Google being Goolag - SafetyNet
Stub - expect rewrites, additions, & stuff
Last updated : 27/5/2021
What is SafetyNet?
In theory, SafetyNet is meant to be an anti-abuse software that allows poorly made apps to "assess" the overall "integrity & security" (not necessarily root) of an Android device the app's on.
Inherent issues with SafetyNet
- First things first - it's basically DRM (Digital Restriction Management) masquerading as security feature (or is it a security feature that apparently also doubles as DRM?). Regardless, as a security feature, it embraces the dysfunctional "security by obscurity" approach .
- SafetyNet requires Play Services to function, essentially closing off custom ROM users who refuse to use GApps. microG users don't fare better, as SafetyNet is broken for them.
Even if SafetyNet were to be freed from its Play Services dependency, it still doesn't excuse the fact that it's DRM.
- Google (or Goolag in this context) has full control over SafetyNet, complete with the ability to add & remove restrictions.
- Making the workaround to pass SafetyNet is a cat & mouse game.
For example, prior to Magisk 20.4, MagiskHide is enabled by default (and it works for basic attestation on both microG & GApps ROM at that time). Goolag enables hardware-based attestation (which for now is opportunistic - when possible, it'll do it), Magisk 20.4 (and beyond for now) is released with MagiskHide disabled, kdrag0n releases a module to bypass hardware attestation, and Goolag eventually makes hardware attestation mandatory, completely defeating this new fix & perhaps even block out PDA users without hardware attestation support.
- It's open to abuse by soydevs who don't necessarily need them.
A good example would be Pokemon Go. In a misguided attempt to block cheat abusers, they ended up also blocking legit users with unlocked bootloaders, custom ROMs, and/or root.
Another example would be banking apps (or money-related apps) - instead of trying to make good security measures for their customers, regardless of their device; they instead used DRM that blocks legit users running anything that's not stock ROM. However, nothing's preventing you from banking through the browser (assuming it's supported of course).
Here's an actually matching example - Netflix. They put DRM on the videos so that nobody from certain nations get to watch them without VPN (even with VPN, there's always a chance of Netflix blocking them), and DRM on the app (SafetyNet) so no actual users (not the "Netflix & chill" normie useds) get to use the app.
What can we do?
Back to top
- First & most obvious - reject anything that demand SafetyNet & don't be dependent on SafetyNet. This obviously also means you have to stop using those apps as soon as you could. Of course, if you cannot live without those apps, you gotta start asking questions on how dumb your life decisions are. You could always get an iPhone & be used by those apps while also being stuck in Apple's prison, but I won't recommend it for obvious reasons.
Using their website services (or web apps) are probably better, assuming that they're provided & you can find them. But still, they may still mistreat you through various means, such as nonfree / proprietary software, surveillance (for example, giving away location for the service), etc.
- Pester the app's "developers" to remove this DRM from their apps, if you ABSOLUTELY MUST use their DRM-laced app. At this point, let me also remind you to reflect on how did you get so dependent on those apps (and get to work on fixing it wherever possible).
This approach might be the least effective, so prepare to mention sensible alternatives for SafetyNet if you have to.
- If you're one of those who believes that the world's constantly getting worse & you think you could make it better, you could always develop some kind of SafetyNet bypasser... that will eventually fail. I don't recommend this, obviously.
- If you really have to do banking stuff on your PDA, you could always use a browser to do so - just bookmark the page. However, if your bank don't support browser banking, I guess it's time to switch to another bank with browser banking support, or just cancel them all & store your savings in your hands. Sure, there's always the chance of losing them, but at the very least your cash is in your hands.