Software Integrity Blog


Demystifying Android’s SafetyNet Attestation at Black Hat Europe 2017

Many app developers have questions like “Is the device my app runs on reliable? Is it trustworthy? Could it be ‘rooted’?”

Answering questions such as these can be difficult.

In an area traditionally dominated by root detection products and DIY techniques, Google attempts to answer this request: “OK Google, what do you think about the device I’m running on?”

SafetyNet is the primary security platform used by Google to maintain the Android ecosystem. SafetyNet Attestation is a service offered by the SafetyNet system to all Android application developers. Developers can use it to gain insight into what Google believes to be the state of the operating system and device.

Unfortunately, SafetyNet Attestation isn’t well documented by Google.

How does SafetyNet Attestation work?

You may be wondering how it works, what checks it conducts, whether it helps, and how you can implement it in your application without it being trivially bypassable. Join John Kozyrakis and Collin Mulliner at Black Hat Europe 2017 to take a deep dive into Android’s SafetyNet Attestation. Taking a perspective useful to both developers and penetration testers, the upcoming presentation covers multiple aspects of the system.

The first part of the presentation will recap the basics of root detection and tamper detection on Android applications. We’ll then take a deeper look into the internals of the SafetyNet system and Attestation. Specifically, we’ll examine what checks it does and how it’s designed, detailing how it differs from traditional detection techniques. From there, we’ll discuss the different ways the system can be implemented in real-world applications and how each method may achieve a different level of risk reduction. This is based on the lessons learned from implementing SafetyNet Attestation for several applications with large install bases. It also shows how an organization’s maturity can impact security checks.

Finally, we’ll present various attacks and bypass methods against SafetyNet Attestation. These target not only SafetyNet, but also other similar approaches.
