[Update] SafetyNet CTS Profile Error Probably Permanent

PixelPro

Senior Member
Sep 25, 2019
For those of us with unlocked or rooted devices, I have some bad news to report. Some very, very bad news!!!

John Wu, @topjohnwu, the creator of Magisk, just confirmed that the current SafetyNet CTS Profile error issue is probably permanent, and that it's unlikely to be fixed anytime soon because Google has significantly strengthened SafetyNet. He's confirmed that Google is now utilizing hardware-backed cryptography, specifically hardware-level key attestation, leveraging the device CPU's Trusted Execution Environment (TEE) for additional security.

John Wu's Twitter Post on SafetyNet Failure Issue

If you know a little about cryptography, you will appreciate that, if properly implemented, hardware-backed cryptography is almost IMPOSSIBLE to break. This means that all of our previous SafetyNet fixes will now be obsolete since Google will now be rigorously checking the validity of the source of our cryptographic keys.

What is Android Keystore Key Attestation

Google is now verifying that the cryptographic keys it relies on to validate our devices are kept in a secure, hardware-backed keystore on each device, making key extraction near-impossible, and nullifying all our previous validation hacks. This will, for example, prevent spoofing of device certification (CTS Profile) as we currently do with our custom ROMs, and our devices will now appear in the Play Store app as "not certified."

What this means is that the unrestricted freedom we once enjoyed with our custom ROMs has now come to an end. It's easy for us hobbyists to feel victimized by Google, but we're not the target since we're a very small minority of the more than 2 billion Android users worldwide. The aim, instead, is to protect the security of the Android platform by restricting the activities of hackers and criminals who use rooted or otherwise-compromised Android devices to perpetrate their criminal activities.

Unfortunately, it's no longer business as usual. I don't know how this will end, but I don't see it ending well for us in the custom ROM community. To repeat John's final words of his Twitter post, "Let's face it. Fun is over guys."
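
The server-side check the post describes, as an added example that is not part of the original post and is not Google's SafetyNet code: it reads the attestation security level and the hardware-reported RootOfTrust from a DER-encoded KeyDescription extension (layout as in Android's key attestation documentation) and rejects software-level or unlocked-bootloader attestations. It assumes the certificate chain was already validated up to a trusted attestation root and the challenge checked; the function names and sample bytes are constructed for illustration.

```python
# Added example; field layout per Android's KeyDescription attestation extension.
TRUSTED_ENVIRONMENT, VERIFIED, ROOT_OF_TRUST_TAG = 1, 0, 704

def read_tlv(buf, pos):                   # -> (tag_number, value, next_pos)
    tag = buf[pos] & 0x1F
    pos += 1
    if tag == 0x1F:                       # high-tag-number form, e.g. [704]
        tag = 0
        while True:
            byte = buf[pos]
            pos += 1
            tag = (tag << 7) | (byte & 0x7F)
            if not byte & 0x80:
                break
    length = buf[pos]
    pos += 1
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):                      # decode every element inside a SEQUENCE
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def passes_hardware_policy(key_description):
    fields = list(children(read_tlv(key_description, 0)[1]))
    if int.from_bytes(fields[1][1], "big") < TRUSTED_ENVIRONMENT:
        return False                      # attestationSecurityLevel == Software
    for tag, val in children(fields[7][1]):   # teeEnforced, never softwareEnforced
        if tag == ROOT_OF_TRUST_TAG:
            rot = list(children(read_tlv(val, 0)[1]))
            return rot[1][1] != b"\x00" and rot[2][1] == bytes([VERIFIED])
    return False                          # no hardware-reported RootOfTrust

def tlv(tag, value):                      # short-form DER encoder for the samples
    return tag + bytes([len(value)]) + value

def sample(level, locked, boot_state):    # constructed KeyDescription, not a capture
    rot = tlv(b"\x30", tlv(b"\x04", bytes(32)) + tlv(b"\x01", b"\xff" if locked else b"\x00")
              + tlv(b"\x0a", bytes([boot_state])) + tlv(b"\x04", bytes(32)))
    return tlv(b"\x30", tlv(b"\x02", b"\x03") + tlv(b"\x0a", bytes([level]))
               + tlv(b"\x02", b"\x04") + tlv(b"\x0a", bytes([level])) + tlv(b"\x04", b"nonce")
               + tlv(b"\x04", b"") + tlv(b"\x30", b"") + tlv(b"\x30", tlv(b"\xbf\x85\x40", rot)))
```

The values the policy reads come from a certificate signed inside the TEE, so changing what the operating system reports about itself does not change them.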


PixelPro

Senior Member
Sep 25, 2019
Thanhbat said: "No more bank apps, no more Netflix on rooted. How sad, I really don't want to say goodbye to rooted or those apps."
Hi Thanhbat. I feel sad too. This is not a good situation. Presently, all we can do is wait and see what happens, and hope for the best. People are actively trying to find a solution, but right now it doesn't look good.

 

Dust3k

Member
May 4, 2016
Hi to all, I've Magisk installed on my device and I do not have this problem. Does this appear randomly on some devices, or is this something that will happen in the near future?
I use a Redmi Note 7 Global, with the latest global firmware and PixelExperience.
 


Thanhbat

Senior Member
Apr 27, 2018
Hanoi
Dust3k said: "Hi to all, I've Magisk installed on my device and I do not have this problem. Does this appear randomly on some devices, or is this something that will happen in the near future? I use a Redmi Note 7 Global, with the latest global firmware and PixelExperience."
Wait until the March security patch comes.
 

JJcoder

Senior Member
May 13, 2020
https://youtu.be/LiQor-mXNq8 ;)