
Android Pay & SuperSU & Xposed: works for me

By moneytoo, Recognized Developer on 15th January 2018, 03:37 PM
I have just made a successful transaction via Android Pay on my rooted & Xposed Samsung Galaxy S7.

I'm curious to know what the actual reason for it working is, as I was under the impression that Android Pay is guarded by SafetyNet.

My Samsung Galaxy S7 runs Android 7.0 (G930FXXU1DQIC - patch level 8/2017), good old CF-Auto-Root and the latest Xposed framework (no systemless root or Magisk). I started using the S7 a year and a half ago and I have been rooted from the very beginning. CF-Auto-Root disabled device internal memory encryption (after the last reinstallation). I only use two of my own Xposed modules and YouTube AdAway. I block ads via AdAway. (I also disable any system/provisioning updates, security checks, unused system apps - but without using any 3rd party software or hacks)

As I was thinking Android Pay wouldn't work on my S7, I set up a payment card on a Samsung Galaxy S5 which I had reinstalled (from LineageOS) to the latest stock ROM (without rooting). Then I gave my S7 a try and confirmed the same card for use on that device as well.

First I tried reading card info using "Credit Card Reader NFC (EMV)", which worked fine on both phones in either way, so I tried using the S7 today in a shop (two days after setup)... and it just worked.

Android Pay version: 1.36.177845727

15th January 2018, 07:35 PM |#2  
Senior Member
Interesting.
Could you please share your Android Pay APK? I would like to try.
But I have Magisk and a lot of modules with Xposed; anyway, I'll try.

Sent from my SM-G930F using Tapatalk
15th January 2018, 10:18 PM |#3  
moneytoo (OP, Recognized Developer)
The version (name/code) I use is the same as here: https://www.apkmirror.com/apk/google...-apk-download/

Before running any SafetyNet checks on my working S7, I will try replicating the setup on rooted S5 first.

EDIT (day later):

After rooting the S5, Android Pay reports the "Android Pay can't be used on this device" message. However, I used an older image for rooting (as I had some issues with the latest, but will try again). It further confirms that there's some quirk in my setup/configuration that makes it work on the S7.

The S5 gave me that error shortly after trying to read the card via the "Credit Card Reader" app - so it seems like a perfect verification without the need to use a real terminal in a shop.

I don't have much time lately but I will be digging deeper...

EDIT (18th January):

Made a second payment via Android Pay, this time above the limit requiring unlocking. It still works.

Still no luck with S5 - all SafetyNet checks fail. I'm too scared to actually run any SafetyNet checks on S7 but I guess I could snoop the network and compare the local SafetyNet logs/dbs inside GMS...
13th February 2018, 02:53 AM |#4  
itandy (Senior Member, Hong Kong)
Just curious, is there any progress on this? I'm using the latest Magisk with Xposed. One of my local payment apps refused to work after a recent Google update. I think Google has strengthened the SafetyNet checking again. I wonder if your S7 is still working after the recent update.
13th February 2018, 05:59 AM |#5  
moneytoo (OP, Recognized Developer)
@itandy
I've made over 10 payments, used the S7 to set up Android Pay on Android Wear and it still works. I tried running SafetyNet checks and they said that attestation fails (both basic integrity and CTS profile match).

So far my thinking is that it's allowed by design. The S7 features a fingerprint reader, which means (by CTS requirements) it also has embedded secure storage for signing keys (SE/TEE?). The S5 doesn't have that (its fingerprint reader was one of the first and didn't use system APIs) so it falls back to an unsecured software keystore implementation. I see that only the S7 contains some actual data in the table "StorageKey" (in the Android Pay db inside GMS).
I tried spoofing "KeyInfo.isInsideSecureHardware()" but maybe I was too late as the device profile was already set up.

I've just realized I should be able to get another device (with fingerprint reader) for testing this theory so I will do that.
13th February 2018, 06:08 AM |#6  
itandy (Senior Member, Hong Kong)
Thanks for your response. But still it doesn't make sense to me. The S7 is not the only device to have the requirements you mentioned. And specifically Xposed is one major target of SafetyNet. My device with Magisk passed everything without Xposed. But once Xposed is enabled, both ctsProfile and Basic Integrity fail, as expected.
13th February 2018, 10:06 AM |#7  
sjpage10 (Junior Member)
I had the same situation, S7 working Android Pay with root and Xposed for the last year, until all of a sudden last week it stopped and now will only work if I disable Xposed.

Is anyone's S7 still working with Android Pay, root and Xposed?
Or is it just mine that stopped last week?

Stef
13th February 2018, 12:06 PM |#8  
itandy (Senior Member, Hong Kong)
I'm not using S7. But my local payment app used to work with Magisk and Xposed until recently. I think a recent Google Play update strengthened the SafetyNet.
13th February 2018, 05:41 PM |#9  
moneytoo (OP, Recognized Developer)
@sjpage10

The most recent payment I made with the S7 was 9 days ago, but that's because I'm using the watch now. I'm still able to read Android Pay card data from the S7.

Android Pay version may not actually matter that much as the core for payments is in Google Play Services. I'm currently on version 11.9.75.
15th February 2018, 02:27 PM |#10  
sjevtic (Junior Member, Chicago, IL)
Quote:
Originally Posted by moneytoo

I have just made a successful transaction via Android Pay on my rooted & Xposed Samsung Galaxy S7.

I'm curious to know what the actual reason for it working is, as I was under the impression that Android Pay is guarded by SafetyNet.

Quote:
Originally Posted by sjpage10

I had the same situation, S7 working Android Pay with root and Xposed for the last year, until all of a sudden last week it stopped and now will only work if I disable Xposed.

Is anyone's S7 still working with Android Pay, root and Xposed?
Or is it just mine that stopped last week?

Stef

I did a clean install of Superman ROM 2.8.0 by @Tkkg1994 (Android 7.1) + Magisk w/MagiskSU on my Galaxy S7 (SM-G930FD) back in December. With this combination, I was able to pass SafetyNet, and install Android Pay 1.36.177845727 using the Play Store app. I configured it and began using it without issue. I then installed Systemless Xposed, and even though SafetyNet would fail whenever Xposed is activated in Magisk Manager, Android Pay continued to work normally. Even with Xposed activated, the Play Store settings dialog would report "Certified" in the Device certification field. Nevertheless, apps that prohibit distribution to compromised devices (e.g., Netflix, which I don't have installed) would not show up in Play Store searches. Android Pay would still show up, presumably only because it was already installed on my device.

I have been using Android Pay nearly daily every evening at the supermarket across the street without issue until yesterday. During the day, I upgraded to Magisk 15.4 (from 15.3), Magisk Manager 5.6.0 (from 5.5.0), and Systemless Xposed 89.2 (from 89.1). Nothing appeared different; Android Pay continued to open normally. Note that I have NOT been offered (nor installed from any other source) any updates to Google Play Services in recent weeks; I am on 11.9.75. However, when presenting the device at the supermarket's payment terminal last night, I was greeted by a window featuring a red exclamation point in a circle, an image of my credit card, and the verbiage "You can no longer use Android Pay on this phone". There was a link to activate a feedback form, though I didn't submit feedback. When I backed out of the window, things otherwise seemed normal with respect to Android Pay: I was able to browse my various payment methods, explore the settings dialog, etc. I then disabled Xposed momentarily in Magisk Manager, and was once again able to pass SafetyNet. I haven't had the opportunity to try Android Pay again since this incident.

So, like most in this thread, I am trying to understand the relationship between Android Pay and SafetyNet, as well as any other device integrity checks it makes. Based on the experiences reported in this thread by @moneytoo, @sjpage10 and myself, it looks like Android Pay doesn't regularly check SafetyNet, though the Play Store does not offer it to you if your device is failing SafetyNet when you look for it. Obviously, that doesn't preclude sideloading it using an APK from APKMirror or another source.

So, I have a few questions:
  1. It isn't clear to me why Android Pay suddenly stopped working last night. Is this a consequence of my updates, or did something change on the server side? It seems like it might be a bit more than a coincidence that both @sjpage10 and I experienced the same phenomenon within a short period of time.
  2. Is there a convenient way to do complete end to end testing of Android Pay without actually making a charge? It sounds like @moneytoo has some method, but I am not clear what this is.
  3. What does Android Pay actually check to determine if a device is allowed to use it, and when is this checked?
  4. How can I find out the underlying cause of an Android Pay failure? I'll try logcat the next time I attempt to use Android Pay to make a purchase, but any hints on what to look for would be helpful.
Thanks.
15th February 2018, 07:29 PM |#11  
moneytoo (OP, Recognized Developer)
@sjevtic

It stopped working for me as well.

So far on every device I tried, Android Pay works perfectly fine offline (for at least a few days) but after a device reboot it requires internet connectivity for initialization.

The "Device certification" status in Play Store is cached and doesn't 100% correspond with the actual SafetyNet responses. Apps like Netflix don't show up when SafetyNet fails but there's no such protection turned on for Android Pay.

1) Seems like they disabled the responses on servers needed for initialization of Android Pay

2) As I already mentioned, install "Credit Card Reader NFC (EMV)" on second phone and try reading card with that. When this works, Android Pay also works.

3-4) That's the question. I still think it's possible to hack it so Android Pay will continue working on our phones. The key here is that it works offline. It may be a bit cumbersome though (automate rebooting to environment without Xposed to refill new payment tokens).

BTW: At least Android Pay still works on my Android Wear watch (connected to S7).