CTS SafetyNet check fails, so Android Pay and some banking apps won't work

yak

\n\n.
I have an UMI Super and it fails to pass the CTS component of the Android SafetyNet checks. This is a test that Google runs to determine if your device is compromised (especially by malware, rooting, or altered ROMs) and whether it's okay to run Android Pay. Google allows other app developers to access it via an API, and so banking apps are switching over to require CTS.

I'm using the SafetyNet Helper Sample app from Google Play for the test, and have double checked with other CTS testing apps for the same result. https://play.google.com/store/ap ... ab.safetynet.sample

My SafetyNet response is
CTS Profile Match: False
Basic Integrity: True

On the off chance that I somehow screwed up my device by messing with a system file, I first factory reset the device, and later flashed it with SP Flash Tool to the latest stock ROM "V7.01_20170607 Android 7.0 firmware for UMI Super" and unmounted the SD card. No change. I intend to check some older Umi Super ROMs soon.


Can your Umi phone pass the SafetyNet checks? Can you run Android Pay?

Mats

I think it's mostly a matter of UMi (along with most of the lesser brands) simply don't bother with Google certification. It cost money (that the customer eventually will pay) and takes time (and time to market is crucial). The ROM may well pass the certification (had it been sent to Google), but as it hasn't been submitted, the "check" fails.

Mats

Well, since UMi Super doesn't have NFC, Android Pay is out of the question anyway.
But I get the same results as you:

CTS Profile Match: false
Basic Integrity: true

yak

\n\n.Good point about Android Pay. Apparently, some apps can be blocked from our view in Google Play because we fail the SafetyNet test (although we can still see Netflix, Pokemon Go, et al. because we pass the integrity part, even though we fail the Certification check). Slashgear article:
Google VS Root: Why SafetyNet is now standard for developers.

I've tried the oldest Umi Super ROM available and a middle ranged one too. No change on either.

CTS Profile Match: False
Basic Integrity: True

Checked for the following ROMs:

UmiSuperROM20160513_c239v55_kw_u1
UmiSuperROM20161121_c239v55_kw_u1
UmiSuperROM20170607_c239v55_kw_u1
I think that it's safe to assume that none of the ROMs will pass the CTS Profile Match.

yak

Mats replied at 2017-7-4 14:10
I think it's mostly a matter of UMi (along with most of the lesser brands) simply don't bother with  ...

Which is odd, because Umi Super is distributed with Google Apps (Play Store, Gmail, Chrome, YouTube, et al). The only way to legally distribute Android with the Google Apps (aka Google Mobile Service (GMS)) preinstalled is to have your company partner with Google through the GMS certification process to become GMS partners ( https://www.android.com/gms/partners/ ). Then, your Android product must pass the Android CST/SafetyNet if you want to preload it with the Google Apps.
No GMS and CTS = No Play Store (although there's nothing to stop your customers side loading it themselves).


Android is open source and any company can use, modify, and distribute it as they like. The Google Apps are not so free.

Chinese smartphone manufacturers seem to be complying with Google App's distribution limitations and are becoming creative with legal workarounds. Meizu is a good example - http://www.androidpolice.com/201 ... or-googles-android/ - When I was shopping for a Chinese smartphone I drew a line excluding all of those that didn't have Google Play from consideration. When I saw that Umi Super had Play preinstalled I concluded that that meant they passed Google certification and so decided to buy.

Time to market shouldn't be that big an impediment, honestly. Xiaomi churns out new handsets constantly and new dev ROMs on a weekly basis with "official" ROMs more periodically.

Unless I'm misunderstanding something here (and that's entirely possible), Umi shouldn't be selling their phone's with Google Apps preinstalled and marketing them as such. It's misleading customers and could land them in hot water with Google. I honestly thought that Umi looked like a Chinese company that behaved lawfully when I decided to buy a handset from them.

Mats

Well, having GApps and Play Store preinstalled isn't (as you say) the same as having Google certification...
Comparing UmiDigi with Xiaomi isn't really fair - The latter is a huge company with a double digit billion revenue, UmiDigi I don't know, but I doubt it's even 1% of that.
Hell, on A6 their ROMs were not even signed with release keys, but test keys (like what moonlight developers use when cooking their own mod ROMs).