Breaking The Impossible: Bypassing Android's Secure Hardware Backed Attestation by Joseph Foote

so the title of this talk is Android safety net Hardware um back test station now I'm going to introduce all the Core Concepts and start our low level and try and make sure that everyone can understand hopefully and follow along even if you've not got any better background or you're not in security Etc specifically we're looking at what I refer to as bypassing the impossible and I explain why I'm confronted as that as we go so a little bit of an introduction to who I am I know you're all sick of seeing who I am be atop the slide and it's a bit there it's a cool part we're here now so I'm a security researcher

and consultant my day job is actually in consultancy however during my hobby time my free time Etc I'm always hacking something trying to break something new or generally just doing something that I find fun which happens to be typically around computing I have a background in faucet development as well um with around 10 plus years just of my own personal life programming a minimum with fluency far to main languages account and my current hobby project is trying to run doom on an HDMI adapter and specifically this is uh an apple little Haywire adapter that plugs into your iPhone and it has its own system it has round memory Etc a lot of weird quirky limitations I'm trying to export that so

I can get Doom running on it and plug it in and make it persist as well um all the necessary areas of expertise in there so how to piece together pieces though it's gonna be good fun hopefully the next talk will be on that um responsible disclosure just for everyone here this has been as close to Google I haven't had confirmation yet if it's a unique volatility as far as I know from Google or searching the web Etc and no one else has done something like this attempted it Etc The Source code's not available yet there's two reasons for that okay I don't really want anyone exploiting you before it can be fully patched and mediated although

technically you could try and do your implementation but you've answered a few herders along the way and secondly Source code's a mess I've tried my best to make it clean and readable um but I've been tweaking it and the last few days have been a real rush to try and make this as um functional as possible foreign it's essentially a module or a library that you have because you can load and attempt to do a few key things and I cover this in the next slide just so it makes a little bit more sense of reference but it's only supported on Google pixel devices and that means essentially that what our oldest for this would be for

instance Google pixel 4 and later specifically because that's when they invented Hardware testation which uses part of the actual system to perform a process it's theorized to be impossible to bypass take another pinch of salt bow because the majority of these people are self-programmed experts on Twitter who believe that it can't be done and no one should ever attempt to and you're stupid for trying um or something along those lines as we know that to hackers something's impossible because when you do they get furious they start breaking things and then suddenly you've got an expert in your hands so the use of safety net I just touched upon you can use it for my daughter or a

variety of functions particularly verification is installed on the device so for instance if you have malicious applications or something that's not approved by Google a safe browsing API which refers to verifying URLs that might look like they're potentially phishing on dodgy domains strange characteristics Etc but that's prior to when a user visits it and that uses Google's database essentially of what makes it a good and more bad a recapture API white standard things has proven like they're not robots and then finally and this is what we're actually interested in the attestation API so a testation on Android means checking the device's state and a variety of facts about it to determine things like is it rooted or has it been tampered

where has the Constitution being changed the idea is that bank social media Games Etc can use this and essentially say yes this device is in a good State and we continue to operate on it it's quite straightforward to actually Implement for a developer pump you do require an API to you from Google which can be obtained in all of around 10 or 15 minutes have I was lazy suffered my purposes I stole someone else's key um and here's a little example of how it works at kind of high level so on Android applications typically have a naming Convention of something like com for example not my app and this is actually an APK so when you click on the

settings app that's the individual APK when you click on photos that's another individual APK so your application Imports the safetynet library and the message dependencies for it that in turn facilitates speaking to Google Play services on the device itself and then Google Play services speaks to Google's actual API which is remote and on the internet and this API takes the blog data you've sent which we'll cover in more detail exactly what that is it signs it checks it Etc and returns something you can actually use to save this device is secure it's being verified by Google and you can essentially verify the signature of that on your own actual web server so they are step three is a website for the

application and you can think of this in ethereum account like a bank that might have the application their test security of the device and they send the token they get back with Google's API with every single request and that's verified or server side which essentially limits and removes the facts of you being able to bypass client-side security if you can't use the internet functions that are sort of dependent to do what you want so an example of how this is actually implemented is quite simple before this in the main class of the actual program we have about three or four Imports which is just graphing safety net jerseys but let's break down this code for people who are Java

developers and try and understand it a little bit better so the first lines say I want to create a safetynet client and I want to instantiate that you'll see in the brackets given is an argument called Tab and we're covered out a little bit more later but essentially the context of the application which is a way for something to achieve details of the app like its name what do what kind of activities it exposes Etc so we're giving the API some reference to our app and then after that we're asking it to perform our test function and this a test is actually a task I mean it is asynchronous takes a while to return it doesn't it doesn't immediately

return so we actually have to then call or set up essentially a listener or callback for it and it says that when the task is finished the safety that test patient pass you want to call the on success callback with our testation response included and then we can grab from the attestation response object within Paul Park a jws token I'll detail a little bit more of that is in next slides and then finally we just have a simple debug message just so we as a developer know it succeeded we should have something back and now we can work with it so I alluded this before Google Play services speaks with Google's API it uses HTTP as traffic and that

essentially includes a whole bunch of data about device which Google can then verify to ensure it matches what expectations so typical pinning and Foundation is enforced so they can't sniffer on a non-rooted device meaning we have no visibility into a root device and the rooted device doesn't quite behave the same as a unrooted device for reference routing here refers to braking constraints of an Android device so you can run your own code Etc and as I said the response proves that our device is rooted and I'll show you what that looks like shortly this is an example of an actual request to Google's API it reads other things you need to sort of look at be aware of

so we're speaking to the attestations the test endpoint where it has alt equals Proto this refers to a protobar wrapper around that's going to come back we don't care too much about this but it just helps us make sense of the data is coming back the host again is google'sapi.com and then we also have two more information and this is between seemingly random data a load of random hex um this is the build date of the application that is trying to run the test function and also the apk's name and these are going to be very important later because of essentially we run into some hurdles with this and we need to try and modify what's happening in order

to work with it the response back from Google's API so after we've asked it to a test of the device's state give the database applied it's something like this so you see those first two red bytes that is part of the Proto buff wrapper and I believe that I just say you can expect the following response to be excellent now the keynime key eyed monk you may notice the beginning of that message which is eyj quite standard for JWT tokens jws Etc so if anyone is not aware a Json web tofu jws is a base64 encoded data structure delimited by all stops so the structure you'll be looking at would be something like a header they've also got

a payload or stopping in the signature each one with individual components it's basic support encoded meaning it's represented by 64 which you need characters to include the data we are only interested in the payload for this and you can also actually decode a 30 bus token just for reference purposes you can grab the payload from the middle code it Basics or a little bit of data so what do we get back well we get back to up it looks a bit like this we get an initial launch token which is typically something like 32 random buttons of data that the calling application so for instance com.example.myapp included within its request we get time stamp as well and then we get two more

elements which we need to care about CTS profile match and basic editor I'm going to break down what each of these actually means and why we actually have to care about them now but we also see that this was around on a router device the advice back from Google is restore to factory wrong and lock bootloader thank you and then the evaluation type just so we know we're on the right track here is Hardware backed and what this means is when your test function was called and heard it actually used The Trusted execution environment on the phone which is part of the system odd chip the soc essentially your main processor and a variety of other pieces of very

important technology within a silicon itself it's very very difficult to reverse engineer or break things at a hardware level and typically is more or less unheard of currently we always Target software vulnerabilities whenever possible So within this we're actually missing two bits of data and it's a very good reason why it's don't appear in adjacent I can go back to this so you can see there is no APK by desk or package name included in what we've got back as a good reason for that so when you perform a test the basic Equity is not true then Google doesn't even bother to attempt to verify your device it makes the request to see myself as

happening but it just throws it out really it doesn't care basic Integrity refers to whether or not the device has presence of specific characteristics that success is being rooted so typically this would include mad disk used for routing devices by commonly binaries like XU X8 or bash Etc and modifications such as binaries along with modifications to the bootloader if any of that is detected then basically take it you'll fail and this one will come back to our data for reference the complete data set would look something like this where we have an APK digest in sha256 which does a hash of the APK itself and then we have a package there which tells us who actually requested this data to

begin with so what's the taking that failure level like well this is a application on the Android play store called taking that test you can download this yourself and you can test it I believe safeness only supported by Google pixel devices so if you don't have one you won't be able to find it or it probably will just say doesn't work it may also quite well just do software-based testation instead a completely skip Hardware portion which is something we actually care about so a failure here says that our CTS profile was false basically just false didn't get the advice back so I didn't pass safe in there the key balance as I mentioned were that

CTS profile basically take the two so CTS refers to compatibility testing suite and what this means is the data you send to Google's apis with your devices state is not match what they believe a factory restored or safety device looks like so in other words it had something that being modified hashes didn't match like a person being changed oh and basic Integrity also outlines whether or not you are using an emulator for instance so Google a very um focused on avoiding you've been able to emulate safety net so you can't easily reverse engineering I don't know as we see later I think it's a very bad job of that so as a developer what can we do with

the jws token we get back from Google's apis well we can verify on the device as a really basic and quick check to say whether or not the device is in a secure state but this can be bypassed and Fireside cooking or general modifications to the APK itself otherwise we can also send the request we can send a request to our server with the jws included so for instance as I said a banking application when you make a payment might want to include as jws your bank server verifies it says yeah the application is a secured state so I let this payment proceed because it's probably not being formed by a malicious actor and you'll see taking this

actually used a lot in acne app social media and games particularly things like Pokemon guy I believe use safety nets so how does cigarette really work at a more technical level well the client Imports a library we know that and then Google Play services actually download the safety net runtime binary which is a jar file on the Fly that binary is being obficated it's very difficult to read and it is difficult to actually adverse engineer as well in fact it errors out a lot of attempting to try to reverse engineer it the uterus has said utilizes these trusted execution environment within the SRC so I already were facing Hardware limitations potentially where we're not going to dig into it and

quieter in one and we're not going to see anything that's going on and the device state is actually verified and the collected data you get back in devices States is then sign up a private Key by the cost of distribution environment so what that means is unless it happens private key we can't make our own data and we also don't really know what data looks like to begin with because it's all encrypted or attack audience so people would actually want to bypass taking that perhaps looks like security researchers like myself so I'm doing application testing quite often I'm going to try and test them out it's going to do a safe and access station and then suddenly I

can't test it because it knows that my device is rooted or I have a very limited foothold essentially tested on non-roots advice you just wanted to run out to the routes of devices so maybe you wanted to get some more freedom you want to get away from platforms like Google are trying to get rid of the bloatware or what you might satisfy wear potentially and various Telemetry data and then finally and it wouldn't really want to support the Pirates and Jesus so mobile games where you might want to try and cheat to get yourself advantages Pirates trying to rip obstacles money off the app store no longer support the developer or potentially even implant militias

um payloads into those applications to compromise uses or attempt to use them so that's three key audiences and then the attack surface we've got so if we want to look at exploiting this bypassing safety net or generally just avoiding its using applications what can we do well we can look at personal attacks which rely on having a device connected to a network which you control and you intercept the data going back and forth without advice which then in turn goes back and forth to Google this isn't really possible because there's typical pinning and validations are forced over a TLS connection so we don't really know what's going on behind the scenes at least within the years and

we can't intercept and change things because if there's signatures involved anyway which validate the actual data itself you can put the client-side runtime hooking however this usually needs to be implemented on a case-by-case basis in every single application you want to bypass taking the air which is essentially what already happens but it's a sort of ineffable option because of we don't want to do a head spaces we want to achieve this globally we can replay safety net responses put your sword as a timestamp involved there and a unique value in the actual response so the next payoff byte it won't match what's expected and the timestamp will be essentially out of the limits defined by the app

and then finally we could just steal the private keys from the hardware and sign our own data the issue is this has happened in the past and Google simply decided to revoke certificates do a system update and now that doesn't work anymore the ability that's actually happened is so few of our between as well that it's very unlikely enough to keep stealing private keys and compete with Google to keep signing his data for such a simple purpose so rolling out this tax is what we've just sort of achieved here we've said each partner has different drawbacks so what's the best option here now there is one that we can kind of come back to but impact in a different

sense so if we look at client-side hooking ordinarily this would still fail with the hardware is responsible for actually achieving infestation and filing a device to stay but if we use two devices which is in this diagram concept here so we have a good Android phone which is unrooted and runs our safety net server let's call it and this actually performs all your testation on our behalf and then Returns the data and the equal device has your test function and the get jws result function both hooked on the framework so when we attempt to do a test station you could devise conduct on our path we take the response from that which is valuables of good devices in a know and

good State and we use that in our either application to make it appear as if that's actually a good device at least that's the theory behind it so as a framework called Exposed on Android it's a runtime cooking framework for clientsides it uses Java you need a module loader for it and it's very difficult to get up and running initially which is quite outdated and documentation Max but if you do get working you can put content successfully including either test functions and jwf results there are some limitations of it namely it only really works with Java unfortunately we can't currently put kotlin applications which are quite common for developers of writing and the standard workflow like I sort of

showed up before might look something like this for cessation you can't have positive test methods the task happens you get the call back and we return to jws but a standard workflow with exposed in between might look something more like this the clientification attempts to call your test function but that has been hooked by this exposed framework and we actually dumped a little trampoline sets up all of our parameters our data Etc then we jump to a Macbook chord beforehood methods and this is within our exposed module that enables us to run any code we like prior to the method that you're targeting being called at which point the original members calls to preserve the Integrity of workflow and make the

application look legitimate and then finally another off of method is called which enables us to clean up or do anything else after that's all done the actual original return value happen and as far as the application knows it's not been hooked and everything's perfectly normal so working out what an outer hook well when we Implement Safety Net in our own application we need three libraries safenet safe net API and safenet clients so we know those packages somewhere either on disk or downloaded at one time and we can hook those and hopefully get the message you want it's a little bit more complex than that and I can't explain as I go so the safety net binary you can find the

public implementation of it you interface on your device under data slash app under an APK part now it's actually referred to as Google mobile services so Google Play services Google mobile services both interchangeable but if we dig that I'm actually APK out obtain the safety net implementation we can convert it to a jar file that we can decompile we can use application.jdgui and we can analyze it and then attempt to build our hooks around the data we're expecting so for reference the taking that class was being part was a little bit like this we have its class name safe net we have a build that's declared as static which is taking that API and we come

back to why it's important after the get client function so there's something recording earlier with application and we have a static initializer at the bottom which sets the safenet API to be equal to a internal class this internal class if you actually dig it out is essentially just an obscured implementation of the class in a case of real code what happens behind the scenes Etc and then the same thing we can see or it's in the API class so this is the actual implementation just referred to on the signal API and we see there's a test function and a zz80 function so the ZTA is what we're actually going to hook a little bit later because it's a static

function and it's actually called by a test just there and the reason we're hooking this one is that the test function is because for some reason exposed fails to hook your test function likely because of X and it's statute function and the method kit changes a little bit but those exactly details are too important when it comes to actually becoming events we end up stopping a little bit like this I have an interface for the class by default based on logic just got which is safe Nets we then grab the API files from the actual previous field which is safe in that API that one at the top just there so we grab that filled

and then we hook the method said it's easy a and then we can use those privacy knowledge which is before and after something's actually hooked so what can we do once you put the get jws result function you're saving it and the test function let's say no well we can make a web request like in our diagram to our Good device and we can ask it so a test for us and give that data back as part of the get AWS result function and let's just sort of revisit this hurdle so you would think in theory we've got all the piece of the puzzle and we could put them together but we run into an issue I remember before I

said that assuming base activity passes there would be a field called APK match name APK digest included along with a certificate chain well on Android when an application makes a call to safety net a mechanism which I couldn't actually determine opportunity is used to hold data of that APK that application and use as part of your test function and what happens when we actually send this data across the state of this to our server our external surface I've answered above is there saying well the eight became named does not match the banking app so for instance command or banking dot Barclays expecting that building present but it's expecting it's a match in its entirety but because if

we used another application of our own making on the device to essentially make this call instead that's no longer going to match and likewise the Shah hash so you can't just spook the name you have to speak the hash as well and then we'd have the certificate chain so it's the first card that we wanted to and as of yet I haven't actually been able to bypass unfortunately I spent the last two weeks reverse engineering this and kind of doing my very best that's why I make this work and the truth of it is it's very difficult and very time consuming I wasn't actually able to buy us this last step but I can show you a

little bit of what it might look like once this is bypassed and I do believe that it can actually be implemented so remember before in the test function we passed a context called temp well this is because where I overrodes the set package name and get package based Publishers and the idea behind this was well if Satan only knows about an application based on the context we pass if we overwrite that and we make it return different data sure is taking I should get different data but the result of that appeared to be that in fact no it didn't and safe in that unfortunately is using alternative mechanisms which are quite difficult to dig out and

resolve obscure code base to determine what applications call and get data regarding Gates and also the hashes Etc so an example with me but ultimately unsuccessful and I added a lot of functions to these when I created them but the logs Network chord because taking it never actually used our context in a way that I was expecting but it is possible that more refinement there might be some alternative way to potentially put this and ensure safety net believes that we are the fake application that we're pretending to be so let's look at the results pack so far as a sort of very basically we were able to put necessary methods to essentially try to bypass safety there

so that gave us a good start we had a very good understanding of safe and that works internally based on our decline efforts and also our research in general and then finally a good Insight of how the exploit could work in theory now this is actually some string cost of my setup that I had gov so you'll see on the left side is an application mistake in that mod this is running a basic https server it performs the attestation sets of credit products Etc and return to data in that request from The Good device and then that data is remarkable methods reviewed before essentially you can get it back into your device make it clear

as that's what was expected but you'll see the response we get is it's very small so it's also at the bottom response payload validation fails if we look at the actual logcat so the logs that the actors are producing it will tell us that the APK name does not equal the expected APK name so for instance com by example we've got my app is not equal to our com dot safety netmod application that we made and what this means is currently our proof of Concepts under attack is failing but there is actually a glimmer of hope in this and I do believe some perm of research it can be made to work now I want to sort of end this by saying

this is a couple weeks of research it's a very good start and the ability to actually perform this attack currently relies on using the sort of outermost layer of safety nets attestation but if we de-interest classes and we reinvent the core functionality okay we speak directly to the hardware and we used to tell it what our package name is the data Etc is a very good chance that we can actually spook this functionality at a lower level and return that data instead of which ones we'd have a functional X1 I'm learning a team to actually attempt that and try and make it work and hopefully the results soon enough will end up on GitHub or somewhere once Google kind of

infects and triages to process and essentially signs off on ESV now we think we've fixed this or something like that so given all the information are there any questions as anyone sort of had me yeah

been used

so an application that doesn't have safety net support we'll look for some alternative means or tested device if I'm not mistaken I think the software side of the testation can actually still be used on unsupported devices so if it's your Samsung device and still use basic integrity that's quite trivial to bypass nowadays in fact as to survive for example if we want to make a Google pixel device use software infestation instead of Hardware backed we can just pend a space at the end of its name so instead of Google pixel 6 it comes Google pixel 6 space and that'll be soft at the station which is currently easily known by fast but in terms of how many apps are using to say

for now there's quite a few like I mentioned games like Pokemon go I believe social media apps like Snapchat nearly every single banking app is going to try and make views of every single defense they can get and at software level the security is more easily bypassed but when we're looking at a hardware module that's supported by Google and implemented by professional developers they also being bypass essentially get reduced so it's very tanned lighting for developers and firms to use this technology especially census as we saw very easily implemented does that answer a question let's ask any other questions um

[Music]

they could change the flow of this as you saw they are already kind of doing something like that where that they can't pin a device to specifics because of maybe Google pixel code in the factory State should look fairly similar and we don't know what devices users are used exactly because we don't know the IMEI number or serial numbers of Popeyes what we do know is the APK that we've actually produced Gene hashes up here signatures were expecting within that APK so if they don't match then you can say well advice may be legitimate or not but something has gone on in between there well another applications are typically just call us with a fake

testation response then your question as well okay um three screens up there that was testing the checking the validates came back from Google in the client-side applicational safety netcasting applications but you're saying that really you shouldn't be testing how to server somebody exactly your questions mate do you know whether most people that do test this outside just check is the signature valid that's okay or do most people actually checking he's got the right they're not just what exactly yeah so there's a very good chance that a lot of server-side implementations are verifying this are done wrong and if they are done wrong or means to bypass it suddenly become quite possible the application I've got and listed here

is coming with an offline version of the attestation um or the sorry the validation of that and it's actually simulating what serve would be doing so that's picking out the APK name changing the timestamp verifying the CTS profile based Integrity match that should be what every server is doing but this implementation on the server side is left entirely up to the developer which means a million of Logic box and considering the complexity and sort of a lack of General documentation of how it should be implemented correctly it means that it leaves a very big room of sort of error for developer to incorrectly implements so it's very possible yes that or attempt here a bypass if you could quite well work on

the Lloyd's banking app Santander or some other application where we believe we're secure but no one's attempted this before you haven't tried that on any sort of suggestions two hour happened just for not trying to break the law too much yeah

so a couple of minutes more and and we'll be swapping over and have another speaker if you do have more questions I'm sure it'll be available in in oh I don't know somewhere in the hotel it's not like yeah you can't feel free just to find me I'm happy to take more questions I will see you all in a few minutes [Applause]