SafetyNet API #181
Comments
So that was it. Can't get past the login too.
Same problem here. Would love to see stubs around the SafetyNet thing.
Unfortunately, just stubs wouldn't do it, as SafetyNet has a part that is done server-side and is signed: https://koz.io/inside-safetynet/
@ThibG Does the app check the signature of what is returned with some static library? If there's no way to spoof the signature by modifying some file in the system, I guess this feature is out of the scope of microg and should be handled by patching the app itself.
@mid-kid If it is done correctly, the response should be forwarded to Niantic's servers to be checked there. Thus, modifying the game won't help you. You would need to reimplement SafetyNet closely enough to "fool" Google into issuing a correct reply. That's quite involved, but might be within the scope of microg (can't talk for @mar-v-in)
I should read the blog you linked. Thanks for responding.
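The server-side check @ThibG describes above (the app vendor validating the signed attestation rather than trusting the client), as an added example that is not code from this thread, from microG or from Niantic. It validates the claims of a SafetyNet attestation JWS; the payload, nonce, package name and certificate digest are constructed sample values, and verifying the JWS signature and that its x5c chain is issued to attest.android.com is assumed to happen before this function runs.

```python
import base64
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWS segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jws(payload: dict) -> str:
    """Build a constructed attestation JWS for testing. Header and signature
    are placeholders, not output of Google's attestation service."""
    header = {"alg": "RS256", "x5c": ["PLACEHOLDER-CERT-CHAIN"]}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"PLACEHOLDER-SIGNATURE"),
    ])


def check_attestation_payload(jws: str, expected_nonce: str, expected_package: str,
                              expected_cert_digests: list, now_ms: int,
                              max_age_ms: int = 120_000) -> tuple:
    """Validate the claims of an attestation JWS on the server.

    Returns (accepted, reasons). Only the claims are checked here; the caller
    must already have verified the JWS signature and certificate chain.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        return False, ["malformed JWS: expected three segments"]
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, ["malformed JWS: payload is not valid JSON"]

    reasons = []
    # The nonce binds the attestation to this login attempt, so a response
    # captured from another session or device cannot be replayed.
    if payload.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch")
    ts = payload.get("timestampMs")
    if not isinstance(ts, int) or not (now_ms - max_age_ms <= ts <= now_ms + 5_000):
        reasons.append("timestamp outside acceptance window")
    # The attestation must describe our APK, not another app on the device.
    if payload.get("apkPackageName") != expected_package:
        reasons.append("apkPackageName mismatch")
    if set(payload.get("apkCertificateDigestSha256", [])) != set(expected_cert_digests):
        reasons.append("apkCertificateDigestSha256 mismatch")
    # basicIntegrity fails on rooted or tampered systems; ctsProfileMatch also
    # fails on builds without a CTS profile (the failure mode discussed later).
    if payload.get("basicIntegrity") is not True:
        reasons.append("basicIntegrity is false")
    if payload.get("ctsProfileMatch") is not True:
        reasons.append("ctsProfileMatch is false")
    return not reasons, reasons
```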
IMHO this is not in the scope of microg. safetynet was designed to be unhackable in the long run. any success will quickly be squashed by google. fooling safetynet is applicable outside of microg and is a different effort. microg cannot implement safetynet unless a hacking solution already exists. IMHO, apps that use safetynet should be shunned and that's it. a successful hack of safetynet probably requires a server running secret code (same as the google approach) to doctor measurements in a secret way, so that google cannot immediately see how to detect the hack. this runs contrary to free software ideals. i believe that microg's support of safetynet should involve (if possible) denying the transaction and informing the user that SN is being used (maybe even killing the app) so that the user can uninstall it. in the long run, SN will help free software users get rid of proprietary services via the learnt pain of lost functionality caused by updates.
Imho, any apps relying on google play services (and thus, microg) should be shunned if possible. Microg is there to allow you to run them anyway if you so desire, while still being a bit more free than when having gapps installed. As such, I think this includes SafetyNet as well as everything else google play services might include in the future.
SafetyNet requires DroidGuard for full functionality, see #181
SafetyNet is not a problem itself, the problem is that it depends on DroidGuard, which is based on a native binary blob.
I don't really understand how SafetyNet works, but is it possible to build an emulated clean Android VM (EDIT: or Java/execution/chroot environment) and run SafetyNet in there? At this point I think I will quit Pokemon Go. They deserve to lose all their users.
@mid-kid, i don't agree with you at all, and your overly simplified way of thinking (safetynet is part of gapps) makes you confuse stuff:
correct: microg is a gapps replacement. a perfect reimplementation of SN, including contacting google and running the downloaded 'spy' code, should always return NOT PASS, as this is by definition the correct behavior of the SN API in any case in which microg is running. in fact, with this in mind, implementing SN in microg is entirely feasible. the problem is confusing implementing SN with tampering or defeating SN, which is a whole different ball game, and applicable to any case where SN is used. in particular, the same hypothetical attack to SN could be used with any implementation of SN, be it gapps, microg, or you-name-it. gapps is a set of APIs. SN is a tamper-proof authenticated service that can and will be upgraded the second it is exploited. this is one big difference. clients of gapps just want some services rendered, and presumably don't care who renders them at all. clients of SN want a particular tamper-proof attestation service and very much care who renders the service, as they have to trust the attestator. this is the other big difference. these big differences are what puts defeating SN outside the scope of microg. your "i want it to work" simplifying train of thought is the only argument you put forward to the contrary and does not hold up to scrutiny. if somebody ever defeats SN (IMHO won't happen), then by all means, distribute microg with that hack integrated already. but putting that project under the microg umbrella is nonsense for obvious reasons.
@jimbo1qaz,
in theory, yes. but you would have to run Pokemon there too! and Pokemon should see the same restricted environment (no interaction with anything in the "real" android). in practice, no. red pill/blue pill research has shown so far that it is a practical impossibility to emulate a complex machine to the point that it is indistinguishable from the real thing to ANY AND ALL possible software running on it. make a successful emulator and the other camp will create new detection code. in SN terms, distribute the emulator and google will upgrade SN within hours to kill it. finally, the emulator having network links to untrusted systems means that simple timing detection solutions can be used to spot the emu.
absolutely. but eff pokemon! the real problem will be for instance, banks. and the solution would be the same: ditch the bank because it doesn't provide functional online access.
SN is a horrible can of worms and may be too hard to crack. it is an anti-competitive measure and should IMHO be banned by law, but most surely won't. it seems that the only correct solution to SN is to attack the force behind it, Google. some technologically viable solutions could be illegal: for example, constantly and successfully DDoSing SN would naturally force all clients to refrain from using it; problem solved. other legal solutions may not be viable: recognizing google as an attacker to you and your community justifies boycotting google. if everybody thought this way and stopped using goog's services, their revenue would plummet and they would swiftly give in and kill SN. of course expecting people to act this way is delusional.
As I heard, the snet.jar downloadable is not obfuscated so if you were to implement the part that downloads and checks it (hopefully with some url/cert overrides in dev options), someone else could make a blob that would just return what google wants to hear.. Also, when it comes to dependencies, it should always be simpler to return a static result rather than iterating the file system and so on.. I'm sure google will try to run some intelligent analysis on their answers.. In the end I suppose tamper detection could be fooled while more innocent analytics were kept real so that google couldn't fingerprint it as easily.. This would have to be optional because I still don't want that spy :( When it comes to the idea of running it in a fake environment, the idea is somewhat flawed because usually it's easy to detect a fake environment and hard to mask the signs; a real cat and mouse game.. But I think some of us actually want to play it. What do you think? I'm considering replacing gms with your version (microg) because I'm tired of having the snet spy in my system.. The darn thing actually tracks and transmits any changes you make in /system
Of course, playing the game is not an end game, but when you piss off programmers & hackers, you deserve to get both boycotting and spoofing attempts thrown at you. I did come here because I realized that to tamper with safetynet, one would have to tamper with GMS first ;) And you guys have come a very long way
Please note there are two distinct things in play services that are relevant here: SafetyNet and DroidGuard. SafetyNet is a considerably well-documented system that checks the system for root binaries etc. It is what is used by Pokemon Go and several banking apps. However there is one part of SafetyNet that is neither documented nor analyzed properly (afaik) and that is its dependency on DroidGuard. b33e43c already provides a very basic implementation of SafetyNet (without downloading blob updates from Google servers), which does not work for now because of its dependency on DroidGuard (possibly other reasons). DroidGuard is a highly obfuscated system (including string encryption, stack validation, etc) that uses a native, device-specific binary. I don't know of any proper public documentation of what DroidGuard actually does (which might also be because you just can't Google that term). But for now it seems impossible to implement DroidGuard without using the device-specific binary. I am currently working on running the binary in an isolated process, so that you can optionally use DroidGuard with microG, but I can't say how well this is going to work.
Wow, that is awesome!
When using original Google Play Services they will be placed in
OK so they download some package. Then they do This file looks like encrypted instructions. At least they need some kind of post-processing. It contains two symbols: oatexec, oatlastword. Apparently this is normal for oat files. Should be possible to get deeper into this. It looks like a library loader that just takes care to load and return the library so file. It seems to contain these java functions: com.google.ccc.abuse.droidguard.DroidGuard.runNative/ssNative/closeNative/entryHelperNative I'll try to get back with more but now I'm really curious how the file ended up on my phone, and what information google used to decide which binary I was sent...
The play services does a request to I have a working implementation of both systems and just got a valid SafetyNet response on my test environment (no isolated process yet). Expect an implementation in microG soon™
I think it merely needs the information to compile it serverside. Apparently the oat file is java compiled to native code. But I think I know enough assembly to recover something meaningful...
you can't. the whole point is that analysis is done server side and you don't know what google is looking at. plus it's a moving target: google can up their checks any time you successfully fool them. and only if they need to grab more raw info to up the checks, they will upgrade the client spying code.
but you automate google's work! now they just need to bump the spy code version instead of actually playing cat and mouse with us. to win you actually need to run google's code in a sandbox that spoonfeeds lies. but it will be a very very short lived win.
they HAVE lots of money. we've given it to them, and now they are using it against us. the real solution is having most phones fail the check so that developers won't use it. how? well CM is not big enough to matter. also chinese non-google phones are not big enough. DoS is illegal. a virus hacking phones to trip SN is worse than the evil itself. maybe the only solution is microg: companies selling google free android compatible phones with microg that fail SN. would companies want? yes! they want the search and market revenue. would they be able? not likely because of the anticompetitive all or nothing deal with google to license playstore (you can't make any non playstore device if you want to make any playstore device at all). note that even samsung and amazon tried this and they lost. it seems like google will win this one unless hackers go illegal at google, but how long can they keep it up? then our only remaining chance is EFF.org: can they fight SN in court on antitrust grounds for being essentially a competitor lockout system?
@Lanchon Of course the analysis is done on server side, but it is done with data provided from the client. If you fool them, of course they will up their checks, but you can figure out what the checks are before even running them. You'll be able to stay ahead in this game..
And "now they just need to bump the spy code version instead of actually playing cat and mouse with us."
Anyway when this cat and mouse game is over, yeah I will abandon any apps that require safetynet and are hard to bypass
that was my initial recommendation. abandon apps. services like banks will be harder to tackle though...
I'm just curious for how long faking snet will be feasible ;) Currently I think it totally can be done
The relevant point I think will be something else: microG does not have a relevant number of users. As long as this is the case, they probably do not really care. This is already the reason why we can implement microG at all and especially things like cloud messaging etc. and I don't see why it should be different for SafetyNet. The way microG is about to spoof SafetyNet is probably completely different from Xposed modules and malware, so even if they block out some tools, it might be that microG will still continue to run. We are not going to play a cat and mouse game for a long time. If Google wants to stop us, they can. If they add a feature like SafetyNet they probably don't have microG or alike in mind, they care about security of "regular" users. I don't think it's a problem for them if we bypass SafetyNet on our devices.
this is a good insight indeed. yes, they can block some features like GCM if they wanted, but not the rest of microg: to do that they need to enlist app dev help (check signatures etc) and app devs are not interested in blocking microg. but they haven't blocked GCM, ok. but will they block SN? i think so. first, any solution in microg can be generalized to Xposed, etc. but most of all, SN's very selling point is its tamper proof nature. allowing some tampering undermines their market position. google wants a portable KNOX competitor with this, and being able to sell to many customers, including corp IT departments. google has incentives to block SN that do not exist for GCM. unfortunately i think google will swiftly and mercilessly crack down on this effort here. let's see... oh and by the way, kudos for trying. actually forcing google to take a step here is an important prerequisite to any later social and legal battle.
@ale5000-git ART isn't supported for ARMv6 phones
@evildog1: Well KitKat isn't supported on my phone but I still use it.
@ale5000-git The SafetyNet implementation spoofs SELinux, I did not add specific code to spoof SELinux to DroidGuard because I did not find it accessing any relevant data (which doesn't mean anything, I still miss a lot of information about what DroidGuard does). + @mid-kid ART on KitKat is not supported. @mid-kid every solution that requires root is not suitable imho. PRoot looks like a syscall hooking based approach, which is not too far away from what I do right now (I do method hooking based on Java calls done from the binary blob). My idea for a more sophisticated approach is based on syscall hooking as well, but this means a lot more work than the current approach. I doubt it is possible to freely control cgroups on Android, although admittedly I never tried.
@mar-v-in did you check my log bro? does it mean that microG simply won't work on my phone or did i do something wrong? i uninstalled and re-installed everything but still the same.
@Real-Vivacity disable Greenify for DroidGuard Helper
There is useful documentation about safetynet here: https://koz.io/inside-safetynet/. This lists all safetynet checks.
@julianwi
OK, so I’ve finally been able to make it work. Thanks again @mar-v-in for this great work. For the record and in case there are still people trying to make it work with Xposed/CM13/root, I’m running an OPO (not really important) under CM13 (that’s the important part). CM13 comes with root by default, so you have to remove the su binaries. Also, if you’re using Xposed (for signature faking for instance), like @mar-v-in said, you need the systemless version using Magisk. So, starting from CM13+Xposed, i did the following:
Regarding 6, I'm not sure if that is needed at all if you don't care about root, but I wanted to access Magisk Manager and check whether root was correctly disabled — I'll probably try to remove it soon and report.
I was thinking about fooling SafetyNet by formatting the SD card as ext4 and copying the system folder of the original ROM to the SD card. Modify Google Play Services to read the path on the SD card to make SafetyNet think that the ROM is not rooted or modified. Decompile Google Play Services, change the path to the external SD card and compile. And enable SELinux on the Android device if disabled. Do you think that it will work? :)
@mid-kid Why do you think this? Where is this ".so library"?
So it doesn't really work on my device. I use Xposed with three modules (FakeGapps, WebViewGoogle and XposedGmsCoreUnifiedNlp) and I don't see any new one after installing DroidGuard Helper. Should it appear there? Also, it could be that it simply fails CTS profile match, as I'm using AOSP 6.0 on Galaxy S3, but posting it just in case it could be something else (not really sure how to differentiate it from logs alone). Anyway, thanks for dealing with it :) I have a question though, @mar-v-in: does the isolated binary run all the time, or only when the SN call is made by some app?
@dos1 your droidguard has been installed correctly, and no it should not appear in xposed modules..
@dos1 On your device the Xposed detection went positive. Try using Magisk based systemless Xposed if possible. Failing CTS will give you a bright red screen in the SafetyNet tester app. The DroidGuard Helper Xposed module was removed again because it was causing more harm than it helped. The service containing the isolated binary will be closed after the SN certification, but Android might decide to keep the binary in memory. If it would start a new thread (the current version does not, but a future version might), this thread might stay alive a bit longer than that.
@mar-v-in I tried it with a Nexus 5X and OmniROM 6.0.1 (which should have a CTS profile) and still receive the following error:
I used Chainfire's su with systemless mode and suhide. To be extra sure (thanks @mid-kid) I renamed /su/bin/su to su.bak (nothing in /su/xbin/) without success. I tried both 0.1.0 and 0.1.0-3 for the DroidGuard Helper. For my Nexus 4 with the exact same setup (if I didn't miss anything) the log looks different:
So this could be caused by the missing CTS profile.
@mar-v-in i passed the safetynet successfully, big thanks to you, that was awesome. 👍 💯 i have one last question though, based on what i searched. i can conclude that microG is not compatible with mock locations? i mean gps spoofing apps won't work? google map works perfectly though.
@Real-Vivacity I don't consider mock locations an important feature and never tried to use them with microG. And srsly, you are not asking me for help with Pokémon Go cheating, right?
okayy was just asking. i use mock locations for something else lol.
Hello, @mar-v-in Big thanks for your work! I confirm that the SafetyNet check succeeds only after removing the /system/{x}bin/su binary from my device (like @ArchangeGabriel said earlier). I will check later, but is it possible to dump what Google is checking on my phone?
Hello, "microG DroidGuard Helper" has stopped. And Safetynet request: fail
@daiten7 try uninstalling droidguard, reboot then re-install.
@daiten7: Install DroidGuard Helper 0.1.0.
Thanks! Safetynet request: success Error Msg:
@daiten7 What device, ROM, version? Are you rooted (if so, with what), do you use xposed, magisk?
Hello,

```java
package com.google.android.snet;

import java.io.File;
import java.util.ArrayList;
import java.util.List;

// Decompiled from snet.jar. FilesInfo and SeLinuxCheckerSingleton are other
// classes of the same package that are not included in this post.
class FileFinder
{
    private static final String[] FILE_NAMES = { "/system/bin/su", "/system/xbin/su" };

    static List<FilesInfo> findFiles()
    {
        ArrayList<FilesInfo> result = new ArrayList<>();
        // If SELinux policy prevents stat() on system executables, nothing is reported.
        if (!SeLinuxCheckerSingleton.INSTANCE.canStatSystemExecutables()) {
            return result;
        }
        // Otherwise record, for each well-known su path, whether the file exists.
        for (String path : FILE_NAMES)
        {
            FilesInfo info = new FilesInfo();
            info.filename = path;
            info.present = new File(path).exists();
            result.add(info);
        }
        return result;
    }
    // ...
}
```

@mar-v-in, could you please try to spoof this function. I can't test it myself, because my device is on KitKat.
Blissrom 6.4, android 6.0.1 r43, rooted with supersu 2.78 sr1, xposed 86.2, i don't have magisk
This thread is drifting away from a useful conversation and thus I locked it. Here is a summary of the current state:
I will post a new update and unlock the conversation once I think it is useful again. |
As of version 0.37 Pokemon Go uses GMS's safetynet feature and I for one can't get past login.
What is the implementation status on safetynet, is this out of scope for microg?