SafetyNet
Passing SafetyNet
If everything works out, SafetyNet should pass with no further input from the user, as long as your device fulfills the basic requirements. Nothing needs to be added to the Hide list. You can see in the Magisk app if it works by checking the SafetyNet status, or in the SafetyNet checker of your choice (just make sure that you use one that is properly updated to check the SafetyNet status). If SafetyNet doesn't pass after enabling Hide, try rebooting (also see “MagiskHide isn’t working”).Google continuously updates SafetyNet, so just because you can pass toda it doesn't mean you will tomorrow.
Prerequisites
To be able to pass SafetyNet you need to have Google's Services installed. MicroG won't cut it...What triggers SafetyNet?
There are two parts to the SafetyNet check, CTS Profile and Basic Integrity.Examples of when ctsProfileMatch will report as false (failed):
- Uncertified device (the manufacturer haven't applied for Google certification)
- Unlocked bootloader
- Custom ROM
- Signs of system integrity compromise (rooting, etc)
- Signs of other attacks (Xposed, EdXposed, LSPosed, etc)
Examples of when basicIntegrity will report as false (failed):
- Signs of system integrity compromise (rooting, etc)
- Signs of other attacks (Xposed, EdXposed, LSPosed, etc)
Several (but not all) of the things mentioned above can be hidden by Magisk. See what Magisk can and cannot hide under Basics.
Test MagiskHide
First thing to do is to make sure that MagiskHide is enabled (since Magisk v20.4 MagiskHide is disabled by default), or if it is on toggle MagiskHide off and on again. Sometimes MagiskHide stops working temporarily after an update of Magisk or the Magisk app. If SafetyNet still doesn't pass, make sure MagiskHide is actually working by using a root checker or a root app. Start by making sure the app can detect that your device is rooted. After that, add the app to the Hide list and see if it no longer can detect root. If that is the case, MagiskHide is working on your device. If you can't get it to work, see "MagiskHide Issues".It can of course also be any other mod that you've done to your device outside of Magisk, so check those as well.
Unlocked bootloader
If your device has an unlocked bootloader and shipped with an Android version newer than 8 it will very likely be using hardware backed key attestation to check the bootloader state. That is impossible to circumvent and CTS will fail. Fortunately there is a way of forcing SafetyNet to use a basic attestation instead, by using this Magisk Module, Universal SafetyNet Fix:https://forum.xda-developers.com/t/magisk-module-universal-safetynet-fix-1-1-0.4217823/
In combination with the above fix, or on devices that have a broken implementation of the hardware attestation, you might need to spoof your devices model as something else than your actual device. This can be done with a simple boot script and the resetprop tool, or by using MagiskHide Props Config's Force BASIC key attestation feature. Some have reported success by using MagiskHide Props Config to simply delete the ro.product.model prop from their systems, but this could have some unforeseen consequenses. See the module documentation for best practices.
The Universal SafetyNet Fix also changes model props since v2.1.0, but only for Play Services. That way you won't end up with strange UI/UX glitches due to mismatching model values.
It might also be possible to fool Google Play Services by using XPrivacyLua and limit Google Play Services from tracking you.
A combination of the above might be necessary to fully pass SafetyNet.
Topjohnwu has written a faq on hardware key attestation that can be found here:
https://twitter.com/topjohnwu/status/1237830555523149824?s=20
And XDA has a very good article on this as well:
https://www.xda-developers.com/safetynet-hardware-attestation-hide-root-magisk
Since this part of SafetyNet checks for an unlocked bootloader you might be tempted to simply lock the bootloader again. This is a bad idea... Most devices will be permanently bricked if you lock the bootloader on a modified device. There are some devices that you can lock the bootloader on even if it isn't stock, but this is not recommended unless you know exactly what you are doing. Be warned...
SafetyNet fails after an update
If SafetyNet starts failing after an update to either Magisk, the app or both it's usually fixed by toggling MagiskHide off and on (see ”Test MagiskHide above”). It might be necessary to reboot after toggling the setting off and on.CTS profile mismatch vs Basic integrity
There are two parts to a SafetyNet check, CTS compatibility and Basic integrity. The CTS check is a server side checkup up that's difficult to spoof, while Basic integrity is done on the device side and is a lower level of security. Some apps only use the Basic integrity part of the SafetyNet API and thus can be used even if SafetyNet doesn't fully pass.Both CTS profile and Basic integrity fails
MagiskHide needs to be enabled. Start there. If MagiskHide is enabled and working (see Test "MagiskHide" above), and both checks fail you might be successful if you clear cache for Google Play Services. If that doesn't help you should also make sure that you don't have other root solutions installed (old or preinstalled in your ROM, also see "Magisk can not hide") or any kind of mod or module that is triggering SafetyNet (see "Check your modules and mods" below).CTS profile fails but Basic integrity passes
MagiskHide needs to be enabled (yes, basic integrity can pass even if MagiskHide is disabled). Start there. If MagiskHide is enabled and working (see Test "MagiskHide" above), and you still can't pass the CTS profile check, but Basic integrity shows as true, that basically means Google doesn't trust your device for some reason (also see "Unlocked bootloader" above and "SafetyNet incompatible devices and ROMs" below). You should be able to fix this by matching prop values with a ROM that passes SafetyNet (see "Matching official prop values to pass SafetyNet" and "Spoofing device fingerprint" below).CTS profile passes but Basic integrity fails
This means that SafetyNet is actually failing and you are likely using a mod like the Xposed HiddenCore module that is trying to spoof the CTS profile check result. In reality you're failing both CTS profile and Basic integrity (see above).This might be successful against some apps that haven't properly implemented the SafetyNet check. But it won't have any effect on a properly implemented SafetyNet check.
Both CTS profile and Basic integrity passes
Everythings good. You can stop reading (at least this section of the guide).Check your modules and mods
In March 2020 Google didn't just start using hardware key attestation (see "Unlocked bootloader" below), but they also tightened down what kind of modifications SafetyNet detects. For example, bind mounts in a module may now trigger SafetyNet.If you suddenly start failing both CTS and basic integrity, try disabling or uninstalling the last module you installed (or try disabling all modules). If you can pass SafetyNet fully with that (or all) module disabled you know it is a module that is causing the issue. If you do not know which module disable each module individually until you find which one is the culprit.
SafetyNet incompatible devices and ROMs
There are devices/ROM’s that just won’t be able to pass SafetyNet. This might have to do with how the ROM is built, and if so there is nothing the user can do to change it.But, fortunately, most of the time it is much simpler than that.
All custom ROMs are incompatible with SafetyNet out of the box (unless the ROM creator uses the described method below and uses a certified device fingerprint instead of the on that matches the ROM). This has to do with how Google certifies devices, CTS certification (Compatiblity Test Suite). If a device hasn’t passed the Google certification process, or if the ROM alters how the device is perceived by Google, it won’t be able to fully pass SafetyNet (CTS profile mismatch). You might be able to get basic integrity to report as true (see Checking if Basic integrity passes above) and this would mean that MagiskHide is working as it should and it's most likely a simple CTS certification issue.
You can match your ROM's ro.build.fingerprint (and possibly other props, like ro.build.version.security_patch) with an official ROM for your device, or any other device that is certified, to make it pass SafetyNet fully (see "Matching official prop values to pass SafetyNet" and "Spoofing device fingerprint" below).
Matching official prop values to pass SafetyNet
If you use an unofficial/developers ROM you might have to match an official/stable ROM's details (usually ro.build.fingerprint and possibly ro.build.version.security_patch) to pass the SafetyNet CTS profile check (also see "Spoofing device fingerprint" below).coolguy_16 have made a guide for Moto G 2015 here. Thank you to diegopirate for the tip.
Spoofing device fingerprint
Try changing your device's ro.build.fingerprint to a device's/ROM's that is known to pass SafetyNet. The Magisk module MagiskHide Props Config can do this. This can also be done with a boot script (don't forget to set the proper permissions for the script to execute) and the resetprop tool (also see "Sensitive props").To change the device fingerprint with a boot script, add the following to a file you place in /data/adb/service.d (and don't forget to set the proper permissions for the script to execute):
#!/system/bin/sh resetprop ro.build.fingerprint <fingerprint value>
Depending on your ROM and/or device you might also have to edit ro.bootimage.build.fingerprint, ro.system.build.fingerprint, ro.vendor.build.fingerprint and ro.odm.build.fingerprint. It's not necessary for passing the CTS profile check, but if your ROM has one of these other props and you don't match them with the used fingerprint you may get a warning at boot about your device having an internal problem.
If the device fingerprint is from an Android build after March 16 2018 you'll also have to match that build's Android Security Patch date (ro.build.version.security_patch). This is automatically done by MagiskHide Props Config, but otherwise you can go about it the same way as described above.
The response is invalid
This basically means that your device can't get a proper response from the Google servers, for whatever reason. It says nothing about wether your device actually passes SafetyNet or not...If you get an invalid response result when checking SafetyNet it might mean that the app you're using to check SafetyNet hasn't been updated to work with the latest version of the SafetyNet API.
This response might also mean that Google's servers are down at the moment.
Another thing to try is to force close Play Services, clearing it's data and/or rebooting the device.
You could also try using a different GAPPS package (if you're on a custom ROM) or update the Play Services manually by downloading the latest version from APKMirror.
Make sure that you have a proper working internet connection and that there's nothing interfering (firewalls, etc).
SafetyNet check never finishes
If the SafetyNet status check never finishes (make sure to wait a while), it might mean that your Google Play Services aren’t working properly or have crashed. Try force closing Play Services, clearing data and/or rebooting the device.You could also try using a different GAPPS package (if you're on a custom ROM) or update the Play Services manually by downloading the latest version from APKMirror.
SafetyNet API error
This error doesn't mean that SafetyNet is failing. It is usually caused by the app you are using to check SafetyNet not having internet access, can't reach Google's servers for whatever reason or the snet files not downloading properly if you're using the Magisk app. If you're using the Magisk app, try clearing data for it and make sure that you have a working internet connection and no firewall or other services that could be limiting internet connection for the Magisk app when starting the SafetyNet check. The app need to download the necessary files to be able to do the check and internet access is required to get a response from Google's servers. If clearing the Magisk app's data and trying again doesn't help, try a different SafetyNet checker. It might be that Google has updated the API and that the app needs an update to accommodate this.Device uncertified in Play store/Netflix (and other apps) won't install or doesn't show up
If some apps won't install or doesn't show up in the Play store, check the Play store settings. At the bottom there might be a section called "Device certification". Some apps won't install if this shows "uncertified" (a couple of known apps are Netflix and Mario Run). It might even be that your device show "certified" and they don't show up. Even if there isn't a "Device certification" section in your version of the Play store, try the below if you have issues with apps like Netflix not installing or showing up.The solution is to make sure your device passes SafetyNet and then clear data for the Play store and reboot. If you have multiple users on your device, you might have to clear data for all users. Next time you open up the Play store, "Device certification" should show "certified" and the apps should be able to install/show up again. You might have to wait a bit before the apps show up. Some users have reported having to wait mere minutes, others several hours up to a whole day.
Permissive SELinux
MagiskHide can usually mask a permissive SELinux and let you pass SafetyNet anyway. But, it has been reported that this is not successful on all devices. If you have SELinux set to permissive, try changing it to enforcing and check SafetyNet again.Passing SafetyNet with EdXposed installed
Google can detect if you have EdXposed installed, but you can usually work around this by making sure you're using the latest release (usually the Canary releases) and using things like the EdXposed Managers Blacklist feature and enabling it for Google Play Services, Play Store and Services Framework.I still can't pass SafetyNet
Start by clearing data for Play Services and the Play Store. There have been reports of this making SafetyNet passing. It's also a good idea to read through the rest of the guide. For example More hiding tips, MagiskHide Issues, Other things to try, Asking for help/reporting bugs and other parts.Changing ROM or completely wiping your device and starting out clean might also be a good idea.