INSIDE ANDROID'S SAFETYNET ATTESTATION presented at blackhateu 2017

by Collin Mulliner, John Kozyrakis,

Summary : Many app developers often have questions like the following: "Is the device my app runs on reliable and trustworthy?" "Could it be, god forbid, 'rooted'?" It turns out that answering these questions is quite difficult. In an area traditionally dominated by "root detection" products and DIY techniques, Google attempts to respond to this request: "OK Google, what do you think about the device I'm running in?" SafetyNet is the primary security platform used by Google to keep the Android ecosystem in check. SafetyNet Attestation is a service offered by the SafetyNet system to all Android application developers, who can use it to gain some insight into what Google believes is the state of tampering of the operating system and the device.Unfortunately, SafetyNet Attestation is not well documented by Google. How does it work? What checks does it do? Does it really help? How can you implement it in your app without it being trivially bypassable? Taking a perspective useful to both developers and penetration testers, this presentation covers multiple aspects of the system. Part one of this presentation will quickly recap the basics of root detection and tamper detection on Android applications. Part two takes a deep dive into the internals of the SafetyNet system and Attestation specifically, what checks it does and how it is designed, detailing how it different to traditional detection techniques. Part three discusses the different ways the system can be implemented in real world applications and how each method may achieve different level of risk reduction. This is based on the lessons learned from implementing SafetyNet Attestation for several apps with large install bases and will show how an organization's maturity may impact security checks. Finally, part four presents various attacks and bypasses against SafetyNet Attestation which target not only SafetyNet but other similar approaches.