SafetyNet System Design : Android
Posted By : Pushpandra Kumar | 30-Apr-2018
In the previous post, I discussed what SafetyNet is and how to use it in code. Now, I will discuss how the SafetyNet system works.
There are more than 1 billion Play-enabled Android devices. SafetyNet is a data collection tool that Google uses to gather security-related information from these devices.
How does Google implement this? A service named "snet" is started by Google Play Services. This service collects various pieces of data and sends them to the Google servers. Google uses this information for ecosystem analysis and threat profiling of the devices. Google also uses it to determine whether a device has been tampered with in a multitude of ways, and maintains this information.
Knowing which information is collected by Google would mean that someone with technical skills could develop a hooking system to fool snet by feeding it non-malicious information. But that's not easy. Let's understand the SafetyNet internals.
When an application calls SafetyNetApi.attest(mGoogleApiClient, nonce) to perform attestation, the library uses, through binder, the com.google.android.gms.safetynet.internal.ISafetyNetService service running on the device. As discussed, snet is a service started by Play Services that sends data to Google servers, but the snet implementation is not shipped inside any APK. Instead, a SafetyNet service packaged inside Google Play Services downloads a binary package with code. This binary package contains a jar file, which in turn contains a classes.dex file with Java bytecode. Google Play Services caches it in dalvik-cache (snet.dex) and loads it dynamically using reflection.
I hope you are familiar with Dalvik and related concepts. For a brief review, Dalvik is a virtual machine just like the JVM but with some differences. Dalvik-cache is the directory where Android stores optimized dex files.
The loaded class contains a method, enterSnet, which Play Services calls through reflection. This method can be started with different collection modules to check different scenarios.
I would like to list out some of them:
1. default_package
2. su_files
3. settings
4. locale
5. ssl_redirect
6. ssl_handshake
7. mx_record
There are many more modules present in the collection.
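For anyone examining the downloaded package described above (a jar that carries classes.dex), the following added example, which is not code from this post or from Google, extracts classes.dex from a jar and checks the integrity fields of its header. The header layout (magic, Adler-32 checksum, SHA-1 signature, file size, header size, endian tag) is taken from the public dex file format rather than from this post, and the sample jar is constructed in memory and contains no real snet code.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70  # fixed header length in the public dex format


def inspect_dex(dex: bytes) -> dict:
    """Validate the integrity fields of a dex header and report the result."""
    if len(dex) < DEX_HEADER_SIZE or dex[:4] != b"dex\n" or dex[7:8] != b"\x00":
        raise ValueError("not a dex file")
    checksum, = struct.unpack_from("<I", dex, 8)
    file_size, header_size, endian_tag = struct.unpack_from("<III", dex, 32)
    return {
        "version": dex[4:7].decode("ascii"),
        "size_ok": file_size == len(dex) and header_size == DEX_HEADER_SIZE,
        "endian_ok": endian_tag == 0x12345678,
        # Adler-32 covers everything after the checksum field (offset 12 on).
        "checksum_ok": zlib.adler32(dex[12:]) & 0xFFFFFFFF == checksum,
        # SHA-1 covers everything after the signature field (offset 32 on).
        "signature_ok": hashlib.sha1(dex[32:]).digest() == dex[12:32],
    }


def inspect_jar(jar_bytes: bytes) -> dict:
    """Pull classes.dex out of a jar (zip archive) and check its header."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if "classes.dex" not in jar.namelist():
            raise ValueError("jar has no classes.dex")
        return inspect_dex(jar.read("classes.dex"))


def build_sample_jar(tamper: bool = False) -> bytes:
    """Constructed sample: a header-only dex wrapped in a jar."""
    body = struct.pack("<III", DEX_HEADER_SIZE, DEX_HEADER_SIZE, 0x12345678)
    body = body.ljust(DEX_HEADER_SIZE - 32, b"\x00")
    rest = hashlib.sha1(body).digest() + body
    dex = b"dex\n035\x00" + struct.pack("<I", zlib.adler32(rest) & 0xFFFFFFFF) + rest
    if tamper:  # change one byte after both integrity values were computed
        dex = dex[:-1] + b"\x01"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    for tampered in (False, True):
        print(tampered, inspect_jar(build_sample_jar(tamper=tampered)))
```

A package whose classes.dex fails the checksum or signature check was modified after it was built; note that these fields detect corruption or careless patching only, since anyone who edits the file can recompute them.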
Thanks for reading this post; I hope you understood the SafetyNet mechanism.
About Author
Pushpandra Kumar
Pushpender has experience in Core Java, C & C++. His hobbies are learning new technologies and listening to music.