How to pass SafetyNet on Android after rooting or installing a custom ROM (2024)

SafetyNet bypassing has long been a cat-and-mouse game between Google and the Android's aftermarket modding community. Tinkerers love to modify the software on their phone - a process that usually involves bootloader unlocking as the first step. But this, in turn, trips SafetyNet, which can cause several popular as well as crucial apps to stop working on the phone, some of them understandably so as they rely on a tamper-proof environment for execution.

To be precise, SafetyNet is meant for app developers, but they can choose to use it or not. For a regular end user, though, you can either give up on the modding potential of Android and pass the SafetyNet compatibility tests or stay ostracized by the app publishers. If you’re wondering how to pass SafetyNet even after rooting or installing a custom ROM on your device, this guide should help you with that.

What is SafetyNet?

Android is designed to run without giving the end user any kind of privileged control over the underlying subsystems. In case a person operating an Android device is able to gain similar access to administrative (AKA "superuser") permissions as on Linux, they can essentially alter or replace core system applications and settings. From the perspective of an app developer, it means the device their app is running on can potentially be compromised. There should be some kind of abuse detection system to examine the device's software and hardware environment and assure the app developers that everything is alright. This is where SafetyNet comes in.

While modding is an integral part of the Android ecosystem, sometimes you need a high degree of rigor in the OS to satisfy the constraints of security policies. SafetyNet is such a set of abuse-detection APIs present in the Google Play Services. By calling the SafetyNet Attestation API, third-party applications can check if the software environment of the device has been tampered with in any way. The API checks for various things like the bootloader unlock status, signs of superuser binaries, and more to compare the current state of the target Android device and verify the integrity of the environment against a known 'safe' value on the server side.

Notably, Google has already announced plans to phase out SafetyNet. It will be replaced by the Play Integrity API by 2024. Be that as it may, SafetyNet is still used by numerous app developers for tamper detection, which means it's indeed a tough hurdle for the modding enthusiasts.

SafetyNet tripping and its consequences

A number of departure events from the stock configuration of an Android device eventually lead to SafetyNet tripping. Even if you just unlock the bootloader of your phone and leave the factory-installed OS untouched, you may still get a "CTS profile mismatch" (where CTS stands for the Compatibility Test Suite) error that causes the SafetyNet check to fail. If you root your Android device or replace the stock firmware with a custom ROM, you will pretty much end up with a SafetyNet failed status. As a result, you can't use apps and games that employ SafetyNet validation on the device. This is especially true for banking and other financial apps such as Google Pay, as they strictly rely on the SafetyNet Attestation result and won't allow users to operate the app on a seemingly tampered environment for the sake of security.

When it comes to games, developers use SafetyNet to assess the device's integrity so that they can prevent rogue players from cheating or modifying in-game variables for unfair advantages. Last but not least, you can also come across examples where publishers are simply misusing Google's tamper detection mechanism for no practical reason, which is why power users want to evade the detection routines.

In a nutshell, the modding community will have to choose between having access to root/custom ROMs/kernels/etc. or their preferred apps and games. This might sound like the end of aftermarket development on Android, but there is hope.

How to pass SafetyNet attestation on Android devices

Since Google periodically updates the backbone of the SafetyNet Attestation API, there is no true universal method to bypass the checks. Since the restrictions depend on a number of factors, you may pass SafetyNet on a modded environment by spoofing the most significant parameters on legacy devices, but the same trick might not work at all on newer phones. The aftermarket development community has come up with a number of techniques for passing the SafetyNet checks, but keep in mind that a generic implementation isn't possible due to the ever-changing nature of the anti-abuse API. This is a game of Dot and Ditto -- one day, you will be ahead, and the other day, you will not be.

With the gradual move towards the hardware attestation strategy, Google is relying on the security of the phone’s Trusted Execution Environment (TEE) or dedicated hardware security module (HSM) for tamper detection. Finding a critical security vulnerability in the isolated secure environment of a device and exploiting it to spoof SafetyNet’s client-side response can't be a feasible approach, but this is XDA, which means there is no shortage of innovative ways to get past the obstacle.

Here are some of the well-known methods to pass SafetyNet:

1. Restoring the original firmware and relocking the bootloader

This is perhaps the simplest way to pass SafetyNet, but it has its own merits and demerits. All you need to do is find the correct firmware for your Android device, flash it, and finally re-lock the bootloader. Of course, you'll lose most of the bells and whistles of the modding scene, but it actually makes sense when you need to use your device in a managed environment with strict security policies, or you’re trying to sell your device.

If you don't know the back-to-stock steps for your phone, we recommend you head over to the XDA forums, search for your device, and then look for a guide to install the official software and lock the bootloader. While we offer tutorials for flashing Samsung Galaxy and Google Pixel devices, there's no universal method for this, as it differs from phone to phone. Once you've restored the stock configuration, you should be able to pass SafetyNet without any fiddling.

2. Using Magisk

If you own a legacy Android smartphone, Magisk is your best bet to pass SafetyNet without much hassle. Even though the current stable build of Magisk doesn't feature MagiskHide anymore (since v24 release), you can still stick to the v23.x version and utilize MagiskHide to hide root status from apps. Furthermore, you can install Magisk modules like MagiskHide Props Config to change/spoof the device fingerprint in order to pass SafetyNet. To know more, take a look at the module support thread and follow the instructions given by the developer(s).

Talking about the deprecation of MagiskHide, the DenyList feature of Magisk is an interesting development, which allows users to assign a list of processes where Magisk denies further modifications and reverts all changes it had done. With an appropriate configuration, it can also be used to pass SafetyNet in some scenarios.

Below you can find some generic steps to utilize DenyList for passing SafetyNet:

1. Open the Magisk app and click on the gear icon to access the settings section.
2. Scroll down and enable Zygisk and Enforce DenyList.
3. Now select the Configure DenyList option, tap on the three dots at the top, and select Show system apps.
4. Configure DenyList for Google Play Store and Google Play Services.
   • If you need to hide the root status from certain apps, you should select them as well at this stage.
5. Navigate to Settings > Apps and clear Data of all the apps you configured in the DenyList.
6. Reboot the device. After booting, connect to the internet, keep the phone sit idle for a while, and then check the SafetyNet status.

Magisk XDA forums

3. Using Universal SafetyNet Fix

Bypassing Google's hardware-backed SafetyNet attestation technique is a tad bit difficult, but it's not entirely impossible. The Universal SafetyNet Fix project by XDA Senior Member kdrag0n cleverly accomplishes this feat by forcing the basic attestation over the hardware-backed checks. To put it simply, it injects some codes into the Play Services process and registers a fake keystore provider that overrides the real one.

Notably, Universal SafetyNet Fix has a dependency on Magisk when it comes to passing the basic attestation part. The developer supports Zygisk solely for the latest version, which means you need Magisk 24 or newer to use it. That said, you can also find Riru-compatible legacy builds in the repo linked below.

Universal SafetyNet Fix: GitHub repo ||| XDA discussion thread

The installation process is quite simple:

1. Make sure you have a working Magisk installation on the target device.
2. Remove MagiskHidePropsConfig module if installed.
3. Install the Universal SafetyNet Fix module and reboot the device.
   • You might need to wipe GMS data after rebooting.
4. Profit!

Notably, XDA Senior Member Displax has come up with a fork of Universal SafetyNet Fix that can bypass Play Integrity API. It is particularly useful for current-gen Google Pixel users. Take a look at the links below for further details.

Universal SafetyNet Fix fork by Displax: GitHub repo ||| XDA discussion thread

4. Shamiko

There's also Shamiko — a work-in-progress module written on top of Zygisk (Magisk in the zygote process). It reads the list of apps to hide from Magisk's denylist to hide Magisk root, Zygisk itself, and Zygisk modules to circumvent SafetyNet. However, Shamiko can only work after disabling the DenyList feature.

You can download pre-release builds of Shamiko from the LSPosed's GitHub repository.

Download Shamilko

Since Shamiko is essentially a Magisk module, it's very easy to apply:

1. Make sure Zygisk support is enabled under Magisk.
2. Install Shamiko as a regular Magisk module and reboot.
3. Configure DenyList to add processes for hiding as per your requirements. However, do not turn on the Enforce DenyList option.
4. To configure the whitelist mode, simply create an empty file as follows: /data/adb/shamiko/whitelist
5. That's it!

5. ih8sn

In case you don't want to rely on Magisk to pass SafetyNet attestation, you can try out an experimental add-on named ih8sn. After applying, it can spoof a plethora of prop values in order to circumvent SafetyNet checks like the MagiskHide Props Config module, but there's no dependency on Magisk in the first place.

The ih8sn tool is maintained by several LineageOS developers, but the LineageOS project doesn't officially endorse it yet. Furthermore, it's not a ready-to-flash solution, so you need to configure it yourself before flashing. To know more, take a look at its codebase by following the link below.

ih8sn GitHub repo

Here's are the necessary steps you should follow in order to perform a successful ih8sn installation:

1. Download the latest release of ih8sn from here.
   • For modern Android devices, pick the aarch64 variant.
2. Open the ZIP file using a suitable archiver, navigate to /system/etc/ih8sn.conf, edit the file with a text editor to change the BUILD_FINGERPRINT and PRODUCT_NAME variables.
   • Browse your device sub-forum to get the most appropriate values for the variable duo.
3. Save the changes and install the modified ZIP file through a custom recovery like TWRP.

Verification

After applying one of the aforementioned SafetyNet passing methods, you may wish to verify the result. The Magisk app comes with an option to initiate the SafetyNet checking routine right from its main menu, which is really handy. You can also opt for an open-source app named YASNAC (short for Yet Another SafetyNet Attestation Checker) to check the status and (optionally) examine the JSON response.

That’s how you can pass SafetyNet on your phone. With a little bit of time and patience, it is possible to restore the true modding potential of Android without bothering about the SafetyNet Attestation failures. We’ll be updating this guide with more SafetyNet passing methods, so check back again in the future!