SafetyNet’s hardware-backed attestation hasn’t been defeated yet and, given the way it works, it is infeasible to defeat it in software. The Universal SafetyNet Fix Magisk module downgrades the evaluation type to BASIC, which is a software-based evaluation that is defeated by Magisk.
All Android 8+ devices licensed for Google apps are provisioned with a TEE, so all of them support hardware-backed attestation. You don’t have to implement your own detection techniques. Use the SafetyNet API and check on your web service whether the evaluation type is hardware-backed in the attestation response. You can deny the service to the client if the Android version is 8+ and the evaluation type is basic.
You have to make an exception for the lower Android versions because those devices either may not have a TEE or their TEE’s public key is not certified by the Google root certificate authority. Also make an exception for the OnePlus 7: despite running Android 8+, its hardware-backed attestation is broken, so SafetyNet falls back to the basic evaluation type.
An app with root access can extract your app’s secrets by using code injection, memory dumps and impersonation of your app. A TEE cannot prevent compromise of the host OS.
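
The server-side policy described above, as an added example that is not part of the original answer. It assumes the JWS signature and certificate chain were already verified; `decide`, `sdk_int`, `model` and the model string are hypothetical names, and the `basicIntegrity`/`ctsProfileMatch` check goes beyond what the answer states.

```python
import base64
import json

MIN_HW_SDK = 26               # Android 8.0 is API level 26
EXEMPT_MODELS = {"OnePlus7"}  # constructed model string for the exception above

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_jws(payload: dict) -> str:
    """Build a constructed, unsigned token for demonstration only."""
    header = b64url(json.dumps({"alg": "RS256"}).encode())
    return ".".join([header, b64url(json.dumps(payload).encode()), "c2ln"])

def decode_payload(jws: str) -> dict:
    """Decode the payload of a JWS whose signature was already verified."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(seg))

def decide(payload: dict, sdk_int: int, model: str):
    """Return (allow, reason). sdk_int and model are client-reported
    (assumption: they are not part of the attestation payload)."""
    if not (payload.get("basicIntegrity") and payload.get("ctsProfileMatch")):
        return False, "integrity verdict failed"
    # evaluationType is a comma-separated list, e.g. "BASIC,HARDWARE_BACKED"
    raw = payload.get("evaluationType", "")
    types = {t.strip() for t in raw.split(",") if t.strip()}
    if "HARDWARE_BACKED" in types:
        return True, "hardware-backed evaluation"
    if sdk_int < MIN_HW_SDK:
        return True, "exception: below Android 8"
    if model in EXEMPT_MODELS:
        return True, "exception: known broken hardware attestation"
    return False, "basic evaluation on Android 8+"

if __name__ == "__main__":
    # Constructed sample: a BASIC-only verdict from an Android 11 device.
    basic = {"basicIntegrity": True, "ctsProfileMatch": True,
             "evaluationType": "BASIC"}
    print(decide(decode_payload(make_sample_jws(basic)), 30, "Pixel 4"))
```

Because `sdk_int` and `model` come from the client rather than from the signed payload, the two exceptions are only as trustworthy as that report.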