Opinion: Why hiding root is eventually a losing game

Recently, it came to light that Google has updated SafetyNet once again. This recent update added some extra root and tamper checks, breaking tools like Magisk. However, the Magisk developer managed to patch the new update almost immediately with their v13.0 beta. While this is good news for Magisk users, it further emphasizes that Google is playing out a cat and mouse game between their SafetyNet checks and root hiding tools like Magisk. A game that Magisk is eventually going to lose.

A must-have for root users

Photo: HighOnAndroid

Ever since Google deployed SafetyNet, root hiding has become an essential tool for root users. SafetyNet allows developers to make use of a single API to check whether a device has been compromised or not. While this is pretty good from a security standpoint, it’s a hassle for most power users, as more and more devs have started using this API. For example, Nintendo uses SafetyNet to check whether their games (Super Mario Run, Fire Emblem Heroes) are running on a tampered phone. Also, Niantic uses the API to block out root users from Pokemon Go.

Other popular apps using SN are Android Pay, Netflix, Snapchat, and others. This does block out hackers and pirates from their Android apps. However, this also affects honest root users which have no intention of messing with these apps. That’s where Magisk comes in. Besides providing systemless root and root hiding, it’s a complete universal systemless interface which allows pretty much any modification without actually touching the system partition.

Doomed to fail

The SuperSU developer, Chainfire, also ranted about root hiding and SN. He released a statement around October 2016 after publishing his own root hiding tool, hidesu. Back then, he said that root hiding tools are eventually doomed to fail. And this couldn’t be truer today, especially seeing how both Magisk and SafetyNet have grown. But why?

The answer is pretty simple: while there will always be a way to hide from SN’s detections, Google will keep adding more and more detections. And Google is currently going all-out against Magisk. More recently, they’ve taken down Magisk Manager from the Play Store. And recent SN updates keep including tighter checks, eventually going against bootloader-unlocked users as well. This bootloader check requires a kernel patch on most phones to pass the CTS check.

As long as Magisk development continues, root hiding will always be possible. And Magisk runs with root privileges, while Google Play Services (which includes SafetyNet) does not. So Magisk currently has total control over what SafetyNet sees. That is unless Google starts messing with low-level code (bootloader, kernel, TPM) in our phones.

Samsung has already taken this approach with KNOX. Once a Samsung phone is tampered with in any kind of way, KNOX gets permanently tripped, breaking features like Samsung Pay. No firmware can save you, either: the only fix is to replace the whole motherboard. According to topjohnwu, Pixel phones have started taking low-level measures. With no ramdisk, enforcing signature requirements and other measures, even patching the boot image is one hell of a process.

So, we can expect Google to come up with a similar tamper check anytime soon, which they’ll probably enforce on their Google Play certification document. And this will make root hiding a thousand times harder.

So, what’s next?

Photo: Android Police

Magisk is still in active development. The latest version, v13.0, will release with Android O. And the next beta update will include bypasses for the most recent SafetyNet checks. So, that’s nothing but good news for the time being.

However, we’ll have to wait until the Pixel 2 release to see whether Google has any more low-level detections. And whether Magisk will be able to work out those. But one thing is certain, and it’s that Google will continue the cat and mouse game against root. And they’re going to play it harder and dirtier than ever.

And Magisk is eventually losing that game.

Source: XDA-Developers

Featured image: Slashgear