Skip to content

Instantly share code, notes, and snippets.

@liamcottle
Last active August 21, 2024 11:11
Show Gist options
  • Save liamcottle/2db0e954f7262da30596fccd1bfc54ef to your computer and use it in GitHub Desktop.
Save liamcottle/2db0e954f7262da30596fccd1bfc54ef to your computer and use it in GitHub Desktop.
SafetyNet Attestation Bypass

SafetyNet Attestation Bypass

Proof that with a few hours work, you can easily provide aribitrary data to the Google SafetyNet API and receive a valid Attestation signed by attest.android.com.

I've captured the HARDWARE_BACKED flag. Check this comment.

This is only a software backed attestation, as you can see with the evaluationType=BASIC. I don't have any devices that support hardware backed attestations via TEE, however once I do, I'll be taking a look into them 🤠

{
  "nonce": "bGlhbUBsaWFtY290dGxlLmNvbQ==",
  "timestampMs": 1626261636009,
  "apkPackageName": "[email protected]",
  "apkDigestSha256": "bGlhbUBsaWFtY290dGxlLmNvbQ==",
  "ctsProfileMatch": true,
  "apkCertificateDigestSha256": [
    "bGlhbUBsaWFtY290dGxlLmNvbQ=="
  ],
  "basicIntegrity": true,
  "evaluationType": "BASIC"
}
eyJhbGciOiJSUzI1NiIsIng1YyI6WyJNSUlGbFRDQ0JIMmdBd0lCQWdJUkFMN21zSmtiM1RkN0NBQUFBQUJ4WWg0d0RRWUpLb1pJaHZjTkFRRUxCUUF3UWpFTE1Ba0dBMVVFQmhNQ1ZWTXhIakFjQmdOVkJBb1RGVWR2YjJkc1pTQlVjblZ6ZENCVFpYSjJhV05sY3pFVE1CRUdBMVVFQXhNS1IxUlRJRU5CSURGUE1UQWVGdzB5TVRBMU1qQXdOekl4TkRkYUZ3MHlNVEE0TVRnd056SXhORFphTUd3eEN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUlFd3BEWVd4cFptOXlibWxoTVJZd0ZBWURWUVFIRXcxTmIzVnVkR0ZwYmlCV2FXVjNNUk13RVFZRFZRUUtFd3BIYjI5bmJHVWdURXhETVJzd0dRWURWUVFERXhKaGRIUmxjM1F1WVc1a2NtOXBaQzVqYjIwd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUN1bU1uV2p2R0ZuendMdXJ1SnJoTm1za3JEd0p2Tm0ycjBjRDdxeWF0NkFxSVZ3WkJmZGNYMWpCMGxUK2pzK3pHQzNNUzdac3llbXZSaGRxcERhdkhTVmZ4S3hZREc2dHp1eHh4ZE0wOWVKWFNtSkZLTWVSVWZUVkFBc0x5WWVHOWVHMno5WG5oZ3VkK3N3dVJKTWxJZzE3bnBlQ0toRHNlL1lQaTR5YmhrcXRsOC9NLzNrKzlMVTZrbndGMjRJODNNUjdnVGtMN1doU2RPb2tybnZkWnUrR0poYVhQcGJtaEpiUi9xNlhOQWVNR3hSaGhKRHlrOEhaa005cFJyNndaMFJhQ2Qva1FLNWh4T3hkejR3YU5zNDBiYVVNQU5tcG1UMGxFY1VaMnQxUUNmL3dMcldHNjhDa0V5clNVT2pQVURvalJmVG53YTlVdmFGNTZ1eUI0akFnTUJBQUdqZ2dKYU1JSUNWakFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUhBd0V3REFZRFZSMFRBUUgvQkFJd0FEQWRCZ05WSFE0RUZnUVVMbFhFSFdWeHZRVEZGM1QvNUQ3NzJpckZMNUV3SHdZRFZSMGpCQmd3Rm9BVW1OSDRiaERyejV2c1lKOFlrQnVnNjMwSi9Tc3daQVlJS3dZQkJRVUhBUUVFV0RCV01DY0dDQ3NHQVFVRkJ6QUJoaHRvZEhSd09pOHZiMk56Y0M1d2Eya3VaMjl2Wnk5bmRITXhiekV3S3dZSUt3WUJCUVVITUFLR0gyaDBkSEE2THk5d2Eya3VaMjl2Wnk5bmMzSXlMMGRVVXpGUE1TNWpjblF3SFFZRFZSMFJCQll3RklJU1lYUjBaWE4wTG1GdVpISnZhV1F1WTI5dE1DRUdBMVVkSUFRYU1CZ3dDQVlHWjRFTUFRSUNNQXdHQ2lzR0FRUUIxbmtDQlFNd0x3WURWUjBmQkNnd0pqQWtvQ0tnSUlZZWFIUjBjRG92TDJOeWJDNXdhMmt1WjI5dlp5OUhWRk14VHpFdVkzSnNNSUlCQmdZS0t3WUJCQUhXZVFJRUFnU0I5d1NCOUFEeUFIY0FmVDd5K0kvL2lGVm9KTUxBeXA1U2lYa3J4UTU0Q1g4dWFwZG9tWDRpOE5jQUFBRjVpTjNTc3dBQUJBTUFTREJHQWlFQW43bFhhSzYxOFFQekJ0RlEwOGlpNWtQblJDK3Vlc1hLQWFwV1B4aldDOFVDSVFEeFRUeVh0TnpNbFBkV3JVeFBLSjEybmlHRm56SFNsa0VlRG9PSVJicnkyUUIzQU83QWxlNk5jbVFQa3VQRHVSdkhFcU5wYWdsN1Myb2FGRGptUjdMTDdjWDVBQUFCZVlqZDBSa0FBQVFEQUVnd1JnSWhBTmJWUnBrZTJYaTZkUy9tcTZCWUVKSFZEYnhuZmxkVklUZC9NTFBEMTRKbEFpRUF3ZU1lbWxiaDNDcS91bUZiYkR5MUlranRxeUJ5TENwbXRvOGY2bGhzRWNJd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFKN2xrZFdudEEyZjBvM3lzODM4ZlAveFFKY2xEUUM3S0p0WGJRRUZIZXdIZkphUytEZi83WGVHeG5uWFRpOCtUaG5vQm13Q0c0alpqYndTT2g2UXIvSWNtOFB1akJkSzU3ZzFsY1RPeFhsN1hUbmlMT3E1b0JweW1FdThuQy9UY2YvQ3cwWVdkMUJhS1luaVlFamw5eUJnTnJ0RENEYm5HblRNNkl6MlhuVFQrQzhDRTNjNGxKeWdxNHh6R0xhSWVUbmtHTGpDYnI4VlQwOEx6Q29WMDQ3Umg0Rm1XZzBLdmlkamRBSlVyeGgzUitkMDV1S3UvK3h5aWRudnUvOEk0VUo0c2RrbjhmQ2hHbzl5cGJRek1aRmEzaFEvaDB0V0g4S1E5eUN5dEhqc2NkeVNSc3c4WDB5ck1hSEdsSjRZYms0VmlLQ2tOWGNqTy93Z2tRam4xdUE9IiwiTUlJRVNqQ0NBektnQXdJQkFnSU5BZU8wbXFHTmlxbUJKV2xRdURBTkJna3Foa2lHOXcwQkFRc0ZBREJNTVNBd0hnWURWUVFMRXhkSGJHOWlZV3hUYVdkdUlGSnZiM1FnUTBFZ0xTQlNNakVUTUJFR0ExVUVDaE1LUjJ4dlltRnNVMmxuYmpFVE1CRUdBMVVFQXhNS1IyeHZZbUZzVTJsbmJqQWVGdzB4TnpBMk1UVXdNREF3TkRKYUZ3MHlNVEV5TVRVd01EQXdOREphTUVJeEN6QUpCZ05WQkFZVEFsVlRNUjR3SEFZRFZRUUtFeFZIYjI5bmJHVWdWSEoxYzNRZ1UyVnlkbWxqWlhNeEV6QVJCZ05WQkFNVENrZFVVeUJEUVNBeFR6RXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEUUdNOUYxSXZOMDV6a1FPOSt0TjFwSVJ2Snp6eU9USFc1RHpFWmhEMmVQQ252VUEwUWsyOEZnSUNmS3FDOUVrc0M0VDJmV0JZay9qQ2ZDM1IzVlpNZFMvZE40WktDRVBaUnJBekRzaUtVRHpScm1CQko1d3VkZ3puZElNWWNMZS9SR0dGbDV5T0RJS2dqRXYvU0pIL1VMK2RFYWx0TjExQm1zSytlUW1NRisrQWN4R05ocjU5cU0vOWlsNzFJMmROOEZHZmNkZHd1YWVqNGJYaHAwTGNRQmJqeE1jSTdKUDBhTTNUNEkrRHNheG1LRnNianphVE5DOXV6cEZsZ09JZzdyUjI1eG95blV4djh2Tm1rcTd6ZFBHSFhreFdZN29HOWorSmtSeUJBQms3WHJKZm91Y0JaRXFGSkpTUGs3WEEwTEtXMFkzejVvejJEMGMxdEpLd0hBZ01CQUFHamdnRXpNSUlCTHpBT0JnTlZIUThCQWY4RUJBTUNBWVl3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01CSUdBMVVkRXdFQi93UUlNQVlCQWY4Q0FRQXdIUVlEVlIwT0JCWUVGSmpSK0c0UTY4K2I3R0NmR0pBYm9PdDlDZjByTUI4R0ExVWRJd1FZTUJhQUZKdmlCMWRuSEI3QWFnYmVXYlNhTGQvY0dZWXVNRFVHQ0NzR0FRVUZCd0VCQkNrd0p6QWxCZ2dyQmdFRkJRY3dBWVlaYUhSMGNEb3ZMMjlqYzNBdWNHdHBMbWR2YjJjdlozTnlNakF5QmdOVkhSOEVLekFwTUNlZ0phQWpoaUZvZEhSd09pOHZZM0pzTG5CcmFTNW5iMjluTDJkemNqSXZaM055TWk1amNtd3dQd1lEVlIwZ0JEZ3dOakEwQmdabmdRd0JBZ0l3S2pBb0JnZ3JCZ0VGQlFjQ0FSWWNhSFIwY0hNNkx5OXdhMmt1WjI5dlp5OXlaWEJ2YzJsMGIzSjVMekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBR29BK05ubjc4eTZwUmpkOVhsUVdOYTdIVGdpWi9yM1JOR2ttVW1ZSFBRcTZTY3RpOVBFYWp2d1JUMmlXVEhRcjAyZmVzcU9xQlkyRVRVd2daUStsbHRvTkZ2aHNPOXR2QkNPSWF6cHN3V0M5YUo5eGp1NHRXRFFIOE5WVTZZWlovWHRlRFNHVTlZekpxUGpZOHEzTUR4cnptcWVwQkNmNW84bXcvd0o0YTJHNnh6VXI2RmI2VDhNY0RPMjJQTFJMNnUzTTRUenMzQTJNMWo2YnlrSllpOHdXSVJkQXZLTFdadS9heEJWYnpZbXFtd2ttNXpMU0RXNW5JQUpiRUxDUUNad01INTZ0MkR2cW9meHM2QkJjQ0ZJWlVTcHh1Nng2dGQwVjdTdkpDQ29zaXJTbUlhdGovOWRTU1ZEUWliZXQ4cS83VUs0djRaVU44MGF0blp6MXlnPT0iXX0.eyJub25jZSI6ImJHbGhiVUJzYVdGdFkyOTBkR3hsTG1OdmJRPT0iLCJ0aW1lc3RhbXBNcyI6MTYyNjI2MTYzNjAwOSwiYXBrUGFja2FnZU5hbWUiOiJsaWFtQGxpYW1jb3R0bGUuY29tIiwiYXBrRGlnZXN0U2hhMjU2IjoiYkdsaGJVQnNhV0Z0WTI5MGRHeGxMbU52YlE9PSIsImN0c1Byb2ZpbGVNYXRjaCI6dHJ1ZSwiYXBrQ2VydGlmaWNhdGVEaWdlc3RTaGEyNTYiOlsiYkdsaGJVQnNhV0Z0WTI5MGRHeGxMbU52YlE9PSJdLCJiYXNpY0ludGVncml0eSI6dHJ1ZSwiZXZhbHVhdGlvblR5cGUiOiJCQVNJQyJ9.EnoaJJcMSdVJdiuo91eq227Aa9NFxsL0wj0Z2qhLG-fJ_WtEoLFfYURqPKw_loxVre1_lZ6PUC7FdFIGUEaryFE2UWRZBEosqoimwjLlrOTZ45DrrW3yga5R1einNb_NEll5jB0D7PZpckQBAIWqzdPSyllmH_-GXj7xnkwaPDtdBP_o3AQ3E0_XDk0z-lR3Ta0pB2wn3wPdkgfy7PK5rzDJHK0-UikJRE3sgWB-hye-rOrjF0LemQ0ssStwOMxBadIsdtzkggxQ1Xcs-VityOaje8CU-zJAZp5fcqXUB-bGhDdGKjjeEQmbmlMH6vww89YOgzSeYLYIxYlckN-ujA
@apkunpacker
Copy link

may you describe detail approach how you did this and decoded response ?

@xAffan
Copy link

xAffan commented Apr 22, 2023

Can you detail the procedure so I can create a magisk module to bypass this?

@bytes-as
Copy link

Can you describe the process?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment