Android Play Store Tidbits – Blocking Unlocked/Uncertified/Rooted Devices, Graphics Drivers as an App


There have been at least two or three notable stories about the Play Store this week. It started with Netflix no longer installing from the Google Play Store on rooted devices, devices with an unlocked bootloader, or uncertified devices, and showing as “incompatible”. AndroidPolice contacted Netflix, which answered:

With our latest 5.0 release, we now fully rely on the Widevine DRM provided by Google; therefore, many devices that are not Google-certified or have been altered will no longer work with our latest app and those users will no longer see the Netflix app in the Play Store.

So that means you need Google Widevine DRM in your device, which means many Android TV boxes may stop working with Netflix. You can check whether your device is certified by opening Google Play and clicking on Settings, then scrolling to the bottom and checking Device Certification to see if it is Certified or Uncertified (H/T jon for the tip).

I tried this in my Chinese phone, and unsurprisingly it is “Uncertified”. AndroidPolice however successfully tested both Netflix 4.16 and Netflix 5.0.4 on an unlocked Galaxy S tab with Level 3 DRM and both worked. So the only drawback right now is that you can’t install Netflix from the Play Store, but it still works normally. Some boxes do not come with any DRM at all, which you can check with DRM info, and they may not work at all (TBC).

We’ve now learned this will not only affect Netflix, as developers will now be able to block installation of their apps on devices that fail “SafetyNet”, as explained at Google I/O 2017:

Developers will be able to choose from 3 states shown in the top image:

  • not excluding devices based on SafetyNet
  • excluding those that don’t pass integrity
  • excluding the latter plus those that aren’t certified by Google.

That means any dev could potentially block their apps from showing and being directly installable in the Play Store on devices that are rooted and/or running a custom ROM, as well as on emulators and uncertified devices ….. This is exactly what many of you were afraid would happen after the Play Store app started surfacing a Device certification status.

This would mean it might become more complicated to install apps from the Google Play Store on some devices, and we may have to start side-loading apps again, or use other app stores. That’s provided they don’t start to stop apps from running altogether. The latter has been possible for years, as for example many mobile banking apps refuse to run on rooted phones.

I’ll end with better news: starting with Android O it will be possible to update graphics drivers from the Play Store, just like you would update an app. Usually, a graphics driver update requires an OTA firmware update or manually flashing a new firmware image, and it’s quite possible this new feature has been made possible thanks to Project Treble.

Paul M
Guest

My phone, Xperia Z Ultra, has an unlocked bootloader but is unrooted – I had been trying out Magisk to see if I could have both root without breaking internet banking (Barclays, UK), but for some reason I got terrible battery drain.

Netflix still plays, but my phone is uncertified, and the Barclays Banking app (which is very good at detecting root) runs fine.

Paul M
Guest

p.s. my phone has three G accounts on it, if I login to G play as one of the less used accounts and try and install Netflix, it refuses saying my device is incompatible.

KopiJahe
Guest

If you have access to a custom recovery (such as TWRP), install magisk, and enable magisk hide on the apps like netflix and play store.

My device comes up as “certified” after doing this.

Chris
Guest

KopiJahe :
If you have access to a custom recovery (such as TWRP), install magisk, and enable magisk hide on the apps like netflix and play store.
My device comes up as “certified” after doing this.

As a previous commenter noted the ‘certified’ status seems to be related to whether it can detect if the bootloader is unlocked or not. There are ways to hide this via kernel mods but Magisk itself doesn’t hide it.

Mihai
Guest

I bypassed this by using Magisk Hide with LineageOS running on LG G Pad 8.3. When Netflix 5.0 update was released, my unofficial G Pad and my TV box Q10 Pro could not upgrade nor install Netflix anymore, also Netflix would not appear when searching. Before doing this make a backup in TWRP, the Rom on your device may not be compatible with Magisk.

I replaced the standard LineageOS root with Magisk, I enabled Magisk Hide and then I checked in Magisk Hide all the Google apps (including Play Store and others, like Connectivity Services and Google Plus) + Netflix, HBO Go and other apps that I did not want to know my device is rooted. I did not do any other modifications to my tablet. Then magically my tablet started getting updates to Netflix app again. I have not tried this yet on my Q10 Pro, I will do it when I am getting a new firmware (that erases data on it anyway).

Member

The “certified” status is based on if the manufacturer has a Google Play License. A signature from the device is computed and sent back to Google. That signature is used to determine if the device has a GPS license. Programs like Magisk must be intercepting the OS level calls used to compute the signature and substituting in another device’s data.

App makers can add a SafetyNet check to their app and then execute that check every 15 minutes if they choose. Netflix has not added run-time SafetyNet checks yet.

You can read all about it here:
https://developer.android.com/training/safetynet/attestation.html

At some point I suspect this procedure is going to start using a private key pre-loaded into the hardware secure keystore at the time of device manufacture. When that gets implemented this system will be almost impossible to break. Each device will have a unique private signing key that can be blacklisted. It is very difficult to extract a device key from the secure hardware keystore (I don’t think it has been cracked, it is part of the ARM CPU). But even if you get the key from the keystore Google can simply blacklist it which will only invalidate the cracked device and leave all of the other devices from that manufacturer working. Blacklisting the device key will catch the clones Magisk makes.

The reason for doing stuff like this for Apple Music and Netflix is probably because of a rumor I’ve heard about content companies demanding that distributors like Netflix and Apple Music post large bonds guaranteeing that their DRM won’t get broken. If it gets broken the content companies take these bonds (millions of $$) as compensation. This is also why Google, etc won’t even talk to smaller companies when it involves DRM. In general this is just harassment of the device makers because the content companies are still pumping out Blu-ray, DVD and CD by the millions, all of which have had their DRM broken long ago. I suspect the long term plan is to develop bullet proof DRM on electronic devices and then stop making the physical media with broken DRM.

Personally, DRM is such a hassle it has probably reduced my content consumption to half of what it was twenty years ago. This is caused by the need for expensive, connected DRM decoders to view the content. For example we used to have five TVs scattered around the house. Four of those TVs were used in special situations – like by the pool (baseball games), and morning bathroom area for news. Now we have a single TV. The other four have been eliminated because they need a $10/mth cable box to continue working. Now that we are down to a single TV the value proposition of cable is pretty bad causing me to want to cut the cord but wife is stopping me. This effect is happening all over America, statistics show a decline of 10% in number of TVs despite a rising population.
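The per-device signing key and blacklist idea from the comment above, modelled as an added example (not part of the original comment, and not Google's or Android's actual protocol): a server verifies a signature over a one-time nonce and consults a revocation list, so revoking one extracted key stops its clones without affecting other devices. `Verifier`, `Demo`, the device IDs and the nonces are hypothetical, and Ed25519 stands in for the hardware-backed key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)
// Verifier models a hypothetical attestation server; Ed25519 stands in for the hardware key.
type Verifier struct {
	enrolled map[string]ed25519.PublicKey // device ID -> public key recorded at manufacture
	revoked  map[string]bool              // device IDs whose key was extracted or cloned
	pending  map[string]bool              // nonces issued and not yet consumed
}
var (
	ErrUnknown = errors.New("unknown device")
	ErrRevoked = errors.New("device key revoked")
	ErrReplay  = errors.New("nonce not issued or already used")
	ErrBadSig  = errors.New("signature does not verify")
)

// Verify accepts a signature over a server-issued nonce exactly once.
func (v *Verifier) Verify(id string, nonce, sig []byte) error {
	pub, ok := v.enrolled[id]
	switch {
	case !ok:
		return ErrUnknown
	case v.revoked[id]:
		return ErrRevoked
	case !v.pending[string(nonce)]:
		return ErrReplay
	case !ed25519.Verify(pub, nonce, sig):
		return ErrBadSig
	}
	delete(v.pending, string(nonce)) // single use: a captured response cannot be replayed
	return nil
}

// Demo uses constructed keys and nonces: A attests, replays, is revoked; B is unaffected.
func Demo() []error {
	a := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0xA}, ed25519.SeedSize))
	b := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0xB}, ed25519.SeedSize))
	v := &Verifier{revoked: map[string]bool{}, pending: map[string]bool{"n1": true, "n2": true, "n3": true},
		enrolled: map[string]ed25519.PublicKey{"A": a.Public().(ed25519.PublicKey), "B": b.Public().(ed25519.PublicKey)}}
	try := func(id string, k ed25519.PrivateKey, n string) error { return v.Verify(id, []byte(n), ed25519.Sign(k, []byte(n))) }
	out := []error{try("A", a, "n1"), try("A", a, "n1")} // accepted, then rejected as a replay
	v.revoked["A"] = true                                // A's key reported extracted
	return append(out, try("A", a, "n2"), try("B", b, "n3"), try("B", a, "n2")) // clone of A, B, A's key as B
}
func main() { fmt.Println(Demo()) }
```

The revocation check runs before the signature check, so a valid signature from a blacklisted key is still refused, while device B keeps attesting normally.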

Mihai
Guest

@Jon Smirl
I want that implementation, to depend on hardware rather than software. Now it is not done like that, it is implemented inside the OS. As soon as you change OS (root your device and change to LineageOS, let’s say) that device will not be compatible anymore from DRM point of view. This is exactly why this approach will never be used.

We will never get rid of DRM, sadly. And I did not say that Magisk is making a Widevine L3 device become a Widevine L1 (that is impossible). Magisk Hide does exactly what the name says: it hides root from apps, making the device pass SafetyNet. I think Google will find a way around this in the future. Netflix is only using the SafetyNet check for now.

Member

@Mihai

Complete lockdown is achieved by using a software and hardware combination. The necessary hardware is already in almost every phone. iPhone has it turned on, that is why it was so hard to get into the San Bernardino iPhone. Android is not locked down as hard as an iPhone is.

But this could all change at any time. The hardware is sitting there. It is Android fragmentation that blocks Google from implementing a hard lockdown, many of the OEMs have not built hard lockdown into their base software.

Nothing stops Google from making hard lockdown an Android O requirement. Once the underlying OS is using the hard lockdown hardware Google’s GPS can simply refuse to work on a device that is not locked down. All of this is protected via public key encryption. There is no way to alter the binaries and bypass. Hardware on the CPU will use a “chain of trust” to verify the signing keys and if the keys fail that check the hardware simply refuses to run the code.

Once a device is in hard lockdown you have to resort to dynamic attacks that alter the in-memory executing code. Hardware does not yet have the ability to stop that type of attack, it can only make it difficult to achieve. Of course this type of breach disappears on a reboot since cryptographic checks prevent you from altering any stored code.

Note that this is never going to be a hardware only solution. If you can alter any of the system software you can defeat DRM. The hardware is going to be used to run a signed binary OS. If you replace the OS the signature won’t match, Google can see this, and if they choose to enforce the signature, nothing will work.

Member

Another note, this strong lock down is being done to protect banking credentials like Android Pay. If payment services are breached your entire bank account can be drained in seconds. Sometimes they even overdraft it and you end up owing money. In the US these breaches are always refunded to the customer, but it can take months of hassle to get a refund. Meanwhile you have no money.

The content industry is utilizing this level of security now to lockdown their goods. This whole lockdown mess is only going to get worse over time. I wouldn’t mind it so much if copyright were limited to twenty years. But locking down stuff for 175 years is ridiculous. This older content is what culture is made out of. It is senseless to lock away all of our culture under pay per view rules. For example every photo taken during WWII will be locked up until sometime past the year 2100. Shouldn’t people be able to learn about WWII without paying copyright fees?