SafetyNet is a protection system built into Android that you don’t need to know about until something goes wrong and some apps stop working.
We will first see what exactly this security test is and what it is for, then how you can check whether your mobile passes the test and in which cases a mobile can fail it.
What is SafetyNet and what is it used for?
Google defines SafetyNet as a set of services and APIs to prevent abuse. Application developers can use this API to determine whether a connection to their servers is genuine, comes from a genuine app, and runs on a genuine device.
SafetyNet is a system that application developers can use to verify that the device is genuine and unmodified.
In other words, what it does is check the device’s hardware and software.
This is not a strict DRM or anti-cheat system for games, but rather a system integrity check which verifies that the system remains the same as when it passed the compatibility tests. These tests are made up of a multitude of small tests to detect incompatibilities and cover areas such as permissions or the interaction between different APIs.
It is also not a root detector, even though rooted devices will not pass the test. Indeed, the results returned by SafetyNet are ambiguous: they are limited to saying whether the test was successful or not, but not for what reason.
Regarding its use, SafetyNet is used by developers to verify the overall safety of the system. It is these developers who must implement it in their applications and act accordingly.
For example, a banking application may not work unless the device passes SafetyNet. In fact, this is already happening with Google Pay. Other developers can directly choose not to display their apps on Google Play on devices that do not pass the test, as is the case with Netflix.
How to know if your mobile passes SafetyNet
The easiest way to check whether your mobile passes the SafetyNet check is to install an application that does the verification.
The app literally has a single button, so all you have to do is press Run the test. The test in question takes a second and shows very clearly whether it was passed or not. Some additional details are listed at the bottom of the window.
- SafetyNet request. This is the request for the test itself. If the request cannot be made, the test is not performed at all (for example, if you do not have an internet connection).
- Validation of the signature of the response. This is the validation of the test result, which comes from Google’s servers.
- Basic integrity. This is the basic integrity test, a little more permissive than the next one. Developers can determine whether they want their applications to continue to function if at least this level of integrity is reached.
- CTS Profile Match. This is the strictest test, which is only true when the device is established as genuine and certified under CTS.
Why the test may fail
As we mentioned earlier, the SafetyNet test doesn’t help developers know for sure if your mobile is rooted or what’s wrong, but rather returns true or false, without explaining why. Now the reasons why it returns true or false are specific and are as follows:
| Device status | Test “CTS Profile Match” | Test “Basic integrity” |
|---|---|---|
| Certified and authentic device according to CTS | True | True |
| Certified device with unlocked bootloader | False | True |
| Authentic device not certified (because the manufacturer did not certify it) | False | True |
| Device with custom ROM, no root | False | True |
| Emulator | False | False |
| Not a device at all, but a script | False | False |
| Signs of a compromised system, such as a rooted system | False | False |
| Other signs of attacks | False | False |
So the test itself consists of two levels and may fail for any of the above reasons. However, the app doing the test won’t know exactly which one it was, only that it failed.
This means that the strictest test will fail if the device has a custom ROM or an unlocked bootloader, while the basic integrity test is a bit more permissive and passes in those cases. What both tests agree on is root: a rooted device, or one with similar modifications, does not pass either of them.
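As an added example (not from the original article or from Google), here is a sketch of how an app's backend might act on the two verdicts once the signature of the response has been validated, with a permissive tier that accepts basic integrity alone and a strict tier that also requires the CTS profile match. The payload field names are those of the SafetyNet Attestation response; the tier names, the five-minute freshness window and the sample token are assumptions made for the example.

```python
import base64
import json
import time

# Field names (nonce, timestampMs, basicIntegrity, ctsProfileMatch) follow the
# SafetyNet Attestation payload. Tier names and MAX_AGE_MS are assumptions.
MAX_AGE_MS = 5 * 60 * 1000


def payload_of(jws: str) -> dict:
    """Decode the payload part of a compact JWS (header.payload.signature)."""
    # The signature and certificate chain must be validated BEFORE this
    # payload is trusted; that step is outside the scope of this sketch.
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def decide(payload: dict, expected_nonce: str, now_ms: int, tier: str) -> str:
    """Return 'allow' or 'deny'; anything missing or unexpected is a deny."""
    if payload.get("nonce") != expected_nonce:
        return "deny"  # response was not produced for this request
    ts = payload.get("timestampMs")
    if not isinstance(ts, int) or abs(now_ms - ts) > MAX_AGE_MS:
        return "deny"  # stale or malformed response
    basic = payload.get("basicIntegrity") is True
    cts = payload.get("ctsProfileMatch") is True
    if tier == "strict":  # e.g. payments: certified, unmodified device only
        return "allow" if basic and cts else "deny"
    if tier == "basic":   # tolerates an unlocked bootloader or a custom ROM
        return "allow" if basic else "deny"
    return "deny"         # unknown tier


def make_sample(fields: dict) -> str:
    """Build a constructed, unsigned token for the demo (not a real response)."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(b'{"alg":"RS256"}'), enc(json.dumps(fields).encode()), "sig"])


if __name__ == "__main__":
    now = int(time.time() * 1000)
    p = payload_of(make_sample({"nonce": "bjE=", "timestampMs": now,
                                "basicIntegrity": True, "ctsProfileMatch": False}))
    print(decide(p, "bjE=", now, "basic"), decide(p, "bjE=", now, "strict"))
```

The sample payload matches the "unlocked bootloader" row of the table: it is accepted by the permissive tier and rejected by the strict one, and the backend learns nothing about why the CTS check failed.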