Throughout last days, I struggled instrumenting Google SafetyNet protected apps with @fridadotre (meanwhile 14.0.6), because SafetyNet's "basic integrity" check failed.
The test device runs LineageOS + Magisk.
Let me share how I approached this issue
The test device runs LineageOS + Magisk.
Let me share how I approached this issue
The root issue was an outdated version of "Google Play Services", which was fixed by installing the most recent version of "Open GApps". This bumped GMS to version 20.39.15
In order to pass the SafetyNet basicIntegrity check, "MagiskHide" comes to help. It has to be applied to the Google Play Services (formerly known as Google Mobiles Services aka GMS)
The "MagiskHide" option sometimes has to be toggled off and on again (not sure why, but it is documented in many public guides) in order to its job.
... and finally, the SafetyNet checks pass.
... and finally, the SafetyNet checks pass.
Now, in my case, having MagiskHide enabled is an issue, because it does not play well with @fridadotre
To be precise, it prevents attaching to processes with spawn-gating, which I badly need to hook them right during startup (early instrumentation)
To be precise, it prevents attaching to processes with spawn-gating, which I badly need to hook them right during startup (early instrumentation)
Luckily, when the SafetyNet checks have passed once, MagiskHide could be disabled, again. SafetyNet attestation still passes in most cases (I have not investigated the cause of this and what changes done by MagiskHide are persisting)
Once MagiskHide is disabled Frida's spawn-gating is working again, while SafetyNet checks still pass.
This means SafetyNet protected apps could be (early) instrumented with Frida. The screenshot shows "Pokemon Go" as an example (terminal window has live logs from hooked methods).
The Magisk module "Move Certificates" helps to deploy a user installed CA certificate for an TLS interception proxy (@mitmproxy in this case), into the system store.
This again allows to combine and post-process intercepted traffic and event from instrumentation.
This again allows to combine and post-process intercepted traffic and event from instrumentation.
Additional notes:
- toggling MagiskHide on/off has to be re-done after device reboot
- in case checks still fail, clearing the cache of Google Play Services turned out to be helpful
- toggling MagiskHide on/off has to be re-done after device reboot
- in case checks still fail, clearing the cache of Google Play Services turned out to be helpful
Pro tip on Frida+Magisk:
There exists a Magisk module "MagiskFrida" which deploys frida-server (always up-to-date).
The module launches frida-server early at boot. In most cases I have to kill and restart it, to make Frida's app-enumeration feature work ...
There exists a Magisk module "MagiskFrida" which deploys frida-server (always up-to-date).
The module launches frida-server early at boot. In most cases I have to kill and restart it, to make Frida's app-enumeration feature work ...
As a general advice: frida-server should be deployed&started manually via adb, as described in the docs, to avoid issues
One last, but important fact.
The test device covered here is an old Galaxy S5.
The fact that the hardware is dated is beneficial, as only "basic" SafetyNet attestation is used.
For devices with SafetyNet "hardware attestation" (TEE based) this is unlikely to work
The test device covered here is an old Galaxy S5.
The fact that the hardware is dated is beneficial, as only "basic" SafetyNet attestation is used.
For devices with SafetyNet "hardware attestation" (TEE based) this is unlikely to work
• • •
Missing some Tweet in this thread? You can try to
force a refresh
