As part of Google Play Services, the SafetyNet API is tasked to notify apps if the user has unlocked the bootloader. If a device fails the check, the user is locked out of certain apps.
One of the best features of Magisk is its ability to spoof the Verified Bootloader status on rooted devices. This enables users to run several banking apps, payment apps such as Google Pay, and games like Pokemon Go, which would otherwise break on devices with an unlocked bootloader.
However, a new update on Google SafetyNet bypasses the Magisk hack, as noticed by several users. Magisk developer John Wu believes the new update adds hardware-level key attestation to check if the device has been tampered with.
Previously, SafetyNet API only included software level checks; therefore it was easy for Magisk to spoof the bootloader status. Time and again, Google has rolled out device checks in SafetyNet to try and stop Magisk, and each time, John Wu would roll-out a new patch.
So here we go, after years of fun messing around using Magisk, it seems that Google FINALLY decided to "fix" SafetyNet to something useful, and that is to use key attestation to verify device status (after 3 years since introduced to Android's platform!)
— John Wu (@topjohnwu) March 11, 2020
However, it would be a real struggle for John Wu to find a workaround this time. As XDA Developers notes, hacking the SafetyNet API would now require finding a vulnerability in Trusted Execution Environment (TEE) firmware of devices. It is challenging to get into TEE, especially when device vendors shell out thousands of dollars if a vulnerability is reported.
Enjoy Magisk Hide while you can
As of now, the hardware-level key attestation is not enforced yet. In other words, even if the check fails, SafetyNet won’t be triggered.
However, it’s only a matter of time before Google enforces SafetyNet key attestation on the Google server, which will then leave the Magisk feature for hiding unlocked bootloader status completely broken.