Ability for integrators to disable SafetyNet checks #1971
Comments
mar-v-in
added
🔒 Integrity
TODO after fixed: SafetyNet: microg/GmsCore#1971 Geocoder: microg/GmsCore#1972 Signed-off-by: Tad <tad@spotco.us>
|
After further investigation, I figured:
So instead of disabling all UI for SafetyNet via microg.xml, I think it makes more sense to just disable local DroidGuard execution. That said, given the large amount of devices supported by DivestOS, how do you know that SafeyNet/DroidGuard won't pass on any of them? Privileged access is not strictly required (at least not on all devices) to pass SafetyNet. |
That is a good approach.
I completely remove the default/stock OS fingerprints that LineageOS uses, it was a prereq for actually supporting delta/incremental OTA updates. |
The device profile feature in microG can be used to spoof fingerprints to DroidGuard to pass SafetyNet when needed. |
|
I did actually try the self test on both clark/17.1 (can't be relocked) and taimen/20.0 (relocked bootloader and verified boot enforcing) and both said "CTS profile match failed" iirc. |
|
I don't say it's going to work for all devices easily. Pixel devices are harder and unlocked bootloader generally doesn't work without kernel patch that hides the bootloader state (which is trivial though). Anyway. With 4772008 there is now an boolean option in |
|
Thank you for these additions! |
Is your feature request related to a problem? Please describe.
I'd like to add optional opt-in unprivileged microG support to DivestOS, however SafetyNet both won't ever succeed on it nor do I want my users needlessly running the proprietary DroidGuard executables.
Describe the solution you'd like
An option in the microg.xml settings override to force disable and hide any function that directly downloads/executes more proprietary code.
The text was updated successfully, but these errors were encountered: