Universal SafetyNet Fix Magisk Module is the first of its kind to help us to pass Safetynet, Basic Integrity and CTS profile match. So that we can use high-security apps such as banking and OTT apps. This module is still under development and working great on many devices.
Kdrag0n is the developer of this module, and you can see his other projects in his Github profile.
Table Of Contents
What is Universal SafetyNet Fix Magisk Module?
Universal SafetyNet Fix Magisk module to work around Google’s SafetyNet attestation.
This module works around hardware attestation and recent updates to SafetyNet CTS profile checks. You must already be able to pass basic CTS profile attestation, which requires a valid combination of device and model names, build fingerprints, and security patch levels.
If you still have trouble passing SafetyNet with this module, use MagiskHide Props Config to spoof a certified device profile. This is a common issue on old devices, custom ROMs, and stock ROMs without GMS certification (e.g. Chinese ROMs).
Android versions up to 13 Beta 3 are supported, including OEM skins such as Samsung One UI and MIUI.
Download
Requirements
- Magisk 24 or higher
- Zygisk enabled in the settings
- Android 7 and higher
How to Install Universal SafetyNet Fix Magisk Module?
- Download Module from above
- Open Magisk app (24+)
- Head over to the modules section
- Tap on install from the storage option
- Select a safetynet-fix-vx.x.x.zip.zip file.
- Reboot.
How does it work?
Since January 12, 2021, Google Play Services opportunistically uses hardware-backed attestation to improve SafetyNet Play integrity. It also enforces usage based on the device model name since September 2, 2021.
This module uses Zygisk to inject code into the Play Services process and register a fake Keystore provider that overrides the real one. When Play Services attempts to use key attestation, it throws an exception and pretends that the device lacks support for key attestation. This causes SafetyNet to fall back to basic attestation, which is much weaker and can be bypassed with existing methods.
However, blocking key attestation alone does not suffice because basic attestation fails on devices that are known by Google to support hardware-backed attestation. This module bypasses the check by appending a space character to the device model name. This has minimal impact on UX when only applied to Play Services, but it’s sufficient for bypassing the enforcement of hardware-backed attestation.
This doesn’t break other features because key attestation is only blocked for Play Services, and even within Play Services, it’s only blocked for SafetyNet code. As a result, other attestation-based features (such as using the device as a security key) continue to work.
Donate
If you found this helpful, please consider supporting development with a recurring donation for rewards such as early access to updates, exclusive behind-the-scenes development news, and priority support. Alternatively, you can also buy me a coffee. All support is appreciated.
