SafetyNet: What is it, and why doesn’t Android Pay work without it?

Google’s SafetyNet is an API that developers can use to protect device security: it provides an app with a health check of the device it is running on. If the health check fails, the app can refuse to run or disable features. An app known for doing this is Pokemon Go, which was one of the first apps to actively refuse to run on a device that had been unlocked or tampered with. It is a simple API for developers to implement, but it has huge ramifications for the end-user. The intention of SafetyNet is to protect the end-user and a company’s IP, or to prevent cheating in games, but it invariably hurts the end-user and, it can be argued, causes more problems than it solves.

What does SafetyNet check?

SafetyNet checks bootloader unlock status, root access and some modifications to /system. Some files, such as /etc/hosts, are fine to edit, but such edits could theoretically be detected in the future. SafetyNet also checks for the existence of /system/xbin/su and /system/bin/su, amongst other root-related files. In the case of the bootloader being unlocked, the check was simply bypassed by patching the kernel to remove the verified boot state. This works because SafetyNet supports older phones too, ones without verified boot, and these cannot supply a bootloader state to SafetyNet. If you fail any of these checks, the SafetyNet API will report to any app that uses it that you failed the test, and an app such as Android Pay won’t work. Sometimes the app will tell you that you failed SafetyNet, or mention something about root, but with the likes of Pokemon Go, you will only be told that the game failed to sign in.
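What an app's backend might do with the health-check result described above, as an added example that is not from the original article or from Google. The claim names (nonce, timestampMs, apkPackageName, ctsProfileMatch, basicIntegrity) are those of the SafetyNet Attestation response; the allow/limited/deny policy, the package name and the sample tokens are assumptions constructed here, and the JWS signature is assumed to have been verified before this function is called.

```python
import base64
import hmac
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_jws(nonce, cts, basic, ts_ms, package="com.example.app"):
    """Constructed, UNSIGNED sample shaped like an attestation JWS (demo only)."""
    claims = {"nonce": base64.b64encode(nonce).decode(), "timestampMs": ts_ms,
              "apkPackageName": package, "ctsProfileMatch": cts, "basicIntegrity": basic}
    parts = (b'{"alg":"RS256"}', json.dumps(claims).encode(), b"not-a-real-signature")
    return ".".join(_b64url(p) for p in parts)

def evaluate_attestation(jws, expected_nonce, expected_package, now_ms, max_age_ms=120_000):
    """Return 'allow', 'limited' or 'deny' (hypothetical policy) for verified claims.

    Assumption: the caller has already verified the JWS signature and its
    certificate chain; this function only evaluates the claims.
    """
    try:
        _header, payload, _signature = jws.split(".")
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
        nonce = base64.b64decode(claims["nonce"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return "deny"  # malformed token: fail closed
    if not hmac.compare_digest(nonce, expected_nonce):
        return "deny"  # response was not produced for this request
    if claims.get("apkPackageName") != expected_package:
        return "deny"  # attestation came from a different app
    ts = claims.get("timestampMs")
    if type(ts) is not int or abs(now_ms - ts) > max_age_ms:
        return "deny"  # stale or missing timestamp
    basic = claims.get("basicIntegrity") is True
    cts = claims.get("ctsProfileMatch") is True
    if basic and cts:
        return "allow"
    return "limited" if basic else "deny"  # "limited": run, but disable sensitive features

if __name__ == "__main__":
    nonce, now = b"constructed-nonce-01", 1_700_000_000_000
    for cts, basic in [(True, True), (False, True), (False, False)]:
        token = make_sample_jws(nonce, cts, basic, now - 5_000)
        print(cts, basic, evaluate_attestation(token, nonce, "com.example.app", now))
```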

The Solution

Funnily enough, the solution to bypassing SafetyNet involves rooting. If your phone is only unlocked and you fail the check, your only two options are to relock your bootloader or flash Magisk. Magisk is a systemless solution for root, placing its binaries in the kernel itself and placing modules in a magisk.img in the /data directory, where SafetyNet doesn’t scan. You can make systemless modifications: Magisk creates a “mirror” of your system partition and makes the changes in RAM, so the physical files in /system are left untouched. Nearly a year ago, the arms race between Google’s developers and the root community was in a constant back and forth, but since the release of Magisk, Google has been silent, with no fixes pushed.

I believe that Google’s encouragement of the SafetyNet API is to be questioned. Android is an open platform, that’s half of its attractiveness, yet with the growing usage of the API, it seems to slowly be closing. Hopefully, this is the end of it, and Google will leave current solutions alone.