From ae57183500bb34032ec426fcae2b9a14e028ce12 Mon Sep 17 00:00:00 2001 From: Danny Lin Date: Mon, 11 Oct 2021 20:00:44 -0700 Subject: [PATCH] keystore: Block key attestation for SafetyNet SafetyNet (part of Google Play Services) opportunistically uses hardware-backed key attestation via KeyStore as a strong integrity check. This causes SafetyNet to fail on custom ROMs because the verified boot key and bootloader unlock state can be detected from attestation certificates. As a workaround, we can take advantage of the fact that SafetyNet's usage of key attestation is opportunistic (i.e. falls back to basic integrity checks if it fails) and prevent it from getting the attestation certificate chain from KeyStore. This is done by checking the stack for DroidGuard, which is the codename for SafetyNet, and pretending that the device doesn't support key attestation. Key attestation has only been blocked for SafetyNet specifically, as Google Play Services and other apps have many valid reasons to use it. For example, it appears to be involved in Google's mobile security key ferature. Change-Id: I5146439d47f42dc6231cb45c4dab9f61540056f6 --- .../internal/gmscompat/AttestationHooks.java | 16 ++++++++++++++++ .../security/keystore2/AndroidKeyStoreSpi.java | 3 +++ 2 files changed, 19 insertions(+) diff --git a/core/java/com/android/internal/gmscompat/AttestationHooks.java b/core/java/com/android/internal/gmscompat/AttestationHooks.java index 621156eb84b9..fe12dfe02a9f 100644 --- a/core/java/com/android/internal/gmscompat/AttestationHooks.java +++ b/core/java/com/android/internal/gmscompat/AttestationHooks.java @@ -22,12 +22,15 @@ import android.util.Log; import java.lang.reflect.Field; +import java.util.Arrays; /** @hide */ public final class AttestationHooks { private static final String TAG = "GmsCompat/Attestation"; private static final String PACKAGE_GMS = "com.google.android.gms"; + private static volatile boolean sIsGms = false; + private AttestationHooks() { } private static void setBuildField(String key, String value) { @@ -53,7 +56,20 @@ private static void spoofBuildGms() { public static void initApplicationBeforeOnCreate(Application app) { if (PACKAGE_GMS.equals(app.getPackageName())) { + sIsGms = true; spoofBuildGms(); } } + + private static boolean isCallerSafetyNet() { + return Arrays.stream(Thread.currentThread().getStackTrace()) + .anyMatch(elem -> elem.getClassName().contains("DroidGuard")); + } + + public static void onEngineGetCertificateChain() { + // Check stack for SafetyNet + if (sIsGms && isCallerSafetyNet()) { + throw new UnsupportedOperationException(); + } + } } diff --git a/keystore/java/android/security/keystore2/AndroidKeyStoreSpi.java b/keystore/java/android/security/keystore2/AndroidKeyStoreSpi.java index 33411e1ec5b9..133a4094d434 100644 --- a/keystore/java/android/security/keystore2/AndroidKeyStoreSpi.java +++ b/keystore/java/android/security/keystore2/AndroidKeyStoreSpi.java @@ -42,6 +42,7 @@ import android.util.Log; import com.android.internal.annotations.VisibleForTesting; +import com.android.internal.gmscompat.AttestationHooks; import java.io.ByteArrayInputStream; import java.io.IOException; @@ -164,6 +165,8 @@ private KeyEntryResponse getKeyMetadata(String alias) { @Override public Certificate[] engineGetCertificateChain(String alias) { + AttestationHooks.onEngineGetCertificateChain(); + KeyEntryResponse response = getKeyMetadata(alias); if (response == null || response.metadata.certificate == null) {