If you're part of the root and ROM Android enthusiast crowd, then you probably freaked out a bit back in March when it was revealed Google's SafetyNet check was getting a hardware-backed component with no easy workaround. Now, these changes have been spotted live in the wild, and some phones are already using hardware-backed SafetyNet attestation. Cue "the end is nigh" wailing.
Until the change hits critical mass and more Android devices are using hardware-backed SafetyNet, it probably won't affect most of us, especially since some hardware has seemingly buggy implementations. But unless a novel solution is found, the days of being able to root and ROM (and truly own) your phone are almost over — that is, unless you're willing to give up apps and services that use SafetyNet.
Basically, Google is now beta testing the parameters and limits regarding deploying hardware key attestation in the wild. You might get lucky and have "BASIC"-only evaluation, but at some point the hardware-backed checking will be enabled if supported.
— John Wu (@topjohnwu) June 29, 2020
According to Magisk developer (and, therefore, SafetyNet and Android security expert) John Wu, there's no simple way to fix this. Security researchers either need to break Android's Trusted Execution Environment or find a literal hardware vulnerability to exploit. While it might be possible to use something like Xposed to force a fallback to the non-hardware check, Wu says that sort of manipulation would be impossible to hide from detection. SafetyNet's client-side code could also be entirely reverse engineered and replaced to force software-only checks, but if Google ever flips the switch to strictly enforce a hardware check someday, that won't work either.
There's no easy solution here, and it's easy to lose hope. However, the same claims were made when SafetyNet first started rolling out years ago, and workarounds were found. Things might be more dire this time, but there may yet be a fix. In the meantime, those who root and ROM their phones will have to think about their motivations and reasons. Those looking for extra platform control may have to give up apps that use SafetyNet, but those who use it to drag out Android's limited software support windows can always consider switching to iOS with their next purchase — iPhones get updates for longer.