SuperSU and SafetyNet / Android Pay

Chainfire

Moderator Emeritus / Senior Recognized Developer -
This is the place to discuss anything and everything related to SuperSU and SafetyNet / Android Pay.

To clarify, I am not currently actively doing any development on having SuperSU pass SafetyNet detection, or having Android Pay work; the same way I put no effort into beating other root detection methods such as various enterprise security tools.

In case any SuperSU-rooted device passes SafetyNet, that is a bug in SafetyNet, not a feature of SuperSU.

While I may not agree with Google's stance, I'm not about to go messing with payment systems. Is it possible though? Probably yes.

This thread has been created because you guys simply cannot stop talking about this, so these posts can now go here, where I don't ever have to see them.
 

mdamaged

Senior Member
Hey, thanks for your continued support for root on Android. I was just wondering: is Google making it harder to achieve decent root privileges, as in they don't want rooted devices, or are they just unrelatedly changing things up, which forces you guys to adapt?

On another note, is there any progress on root without the modded boot? This is by no means an ETA, just wanted to know if you think it's possible or the situation looks rather dire.

Thanks again for your many efforts!
Well, just look at Android Pay, it will not allow one to add a credit card if it detects the device is rooted. So yeah, Google definitely wants to stop root, or at least make sure there is a strong dissuasion towards same. It's not a bad thing per se, as Google is just making the devices more secure for the masses. We 'power users' are lucky to have those such as Chainfire working so hard to get us what they can.
 

androcraze

Senior Member
Well, just look at Android Pay, it will not allow one to add a credit card if it detects the device is rooted. So yeah, Google definitely wants to stop root, or at least make sure there is a strong dissuasion towards same. It's not a bad thing per se, as Google is just making the devices more secure for the masses. We 'power users' are lucky to have those such as Chainfire working so hard to get us what they can.
Many banking and financial apps restrict access on rooted devices; it's not just Google.

It makes sense in some ways: root access allows running things in the background to either circumvent, monitor, or interrupt program transactions. They're being paranoid, and I don't blame them.

I don't like the Google Pay concept (or Apple's either); like every other encryption or security system, it's destined to eventually be hacked.
 

jesssiii

Senior Member
Well, just look at Android Pay, it will not allow one to add a credit card if it detects the device is rooted. So yeah, Google definitely wants to stop root, or at least make sure there is a strong dissuasion towards same. It's not a bad thing per se, as Google is just making the devices more secure for the masses. We 'power users' are lucky to have those such as Chainfire working so hard to get us what they can.
Yep, I was able to add my debit card but not credit.

VZW LG G4
 

drawde40599

Senior Member
Well, just look at Android Pay, it will not allow one to add a credit card if it detects the device is rooted. So yeah, Google definitely wants to stop root, or at least make sure there is a strong dissuasion towards same. It's not a bad thing per se, as Google is just making the devices more secure for the masses. We 'power users' are lucky to have those such as Chainfire working so hard to get us what they can.
http://www.androidpolice.com/2015/0...hy-android-pay-doesnt-support-rooted-devices/
 

Srandista

Senior Member
Yet the Note 5 has been rooted for at least a couple of weeks
On Lollipop... And you also have to unlock your bootloader to do that, right? If yes, then you will trip KNOX, and that means you will lose some of your device functionality (Samsung Pay, for example), without the option to take it back. On the Nexus, on the other hand, when you want to use Android Pay on Nexus, you can restore your phone to completely stock condition, without any trace of previously used root.

Also, all of this is completely irrelevant to carrier device users, since they have locked bootloaders.
 

shaggyskunk

Recognized Contributor
On Lollipop... And you also have to unlock your bootloader to do that, right? If yes, then you will trip KNOX, and that means you will lose some of your device functionality (Samsung Pay, for example), without the option to take it back. On the Nexus, on the other hand, when you want to use Android Pay on Nexus, you can restore your phone to completely stock condition, without any trace of previously used root.

Also, all of this is completely irrelevant to carrier device users, since they have locked bootloaders.
I believe that it's only AT&T and Verizon that lock the bootloader, and none in Canada and many other countries.

Sent From my SM-N910W8 Running SlimRemix V5.1
 

NYZack

Senior Member
Had an interesting event, on 2.52.

I unchecked "Enable Superuser" in Settings, to attempt to use Android Pay (Android Pay still wouldn't work). Then, when I rechecked "Enable Superuser", the re-installation of the binary failed, and I was prompted to reboot to try again. However, then I got a boot loop (never even got the opportunity to enter my encryption code). The only way I was able to boot was to re-flash the modified boot.img and re-install SuperSU from the zip (no idea whether both steps were necessary).

I have a Marshmallow Nexus 6, encrypted. For what it's worth, I was previously rooted on 5.1.1, and, after updating to 6.0 and until I re-rooted, I always got a "Your device is corrupt" message on startup, despite being all stock.
 

Lrs121

Senior Member
Had an interesting event, on 2.52.

I unchecked "Enable Superuser" in Settings, to attempt to use Android Pay (Android Pay still wouldn't work). Then, when I rechecked "Enable Superuser", the re-installation of the binary failed, and I was prompted to reboot to try again. However, then I got a boot loop (never even got the opportunity to enter my encryption code). The only way I was able to boot was to re-flash the modified boot.img and re-install SuperSU from the zip (no idea whether both steps were necessary).

I have a Marshmallow Nexus 6, encrypted. For what it's worth, I was previously rooted on 5.1.1, and, after updating to 6.0 and until I re-rooted, I always got a "Your device is corrupt" message on startup, despite being all stock.
Root doesn't have to be enabled for Pay to fail. Any time the system partition is modified, Pay will not work. There was an XDA news article on it. A quick Google search involving Android Pay and root should find it.
 

Taomyn

Senior Member
Root doesn't have to be enabled for Pay to fail. Any time the system partition is modified, Pay will not work. There was an XDA news article on it. A quick Google search involving Android Pay and root should find it.
I also found that having an unlocked bootloader will stop Pay working. When MM released I decided to go fully back to stock but kept the bootloader unlocked so I could flash MM. Pay still failed, so I've given up and gone rooted again.

Sent from my Nexus 6 using Tapatalk
 

dabotsonline

Senior Member
@Chainfire if you actually are able to pull off fully working stable root WITHOUT modifying /system, does that mean you MIGHT have opened the door to having root AND still being able to get OTAs?
Yup, all you'd need to do is reflash stock kernel to pass the boot partition EMMC check, or, we could automate restoring the previous stock kernel, flashing the OTA and then injecting the new stock kernel with root after flashing (à la AnyKernel2 or MultiROM). So many exciting possibilities there where custom recoveries are concerned. :)
Honestly it's not so different from using FlashFire to re-flash system, then OTA, then re-root. But it is easier, yes.
This is indeed exciting. However, I noticed that @Chainfire posted this downside on Google+ :

Andrew Morykin 12:24
This should retain Android Pay, right?
Chainfire 12:58
+Andrew Morykin if it does, then it's by accident and not by design, and Android Pay will be updated to block it.
https://plus.google.com/+Chainfire/posts/aJbqUZ8PEP4

Also, I was confused by this:

Chainfire said:
- I have not tested with encrypted devices
http://forum.xda-developers.com/showpost.php?p=63197935

Aren't Nexus 6P / angler (angler-mdb08k-boot-systemless.zip) and Nexus 5X / bullhead (bullhead-mdb08i-boot-systemless.zip) encrypted out of the box?
 

Chainfire

Moderator Emeritus / Senior Recognized Developer -
This is indeed exciting. However, I noticed that @Chainfire posted this downside on Google+ :
How is that a downside?

It's exactly the same with every other form of root you will ever see. They don't want to support Android Pay (and some other stuff) on rooted devices. If we find a root that allows it, they will update their system to detect and block it. That cat and mouse game will not end as long as Google doesn't want Android Pay on rooted devices.

Maybe someone will make apps/modules that help circumvent this, but it certainly will not be me.

Also, I was confused by this:

Aren't Nexus 6P / angler and Nexus 5X / bullhead encrypted out of the box?
Still can't test what I don't have.
 

osm0sis

Senior Recognized Developer / Recognized Contribut
Starting with Android 5.0, OTA updates are now block-based rather than file-based, so any modification to the system partition will cause the OTA to fail, even mounting the system partition as r/w.
Just to add to this, it's a whole-partition /system patch OTA if the device launched with Lollipop or later; anything that launched with KitKat is still receiving the old file-based patch OTAs. Modifying Settings.apk would likely trip either method for a lot of OTAs though, since it's a pretty central component.

I use a Galaxy S6 G9200 HK with a kernel compiled by me, but I have a problem with root on 5.1.1, and I think in the future on 6.0 too.
Is this root method integrated in the kernel source, or can I integrate my self-compiled kernel with those "boot.img systemless"? (Repack boot.img with the kernel compiled by me.)
Is it possible for this new root method to work on Android 5.1.1?
I have a problem gaining root when I use the kernel compiled by me (the STOCK kernel has this problem too: BOOTLOOPs and FREEZEs on system boot) and I don't know how to solve it :/

I found on Chinese forums a root integrated in boot.img; it works well and there is no "KERNEL is not SEandroid enforced" message, but when I try to integrate my kernel with this boot.img I get an error on system boot :/
Yup, it's all ramdisk changes so should be workable on any version of Android. Chainfire left instructions outlining the ramdisk changes in the WIP thread if you want to give it a try.

I'm not sure if anyone has specifically mentioned this, but Android Pay still works with this form of root on the Nexus 6!!
Yup, seems to be the case with most banking and root-detecting apps... for now. ;)
 


Kirot

Senior Member
Went ahead and installed su on a stock Nexus 5. So far it's working well; Android Pay does not work, but that was me being stupid and changing the host file and DPI before setting it up.
I do notice a little input lag after this, not enough to even make me consider removing root, but it is noticeable. Anybody else with this?