
How Google Detects Tampered Devices Via SafetyNet

September 24, 2015 - Written By Matthias Tan

When the Android Pay app was released about a week ago, some users with rooted devices could not use the app because the SafetyNet system would not permit them to do so. SafetyNet's attestation is a verification system that examines a device on behalf of the app requesting the check. It is designed to report whether the device still matches the profile of a device that passed Google's Compatibility Test Suite (CTS), and to let the app block any device that is in a tampered state. A tampered state in this case can mean a rooted device, a modified system image, or a device that is otherwise being interfered with, whether by its owner or by malware. The CTS itself is the suite of compatibility tests that device makers run before shipping; SafetyNet does not run it on the phone, it only checks for signs that the device no longer looks like one that passed it. That is all the check is designed to do: it says nothing about whether the device is up to date or whether its system is vulnerable to being tampered with later. Attestation is a rather new field for third-party developers, and any app developer can use it to keep tampered devices away from their app and its servers.

SafetyNet's attestation works in five main steps. First, the application, e.g. Android Pay, calls the SafetyNet API provided by Google Play Services, which assembles a request for Google's attestation servers. In the second step, that request must carry a nonce: a single-use random value that the app's own server generated for this particular check. The nonce ties the attestation to one specific request, so that a recorded response cannot be replayed later against the app's server; a response whose nonce the server never issued, or has already seen, is rejected as a possible replay attack. In the third step, if the request is valid, Google responds with a signed statement (a JSON Web Signature) that echoes the nonce and carries the attestation result, including the package name of the app that asked and whether the device matched a CTS profile. In the fourth step, the developer's server is required to verify that response. It checks Google's signature on the statement, and can also hand the statement to an API (short for application programming interface) that Google exposes for confirming the signature; it then checks that the nonce, package name and timestamp are the ones it expects. Keeping this verification on the developer's server rather than on the phone is what makes the scheme worthwhile, since a rooted device could otherwise simply fake the answer. In the fifth and final step, once the response has been verified by the developer's server (and by Google, if the API was used), the device has cleared the test and the app is allowed to proceed; otherwise it refuses to run.
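The verification the developer's server performs in steps two through four, as an added example that is not Google's code and not the Android Pay implementation. It is written in Python with the standard library only, so it stands in an HMAC-SHA256 signature (JWS `HS256`, with a key shared between the stand-in signer and the verifier) for the RSA signature Google puts on the real response; a production verifier instead checks Google's `RS256` signature against the certificate chain carried in the JWS header, or submits the whole response to Google's verification API. The package name `com.example.pay`, the shared key, the nonce store and the sample responses are constructed for the demo; the payload fields `nonce`, `timestampMs`, `apkPackageName` and `ctsProfileMatch` are the ones the attestation response carries.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed for the demo: the package the server expects to hear from,
# and how old an attestation may be before it is treated as stale.
EXPECTED_PACKAGE = "com.example.pay"
MAX_AGE_MS = 10 * 60 * 1000


def b64url(data: bytes) -> str:
    """JWS base64url encoding: URL-safe alphabet, no padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class NonceStore:
    """Nonces this server issued and has not yet seen in a response.

    Each nonce is accepted exactly once; that is what stops a recorded
    attestation from being replayed against the server (step two).
    """

    def __init__(self):
        self._pending = set()

    def issue(self) -> str:
        nonce = b64url(os.urandom(16))  # handed to the app for step one
        self._pending.add(nonce)
        return nonce

    def consume(self, nonce: str) -> bool:
        if nonce in self._pending:
            self._pending.remove(nonce)
            return True
        return False  # never issued, or already used: a replay


def sign_attestation(payload: dict, key: bytes) -> str:
    """Stand-in for Google's attestation server (step three).

    Real responses are RS256-signed by Google; HS256 with a shared key is
    used here only so the example runs offline with the standard library.
    """
    header = b64url(json.dumps({"alg": "HS256"}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_attestation(jws: str, key: bytes, store: NonceStore, now_ms=None):
    """The developer's server-side check (step four). Returns (ok, reason).

    The signature is checked before the nonce is consumed, so an
    unauthenticated token cannot burn a nonce an honest client is about
    to present.
    """
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    try:
        header, body, sig = jws.split(".")
        signature = b64url_decode(sig)
        payload = json.loads(b64url_decode(body))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return False, "malformed JWS"
    if not isinstance(payload, dict):
        return False, "malformed JWS"
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if not store.consume(str(payload.get("nonce", ""))):
        return False, "unknown or replayed nonce"
    if abs(now_ms - int(payload.get("timestampMs", 0))) > MAX_AGE_MS:
        return False, "stale response"
    if payload.get("apkPackageName") != EXPECTED_PACKAGE:
        return False, "response is for another app"
    if payload.get("ctsProfileMatch") is not True:
        return False, "device does not match a CTS profile"
    return True, "ok"


def demo():
    """One honest check, then a replay, a rooted device, a forgery, a stale
    response and a response minted for a different app."""
    key = b"demo-shared-key"  # constructed; not how Google signs
    store = NonceStore()
    now = 1_443_052_800_000  # 24 Sep 2015 00:00 UTC, fixed for repeatability

    def response(nonce, cts=True, pkg=EXPECTED_PACKAGE, signing_key=key):
        return sign_attestation({"nonce": nonce, "timestampMs": now,
                                 "apkPackageName": pkg,
                                 "ctsProfileMatch": cts}, signing_key)

    honest = response(store.issue())
    return {
        "honest": verify_attestation(honest, key, store, now),
        "replay": verify_attestation(honest, key, store, now),
        "rooted": verify_attestation(response(store.issue(), cts=False), key, store, now),
        "forged": verify_attestation(response(store.issue(), signing_key=b"attacker"), key, store, now),
        "stale": verify_attestation(response(store.issue()), key, store, now + MAX_AGE_MS + 1),
        "wrong_app": verify_attestation(response(store.issue(), pkg="com.evil.app"), key, store, now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} {result}")
```

The order of checks is the part worth copying: signature first, nonce second, and only then the freshness, package and CTS verdict, so that nothing a client can fabricate is trusted before Google's signature has been seen, and no nonce is spent on a response that was never Google's.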

Between these five main steps, multiple security checks are performed which help verify that the request is genuine. The system is a good way to pick out devices which are rooted, infected with malware, or used as tools by hackers. It is not perfect, and the odd rooted device or piece of malware may manage to slip through, but for the time being it is a good start for protecting application developers' servers from tampered clients.