Why Does XPosed Always Trip SafetyNet?


gudenau

Senior Member
Apr 19, 2014
98
10
www.gudenau.net
I'd like to know exactly why XPosed trips the SafetyNet checks even when running as a Magisk module. Is there a change that's easy to detect? Is it not possible to isolate the changes to certain apps? I want all the technical details about this issue.
 

kabso5

Senior Member
Aug 29, 2015
126
25
What I'm aware of, after talking to some of the devs and reading in the forums:
that Google Play Services downloads a SafetyNet XML file which executes and checks for Xposed file modifications.
 

loguhn

Senior Member
Dec 15, 2016
57
8
Avon
I think it's due to Xposed modifying the /system folder, and as Magisk is "systemless", it doesn't do that.
 

aer0zer0

Recognized Contributor
I don't get how a root-level app can't fool a non-root-level app such as Google Play into thinking nothing's rotten in Denmark.

I'm sure if they could spoof the zygote, or force it back as a pass like the bootloader and kernel, they would have done it already. Root is not exactly the entire solution.
 

gudenau

Senior Member
Apr 19, 2014
98
10
www.gudenau.net

CosmicDan

Senior Member
Jun 19, 2009
5,906
7,746
37
Sydney
Xiaomi Poco X3 Pro
Sure it checks it, but what does it look for? I want to know exactly what it does, as I said in the first post.

I believe if anybody actually KNEW this answer, they'd be able to spoof it. It could be some kind of tamper-detection stuff on the level that serious hackers use (e.g. measuring execution time of an arbitrary method), or it could be specifically designed to detect Xposed (it is open source after all).

This is one of those things where if you have to ask the question, the answer is probably beyond your expertise.
 

lssong99

Senior Member
Jul 15, 2005
414
279
I think topjohnwu already explained it well enough. Since SN checks not the "file integrity" of Zygote but the integrity of the running Zygote process in memory, it makes spoofing very difficult.

Since Zygote is loaded very early during boot and is actually the base of all system and app processes (this is also why XPosed is so powerful by modifying Zygote), it's always running, and it's not so easy to spoof the memory contents (including code and data areas) of a running process from another process, so SN is always tripped.

However, since Zygote is modified by XPosed, maybe someone can modify Zygote in such a way that it will pretend integrity and thus not trip SafetyNet (like some rootkits for Windows), but how and if this can be done is entirely beyond my knowledge...
 
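An added example (not from the thread and not SafetyNet's own code) of the distinction lssong99 draws: comparing the bytes of a process's file-backed executable mappings against the file they were loaded from, so that a file whose hash still matches does not hide code patched in memory. The `/fake/zygote` data, the `FAKE_*` constants and all function names are constructed here for illustration; `check_self()` runs the same logic on a real Linux process via `/proc/self`.

```python
import hashlib
import re
# Fields of a /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) ([0-9a-f]+) \S+ \d+\s*(.*)$")

def parse_maps(maps_text):
    """Return (start, end, perms, offset, path) for each parsable maps line."""
    rows = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            s, e, perms, off, path = m.groups()
            rows.append((int(s, 16), int(e, 16), perms, int(off, 16), path))
    return rows

def check_mapping(mapping, read_mem, read_file):
    """Hash one mapping's in-memory bytes and the same range of its backing file.
    read_mem(addr, n) and read_file(path, off, n) are supplied by the caller so
    the same logic runs on live /proc data or on constructed data."""
    start, end, _perms, offset, path = mapping
    disk = read_file(path, offset, end - start)
    mem = read_mem(start, len(disk))  # the file may end before the page-rounded mapping
    h_mem, h_disk = (hashlib.sha256(b).hexdigest() for b in (mem, disk))
    return path, h_mem == h_disk, h_mem, h_disk

def check_file_backed_code(maps_text, read_mem, read_file):
    """Check every file-backed executable mapping; a mismatch means the code in
    memory is not what the file on disk says, which a file hash alone never shows."""
    return [check_mapping(mp, read_mem, read_file)
            for mp in parse_maps(maps_text) if "x" in mp[2] and mp[4].startswith("/")]

def check_self():
    """Linux only: run the check on the current process through /proc/self."""
    def read_at(path, off, n):
        with open(path, "rb") as f:
            f.seek(off)
            return f.read(n)
    with open("/proc/self/maps") as f:
        return check_file_backed_code(
            f.read(), lambda addr, n: read_at("/proc/self/mem", addr, n), read_at)

# Constructed data: a toy process whose code page was patched after loading.
FAKE_MAPS = ("7f0000000000-7f0000001000 r-xp 00000000 08:01 42 /fake/zygote\n"
             "7f0000002000-7f0000003000 rw-p 00000000 00:00 0 [heap]\n")
FAKE_DISK = {"/fake/zygote": b"\x90" * 0x1000}
FAKE_MEM = {0x7f0000000000: b"\x90" * 0x800 + b"\xcc" * 0x800}  # second half patched

def demo():
    return check_file_backed_code(
        FAKE_MAPS, lambda a, n: FAKE_MEM[a][:n], lambda p, o, n: FAKE_DISK[p][o:o + n])
```

`demo()` reports the constructed `/fake/zygote` mapping as a mismatch while the non-executable heap mapping is skipped; a check that only hashed `/fake/zygote` on disk would have passed.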

CosmicDan

Senior Member
Jun 19, 2009
5,906
7,746
37
Sydney
Xiaomi Poco X3 Pro
I think topjohnwu already explained it well enough. Since SN checks not the "file integrity" of Zygote but the integrity of the running Zygote process in memory, it makes spoofing very difficult.

Since Zygote is loaded very early during boot and is actually the base of all system and app processes (this is also why XPosed is so powerful by modifying Zygote), it's always running, and it's not so easy to spoof the memory contents (including code and data areas) of a running process from another process, so SN is always tripped.

However, since Zygote is modified by XPosed, maybe someone can modify Zygote in such a way that it will pretend integrity and thus not trip SafetyNet (like some rootkits for Windows), but how and if this can be done is entirely beyond my knowledge...

I'd like to discover some technical details too. I wonder if it's possible to compile a ROM with modified zygote binary that chain-loads Xposed stuff or something like that. But I'd need to first find out what exactly Xposed Zygote does differently, and go through trial and error with modifying zygote sources to find what actually trips it.
 

Top Liked Posts

  • 5
    Nice thread going on here. Hope someone could explain the anatomy of SafetyNet and how it checks Zygote.
    2
    I'm watching this talk from 34c3.
    Maybe this would explain/help on understanding SafetyNet.
    https://media.ccc.de/v/34c3-8725-inside_android_s_safetynet_attestation_attack_and_defense
    1
    That doesn't tell me anything about what part of Xposed trips the checks though.

    SafetyNet checks the zygote, which Xposed modifies to work; that's why it trips, be it system or systemless. It didn't used to. SafetyNet has evolved.