How to upgrade Note 2 to newer Android and pass SafetyNet / without being flagged

[masterton]

Hi my friend has a Note 2 who has a very old Android version. Some apps can't be installed without upgrading the system.
I downloaded a custom ROM (Resurrection Remix Android 7.1.2 Nougat) and helped him to flash to upgrade.
However some apps limited the functionality or refused to run. I believe it has to do with the fact it is a custom ROM.

How could I solve the problem? It doesn't matter what ROM to upgrade, as long as:
1. it is stable
2. Android 6 or above (he wants permission manager, preferably with Privacy Guard)
3. can pass SafetyNet and any popular ways app use to detect a custom ROM

Thank you.

 

[svim]

When you referred to '...very old version' just which version was it running? (as in the actual version number)
Also, which apps are a problematic running with this Lineage ROM and where did you obtain them? (Play Store or downloaded APKs) Since you've presumably rooted the device to install that custom ROM some apps like Netflix will be a problem, as will some banking/finance apps. It doesn't matter if that Note is running a stock or a custom ROM, some apps intentionally won't function on a rooted device.

This definitely doesn't meet what requirements you stated but you might want to just re-flash it with a stock ROM (KitKat 4.4.2), returning it back to a non-root status:
https://updato.com/firmware-archive...I&exact=1&r=USC,ATT,SPR,XAS,TMB,VZW&v=&rpp=15

 

[masterton]

When you referred to '...very old version' just which version was it running? (as in the actual version number)
Also, which apps are a problematic running with this Lineage ROM and where did you obtain them? (Play Store or downloaded APKs) Since you've presumably rooted the device to install that custom ROM some apps like Netflix will be a problem, as will some banking/finance apps. It doesn't matter if that Note is running a stock or a custom ROM, some apps intentionally won't function on a rooted device.

This definitely doesn't meet what requirements you stated but you might want to just re-flash it with a stock ROM (KitKat 4.4.2), returning it back to a non-root status:
https://updato.com/firmware-archive-select-model?q=GALAXY+Note+II&exact=1&r=USC,ATT,SPR,XAS,TMB,VZW&v=&rpp=15

The last version of the stock firmware which is 4.4.2

Yes, the banking/finance/payment apps, mostly from Google Play. Some won't run or limit functionality.

Going back to the stock ROM is not a good solution. Some apps can't be installed on this version. The stock ROM lack security updates and permission manager too. He wants an upgrade to newer Andriod.

 

[chanchan05]

Lineage OS' official stance is they will NOT do anything to bypass Google's integrity check.

https://lineageos.org/Safetynet/

Basically AFAIK what you want will not happen. The only way I know to bypass SafetyNet is rooting and using Magisk and a custom kernel, but that will trigger the root detection of the app that is made to be secure, so you're sort of trapped with the only option to buy a new phone.

 

[masterton]

Lineage OS' official stance is they will NOT do anything to bypass Google's integrity check.

https://lineageos.org/Safetynet/

Basically AFAIK what you want will not happen. The only way I know to bypass SafetyNet is rooting and using Magisk and a custom kernel, but that will trigger the root detection of the app that is made to be secure, so you're sort of trapped with the only option to buy a new phone.

I see but from the wording it seems to imply it is possible to bypass technically but they just don't do it officially.

It hasn't to be Lineage OS. Any other OS is fine as long as it matches the requirement listed in the first post. He simply wants to upgrade to a newer Android system but the company abandoned it long time ago.

The old phone is still in good condition. He does not want to buy a new phone.

 

[chanchan05]

I see but from the wording it seems to imply it is possible to bypass technically but they just don't do it officially.

It hasn't to be Lineage OS. Any other OS is fine as long as it matches the requirement listed in the first post. He simply wants to upgrade to a newer Android system but the company abandoned it long time ago.

The old phone is still in good condition. He does not want to buy a new phone.

I already answered that AFAIK no. There is a way, technically to bypass SafetyNet and that's by rooting and using a custom Kernel and Magisk. You will be using a different ROM from Lineage. HOWEVER, you are just trading one block for another, because once you successfully bypass SafetyNet, the app will still not work because you are rooted and it will use it's root blocking.

Basically this is like saying, you only have one key, vs 2 locks, and opening one lock destroys the key. No matter which lock you choose to break (SafetyNet or Root protection), you will only have opened one lock with no way left to open the second lock.

The issue here isn't about bypassing SafetyNet. The issue here is that the app was designed to block you even if you bypass SafetyNet because it knows and detects the methods to bypass SafetyNet and also protects against that.

App blocks both rooted devices and via safetynet.
to bypass safetynet you need to root.

You're just trading one error for another. Once you successfully bypass SafetyNet, the apps you want to work still won't work because you'll get a "app will not work on rooted device" error.

Not wanting to buy a new phone is different from not NEEDING to buy a new phone.
Android 6 is basically a new "floor" for security in Android, like how Android 5 is the "floor" for newer gaming apps. Google has been making sweeping changes in the underlying code to the OS, making it more secure yes, but also breaking compatibility with older OS versions.

 

[Davdi]

I agree with @chanchan05, the safety-net is there to ensure that apps dealing with sensitive financial and personal data can be sure of running in a safe environment, but from Android's perspective being rooted is most definitely NOT a safe environment. And I agree that Lineage are doing the right thing when they state "Our official stance is that we will not intentionally circumvent an integrity check that Google has put in place for app developers".
They also neatly summarize the point of safety-net as "SafetyNet is an API that was developed by Google in order to detect whether or not a device is in a known-good state. On older devices, this check is more lenient in order to maintain compatibility."

The best option is to buy a new phone running Oreo (8.0/8.1) or Pie (9). if budget is limited, look at some of the Chinese phones like HomTom, Cubot, Blackview, Elephone and many others.

 

[Dannydet]

Again, rooting will not fix BOTH issues here, PEOPLE.

 

[bcrichster]

Not a Note 2 tho..

 

[masterton]

Magisk will help you to pass google's safetynet.Since it stores all the modification in boot partition it may be helpful to you

I tried now but it still fails to pass SafetyNet check:
ctsProfile: false
basicIntegrity: false

I wonder it is due to the fact this is a custom ROM. Even Magisk couldn't help to pass it.

Magisk hide does not work properly either. I checked the targeted app, went back and returned. The check mark is removed.

 

[masterton]

I agree with @chanchan05, the safety-net is there to ensure that apps dealing with sensitive financial and personal data can be sure of running in a safe environment, but from Android's perspective being rooted is most definitely NOT a safe environment. And I agree that Lineage are doing the right thing when they state "Our official stance is that we will not intentionally circumvent an integrity check that Google has put in place for app developers".

If my understanding is correct, Google only recognizes ROMs issued by the companies (as known-good state). Any custom ROMs are automatically marked as insecure.

How safe is it to still run a stock ROM with a very old Android version from the company? Google will think it is secure because it is from the company.

How dangerous is it if we flash a better and more secure ROM with newer Android version? Rooted device can be safe and we can do more to protect our data and privacy. Google just don't know so they assume unsafe.

Many community ROMs are much better than stock's. Stock ROMs often contain bloatware or intrude into your privacy.

One size never fits all. Let people choose. They can turn on/off SafetyNet check depending on their situations. Set a warning about that.

Personally I think the whole security thing is flawed.

 

[masterton]

A quick thought.

What if I flash other stock ROM of the same series, like Note5/7/8 stock firmware?
Will it solve the issue?
If so, can he get the system updates automatically via the system menu?

 

[Hadron]

You can't flash a stock ROM from a different Note model. The software won't let you, and if you succeeded you'd have a brick on your hands.

There are often custom ROMs based on ports of software from other models (I don't know for Notes specifically, not really my taste in phones), but they are still custom ROMs.

 

[chanchan05]

If my understanding is correct, Google only recognizes ROMs issued by the companies (as known-good state). Any custom ROMs are automatically marked as insecure.

How safe is it to still run a stock ROM with a very old Android version from the company? Google will think it is secure because it is from the company.

How dangerous is it if we flash a better and more secure ROM with newer Android version? Rooted device can be safe and we can do more to protect our data and privacy. Google just don't know so they assume unsafe.

Many community ROMs are much better than stock's. Stock ROMs often contain bloatware or intrude into your privacy.

One size never fits all. Let people choose. They can turn on/off SafetyNet check depending on their situations. Set a warning about that.

Personally I think the whole security thing is flawed.

The whole idea that the custom ROM is more secure than official ROM is flawed.

official ROM means it's untampered with.

Custom ROMs are essentially hacked official ROMs and then spliced apart to make an outdated driver set compatible with the newer OS. A custom ROM is LESS secure than an official ROM of the same Android version, and it is only as secure as the underlying driver set, which is the same driver set as the last official update the phone received. Plus you don't know the manner it was hacked.

One reason phones don't get updates beyond two years is because the chip manufacturer, Qualcomm, doesn't make compatible drivers for the SoC to the newer Android version. So basically, the Android 7 custom ROM for the Note 2 is just Android 7 sitting ontop of Android 4 drivers. Meaning the security chip embedded in the SoC is as secure with Android 7 as it is with Android 4. Sure you get the added software patches for security against some attacks, but other attacks you never bothered patching.

 

[Hadron]

I could quibble about citing Qualcomm as a reason. It's certainly been true in some cases, but many cease to get updates even when Qualcomm have updated drivers, and as Google promised 3 years updates for the Pixel 2 they are clearly confident that the s835 will get more than 2 years support. Also outside of North America Samsung flagships use Samsung SoCs rather than Qualcomm, so it would be Samsung themselves who choose not to produce drivers.

Though this is one reason some of us will never touch a MediaTek-powered device: they are abysmal at providing updates for new Android versions.

 

[masterton]

The whole idea that the custom ROM is more secure than official ROM is flawed.

This is not what I said. What I said is we can't simply make assumptions that rooted = insecure, custom ROM = insecure, official = secure no matter what, and vice versa.
After all, it all depends. One size does not fit all. Make people choose.

Official ROMs of many manufacturers are bloated, bundled with various apps which you don't want but can't be removed. Many of them intrude into your privacy.

 

[masterton]

I could quibble about citing Qualcomm as a reason. It's certainly been true in some cases, but many cease to get updates even when Qualcomm have updated drivers, and as Google promised 3 years updates for the Pixel 2 they are clearly confident that the s835 will get more than 2 years support. Also outside of North America Samsung flagships use Samsung SoCs rather than Qualcomm, so it would be Samsung themselves who choose not to produce drivers.

Though this is one reason some of us will never touch a MediaTek-powered device: they are abysmal at providing updates for new Android versions.

I believe one big reason is because they don't have any incentives to do so.

By NOT providing updates, this could urge people to buy their new phones.

 

[masterton]

You can't flash a stock ROM from a different Note model. The software won't let you, and if you succeeded you'd have a brick on your hands.

There are often custom ROMs based on ports of software from other models (I don't know for Notes specifically, not really my taste in phones), but they are still custom ROMs.

Yep you are right.
I wonder whether it could pass SafetyNet even if I use a ported Note ROM.

 

[chanchan05]

I could quibble about citing Qualcomm as a reason. It's certainly been true in some cases, but many cease to get updates even when Qualcomm have updated drivers, and as Google promised 3 years updates for the Pixel 2 they are clearly confident that the s835 will get more than 2 years support. Also outside of North America Samsung flagships use Samsung SoCs rather than Qualcomm, so it would be Samsung themselves who choose not to produce drivers.

Though this is one reason some of us will never touch a MediaTek-powered device: they are abysmal at providing updates for new Android versions.

Qualcomm is used as an example, but you get the drift. Plus no chip manufacturer other than Apple has made updates to the hardware beyond 3 years. As for Samsung, they seem to have some sort of agreement with Qualcomm wherein the matching devices don't get updates beyond what Qualcomm will give. Although of course this only refers to flagships and the phones/tablets with Qualcomm variants. The mid rangers are another issue altogether.

This is not what I said. What I said is we can't simply make assumptions that rooted = insecure, custom ROM = insecure, official = secure no matter what, and vice versa.
After all, it all depends. One size does not fit all. Make people choose.

Official ROMs of many manufacturers are bloated, bundled with various apps which you don't want but can't be removed. Many of them intrude into your privacy.

Rooted = less secure. It's not an assumption, it's fact. The whole idea of root is you break open the security of the phone to gain superuser privileges. Apps with root access can ignore the app's security sandboxing and look into the data. Basically if your phone is rooted and root privileges were inadvertently given phone wide, that innocuous flashlight app can look into and copy the data from inside your bank app if it wanted to. Saying rooted is not necessary less secure than non-rooted is like saying there is no difference in the ability of an open door to prevent entry to a closed one, because that's what rooting basically is, opening the doors to system level commands and hacking.

custom ROMs isn't necessary less secure, but it's not more secure either. Having the more updated Android version on top doesn't change the fact that the drivers are still old and vulnerable to attack. A custom ROM is only as secure as the last official update the phone received. So a Nougat Custom ROM for the Note 2 is not more secure than the Kitkat Note 2.

However, the biggest security risk in custom ROMs isn't the fact that it's custom or unofficial. It's the fact that we don't know who these people who are distributing these stuff are. That's the entire idea of SafetyNet. Passing SafetyNet standards basically means Google vouches for the integrity of the device. Basically this is Google giving app developers a list of who it knows is legit, and who is not. If you;re not on the list, Google doesn't know if you're safe or not. It is up to the banks to whether to risk the bit where they're dealing with an unknown or not. Of course they will not risk, because that's how banks are, and because this means they don't have to spend the money to program apps to detect integrity for themselves, so they let Google spend the resources and just look at Google's reviews.

But the fact here is, SafetyNet is just basically a trigger that says the device has been modified, nothing else. It's basically your phone answering a yes or no question. It's not some big firewall type thing actively preventing you from using your app. In fact, it's your app itself that locks itself down once it detects that the phone answers "no." In fact, the best way probably to make an app work despite SafetyNet is just to unpack the app and remove the coded SafetyNet check in it. Except of course usually the terms of use of apps that do use SafetyNet checks could make it that you're liable to legal action if you modify their app.

 

[chanchan05]

I could quibble about citing Qualcomm as a reason. It's certainly been true in some cases, but many cease to get updates even when Qualcomm have updated drivers, and as Google promised 3 years updates for the Pixel 2 they are clearly confident that the s835 will get more than 2 years support. Also outside of North America Samsung flagships use Samsung SoCs rather than Qualcomm, so it would be Samsung themselves who choose not to produce drivers.

Though this is one reason some of us will never touch a MediaTek-powered device: they are abysmal at providing updates for new Android versions.

AFAIK Google promises 3 years of security updates. Security updates don't need new drivers. Just the new OS.

 

[Hadron]

That was true with the original pixel, but they explicitly said that it would be 3 years of OS updates when they released the second generation.

 

[masterton]

Is that so.Sorry buddy then.Because I am not a expert in this matter.I just tried to help you as i can.Hope you will find a good solution soon

Don't worry buddy. No need to say sorry. I found the solution. Magisk cannot pass SafetyNet due to a lack of necessary functionality required in the kernel of our devices.

 

[masterton]

OK I managed to solve it and bypass SafetyNet checks. You have to use Lineage Su and iSu.

Step-by-step guide
Uninstall other su first if you have.
Download Lineage Su and iSu
https://mirrorbits.lineageos.org/su/addonsu-14.1-arm-signed.zip
https://androidfilehost.com/?w=files&flid=120360 (look for "iSu_X_X.apk" where X is version number)

Boot into recovery: For Samsung devices, power off your phone. Then hold "Volume Up + Home + Power Button" to boot.

Select "backup and restore" > "backup to /sdcard" (in case if anything goes wrong, you still have your system backup to restore)

If you download directly from the phone (using the internal memory), select "install zip" > "choose zip from /sdcard". It should be at /sdcard/0/Download/ or /sdcard/Download/.
If you transfer the file from the computer to the external (removable) sdcard, select "install zip" > "choose zip from /storage/sdcard1".

Select "addonsu-14.1-arm-signed.zip" file and select "Yes - Install xxx"

After install, go back to the main menu. Select "reboot system now" > "No" (do not need to fix root)

Install iSu app (Open "File Manager" and click on the iSu apk file. Do NOT use "Files" app. It can't run apk file)

Enable root access. Go to system settings > "Developer options" > "Root access" > "Apps only".

Run iSu app. Change the following:
"Change SU state" = deactivated
"Change SELinux state" = Enforcing

 

[masterton]

Rooted = less secure. It's not an assumption, it's fact. The whole idea of root is you break open the security of the phone to gain superuser privileges. Apps with root access can ignore the app's security sandboxing and look into the data. Basically if your phone is rooted and root privileges were inadvertently given phone wide, that innocuous flashlight app can look into and copy the data from inside your bank app if it wanted to. Saying rooted is not necessary less secure than non-rooted is like saying there is no difference in the ability of an open door to prevent entry to a closed one, because that's what rooting basically is, opening the doors to system level commands and hacking.

Well you have a point. Root will break open the security of the phone. It is potentially dangerous.

Let's imagine the following scenario:
The device is rooted, but you only install Google Pay, banking, finance apps in this device, and no more. you don't even use this device to browse the Internet.
Tell me how insecure it is in this environment.

Imagine another scenario.
The device is not rooted, but you install all sorts of rogue apps from different unknown sources. You browse rogue sites. Click on anything you see mindlessly.
Is it really secure?

It comes back to my original point. It all depends.

Let users choose. You can have a setting in the developer option where people know what they are doing can turn off the SafetyNet checks.

SafetyNet is good for the average Joe, but not power users who know what they are doing.

 

[chanchan05]

Let's imagine the following scenario:
The device is rooted, but you only install Google Pay, banking, finance apps in this device, and no more. you don't even use this device to browse the Internet.
Tell me how insecure it is in this environment.

If you're rooted, not very. There are apps in Google Play that are legitimate, yet mine your data to sell to whoever wants to buy. All Cheetah Mobile products for example. This is in their terms of service, so people are actually giving consent. But installing any app from such a company with root means unfettered access to everything. If you aren't rooted, apps are still sandboxed.

Imagine another scenario.
The device is not rooted, but you install all sorts of rogue apps from different unknown sources. You browse rogue sites. Click on anything you see mindlessly.
Is it really secure?

In this scenario, Google isn't responsible anymore. Unlike in cases like SafetyNet.

It comes back to my original point. It all depends.

Let users choose. You can have a setting in the developer option where people know what they are doing can turn off the SafetyNet checks.

SafetyNet is good for the average Joe, but not power users who know what they are doing.

It's not just about you. Bank apps have access to bank database. They're not only worried about third parties like rogue apps or customROMs, they're worried about you the user as well. If bank apps can run on rooted phones, this provides unrestricted access to the bank app from a different app, essentially making a big security hole in their system.
A cyberthief can use this to hack into the bank and steal from them. So in fact, someone who knows what they are doing is a bigger reason for banks and Google to enforce SafetyNet. Letting users choose to enable SafetyNet or not is more dangerous for the app makers. In the scenario you are describing, only two things will happen: Bank apps will develop their own ways to prevent being used while rooted or on CustomROMs (games like Pokemon Go has had this even before SafetyNet was active), or stop the app service altogether.