source link: https://www.androidpolice.com/safetynet-deprecated-for-play-integrity-api/

Google's getting rid of SafetyNet Attestation, but the root and ROM crowd shouldn't celebrate yet

Published 3 hours ago

The new Play Integrity API is taking over for SafetyNet in the next two years, and it does all the same things (and more)


Google's new Play Integrity API was first announced at the Google for Games Developer Summit last year. Originally presented as a way to prevent cheating, its utility has expanded in recent documentation to overlap and expand on everything that the SafetyNet APIs did to ensure that an app and device are trustworthy, unmodified, and probably safe from malicious or fraudulent interactions — in short, developers can likely trust that nothing bad or weird is going on. Knowing that, today's news is hardly surprising, but Google has announced that the SafetyNet Attestation API will be deprecated by 2024 in favor of the new Play Integrity API.

Some of our readers should be familiar with SafetyNet because of the nearly perpetual cat-and-mouse game played by those trying to work around its limits on rooted or ROMed devices. For those who remember it in that context, SafetyNet may feel like more of an inconvenience than a benefit, since it allows apps to restrict their operation if it detects that the system has been modified. While many enthusiasts root and ROM for fun or to keep an old device going, bad actors unfortunately use the same tools for nefarious purposes, and there's no real way to separate the good from the bad. This causes a headache for enthusiasts and developers alike and means tools like SafetyNet will always be required for verification and trust.

Many thought that SafetyNet had essentially "won" in this arms race some years ago, but more recent solutions like Magisk paired with Zygisk can pick up where the old MagiskHide left off (among other solutions).

[Figure: Play Integrity API flowchart. How the Play Integrity checks work.]

It remains to be seen how the new system will affect the Android root and ROM crowd, but Google has announced on the SafetyNet API Clients Google Group that the SafetyNet Attestation API is being deprecated in favor of the new Play Integrity API. It's a well-documented API at this point, and Google says that it includes all the same integrity signals previously offered by SafetyNet with extra and better tools on top.

According to an Esper.io Android Bytes podcast about the subject with Sergio Castell (the security analyst more often called linuxct), the Play Integrity API also offers developers better granularity to control which checks are used on which devices for more custom-tailored security — developers can themselves choose the level of risk to accept for different actions. App licensing (as in: did the customer buy/install the app on the Play Store or pull it down from a third-party source/pirate it) and app modification/tampering can also be checked, even for dynamic app bundles that a developer might not be able to compare a checksum against — Google, having done the app bundle builds on their behalf, can compare the numbers itself.
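The per-action granularity described above, as an added example that is not from the article or from Google's documentation: a server-side policy applied to a verdict payload that has already been decrypted and verified. The field and label names follow the public Play Integrity verdict format; the action names, policy table, freshness window and sample verdicts are constructed assumptions.

```python
import time

# Hypothetical per-action policy (action names are illustrative): required
# device labels, app recognition verdict and licensing verdict per action.
POLICY = {
    "view_catalog": {"device": set(), "app": None, "license": None},
    "login": {"device": {"MEETS_BASIC_INTEGRITY"},
              "app": "PLAY_RECOGNIZED", "license": None},
    "payment": {"device": {"MEETS_DEVICE_INTEGRITY"},
                "app": "PLAY_RECOGNIZED", "license": "LICENSED"},
}
MAX_AGE_MS = 5 * 60 * 1000  # assumed freshness window for a verdict


def evaluate(action, verdict, expected_nonce, package, now_ms=None):
    """Return (allowed, reasons) for one action given a decoded verdict dict."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    rule, reasons = POLICY[action], []
    req = verdict.get("requestDetails", {})
    # Binding checks apply to every action, whatever its risk level.
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch")
    if req.get("requestPackageName") != package:
        reasons.append("package mismatch")
    if now_ms - int(req.get("timestampMillis", 0)) > MAX_AGE_MS:
        reasons.append("stale verdict")
    device = verdict.get("deviceIntegrity", {})
    missing = rule["device"] - set(device.get("deviceRecognitionVerdict", []))
    if missing:
        reasons.append("device lacks " + ",".join(sorted(missing)))
    app = verdict.get("appIntegrity", {}).get("appRecognitionVerdict")
    if rule["app"] and app != rule["app"]:
        reasons.append(f"app verdict {app}")
    lic = verdict.get("accountDetails", {}).get("appLicensingVerdict")
    if rule["license"] and lic != rule["license"]:
        reasons.append(f"licensing verdict {lic}")
    return (not reasons, reasons)


def sample(labels, app="PLAY_RECOGNIZED", lic="LICENSED"):
    """Constructed verdict payload for demonstration only."""
    return {
        "requestDetails": {"requestPackageName": "com.example.app",
                           "nonce": "bm9uY2U", "timestampMillis": "1000"},
        "appIntegrity": {"appRecognitionVerdict": app},
        "deviceIntegrity": {"deviceRecognitionVerdict": labels},
        "accountDetails": {"appLicensingVerdict": lic},
    }
```

With this table, a device reporting only the basic label can log in but cannot pay, while the nonce, package and freshness checks are enforced for every action regardless of its risk tier.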

By all appearances, there's no reason to stick with the old SafetyNet system, since the new Play Integrity API offers developers more and better tools to keep their customers safe. Depending on the kind of extra granularity offered for these checks, developers could more easily turn a blind eye to rooting and ROMing while still watching out for other issues, if they opt to. However, Android developer Danny Lin, in the same interview, believes that the opposite will hold true: by offering even stronger measures for verification, all developers will simply opt for the most secure options for all checks. We may just have to wait and see how the new APIs are used to know whether this ends up being an escalation in the war against root enthusiasts.

According to the schedule, developers are encouraged to start testing the replacement Play Integrity API immediately. At the end of June 2023, developers that have transitioned to the new API will be able to continue using the old SafetyNet Attestation on older versions of their apps, but those that have not migrated will be left out in the cold. Finally, at the end of June 2024, Google says SafetyNet Attestation will be retired entirely.

