Inside Android's SafetyNet Attestation

Presented at Black Hat Europe 2017, Dec. 7, 2017, 2 p.m. (60 minutes)

Many app developers have questions like the following: "Is the device my app runs on reliable and trustworthy?" "Could it be, god forbid, 'rooted'?" It turns out that answering these questions is quite difficult. In an area traditionally dominated by "root detection" products and DIY techniques, Google attempts to respond to this request: "OK Google, what do you think about the device I'm running in?"

SafetyNet is the primary security platform used by Google to keep the Android ecosystem in check. SafetyNet Attestation is a service offered by the SafetyNet system to all Android application developers, who can use it to gain some insight into what Google believes is the state of tampering of the operating system and the device.

Unfortunately, SafetyNet Attestation is not well documented by Google. How does it work? What checks does it do? Does it really help? How can you implement it in your app without it being trivially bypassable? Taking a perspective useful to both developers and penetration testers, this presentation covers multiple aspects of the system.

Part one of this presentation will quickly recap the basics of root detection and tamper detection in Android applications. Part two takes a deep dive into the internals of the SafetyNet system and Attestation specifically, what checks it does and how it is designed, detailing how it differs from traditional detection techniques. Part three discusses the different ways the system can be implemented in real-world applications and how each method may achieve a different level of risk reduction. This is based on the lessons learned from implementing SafetyNet Attestation for several apps with large install bases and will show how an organization's maturity may impact security checks. Finally, part four presents various attacks and bypasses against SafetyNet Attestation which target not only SafetyNet but also other similar approaches.
Presenters:

  • John Kozyrakis - Researcher, Synopsys
    John Kozyrakis is a security engineer and researcher in the area of mobile application security. Over more than six years as a consultant he has helped large organizations threat model their applications and design or evaluate defensive controls, including binary hardening, tamper detection and pinning. Within Synopsys R&D, he designs automated static and dynamic analysis tools and helps define the company's mobile testing methodology. John holds MSc degrees in Information Security and Electrical & Computer Engineering.
  • Collin Mulliner - Researcher, MUlliNER.ORG
    Collin Mulliner is a security researcher and software engineer who spends most of his time working on mobile devices and smartphones. Collin is interested in vulnerability analysis and offensive security, as he believes that in order to understand defense you first have to understand offense. Collin received a Ph.D. from the Technische Universitaet Berlin in 2011, and an M.S. and B.S. in computer science from UC Santa Barbara and FH-Darmstadt. Lately Collin has switched his focus to the defensive side to work on mitigations and countermeasures. Collin co-authored The Android Hacker's Handbook.