Decompiling Google Safety Net

Decompiling Google Safety Net

I love free public information so, when I received an email asking for help decompiling Google’s tamper detection for Android called Safety Net I decided to respond with this post.

WHAT IS SAFETY NET?

This has been covered in detail by John Kozyrakis. To quote from his excellent blog post:

“SafetyNet is a data collection system used by Google to gather security-related information from 1 billion Play-enabled Android devices.

The idea is that Google Play Services, a closed-source package on the device starts an always-running service named snet. This service frequently collects various pieces of data from the device and sends it back to Google.

Google uses this information for multiple purposes, such as ecosystem analysis and threat profiling of devices.”

WHERE IS SAFETY NET (SNET) LOCATED?

We can’t decompile snet without first knowing where it resides. A quick search on a rooted device (which is required to decompile snet) shows it’s location:

$ find /data/data -type f -iname *snet*
/data/data/com.google.android.gms/shared_prefs/com.google.android.gms.snet.xml
/data/data/com.google.android.gms/databases/snet_safe_browsing.db
/data/data/com.google.android.gms/databases/snet_safe_browsing.db-journal
/data/data/com.google.android.gms/databases/snet_files_info.db
/data/data/com.google.android.gms/databases/snet_files_info.db-journal
/data/data/com.google.android.gms/snet/download/snet_flags
/data/data/com.google.android.gms/snet/installed/snet.jar
/data/data/com.google.android.gms/snet/dalvik-cache/snet.dex

Without diving deeper, it looks like Google is loading snet as a secondary DEX file. Inside snet.jar we find the classes.dex file that can be decompiled.

DECOMPILING SNET

Before decompiling Safety Net we need to pull it from the device. Run the following commands in a terminal:

adb shell
su
find /data/data/com.google.android.gms -type f -name snet.jar -exec cp {} /sdcard/snet.jar \;
exit
exit
adb pull /sdcard/snet.jar
unzip -p snet.jar classes.dex > snet.dex

Now you should have a file named snet.dex in your current working directory.

There are several tools that can be used to decompile the DEX. I prefer Enjarify or jadx. Other tools include procyon, fernflower, apk-dexguard, and smali/baksmali. If you have jadx installed, simply run jadx-gui snet.dex. You can then save the sources from the options menu.

You’ll find some interesting things in Google’s Safety Net. I haven’t read the code in depth, but it does seem to have access to running app process info, which was denied to developers in Android 7.0 Nougat. Don’t be evil Google.

If you need to use the Safety Net API in your app then check out my open source library SafetyNetHelper on GitHub.

Comments