Blocking apps from being used on rooted smartphones is about to become standard practice. As we found out this morning, Google’s latest update to the Google Play Console, as updated during Google IO 2017, includes a Safety Net toggle. This toggle is one of many which give developers a very simple way of allowing some features to be compatible with the apps they make, and others to be kicked from the pack.
This isn’t all new – there’s been a way for developers to include the Safety Net in apps for some time now. As Pokemon GO cheaters know, there’s always a way around the net – but it’s not always easy. And as those that’ve made the net in the first place will suggest – the net is there for a reason. Remember the dawn of Verify Apps?
As Google suggests in their Android Developers documentation, “SafetyNet provides a set of services and APIs that help protect your app against security threats, including device tampering, bad URLs, potentially harmful apps, and fake users.” In short: if your device is rooted, is an emulator, has an unlocked bootloader, or half a dozen other similar, related elements – it’ll fail the test. Major developer Niantic recently ma
Safety Net Attestation checks for the following Device Status markers:
1. Certified, genuine device that passes CTS
2. Certified device with unlocked bootloader
3. Genuine but uncertified device, such as when the manufacturer doesn’t apply for certification
4. Device with custom ROM (not rooted)
6. No device (protocol emulator script)
7. Signs of system integrity compromise, such as rooting
8. Signs of other active attacks, such as API hooking
Developers that wish to access SafetyNet for their apps on the Google Play app store can do so with the following steps:
1. Sign in to your Play Console.
2. Select an app.
3. On the left menu, select Device catalog.
4. Select the “Excluded devices” tab.
5. Next to “Exclusion rules,” select Manage exclusion rules.
6. Next to SafetyNet Exclusions, select Show.
As Google suggests, “SafetyNet Exclusions only restrict the availability of your app from the Play Store. Users can still install your app using the APK file directly.” This happens with Android Pay, amongst other major apps like Netflix (as of this week). This means that apps could still be loaded to smartphones from sources like APK Mirror. Have a peek at our APK download tag to see how often that happens.
But why, you might be wondering, is Google adding this SafetyNet barrier at this level of the Google Play app store? Why not just be satisfied with the SafetyNet API for developers to insert in the app itself?
Because Google is moving away from Android – or de-emphasizing Android as their main hero subject of chat to the public. And they’re moving toward services like Google Assistant. To make their services turn as much of a profit as possible, they’re going to need to switch up the narrative they’ve been running the past half-decade with Android.
Google is going to have to make using Android – and eventually whatever Fuchsia OS is going to be called – as user-friendly and versatile as possible. Google will need to make a system which users have no good reason to want to modify on the back end – with rooting. Have a peek at “Make way for Fuchsia OS” to see more reasons why.