Android Pay & SuperSU & Xposed: works for me - Xposed General

I have just made a successful transaction via Android Pay on my rooted & Xposed Samsung Galaxy S7.
I'm curious to know the actual reason it works, as I was under the impression that Android Pay is guarded by SafetyNet.
My Samsung Galaxy S7 runs Android 7.0 (G930FXXU1DQIC - patch level 8/2017), good old CF-Auto-Root and the latest Xposed framework (no systemless root or Magisk). I started using the S7 a year and a half ago and I have been rooted from the very beginning. CF-Auto-Root disabled device internal memory encryption (after the last reinstallation). I only use two of my own Xposed modules and YouTube AdAway. I block ads via AdAway. (I also disable any system/provisioning updates, security checks and unused system apps, but without using any 3rd party software or hacks.)
As I was thinking Android Pay wouldn't work on my S7, I set up the payment card on a Samsung Galaxy S5 which I had reinstalled (from LineageOS) to the latest stock ROM (without rooting). Then I gave my S7 a try and confirmed the same card for use on that device as well.
First I tried reading card info using "Credit Card Reader NFC (EMV)", which worked fine on both phones in either direction, so I tried using the S7 today in a shop (two days after setup)... and it just worked.
Android Pay version: 1.36.177845727

Interesting
Could you please share your Android Pay APK? I would like to try.
But I have Magisk and a lot of modules with Xposed; anyway, I'll try.
Sent from my SM-G930F using Tapatalk

The version (name/code) I use is the same as here: https://www.apkmirror.com/apk/googl...id-pay-1-36-177845727-4-android-apk-download/
Before running any SafetyNet checks on my working S7, I will try replicating the setup on rooted S5 first.
EDIT (day later):
After rooting the S5, Android Pay reports the "Android Pay can't be used on this device" message. However, I used an older image for rooting (as I had some issues with the latest, but will try again). It further confirms that there's some quirk in my setup/configuration that makes it work on the S7.
The S5 gave me that error shortly after I tried reading the card via the "Credit Card Reader" app, so it seems like a perfect verification without the need to use a real terminal in a shop.
I don't have much time lately but I will be digging deeper...
EDIT (18th January):
Made second payment via Android Pay, this time above the limit requiring unlocking. It still works.
Still no luck with S5 - all SafetyNet checks fail. I'm too scared to actually run any SafetyNet checks on S7 but I guess I could snoop the network and compare the local SafetyNet logs/dbs inside GMS...

moneytoo said:
> The version (name/code) I use is the same as here: https://www.apkmirror.com/apk/googl...id-pay-1-36-177845727-4-android-apk-download/
> Before running any SafetyNet checks on my working S7, I will try replicating the setup on rooted S5 first.
> EDIT (day later):
> After rooting the S5, Android Pay reports the "Android Pay can't be used on this device" message. However, I used an older image for rooting (as I had some issues with the latest, but will try again). It further confirms that there's some quirk in my setup/configuration that makes it work on the S7.
> The S5 gave me that error shortly after I tried reading the card via the "Credit Card Reader" app, so it seems like a perfect verification without the need to use a real terminal in a shop.
> I don't have much time lately but I will be digging deeper...
> EDIT (18th January):
> Made second payment via Android Pay, this time above the limit requiring unlocking. It still works.
> Still no luck with S5 - all SafetyNet checks fail. I'm too scared to actually run any SafetyNet checks on S7 but I guess I could snoop the network and compare the local SafetyNet logs/dbs inside GMS...
Just curious, is there any progress on this? I'm using latest Magisk with Xposed. One of my local payment apps refused to work after a recent Google update. I think Google has strengthened the SafetyNet checking again. I wonder if your S7 is still working after the recent update.

@itandy
I've made over 10 payments, used the S7 to set up Android Pay on Android Wear and it still works. I tried running SafetyNet checks and they said that attestation fails (both basic integrity and CTS profile match).
So far my thinking is that it's allowed by design. The S7 features a fingerprint reader, which means (by CTS requirements) it also has embedded secure storage for signing keys (SE/TEE?). The S5 doesn't have that (its fingerprint reader was one of the first and didn't use system APIs), so it falls back to an unsecured software keystore implementation. I see that only the S7 contains some actual data in the table "StorageKey" (in the Android Pay db inside GMS).
I tried spoofing "KeyInfo.isInsideSecureHardware()" but maybe I was too late, as the device profile was already set up.
I've just realized I should be able to get another device (with fingerprint reader) for testing this theory so I will do that.

moneytoo said:
> @itandy
> I've made over 10 payments, used the S7 to set up Android Pay on Android Wear and it still works. I tried running SafetyNet checks and they said that attestation fails (both basic integrity and CTS profile match).
> So far my thinking is that it's allowed by design. The S7 features a fingerprint reader, which means (by CTS requirements) it also has embedded secure storage for signing keys (SE/TEE?). The S5 doesn't have that (its fingerprint reader was one of the first and didn't use system APIs), so it falls back to an unsecured software keystore implementation. I see that only the S7 contains some actual data in the table "StorageKey" (in the Android Pay db inside GMS).
> I tried spoofing "KeyInfo.isInsideSecureHardware()" but maybe I was too late, as the device profile was already set up.
> I've just realized I should be able to get another device (with fingerprint reader) for testing this theory so I will do that.
Thanks for your response. But still it doesn't make sense to me. S7 is not the only device to have the requirements you mentioned. And specifically Xposed is one major target of SafetyNet. My device with Magisk passed everything without Xposed. But once Xposed is enabled, both ctsProfile and Basic Integrity fail, as expected.

I had the same situation: S7 working Android Pay with root and Xposed for the last year, until all of a sudden last week it stopped, and now it will only work if I disable Xposed.
Is anyone's S7 still working with Android Pay, root and Xposed?
Or is it just mine that stopped last week?
Stef

sjpage10 said:
> I had the same situation: S7 working Android Pay with root and Xposed for the last year, until all of a sudden last week it stopped, and now it will only work if I disable Xposed.
> Is anyone's S7 still working with Android Pay, root and Xposed?
> Or is it just mine that stopped last week?
> Stef
I'm not using S7. But my local payment app used to work with Magisk and Xposed until recently. I think a recent Google Play update strengthened the SafetyNet.

@sjpage10
The most recent payment I made with S7 was 9 days ago but that's cause I'm using watch now. I'm still able to read Android Pay card data from S7.
Android Pay version may not actually matter that much as the core for payments is in Google Play Services. I'm currently on version 11.9.75.

moneytoo said:
> I have just made a successful transaction via Android Pay on my rooted & Xposed Samsung Galaxy S7.
> I'm curious to know the actual reason it works, as I was under the impression that Android Pay is guarded by SafetyNet.
sjpage10 said:
> I had the same situation: S7 working Android Pay with root and Xposed for the last year, until all of a sudden last week it stopped, and now it will only work if I disable Xposed.
> Is anyone's S7 still working with Android Pay, root and Xposed?
> Or is it just mine that stopped last week?
> Stef
I did a clean install of Superman ROM 2.8.0 by @Tkkg1994 (Android 7.1) + Magisk w/MagiskSU on my Galaxy S7 (SM-G930FD) back in December. With this combination, I was able to pass SafetyNet, and install Android Pay 1.36.177845727 using the Play Store app. I configured it and began using it without issue. I then installed Systemless Xposed, and even though SafetyNet would fail whenever Xposed is activated in Magisk Manager, Android Pay continued to work normally. Even with Xposed activated, the Play Store settings dialog would report "Certified" in the Device certification field. Nevertheless, apps that prohibit distribution to compromised devices (e.g., Netflix, which I don't have installed) would not show up in Play Store searches. Android Pay would still show up, presumably only because it was already installed on my device.
I have been using Android Pay nearly daily every evening at the supermarket across the street without issue until yesterday. During the day, I upgraded to Magisk 15.4 (from 15.3), Magisk Manager 5.6.0 (from 5.5.0), and Systemless Xposed 89.2 (from 89.1). Nothing appeared different; Android Pay continued to open normally. Note that I have NOT been offered (nor installed from any other source) any updates to Google Play Services in recent weeks; I am on 11.9.75. However, when presenting the device at the supermarket's payment terminal last night, I was greeted by a window featuring a red exclamation point in a circle, an image of my credit card, and the verbiage "You can no longer use Android Pay on this phone". There was a link to activate a feedback form, though I didn't submit feedback. When I backed out of the window, things otherwise seemed normal with respect to Android Pay: I was able to browse my various payment methods, explore the settings dialog, etc. I then disabled Xposed momentarily in Magisk Manager, and was once again able to pass SafetyNet. I haven't had the opportunity to try Android Pay again since this incident.
So, like most in this thread, I am trying to understand the relationship between Android Pay and SafetyNet, as well as any other device integrity checks it makes. Based on the experiences reported in this thread by @moneytoo, @sjpage10 and myself, it looks like Android Pay doesn't regularly check SafetyNet, though the Play Store does not offer it to you if your device is failing SafetyNet when you look for it. Obviously, that doesn't preclude sideloading it using an APK from APKMirror or another source.
So, I have a few questions:
1) It isn't clear to me why Android Pay suddenly stopped working last night. Is this a consequence of my updates, or did something change on the server side? It seems like it might be a bit more than a coincidence that both @sjpage10 and I experienced the same phenomenon within a short period of time.
2) Is there a convenient way to do complete end to end testing of Android Pay without actually making a charge? It sounds like @moneytoo has some method, but I am not clear what this is.
3) What does Android Pay actually check to determine if a device is allowed to use it, and when is this checked?
4) How can I find out the underlying cause of an Android Pay failure? I'll try logcat the next time I attempt to use Android Pay to make a purchase, but any hints on what to look for would be helpful.
Thanks.

@sjevtic
It stopped working for me as well.
So far on every device I tried, Android Pay works perfectly fine offline (for at least a few days) but after a device reboot it requires internet connectivity for initialization.
The "Device certification" status in Play Store is cached and doesn't 100% correspond with the actual SafetyNet responses. Apps like Netflix don't show up when SafetyNet fails but there's no such protection turned on for Android Pay.
1) Seems like they disabled the responses on servers needed for initialization of Android Pay
2) As I already mentioned, install "Credit Card Reader NFC (EMV)" on second phone and try reading card with that. When this works, Android Pay also works.
3-4) That's the question. I still think it's possible to hack it so Android Pay will continue working on our phones. The key here is that it works offline. It may be a bit cumbersome though (automate rebooting to environment without Xposed to refill new payment tokens).
BTW: At least Android Pay still works on my Android Wear watch (connected to S7).

moneytoo said:
> @sjevtic
> It stopped working for me as well.
> So far on every device I tried, Android Pay works perfectly fine offline (for at least a few days) but after a device reboot it requires internet connectivity for initialization.
So Android Pay previously didn't need to be online to process payments? Are you suggesting that there was some form of pre-authorization, either for some period of time, dollar amount, or number of transactions for which it will work with no further attempts to connect to a server? And was SafetyNet only checked at the time of this pre-authorization? For what it is worth, I have been online every single time I attempted a transaction to date, so as of the moment I have no additional data to offer here.
> The "Device certification" status in Play Store is cached and doesn't 100% correspond with the actual SafetyNet responses. Apps like Netflix don't show up when SafetyNet fails but there's no such protection turned on for Android Pay.
It doesn't make a lot of sense why the SafetyNet status displayed would be cached, yet a live value would be used to filter apps displayed by the Play store. Nonetheless, observations seem to support this.
> 1) Seems like they disabled the responses on servers needed for initialization of Android Pay
So are you suggesting that now Android Pay goes online for every transaction made, checking SafetyNet at each transaction as well?
> 2) As I already mentioned, install "Credit Card Reader NFC (EMV)" on second phone and try reading card with that. When this works, Android Pay also works.
Ah, ok, I found the app now. That said, it didn't seem to actually be able to read NFC cards, let alone my S7's Android Pay "card" on the HTC One M8 that happened to be sitting in my desk. Just to make sure the app was sane, I tried installing it on my S7 and was able to read my NFC-enabled transit card, but that doesn't help much for these experiments. I can find a different phone on Monday if needed.
Before you responded though, I found a vending machine in the office that accepts NFC payments, and for which I can just cancel the transaction after scanning. I did a couple simple tests with it:
Android Pay transaction with Xposed on (SafetyNet failing): "You can no longer use Android Pay on this phone"
Android Pay transaction with Xposed off (SafetyNet pass): Success/green check mark
Android Pay transaction with Xposed on (SafetyNet failing): "You can no longer use Android Pay on this phone"
In each of these scenarios, I was online. It seems like now SafetyNet has to be passing whenever Android Pay is used to make a transaction. It isn't yet clear whether the phone also has to be online.
I am out of the office today, but can try some other scenarios on Monday if needed (e.g., Android Pay while offline).
> 3-4) That's the question. I still think it's possible to hack it so Android Pay will continue working on our phones. The key here is that it works offline. It may be a bit cumbersome though (automate rebooting to environment without Xposed to refill new payment tokens).
> BTW: At least Android Pay still works on my Android Wear watch (connected to S7).
An occasional boot with Xposed off for a "refill" would be manageable; requiring that Xposed be off at every boot during which an Android Pay transaction is made not so much.
Any suggestions? I am happy to help out in any way I can, though sadly I have no significant Android development experience at this point.

Quick update
Over the course of the weekend, I upgraded my phone to Superman ROM v2.9.0, and along the way, I spent some time (that is, more than a few minutes) with my phone booted up without Xposed running. I am not sure if this had any effect, but when I next tried Android Pay on Saturday and then again on Sunday, it worked. In both cases, Xposed was running and the phone was online.
Today, however, Android Pay failed again with the same message I reported earlier. So, that makes me wonder:
Is offline authentication caching working again?
Does the phone need to be booted up for an extended period in a SafetyNet-passing state (Xposed off) to refill the offline token cache?
Is there a way to examine the contents of the offline token cache, and determine the state of remaining tokens, if any?
Thanks.

moneytoo said:
> @itandy
> So far my thinking is that it's allowed by design. The S7 features a fingerprint reader, which means (by CTS requirements) it also has embedded secure storage for signing keys (SE/TEE?). The S5 doesn't have that (its fingerprint reader was one of the first and didn't use system APIs), so it falls back to an unsecured software keystore implementation. I see that only the S7 contains some actual data in the table "StorageKey" (in the Android Pay db inside GMS).
> I tried spoofing "KeyInfo.isInsideSecureHardware()" but maybe I was too late, as the device profile was already set up.
Indeed SE (oldschool sim toolkit), or TrustZone (TEE) is to blame. SafetyNet is consulted only if the pay is, well ... exposed.
I'd advise against releasing yet another safetynet bypass though, as those are promptly coopted by banking trojans and google is forced to update safetynet soon after (magisk didn't work for very long now, did it). Xposed is difficult beast to hide sort of by design.
> isInsideSecureHardware
I suspect that when you do that, you tell the NFC payment stack that you now sign tokens inside TEE trustlet, but without having TEE...

Related

[Magisk][Module] Play Store Visa - Get your device certified with custom ROMs

Introduction
Fix UNCERTIFIED status in Play Store for OP2/OP3/Note4 and maybe more.
Uncertified status may lead to some restrictions on specific apps (say, Netflix). It is judged not only by SafetyNet status but also by some build props in your ROM. So this module may or may not help you to pass SafetyNet.
More specifically, to pass SafetyNet, if you are on a custom ROM/Kernel,
a patch in your kernel like this is REQUIRED (maybe optional because of MagiskHide?)
If you are on stock ROM or other ROMs that enabled dm-verity, never touch system part.
SELinux is always enforcing
Installation
Search for "Play Store Visa" in Magisk Manager or download at Github.
Support for New Devices
This module works by injecting proper build fingerprint properties per device, most commonly ro.build.fingerprint. So device support is highly dependent on a working build fingerprint from a certified stock ROM. You can test and find a combination on your own and add it to service.sh accordingly.
I used to find those fingerprints hard to search for. Although one fingerprint may work for all devices of a kind, people barely share them. Pull requests are very welcome so we may help one another!
Define: a working fingerprint
For the time being, I test the prop edits working by:
1) Clean data of Play Store
2) Reboot for the module to apply (or invoke resetprop through adb)
3) Open and check certification status in settings (may have some delay)
4) Search for Netflix in Play Store
If you can see Netflix in search results after wiping store's data, then your props edits are good to go!
Enjoy
Q&A
Q:
Only for OP2/OP3/note4? Not support for other device?
A:
To support other device, we need the value of `ro.build.fingerprint` from a stock ROM. I don't own other devices so I may not have chance to extract it. Contributions are welcomed, and I may search for other useful ones in the future..
Q:
What's the difference between this module and this one?
A:
We both solved part of the problem, see my explanation below. I'm happy to contribute my parts, if necessary, to prevent reinventing the wheel.
XDA:DevDB Information
Play Store Visa, App for all devices (see above for details)
Contributors
ttimasdf
Source Code: https://github.com/Magisk-Modules-Repo/playstore_certification_bypass
Version Information
Status: Beta
Created 2018-03-26
Last Updated 2018-03-31
Only for OP2/OP3/note4?
Not support for other device?
What's the difference between this module and this one?
ttimasdf said:
> More specifically, to pass SafetyNet, if you are on a custom ROM/Kernel,
> a patch in your kernel like this is REQUIRED
> If you are on stock ROM or other ROMs that enabled dm-verity, never touch system part.
> SELinux is always enforcing
That patch you're talking about is unnecessary if you use Magisk. MagiskHide already changes ro.boot.verifiedbootstate to "green".
MagiskHide also hides a permissive SELinux, so keeping it enforcing isn't necessary to pass SafetyNet if you use Magisk. Although keeping SELinux enforcing is highly advisable...
I'm also curious as to what observations you've made about SafetyNet and a certified Play Store. From my own (very light) research I've found that it relies on SafetyNet. Not directly, but the CTS profile matching part. From the link to Google support in the OP:
> If your device is uncertified, Google doesn’t have a record of the Android compatibility test results.
If your device hasn't passed the Android compatibility test, it won't be reported as certified in the Play Store, and it won't pass SafetyNet. On the other hand, if you pass SafetyNet, your device has passed the compatibility test, and then it'll also be certified in the Play Store.
Would love to hear your findings if you're up to sharing.
---------- Post added at 13:27 ---------- Previous post was at 13:25 ----------
abacate123 said:
> What's the difference between this module and this one?
Quite similar in that we both change the device fingerprint. We go about it a bit different, and mine has a couple of other features as well.
My play store don't have "Device certification" tab :'(
zerlkung said:
> My play store don't have "Device certification" tab :'(
Can you find and install Netflix? If so, your device is certified. If not, it's uncertified.
Was this created in response to Google blocking GApps on uncertified devices/roms? If so then that is great, I didn't expect a solution to come out so fast.
That being said, based on current reports it would not be hard to create a universal "coyote mode" by getting the existing ro.build.fingerprint and then modifying the build date portion so that it is before March 2018. Said mode would not make the device certified if it wasn't already but would allow GApps to run normally thus the term "coyote mode" (a coyote is a person who smuggles other people across the border).
nl3142 said:
> Was this created in response to Google blocking GApps on uncertified devices/roms? If so then that is great, I didn't expect a solution to come out so fast.
Google is not blocking gapps for custom roms. At least not yet.
In fact, you can actually register an uncertified device using a custom rom (it says android id, but it'll accept the imei number) here: https://www.google.com/android/uncertified/
abacate123 said:
> Google is not blocking gapps for custom roms. At least not yet.
> In fact, you can actually register an uncertified device using a custom rom (it says android id, but it'll accept the imei number) here: https://www.google.com/android/uncertified/
Though since the Android ID is regenerated after either every factory reset (pre-Oreo) or even every boot (Oreo) it will be pretty easy to run into the 100 Android ID limit.
nl3142 said:
> Though since the Android ID is regenerated after either every factory reset (pre-Oreo) or even every boot (Oreo) it will be pretty easy to run into the 100 Android ID limit.
IMEI fellow...
abacate123 said:
> IMEI fellow...
Which wifi only devices like tablets don't have, so obviously that isn't going to work.
Cbk | Unknown said:
> Only for OP2/OP3/note4?
> Not support for other device?
As said above, to support other devices, we need the value of `ro.build.fingerprint` from a stock ROM.
I don't own other devices so I may not have the chance to extract it. So we only need some contributions.
abacate123 said:
> What's the difference between this module and this one?
Oh, I know that module but didn't read its doc until you mentioned it. In a word, the same solution for different questions.
My problem is, ctsProfile is true for my phone but I cannot get Netflix from the store. But after some prop edits it just works, so I published my solution. Maybe I could make a PR into it.
Didgeridoohan said:
> That patch you're talking about is unnecessary if you use Magisk. MagiskHide already changes ro.boot.verifiedbootstate to "green".
> MagiskHide also hides a permissive SELinux, so keeping it enforcing isn't necessary to pass SafetyNet if you use Magisk. Although keeping SELinux enforcing is highly advisable...
> I'm also curious as to what observations you've made about SafetyNet and a certified Play Store. From my own (very light) research I've found that it relies on SafetyNet. Not directly, but the CTS profile matching part. From the link to Google support in the OP:
> If your device hasn't passed the Android compatibility test, it won't be reported as certified in the Play Store, and it won't pass SafetyNet. On the other hand, if you pass SafetyNet, your device has passed the compatibility test, and then it'll also be certified in the Play Store.
> Would love to hear your findings if you're up to sharing.
> ---------- Post added at 13:27 ---------- Previous post was at 13:25 ----------
> Quite similar in that we both change the device fingerprint. We go about it a bit different, and mine has a couple of other features as well.
Your project goes a lot further than mine but I didn't notice it as a key to my problem :silly:
From my findings, SafetyNet ctsProfile seems to rely solely on ro.build.fingerprint and the "certified" status does the same. The ROM I used on the Note4 patched the fingerprint and passed SafetyNet from the very beginning.
But Play Store seems to have more verifications on other build props: in my case, ro.build.version.release and ro.build.version.incremental have to match the ones in the fingerprint. The patch I used for OP3 did not patch them (for I had no time to inspect) so I passed SN, got certified, but still could not search for Netflix. I don't know whether it's a stricter policy enforced by Netflix or Google, but it makes the certification imperfect. Maybe we shall look into this together.
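
The cross-check described in the post above (fields embedded in ro.build.fingerprint versus ro.build.version.release and ro.build.version.incremental), written as a device-audit script that flags an overridden fingerprint. This is an added example, not code from the thread or from the module; it also compares ro.build.id, ro.build.type and ro.build.tags, which goes beyond the two properties named in the post, and every sample property value is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# ro.build.fingerprint layout:
#   brand/product/device:release/build_id/incremental:type/tags
FINGERPRINT_RE = re.compile(
    r"^(?P<brand>[^/:]+)/(?P<product>[^/:]+)/(?P<device>[^/:]+):"
    r"(?P<release>[^/:]+)/(?P<build_id>[^/:]+)/(?P<incremental>[^/:]+):"
    r"(?P<type>[^/:]+)/(?P<tags>[^/:]+)$"
)

# One line of `adb shell getprop` output: "[key]: [value]"
GETPROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")

# Fingerprint field -> property that carries the same value on an
# unmodified build. The first two are the ones named in the post; the
# other three are an assumption that extends the same check.
EXPECTED = {
    "release": "ro.build.version.release",
    "incremental": "ro.build.version.incremental",
    "build_id": "ro.build.id",
    "type": "ro.build.type",
    "tags": "ro.build.tags",
}


@dataclass(frozen=True)
class Finding:
    field: str               # fingerprint component that disagrees
    prop: str                # property it was compared against
    in_fingerprint: str      # value embedded in the fingerprint
    in_prop: Optional[str]   # value of the property, None if absent


def parse_getprop(text):
    """Parse `getprop` output into a dict, skipping malformed lines."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_RE.match(line.strip())
        if m:
            props[m["key"]] = m["value"]
    return props


def audit_fingerprint(props):
    """Return a Finding for each property that disagrees with the fingerprint."""
    fingerprint = props.get("ro.build.fingerprint")
    if fingerprint is None:
        raise ValueError("ro.build.fingerprint is not set")
    m = FINGERPRINT_RE.match(fingerprint)
    if m is None:
        raise ValueError("malformed fingerprint: %r" % fingerprint)
    findings = []
    for field, prop in EXPECTED.items():
        actual = props.get(prop)
        if actual != m[field]:
            findings.append(Finding(field, prop, m[field], actual))
    return findings


# Constructed sample: every property agrees with the fingerprint.
CONSISTENT_SAMPLE = """
[ro.build.fingerprint]: [examplebrand/exampleproduct/exampledevice:7.1.1/ABC12D/1234567:user/release-keys]
[ro.build.version.release]: [7.1.1]
[ro.build.version.incremental]: [1234567]
[ro.build.id]: [ABC12D]
[ro.build.type]: [user]
[ro.build.tags]: [release-keys]
"""

# Constructed sample: fingerprint overridden, version props left untouched.
SPOOFED_SAMPLE = """
[ro.build.fingerprint]: [examplebrand/exampleproduct/exampledevice:7.1.1/ABC12D/1234567:user/release-keys]
[ro.build.version.release]: [8.1.0]
[ro.build.version.incremental]: [eng.builder.20180326]
[ro.build.id]: [ABC12D]
[ro.build.type]: [user]
[ro.build.tags]: [release-keys]
"""

if __name__ == "__main__":
    for name, sample in (("consistent", CONSISTENT_SAMPLE),
                         ("spoofed", SPOOFED_SAMPLE)):
        findings = audit_fingerprint(parse_getprop(sample))
        print(name, "->", "OK" if not findings else "MISMATCH")
        for f in findings:
            print("  %s: fingerprint says %r, %s says %r"
                  % (f.field, f.in_fingerprint, f.prop, f.in_prop))
```
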
ttimasdf said:
> Oh, I know that module but didn't read its doc until you mentioned it. In a word, the same solution for different questions.
> My problem is, ctsProfile is true for my phone but I cannot get Netflix from the store. But after some prop edits it just works, so I published my solution. Maybe I could make a PR into it.
> Your project goes a lot further than mine but I didn't notice it as a key to my problem :silly:
> From my findings, SafetyNet ctsProfile seems to rely solely on ro.build.fingerprint and the "certified" status does the same. The ROM I used on the Note4 patched the fingerprint and passed SafetyNet from the very beginning.
> But Play Store seems to have more verifications on other build props: in my case, ro.build.version.release and ro.build.version.incremental have to match the ones in the fingerprint. The patch I used for OP3 did not patch them (for I had no time to inspect) so I passed SN, got certified, but still could not search for Netflix. I don't know whether it's a stricter policy enforced by Netflix or Google, but it makes the certification imperfect. Maybe we shall look into this together.
Hm... I'm wondering. From what I've tested and seen reported, all that is needed is to pass SafetyNet for your device to be certified. On that we're on the same page though.
I've also seen reported (and experienced) that even after getting your device certified in the Play Store, it can take several reboots and/or up to a whole day before the apps that rely on the certification status (Netflix, etc) to show up/install. Could it be that you were simply experiencing a delay when you couldn't install Netflix? It's possible that any other props are part of the new Gapps blocking on uncertified devices, but somehow I don't think so... I will do more research and report back.
And as a side note, about the CTS profile test:
Changing the device fingerprint is only one part of making a device pass. That causes the devices to be recognised as a certified device with trusted software, even if the manufacturer hasn't certified the device or if you've installed a custom ROM (both would normally cause ctsProfile to be false). It will also report false if your bootloader is unlocked or if you've rooted your device, but both of these will be taken care of by MagiskHide. Xposed will of course also cause issues, but for the ctsProfile check this can actually be fooled by the No Device Check Xposed module. It'll still cause a basic integrity failure though, and be detected in other ways.
I'll be back...
Didgeridoohan said:
> Hm... I'm wondering. From what I've tested and seen reported, all that is needed is to pass SafetyNet for your device to be certified. On that we're on the same page though.
> I've also seen reported (and experienced) that even after getting your device certified in the Play Store, it can take several reboots and/or up to a whole day before the apps that rely on the certification status (Netflix, etc) to show up/install. Could it be that you were simply experiencing a delay when you couldn't install Netflix? It's possible that any other props are part of the new Gapps blocking on uncertified devices, but somehow I don't think so... I will do more research and report back.
> And as a side note, about the CTS profile test:
> Changing the device fingerprint is only one part of making a device pass. That causes the devices to be recognised as a certified device with trusted software, even if the manufacturer hasn't certified the device or if you've installed a custom ROM (both would normally cause ctsProfile to be false). It will also report false if your bootloader is unlocked or if you've rooted your device, but both of these will be taken care of by MagiskHide. Xposed will of course also cause issues, but for the ctsProfile check this can actually be fooled by the No Device Check Xposed module. It'll still cause a basic integrity failure though, and be detected in other ways.
> I'll be back...
Thanks for the hint. I did a few tests today. My module seemed to be broken today, but after adding Play Store and `com.google.android.gsf` to the MagiskHide list it works again.
And most interestingly, the fingerprint for my Note4 from the ROM seems to be blacklisted by Google.
I wiped data, disabled the module, rebooted. The device became uncertified and could not even pass `basic integrity`. Wipe-enable-reboot: it became certified and able to download again.
It's a cat and mouse game after all :angel:
Also I tested for the "delay" you mentioned. After a wiped reboot, 2 out of 3 times Netflix showed in the results. However, whether it can start downloading still depends on the certification status. If uncertified, the download will report an error after some time. With the module enabled, the download succeeded normally. So Netflix is the most timely and accurate way to tell if your device is certified.
As I have not yet used any apps that check SafetyNet status at runtime, maybe I'll check it later.
Profound Thanks For You. Your Module Was Useful To Make A Specified One For My Phone. :good:
After installing this module, I get force close popup in most Google and non Google apps. FYI, I also have Youtube Vanced installed via Magisk module. I uninstalled the module but I still get the same popups. Also, the device remains certified. Is there any way to actually undo everything? From what I can understand, my device should remain uncertified for everything to work.
GeorgePr said:
After installing this module, I get force close popup in most Google and non Google apps. FYI, I also have Youtube Vanced installed via Magisk module. I uninstalled the module but I still get the same popups. Also, the device remains certified. Is there any way to actually undo everything? From what I can understand, my device should remain uncertified for everything to work.
This module merely changes some build props, if and only if your device is supported. Theoretically it should not mess anything else up. Check your logcat for anything worth noticing and clear app data if necessary.
ttimasdf said:
As said above, to support other devices, we need the value of `ro.build.fingerprint` from a stock ROM.
I don't own other devices so I may not have a chance to extract it. So we need some contributions
I made a screenshot from my Pixel 8.1 stock - april security patch
Maybe can help for pixel support :good:
Sent from my Google Pixel using XDA Labs
It is working on my Nexus 7 2013 WiFi tablet. Running Flo classic asop 8.1 r28 May 2018 version with Ground Zero Gapps. Did the clear data (clear cache alone didn't work) rebooted and open Playstore, my apps updates and installed tabs show zero item. A few hours later, check again and I get a Certified in Playstore settings.
Thank you, good job! :good:
Also trying on OnePlus One running AEX 8.1 v5.5. currently updates and installed tabs are also zero item. Going to let it be and see if it will populate over time. Under Playstore version build number, nothing under. Before installing Visa module, it say uncertified.
Library tabs on both show my history of apps.

[Discussion] Snapchat Locked Accounts Thread Magisk

This forum is meant for people who are getting locked out of their accounts due to "3rd Party Plugins or Applications"
We need to stop this from happening so share your experiences and thoughts on the matter.
I have 2 devices: a Nexus 6P running Pie (Pixel Experience) and a Pixel 3XL on the stock Pie rom. Both are rooted with Magisk Canary builds and both have Magisk Hide turned on. Snapchat never detects root on the Nexus but ALWAYS detects it on the Pixel. I've even repackaged Magisk on the Pixel but that doesn't help. I've read that it's easier for apps to detect root on A/B partition devices so maybe the newer, updated Snapchat apps have code to detect it. When I have time, I'll try an old version and see if it works...
Note that I don't believe Snapchat bans just by detecting root. It is detecting certain apps that are somehow triggering it. If you check the list of apps that you have given permission for superuser, it would be one of those. The app that I had that was triggering Snapchat was an app named app ops. I had downloaded it and just giving it permissions alone was getting me banned on Snapchat. I think this problem only affects users running Oreo or higher for whatever reason. I myself had an old phone running marshmallow with app ops and never experienced a ban. I don't think that any of the people reporting the problem had anything lower than Oreo. If you have somehow discovered the app causing your problems, uninstalling it may not fix your problem. I had to wipe my phone in order to fix it because I was still receiving bans despite uninstalling the app that was causing my problems
I've never installed app ops so that's not my problem.
As for A/B partitioning, I'm on a Samsung galaxy Note 8 and it didn't come out with this on my device so yeh ?
The main thing I found out that I had to do, was repackage the manager and I haven't been banned for the last 4 days
I am on the S8 plus and was locked out for 12 hours before. Snapchat continued to lock me out even when I fully uninstalled magisk. I decided to clean install a different Rom which seemed to do the trick. A month later I decided to go back to my original Rom and guess what? Can't even login coz of some mod I think.
So I would say it depends on what mods you have installed yourself or packaged with the custom ROM.
Snapchat ban
I have same problem. Yesterday they gave me ban but i was unbanned with their site. But today they give me one more ban but now is for 24h ... anyone know how to fix snap or maybe hide root? S7 9.0 blackdiamond v3
Downloaded an early January 2019 version of Snapchat and signed up for a new account on my Pixel 3XL. All was good at first then I closed the app. When I tried to sign back in, I got the "problem connecting to server" error which requires an update to the most current version. I updated and after just a few hours, I got the "12 hour account locked" message for "3rd party apps". I've had Magisk Manager repackaged but that obviously didn't help. BTW, I have not repackaged Magisk on my Nexus 6P and it's still works. I found a comment by a user of the Bitmoji app (which I use on my Pixel but not my Nexus) that reported his Snapchat was locked by this app so I uninstalled it. We'll see how it goes when my 12 hour ban is up...
Update: I uninstalled Bitmoji. I also added the systemless host module in Magisk and enabled systemless mode in Adaway. That is supposed to prevent Adaway from modifying the system partition but neither worked. I'm on a 24 lock now....
newkydawg said:
Update: I uninstalled Bitmoji. I also added the systemless host module in Magisk and enabled systemless mode in Adaway. That is supposed to prevent Adaway from modifying the system partition but neither worked. I'm on a 24 lock now....
What apps have you given superuser? The app causing you problems is likely in that list
I had this happen before to me, i uninstalled edXposed and i was able to use snapchat even while on a 24 hour ban
iMystic said:
What apps have you given superuser? The app causing you problems is likely in that list
Nope. I have the same apps on my Nexus 6P and it doesn't get locked out. In fact, my wife's Nexus 6P has the same apps, is rooted with SuperSu and she doesn't get locked out so IDK...
newkydawg said:
Nope. I have the same apps on my Nexus 6P and it doesn't get locked out. In fact, my wife's Nexus 6P has the same apps, is rooted with SuperSu and she doesn't get locked out so IDK...
I don't know if this would affect you but an app that was causing the problems on my phone with Android 9.0 has no effect on an old phone running Android 6.0.1. I don't know why this happens but if you were running a new version of Android such as Android 9.0, an app that may not cause problems on your 6P may cause problems for you. And again, I have no idea why this happens but I can guarantee that was my problem and I haven't had a ban since
iMystic said:
I don't know if this would affect you but an app that was causing the problems on my phone with Android 9.0 has no effect on an old phone running Android 6.0.1. I don't know why this happens but if you were running a new version of Android such as Android 9.0, an app that may not cause problems on your 6P may cause problems for you. And again, I have no idea why this happens but I can guarantee that was my problem and I haven't had a ban since
Both my Pixel 3XL and Nexus 6P are running Android 9 rooted with Magisk Canary (19005). Both have the same apps with superuser rights. All this to say that Snapchat was working fine on both for months and for about the last 6 weeks, my Pixel 3 XL's account gets locked and my Nexus 6P does not.
Thanks for trying to help and glad you figured your problem out.
I'm copying this from the SnapFreedom thread, whose problems obviously mirror your own. I'll be editing parts out, but some of it should still apply if you guys are getting locked out.
XPrivacyLua
Install it from FDroid or Xposed Repo and check the boxes for "Determine activity" and "Get applications" in Snapchat's tab. You can also enable "Get location" to spoof your location and still use SnapMaps.
Magisk
A few points, these probably don't apply, but they're still worth doing.
Repackage it through Settings -> Hide Magisk
Make sure to block all components under "Google Play Services" and "Google Play Store". There's a few things that aren't blocked by default that might trigger SafetyNet.
Snapchat
Hoo boy...
Don't use anything higher than, and including, 10.41.6.0. It's pretty much a ban-fest. With SnapTools, we use 10.20.5.0 and 10.26.5.0. Those are probably your safest bets. Also, if you plan on downgrading, use any 10.39 app. Something in how logins work has changed in the later versions, so apps like Preferences Manager don't work.
Theming your app should be okay. I did it for months and never got a ban.
Only give it the bare minimum permissions. Storage, Camera, and Microphone. Location too, if you're into being tracked by your friends and Snapchat.
Do NOT use modified apps. At all. Ever. They're the easiest things to detect.
If you want to block ads reliably, you can use this Magisk Module. This WON'T stop bans.
Snapchat also logs your device ID. If you've received a temp-ban prior to this, make sure to change your Device ID. If you're on Oreo, you can use this app. If not, you can use Titanium Backup to change it. The latest version with this function is version 8.2.2. But honestly, the most reliable way is to reflash your ROM.
TevW said:
I'm copying this from the SnapFreedom thread, whose problems obviously mirror your own. I'll be editing parts out, but some of it should still apply if you guys are getting locked out.
XPrivacyLua
Install it from FDroid or Xposed Repo and check the boxes for "Determine activity" and "Get applications" in Snapchat's tab. You can also enable "Get location" to spoof your location and still use SnapMaps.
Magisk
A few points, these probably don't apply, but they're still worth doing.
Repackage it through Settings -> Hide Magisk
Make sure to block all components under "Google Play Services" and "Google Play Store". There's a few things that aren't blocked by default that might trigger SafetyNet.
Snapchat
Hoo boy...
Don't use anything higher than, and including, 10.41.6.0. It's pretty much a ban-fest. With SnapTools, we use 10.20.5.0 and 10.26.5.0. Those are probably your safest bets. Also, if you plan on downgrading, use any 10.39 app. Something in how logins work has changed in the later versions, so apps like Preferences Manager don't work.
Theming your app should be okay. I did it for months and never got a ban.
Only give it the bare minimum permissions. Storage, Camera, and Microphone. Location too, if you're into being tracked by your friends and Snapchat.
Do NOT use modified apps. At all. Ever. They're the easiest things to detect.
If you want to block ads reliably, you can use this Magisk Module. This WON'T stop bans.
Snapchat also logs your device ID. If you've received a temp-ban prior to this, make sure to change your Device ID. If you're on Oreo, you can use this app. If not, you can use Titanium Backup to change it. The latest version with this function is version 8.2.2. But honestly, the most reliable way is to reflash your ROM.
These are all the reasons why I simply stopped using Snapchat, and also because the application is so badly optimized for Android (even since the complete redesign of the application). In the end, considering my use was so irregular, I just uninstalled it, so no problem.
The time of Snapprefs and Snaptools was fun and funny, and especially less vicious as a concept than the basic one.
The good old days, but all good things must come to an end.
Rom said:
snip
It's what happens when a company becomes complacent and puts more effort into blocking modifications instead of improving their terrible app.
Update:
About 2 weeks ago, I flashed the May rom update for my Pixel 3 XL, installed Snapchat ver. 10.41.6.0, hid SC and all components of Google Play Services and Google Play Store in Magisk and I haven't been banned! I detach SC from the Play Store with TiBu but it somehow gets reattached. I just don't update it. Thanks @TevW !!!
I have got a problem, I have a Nokia 7 Plus, stock fw no changes at all!
And I keep getting banned... Support is a joke, I just get automatic replies...
The only reason i may have for getting bans is if snap scans the sd card, where I have magisk and roms files from other devices...
Any tips ???
newkydawg said:
Update:
About 2 weeks ago, I flashed the May rom update for my Pixel 3 XL, installed Snapchat ver. 10.41.6.0, hid SC and all components of Google Play Services and Google Play Store in Magisk and I haven't been banned! I detach SC from the Play Store with TiBu but it somehow gets reattached. I just don't update it. Thanks @TevW !!!
I tried to follow the instructions but snapchat keeps saying there was a connection problem with the server.
TevW said:
I'm copying this from the SnapFreedom thread, whose problems obviously mirror your own. I'll be editing parts out, but some of it should still apply if you guys are getting locked out.
XPrivacyLua
Install it from FDroid or Xposed Repo and check the boxes for "Determine activity" and "Get applications" in Snapchat's tab. You can also enable "Get location" to spoof your location and still use SnapMaps.
Magisk
A few points, these probably don't apply, but they're still worth doing.
Repackage it through Settings -> Hide Magisk
Make sure to block all components under "Google Play Services" and "Google Play Store". There's a few things that aren't blocked by default that might trigger SafetyNet.
Snapchat
Hoo boy...
Don't use anything higher than, and including, 10.41.6.0. It's pretty much a ban-fest. With SnapTools, we use 10.20.5.0 and 10.26.5.0. Those are probably your safest bets. Also, if you plan on downgrading, use any 10.39 app. Something in how logins work has changed in the later versions, so apps like Preferences Manager don't work.
Theming your app should be okay. I did it for months and never got a ban.
Only give it the bare minimum permissions. Storage, Camera, and Microphone. Location too, if you're into being tracked by your friends and Snapchat.
Do NOT use modified apps. At all. Ever. They're the easiest things to detect.
If you want to block ads reliably, you can use this Magisk Module. This WON'T stop bans.
Snapchat also logs your device ID. If you've received a temp-ban prior to this, make sure to change your Device ID. If you're on Oreo, you can use this app. If not, you can use Titanium Backup to change it. The latest version with this function is version 8.2.2. But honestly, the most reliable way is to reflash your ROM.
Does this mean that I can't use energized adblock magisk module? Do I have to use only the Snapchat adblock magisk module that you linked for any kind of adblocking on the device.
Thanks!

Magisk security risks

Hey, folks,
I have a question about the risks involved in using Magisk on the phone and also Xposed. Using Magisk and Xposed has always been elementary for me, however, I have never used my bank account on my phone as I am afraid of being vulnerable for using these applications. In my new job the use of my banking application is mandatory so I don't know if I should uninstall Magisk and Xposed. What do you guys think? Is it advisable to manage money on your phone with these applications installed?
thank you
Can you even run the banking app with xposed installed? It breaks safetynet and apps probably check for that. As for magisk yeah it's perfectly fine.
Hi,
I haven't had any problems. Being unable to sit up in front of a PC/Laptop, I handle *everything* on my phone.
Of course, like anything important, use proper security measures. Using a VPN is advisable. Look at places like the Android Authority Tech Store. They have deals here and there. I've purchased "Lifetime" (20 years) deals on 2 different quality VPN services, one for $20 and the other for $40. One goes out, or even out of business, I've got the other and my money's worth long ago, so no big deal.
I also use Avast! Anti-Virus (not asking for opinions), as it's Free. There's also an app that scans for cell specific stuff that "spies" on what you're doing, called "Incognito" for $2-$3 (one time).
Use what you feel good about, that's just me. Just use common sense as always, of course.
But no, I have not had any issues. So either I'm secure, or they've gotten in, saw how little there is and decided that I need it more than they do and are probably working on ways to put money *in* for me.
TTYL
Posted from my way cool LG V20 (H910) Nougat 7.0
From my experience Magisk is completely safe, it hides root very good. Some banking apps might still recognize it and block it, but you can try hide the app in the magisk manager section or even generate a random package name for the magisk manager itself if the bank app still finds it.
Also, using EdXposed (the new "unofficial" version for oreo and pie) won't affect safetynet, but again some apps might recognize it. There is a module for that called "rootcloak", it hides root, xposed and particular keywords that you can manually add, from some apps you can choose.
Last time I tried that was 2 or 3 months ago, and my banking/security apps worked normally without any problem. You just have to play around a little with those hiding-settings when you flash them the first time, that's it.

Issue: Using NFC for Payments (rooted)

Hi everyone, I've been seeking for a solution before posting here, didn't want to bother anyone or clutter the web, but as a last resort...
My device is rooted, props successfully installed and set. Banking app works, Netflix and even McDonald's (which I've tested because i had a cts issue) which is now solved.
The issue now is that i want to activate payments using NFC, but when i open my bank app and try to activate the toggle it shows this error:
"your smartphone does not meet the requirements to use NFC payments.
HCE_INIT_ACTIVATION/ERROR_SECURITY_TRC"
It's not a big issue, but if there is a work around. I would like to know.
It's good that you have an alternative to Google Pay in the first place (you are probably not in the US, right?). I recently posted a similar question on reddit without much success. Let's see what the audience will propose here.
Yes indeed i'm from Europe and I'm not using G-Pay because i think every bank here have their own toggle in their apps to activate or deactivate the option: "pay with your smartphone."
I'm also pretty doubtful as to whether there is a solution to this error, however my fingers are crossed.
ScratchTheCat said:
every bank here have their own toggle in their apps to activate or deactivate the option: "pay with your smartphone."
It was the same case in the US 3-5 years ago, and then Google Pay took over and now none of the banks support their own payment feature in their app
Did you check Xposed? There are modules available to bypass the root check in some European banks; maybe at least one will work.
That's some pretty bad news, that means that Europe will most certainly follow soon enough...
I have not tried Xposed or EdXposed yet, I'll look into it tomorrow and try it out depending on the info.
Question; Does Magisk pass the safety test on your device?
Can you find Netflix on the Playstore? = basicIntegrity
Can you use the McDonald's app? = ctsProfile
I'm curious about your case too.
Even when your bank does not support Google Pay yet, you can use PayPal and they draft the payment from your bank account. Or open an additional account with a bank supporting GPay.
ScratchTheCat said:
Hi everyone, I've been seeking for a solution before posting here, didn't want to bother anyone or clutter the web, but as a last resort...
My device is rooted, props successfully installed and set. Banking app works, Netflix and even McDonald's (which I've tested because i had a cts issue) which is now solved.
The issue now is that i want to activate payments using NFC, but when i open my bank app and try to activate the toggle it shows this error:
"your smartphone does not meet the requirements to use NFC payments.
HCE_INIT_ACTIVATION/ERROR_SECURITY_TRC"
It's not a big issue, but if there is a work around. I would like to know.
What is this application you are using? Can you provide a link to google play store? And one more question, do you have to register to the banking application to add a card and see this error
Spartacus500 said:
What is this application you are using? Can you provide a link to google play store? And one more question, do you have to register to the banking application to add a card and see this error
Yes this is an app of the bank I'm customer of, so you need to be a customer there and have a bank account and a card, plus a card reader to login to the app at first. Which all works as it should, however the NFC "tap to pay" option doesn't work. Due to the error mentioned above. Also apps such as "it's me" also don't work. https://play.google.com/store/apps/details?id=be.bmid.itsme&hl=nl&gl=BE
When I'm off work, I'll try EdXposed.
ava1ar said:
It was the same case in the US 3-5 years ago, and then Google Pay took over and now none of the banks support their own payment feature in their app
Did you check Xposed? There are modules available to bypass the root check in some European banks; maybe at least one will work.
I've tried EdXposed along with its modules flashed through Magisk. No luck at all.
However EdXposed does show the NFC app in the blacklist which Magisk doesn't.
My banking app doesn't seem to know that the device is rooted until it asks me to turn on NFC.
Ehh idk...

Magisk, Google play and banking app

Hello,
my Oneplus 7+ is running stock Android 11. Magisk has been installed and since a month ago everything was working fine (even DKB TAN2go and other banking apps). Last month an update for Comdirects Photo TAN was released and it stopped working. Luckily I was not the only one to encounter it and the description from @ralphabt here solved the issue for me.
Since this morning Google Pay stopped working (of course I only noticed when I tried to pay and had my wallet nearby). SafetyNet fails (basic and cts). If I disable the modules that I installed for the PhotoTan fix, SafetyNet is working again.
I found the MagiskHide Props Config, which I don't have a problem installing and testing, but I was wondering if there is anything else I can try before fixing an issue that is caused by a solution for another issue.
Thanks a lot!
If SafetyNet now triggers from the Riru/EdXposed stuff you'll likely have to wait for an update to those modules (or try the latest beta/alpha/canary releases). Or try LSPosed instead (seems like more people have success with that). It's a cat and mouse game...
I'm still waiting for anyone to give me a valid reason to use Xposed of any sort....
I pulled it out recently after jettisoning Xposed back in Marshmallow days, and was completely unsurprised that in my attempts to avoid root detection when I was having bank app issues it just broke things harder
Your biggest issue is getting SafetyNet pass...
Getting Google Pay and banking apps is another level...
My current setup for working bank apps (my bank at least) and working Samsung Pay & Google Pay is, should you wish to have a crack:
Magisk Alpha - here (second most recent at time of posting) or here for latest:
Riru - here
Riru-Momohider - my own mod of that module attached to my post here (where I just added creation of the 4 optional config options to the installation script, to avoid manual jiggery pokery; touching 4 files in a terminal every ROM flash didn't seem like a fun thing after the 3 ROMs I tested that week I started using Riru-Momohider)
I'm talking those are the only modules I use. Even a simple font replacement module will give up a system modification to most root detection apps. So no fonts, no emoji swapping, no fiddly shizz. Keep it simple.
You can get an idea of what may be setting things off via Magisk Detector here, or VD Infos here (apologies to Didge, as mentioning that may be a trigger)
And I now get to tell you that this only currently works on 2 ROMs for my device; all the others cough up the existence of root through modifications made by devs to build.prop etc
So even in the best circumstances, and with all the right Magisk and Riru modules, the ROM you're using can still betray you.
Isn't that fun?
Worth pointing out (so frequently am I pointing this out these days I'm thinking of removing the link to my GPay Magisk Module from my sig) that for like 6 months now it's been unnecessary for a lot of people to
a) Use the Google Pay db fix originally sussed out by @BostonDan, or my Magisk Module that does the same thing
and
b) Enable MagiskHide for Google Pay...
Actually getting SafetyNet is rather easy - if I remove EdXposed and XPrivacyLua it is working again and Google Pay as well. I only installed it (my only reason), as it was required to get that banking app running.
I am using different banking apps and in the past the one from German DKB was rather difficult, but with the newest Magisk (23) and Magisk Hide it is working.
