SafetyNet on /e/OS Community "dev" devices - let it in or not?

SafetyNet, as we understand it, is a Google Play Services proprietary component designed by Google to make their Android-competitors’ life hard. It’s a complex piece of software that is advertised as a “security” feature (so obviously a lot of bank apps are integrating it), which makes apps that integrate SafetyNet fail when run on any non Google-commercial-Android device.

As you are probably aware, we have put quite a lot of energy into having SafetyNet pass on /e/OS. This is normally device-specific work, and now Murena devices available at https://murena.com have it enabled.

We also now have a Merge-request ready to make SafetyNet pass on all (or most) other Community devices (-dev).

But the consequence of having SafetyNet pass is that for /e/OS with Android up to 11 included, “adb root” will not work anymore.

This won’t be a problem starting with Android 12, which has removed this dependency between “adb root” and SafetyNet.

So today we have different choices on the table for the 200+ /e/OS Community devices:

  1. Keep adb root, don’t introduce SafetyNet pass (= same situation as now)
  2. Remove adb root, introduce SafetyNet pass
  3. Make two different builds, one with SafetyNet pass, the other with adb root support

Probably choice 3. would catch the most votes, but unfortunately we cannot: it would use too many resources in terms of compilation time, and too much staff time to handle all this.

So only choices 1. and 2. remain.

What’s your take on it?

  • Keep adb root, I don’t care about SafetyNet pass
  • Remove adb root, I want SafetyNet pass
  • Other choice (please comment)


Please note:

  1. again, this is not about “Stable” devices (the ones on Murena devices sold online), they already have SafetyNet pass, and no adb root
  2. This won’t be an issue anymore for all /e/OS builds starting from A12 (S) and above, so this is a temporary issue for most Community devices

Regain your privacy! Adopt /e/ the unGoogled mobile OS and online services

13 Likes

I vote to keep adb-root as I use “magisk” and its “universal safetynet-fix” as a workaround to pass safetynet detection.

9 Likes

I also chose to keep adb root, as it is necessary to be able to backup user-installed apps and data (using Android Backup and Restore Tools project)

5 Likes

I’m not a developer, but according to a generally well-informed and credible forum on XDA, it seems that SafetyNet is already ancient history, and that Google has found a new amusement:

“Play Integrity has replaced SafetyNet for the most part, with a deadline of June 2024, when Google’s SafetyNet servers will go offline. Apps that continue to exclusively depend on SafetyNet will no longer work once this happens. Most developers have already migrated to Play Integrity.”

https://forum.xda-developers.com/t/discussion-play-integrity-api.4479337/

6 Likes

Considering what an issue backing up this stuff really is, should I be surprised there are actually votes against a possible remedy, and not a few it would seem, on a supposedly degoogled phone, to pass Google SafetyNet? Guess not :person_shrugging:.

The reason I use /e/OS is to have maximum compatibility with apps, so I voted for Safetynet. When banking apps are not supported anymore, this could be a reason for me to look around.

3 Likes

Fortunately I have a work phone with which I do my banking stuff, else it might be a bit of a problem since my bank requires a smartphone in order to do online banking and also I use root apps like titanium (I’ve a lot of apps to backup)… I would probably use another old used phone for banking if I didn’t have my work phone.
I almost overlooked the notes about community devices. I have a S10. Not sure if this is a community device. I voted for keep adb.

Using the web version to access my bank account is my preferred choice to avoid trackers as much as possible, so adb-root is fine.

6 Likes

I voted for the first option to hope for a global compatibility with banking and other applications.
However, wouldn’t this call into question the strong communication with google’s servers and the volume of data transmitted there?
The new version that will replace SafetyNet Pass, Play Integrity, will be introduced in June 2024; does it not pose problems for alternative stores?

I think that a lot of people are complaining about banking apps (and other types also) not working on /e/.

And they don’t want to root their phones with the magisk stuff for security purposes. Which is totally understandable.

For me it would be much easier for everyone to have the safetynet test passed on ALL devices (including dev ones). No need to root their phone each time we have an update. And on top of all, more security for our devices.

There are only benefits :slight_smile:

4 Likes

@gael, this is a tough one!

For the record: In an ideal world a company would not enforce a specific device state and/or developers would use the evaluation result for a warning at maximum…

That said I think compatibility is very important as long as we live in the imperfect world.

On the other hand there are plenty of useful apps with valuable data and no export/import feature (a major design flaw imho as it would allow to transfer data if accepting the hassle of doing it on a per app basis).

Again, in an ideal world, this would work globally as an OS feature for all apps at once for a non-tech savvy user. (Hint, hint, let me stress again that this would be a killer feature!).

So also (adb) root is almost mandatory. But carrying two devices just for a couple of safetynet apps is also not acceptable.

Not sure if I am able to cast a vote for either option. This is where the expression “to be stuck between a rock and a hard place” must be originating from :stuck_out_tongue_winking_eye:

5 Likes

Not true. The downside is that without adb root, there is no method that works of backing up and restoring user-installed apps and data. This is an important use case for many people.

5 Likes

What about SeedVault? It does not require a rooted device.

However, it is possible to pass SafetyNet while being rooted and/or using microG instead of google services. The procedure for lineageOS, /e/, iodéOS, lineageOS for microG is the following:

  1. Install microG.
  2. Install magisk (to enable root and other functions).
  3. Enable zygisk from within the magisk settings. Magisk->Zygisk->Enable.
  4. Install Universal SafetyNet Fix.
  5. Install microG installer (needed for signature spoofing and giving full system access to microG, already present on /e/, iodéOS, lineageOS for microG).

After completing the previous steps, the SafetyNet is passed. In addition, within the magisk settings it is possible to add and/or remove rooted applications via Magisk->Enforce DenyList->Enable and Magisk->Configure DenyList->Apps.

1 Like

But we need to do this stuff again after each update?

Pitching in my opinion. Although adb root is indeed useful, I would say that it should not be prioritised over app compatibility (e.g. most Banking apps requiring SafetyNet). If you want “normal” (=not too tech-savvy) users to use /e/, then they might be put off by some apps not working*

And if you need root for backup etc., you are probably more than capable of installing and setting up magisk (+use other tools to still pass SafetyNet if you really need to). With many devices on A/B partitions, OTA and magisk are also less of a hassle nowadays. I would put together a magisk guide on /e/ for those interested, rather than drop (=not add) SafetyNet support for all users on dev builds.

* I have even seen apps that report something like “Your device is rooted and device security is compromised. App will not open” as soon as you don’t pass SafetyNet - a scary message, if you just installed /e/ and opened your banking app, right?

1 Like

Only magisk needs to be reinstalled.

1 Like

How about using:

Haven’t tested it myself yet, but those I heard from said that it doesn’t require root.

From my perspective, it does not make sense to have a de-googled OS if we keep google-properties… I am interested in /e/OS to have an Android version without any trace of Google in the code and its runtime.

4 Likes

It doesn’t require a rooted device, but unfortunately it doesn’t work (at least for me):

  • it only backs up some of my installed apps. Android Backup and Restore Tools project backs up all of them
  • restoring a SeedVault backup has been flaky for me; sometimes it works, sometimes it doesn’t, sometimes it mostly works

1 Like