This project is a set of tools that allow researchers to experiment with certificate chain validation issues, mostly centered around the idea of a web service validating a Google SafetyNet payload.
This does not demonstrate any vulnerability with SafetyNet itself, but rather a harmful design pattern that developers may accidentally implement following common advice regarding certificate chain validation.
Some scripts require dependencies, which can be installed with pip install -r requirements.txt.
In mitm-tools/jwsmodify.py you will find a set of high-level tools for modifying JWS payloads in flight: the payload is run through a mutation function, a new self-signed CA certificate and a leaf certificate issued by that CA are generated, and the JWS is re-bundled to contain a forged signature, the mutated payload, and the rogue CA and leaf certificates.
In mitm-tools/rogue_ca.py there is a small set of helper tools to create self-signed CA certificates and associated leaf certificates.
In mitm-tools/jwsmodify_mitmproxy_addon.py there is a mitmproxy addon that intercepts SafetyNet attestations sent to web services. You can run mitmproxy with the addon enabled like so:
mitmproxy -s mitm-tools/jwsmodify_mitmproxy_addon.py
SafetyNet Flask example
This Flask application exposes an endpoint, /safetynet/validate, which expects a POST request with a jws parameter containing a SafetyNet JWS. Its certificate chain validation algorithm incorrectly trusts intermediate certificates as though they were trusted roots: the chain is checked link by link, but the certificate at the top of the chain is accepted as the trust anchor even though it was supplied by the client rather than taken from the server's own trust store.
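To make the flaw concrete, here is an added example (written for this page, not code from the project) that reproduces the harmful pattern beside a corrected validator using the cryptography package, which is assumed to be installed. The root, intermediate, leaf and rogue certificates, the trust store and the x5c chains are all constructed inline; the hostname check on attest.android.com stands in for the leaf-identity check that the common advice recommends and that the flawed pattern relies on.

```python
# Added example, not part of the chain-of-fools project. Assumes the
# `cryptography` package; all certificates below are constructed here.
import base64
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ATTEST_HOSTNAME = "attest.android.com"  # CN expected on the genuine leaf


def _make_cert(subject_cn, issuer_cn, subject_key, issuer_key, is_ca):
    """Build a minimal EC X.509 certificate (constructed test material)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def _x5c(*certs):
    """Encode a chain the way a JWS x5c header does: base64 DER, leaf first."""
    return [base64.b64encode(c.public_bytes(serialization.Encoding.DER)).decode() for c in certs]


def _load_x5c(x5c):
    return [x509.load_der_x509_certificate(base64.b64decode(s)) for s in x5c]


def _issued_by(cert, issuer):
    """True if issuer's public key verifies cert's signature (EC only here)."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def _is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def _common_name(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def validate_chain_insecure(x5c):
    """The harmful pattern: each link verifies and the leaf has the right
    hostname, but the trust anchor is whatever self-signed cert the chain
    itself supplied, so an attacker's own CA is accepted as a root."""
    chain = _load_x5c(x5c)
    if not chain:
        return False
    for cert, issuer in zip(chain, chain[1:]):
        if not _issued_by(cert, issuer):
            return False
    if not _issued_by(chain[-1], chain[-1]):  # accepts ANY self-signed top cert
        return False
    return _common_name(chain[0]) == ATTEST_HOSTNAME


def validate_chain_secure(x5c, trust_store):
    """Same link checks, plus: every issuer must be a CA, and the top of the
    chain must be signed by a root from OUR trust store. A self-signed root in
    the store verifies itself, so the chain may include or omit the root."""
    chain = _load_x5c(x5c)
    if not chain:
        return False
    for cert, issuer in zip(chain, chain[1:]):
        if not _is_ca(issuer) or not _issued_by(cert, issuer):
            return False
    if not any(_is_ca(root) and _issued_by(chain[-1], root) for root in trust_store):
        return False
    # A production validator also checks validity periods, key usage and revocation.
    return _common_name(chain[0]) == ATTEST_HOSTNAME


# Constructed PKI: a root we trust, an intermediate, and a genuine-looking leaf.
_root_key, _int_key, _leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
ROOT = _make_cert("Example Trusted Root", "Example Trusted Root", _root_key, _root_key, True)
INTERMEDIATE = _make_cert("Example Intermediate", "Example Trusted Root", _int_key, _root_key, True)
LEAF = _make_cert(ATTEST_HOSTNAME, "Example Intermediate", _leaf_key, _int_key, False)
TRUST_STORE = [ROOT]
LEGIT_X5C = _x5c(LEAF, INTERMEDIATE, ROOT)

# Rogue chain of the kind mitm-tools/jwsmodify.py substitutes: a fresh
# self-signed CA plus a leaf it issued, with the expected hostname copied in.
_rogue_ca_key, _rogue_leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
ROGUE_CA = _make_cert("Rogue CA", "Rogue CA", _rogue_ca_key, _rogue_ca_key, True)
ROGUE_LEAF = _make_cert(ATTEST_HOSTNAME, "Rogue CA", _rogue_leaf_key, _rogue_ca_key, False)
ROGUE_X5C = _x5c(ROGUE_LEAF, ROGUE_CA)

if __name__ == "__main__":
    print("insecure accepts rogue chain:", validate_chain_insecure(ROGUE_X5C))
    print("secure accepts rogue chain:  ", validate_chain_secure(ROGUE_X5C, TRUST_STORE))
    print("secure accepts legit chain:  ", validate_chain_secure(LEGIT_X5C, TRUST_STORE))
```

The rogue chain passes the insecure validator because every property it checks is under the attacker's control: the leaf CN, the link signatures, and the self-signature of the top certificate. The secure validator fails it at exactly one point, the requirement that the top of the chain be signed by a key the server already holds in its trust store, which is the only check the attacker cannot satisfy. The secure variant also accepts a chain that omits the root, since a self-signed root in the store verifies itself.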
Amassing and Analyzing APKs
1. Make a copy of safetynet-analysis/config.template.toml and rename it
2. Add the name of the S3 bucket that you'll use to store APKs and your AWS credentials
3. To get the list of Android apps run
   a) This will generate a CSV file
4. To download the apps run
   a) This will use app_ids.csv and will attempt to download APKs first from Apkpure and then from apkmonk
   b) The results will be stored in a SQLite database named chain-of-fools.db. Specifically, they will be in the
5. Upload the downloaded APKs to the S3 bucket detailed in
6. To analyze the APKs, you will need to run
   a) The results will be stored in the
This project is not intended as a living project, but bug-fix pull requests may be accepted.
Issues and Questions
Issues should be filed using GitHub issues.