DroidGuard: A Deep Dive into SafetyNet

SSTIC & BlackHat Asia May 12, 2022

SafetyNet is the Android component developed by Google to verify the devices' integrity. These checks are used by the developers to prevent running applications on devices that would not meet security requirements but it is also used by Google to prevent bots, fraud & abuse.

In 2017, Collin Mulliner & John Kozyrakis made one of the first public presentations about SafetyNet and a glimpse into the internal mechanisms. Since then, the Google anti-abuse team improved the strength of the solution which moved most of the original Java layer of SafetyNet, into a native module called DroidGuard. This module implements a custom virtual machine that runs a proprietary bytecode provided by Google to perform the devices integrity checks.

This paper aims at providing a state-of-the-art of the current implementation of SafetyNet. In particular, it presents the internal mechanisms behind SafetyNet and the DroidGuard module. This includes an overview of the VM design, its internal mechanisms, and the security checks performed by SafetyNet to detect Magisk, emulators, rooted devices, and even Pegasus.