchat: This one behaves much in the same way as PoGO in that sign in doesn't work and an error is thrown until AdGuard has been completely disabled.

Thankfully I don't use any of these apps very often.
Let me know if there's any other information that would be helpful for diagnosing this problem.

Thanks!
~Nathan

[freezewind]

I confirm this in vpn mode also if I move the certificate to system store.
version 2.12.247
pixel 2 xl android 9

[ameshkov]

@MZGSZM @freezewind guys, how exactly did you move the certificate? Did you do it in AdGuard settings or using a Magisk module?

[MZGSZM]

@MZGSZM @freezewind guys, how exactly did you move the certificate? Did you do it in AdGuard settings or using a Magisk module?

I tried to move it with the app but had no success so I used the "Move Certificates" module by "yochananmarqos" from the Magisk repo.

[freezewind]

I also use "Move Certificates" module too.

[toneillAU]

Not sure if it worsens ad blocking, but adding googleapis.com to Settings > HTTPS Filtering > Whitelist appears to fix it.

[MZGSZM]

Not sure if it worsens ad blocking, but adding googleapis.com to Settings > HTTPS Filtering > Whitelist appears to fix it.

I may have to try that, though I'd be interested to hear how that will affect ad blocking if anyone here knows.

[ameshkov]

Not sure if it worsens ad blocking, but adding googleapis.com to Settings > HTTPS Filtering > Whitelist appears to fix it.

Hm, this is interesting! However, I'd better have HTTPS filtering of this domain disabled for a specific app and not for all apps. Any idea which app connects there?

[nkartyshov]

I disabled https filtering from app com.google.android.gms and SafetyNet check succeeds

[ameshkov]

@nkartyshov well, I guess we need to figure a way how to disable HTTPS filtering for googleapis.com requests sent from com.google.android.gms.

[ameshkov]

Maybe we should extend the current HTTPS filtering exclusions list format and allow specifying app name there?

[nkartyshov]

@ameshkov yes, we can support $app options to the HTTPS filtering exclusions list. But it needs implement in proxy corelibs because we pass ssl whitelist and ssl blacklist to the configuration corelibs.

[MZGSZM]

It appears this problem is resolved in the beta 3.0 release [3.0.241B (1.3.142cl) specifically]. I haven't been able to test it extensively, but haven't had issues with Magisk Manager being unable to check SafetyNet status since I installed this update.

[ameshkov]

Awesome, thank you for testing it!

[freezewind]

I also tried 3.0.241B, but it doesn't resolve this problem for me if I reset the HTTPs Whitelist( I added googleapis.com to Whitelist by myself ).

[ameshkov]

Well, in the current version we disabled HTTPS filtering for Google Play Services (com.google.android.gms). If you have enabled it manually, it will mess with the fix.

In the next build, we'll use a better solution, disable HTTPS filtering for googleapis.com connections which are made by com.google.android.gms. This type of exclusions is not yet supported in the first beta

[nkartyshov]

Added the googleapis.com domain to the ssl exclusions for the com.google.android.gms app.
Commit: AdguardTeam/HttpsExclusions@272fd84