Wiki source for MagiskHideSafetyNet


Show raw source

@@[[MagiskHide | -- To the top/main article --]]@@
=====**{{color text="SafetyNet" c="blue"}}**=====

There's a corresponding section about hiding root from apps and ""SafetyNet"" in the [[https://topjohnwu.github.io/Magisk/tutorials.html#best-practices-for-magiskhide | official Magisk documentation]]. That is also very well worth a look.

===**Passing ""SafetyNet""**===
If everything works out, ""SafetyNet"" should pass with no further input from the user, as long as your device fulfills the [[https://didgeridoohan.com/magisk/MagiskHideBasics | basic requirements]]. Nothing needs to be added to the Hide list. You'll see in the Magisk Manager if it works by checking the ""SafetyNet"" status. If ""SafetyNet"" doesn't pass after enabling Hide, try rebooting //(also see [[https://www.didgeridoohan.com/magisk/MagiskHideMore | “MagiskHide isn’t working”]])//.

Google continuously updates ""SafetyNet"". Currently, no versions prior to Magisk v13.3 will pass ""SafetyNet"" without major workarounds.

===**What triggers ""SafetyNet""?**===
There are two parts to the ""SafetyNet"" check, CTS Profile and Basic Integrity.

Examples of when ctsProfileMatch will report as false (failed):
- Uncertified device (the manufacturer haven't applied for Google certification)
- Unlocked bootloader
- Custom ROM
- Signs of system integrity compromise (rooting, etc)
- Signs of other attacks (Xposed, etc)

Examples of when basicIntegrity will report as false (failed):
- Signs of system integrity compromise (rooting, etc)
- Signs of other attacks (Xposed, etc)

Several (but not all) of the things mentioned above can be hidden by Magisk. See what Magisk can and cannot hide under //[[https://didgeridoohan.com/magisk/MagiskHideBasics | Basics]]//.

===**Test ""MagiskHide""**===
First thing to do is to toggle MagiskHide off and on again. Sometimes MagiskHide stops working temporarily after an update of Magisk or the Manager. If ""SafetyNet"" still doesn't pass, make sure MagiskHide is actually working by using a root checker or a root app. Start by making sure the app can detect that your device is rooted. After that, add the app to the Hide list and see if it no longer can detect root. If that is the case, MagiskHide is working on your device. If you can't get it to work, see [[MagiskHideIssues | "MagiskHide Issues"]].

===**""SafetyNet"" fails after an update**===
If ""SafetyNet"" starts failing after an update to either Magisk, the Manager or both it's usually fixed by toggling MagiskHide off and on //(see ”Test ""MagiskHide"" above”)//. It might be necessary to reboot after toggling the setting off and on.

===**CTS profile mismatch vs Basic integrity**===
There are two parts to a ""SafetyNet"" check, CTS compatibility and Basic integrity. The CTS check is a server side checkup up that's difficult to spoof, while Basic integrity is done on the device side and is a lower level of security. Some apps only use the Basic integrity part of the ""SafetyNet"" API and thus can be used even if ""SafetyNet"" doesn't fully pass.

===**Checking if Basic integrity passes**===
You can check ""SafetyNet"" directly in the Magisk Manager, to see if you at least pass Basic integrity. If you can't pass ""SafetyNet"", but Basic integrity shows as true, that basically means Google doesn't trust your device for some reason //(also see """SafetyNet"" incompatible devices and ROMs" below)//. You should be able to fix this by matching prop values with a ROM that passes ""SafetyNet"" //(see "Matching official prop values to pass ""SafetyNet""" and "Spoofing device fingerprint" below)//.

===**""SafetyNet"" incompatible devices and ROMs**===
There are devices/ROM’s that just won’t be able to pass ""SafetyNet"". This might have to do with how the ROM is built, and if so there is nothing the user can do to change it.

But, fortunately, most of the time it is much simpler than that.

All custom ROMs are incompatible with ""SafetyNet"" out of the box (unless the ROM creator uses the described method below and uses a certified device fingerprint instead of the on that matches the ROM). This has to do with how Google certifies devices, CTS certification (Compatiblity Test Suite). If a device hasn’t passed the Google certification process, or if the ROM alters how the device is perceived by Google, it won’t be able to fully pass ""SafetyNet"" (CTS profile mismatch). You might be able to get basic integrity to report as true //(see Checking if Basic integrity passes above)// and this would mean that MagiskHide is working as it should and it's most likely a simple CTS certification issue.

You can match your ROM's ro.build.fingerprint (and possibly other props, like ro.build.version.security_patch) with an official ROM for your device, or any other device that is certified, to make it pass ""SafetyNet"" fully //(see "Matching official prop values to pass ""SafetyNet""" and "Spoofing device fingerprint" below)//.

===**Matching official prop values to pass ""SafetyNet""**===
If you use an unofficial/developers ROM you might have to match an official/stable ROM's details (usually ro.build.fingerprint and possibly ro.build.version.security_patch) to pass ""SafetyNet"" //(also see "Spoofing device fingerprint" below)//.

[[https://forum.xda-developers.com/member.php?u=6217614 | coolguy_16]] have made a guide for Moto G 2015 [[https://forum.xda-developers.com/2015-moto-g/general/guide-pass-safetynet-custom-roms-t3603609 | here]]. Thank you to [[https://forum.xda-developers.com/member.php?u=6705717 | diegopirate]] for the tip.

===**Spoofing device fingerprint**===
Try changing your device's ro.build.fingerprint to a device's/ROM's that is known to pass ""SafetyNet"". The Magisk module [[https://forum.xda-developers.com/apps/magisk/module-magiskhide-props-config-t3789228 | MagiskHide Props Config]] can do this. This can also be done with a [[https://topjohnwu.github.io/Magisk/guides.html#boot-scripts | boot script]] (don't forget to set the proper permissions for the script to execute) and the resetprop tool //(also see [[MagiskHideMore | "Sensitive props"]])//.

To change the device fingerprint with a [[https://topjohnwu.github.io/Magisk/guides.html#boot-scripts | boot script]], add the following to a file you place in /data/adb/service.d (and don't forget to set the proper permissions for the script to execute):
%%
#!/system/bin/sh
resetprop ro.build.fingerprint <fingerprint value>
%%
You might also have to edit ro.bootimage.build.fingerprint and ro.vendor.build.fingerprint.

If the device fingerprint is from an Android build after March 16 2018 you'll also have to match that build's Android Security Patch date (ro.build.version.security_patch). This is automatically done by [[https://forum.xda-developers.com/apps/magisk/module-magiskhide-props-config-t3789228 | MagiskHide Props Config]], but otherwise you can go about it the same way as described above.

===**The response is invalid**===
This basically means that your device can't get a proper response from the Google servers, for whatever reason. It says nothing about wether your device actually passes ""SafetyNet"" or not...

If you get an invalid response result when checking ""SafetyNet"" it might mean that the app you're using to check ""SafetyNet"" hasn't been updated to work with the latest version of the ""SafetyNet"" API. Your best bet is always to use the Magisk Manager to check the ""SafetyNet"" result.

This response might also mean that Google's servers are down at the moment.

Another thing to try is to force close Play Services, clearing it's data and/or rebooting the device.

You could also try using a different GAPPS package (if you're on a custom ROM) or update the Play Services manually by downloading the latest version from [[https://www.apkmirror.com/ | APKMirror]].

Make sure that you have a proper working internet connection and that there's nothing interfering (firewalls, etc).

===**""SafetyNet"" check never finishes**===
If the ""SafetyNet"" status check never finishes (make sure to wait a while), it might mean that your Google Play Services aren’t working properly or have crashed. Try force closing Play Services, clearing data and/or rebooting the device.

You could also try using a different GAPPS package (if you're on a custom ROM) or update the Play Services manually by downloading the latest version from [[https://www.apkmirror.com/ | APKMirror]].

===**""SafetyNet"" API error**===
This error is usually caused by the Manager not having internet access or the snet.apk not downloading properly. Try clearing data for the Manager and make sure that you have a working internet connection when starting the ""SafetyNet"" check. The Manager need to download the necessary files to be able to do the check and internet access is required to get a response from Google's servers.

===**Device uncertified in Play store/Netflix (and other apps) won't install or doesn't show up**===
If some apps won't install or doesn't show up in the Play store, check the Play store settings. At the bottom there might be a section called "Device certification". Some apps won't install if this shows "uncertified" (a couple of known apps are Netflix and Mario Run). It might even be that your device show "certified" and they don't show up. Even if there isn't a "Device certification" section in your version of the Play store, try the below if you have issues with apps like Netflix not installing or showing up.

The solution is to make sure your device passes ""SafetyNet"" and then clear data for the Play store and reboot. If you have multiple users on your device, you might have to clear data for all users. Next time you open up the Play store, "Device certification" should show "certified" and the apps should be able to install/show up again. You might have to wait a bit before the apps show up. Some users have reported having to wait mere minutes, others several hours up to a whole day.

===**Permissive SELinux**===
MagiskHide can usually mask a permissive SELinux and let you pass ""SafetyNet"" anyway. But, it has been reported that this is not successful on all devices. If you have SELinux set to permissive, try changing it to enforcing and check ""SafetyNet"" again.

===**I still can't pass ""SafetyNet""**===
Start by clearing data for Play Services and the Play Store. There have been reports of this making ""SafetyNet"" passing. It's also a good idea to read through the rest of the guide. For example [[MagiskHideMore | More hiding tips]], [[MagiskHideIssues | MagiskHide Issues]], [[MagiskOther | Other things to try]], [[MagiskHelp | Asking for help/reporting bugs]] and other parts.

Changing ROM or completely wiping your device and starting out clean might also be a good idea.
Valid XHTML :: Valid CSS: :: Powered by WikkaWiki