fromTom This is enough. When the app does not like your device, you cannot even see this screen: a "device is rooted" pop-up shows up and overlays the app.

It looks like, given your report, that it can be a GrapheneOS regression.

    @lbschenkel: I also could easily install MitID and start it. I had to stop where the Passport should be scanned.

    Pixel 6
    GrapheneOS TP1A.221005.002.2022102300
    MitID version 2.3.4 (versionCode 55)

      Play Services version 22.41.13 (190400-480714934)

      • Pixel 4a

      • GrapheneOS TP1A.221005.002.2022102300

      • MitID version 2.3.4 (versionCode 55) WORKING FINE

      • Play Services version 22.41.13 (190400-480714934), com.google.android.gms versionCode 224113044

      You need to file a bug report with the app developers, not with us. We didn't make any changes in the most recent release which would break an app not doing anything completely unreasonable to stop users from using it via GrapheneOS or another alternate OS. If people who want this app to work want the compatibility issue resolved, they'll need to determine what the problem is and provide a way to work around it without rolling back important security features for everyone else. One way or another, this app was going to break if it doesn't want to run on aftermarket operating systems since they will eventually switch to the Play Integrity API. Nothing we can do about that.

        Toophei8 You should test again with the latest GrapheneOS release. Per the original post, it likely stopped working with 2022102600. It may somehow be incompatible with the kernel lockdown mode, but it's strange for anything to be impacted by that kernel change which is almost entirely an internal change in the OS.

        https://grapheneos.org/releases#2022102600

        strcat I believe that there was a bit of misunderstanding here. I was not stating that changes needed rolling back. What I meant to say is that all evidence points to something new in this release tripping the app. As we cannot roll back the OS, I was hoping that the developers could give a hand in figuring out what exactly tripped the app by quickly trying custom builds with a subset of changes in 2022102600: only with kernel changes, only with GmsCompat changes, etc. in order to narrow it down.

        My intent was to narrow down and find the cause, and then I'm in a better position to have a conversation with the MitID app maintainers (I already contacted them, by the way). Also, depending on what the cause is, it might not be impossible that a per-app compatibility flag could end up being useful. This was already done to work around some buggy apps (games, etc.) which are way less "mission critical" than this particular one.

        And in all honesty, I want to press on this a bit further because in the past I also reported other bugs in which I was immediately brushed off and the issue closed, but the problem ended up being GmsCompat issues that ultimately were addressed.

        Another weird behaviour: sometimes when I force stop the app and run it again, I don't get the "Device is rooted" error but a different pop-up: "There is a problem. Please try again. If you experience the problem again, you can find help at MitID.dk."

        Unfortunately no other information or error code is given. I checked logcat again but I can see nothing that catches my attention: no error, no stack trace, nothing.

        If I disable and enable the app I get either the "rooted" or the "there is a problem" message, apparently at random. I also saw "there is a problem" for a brief instant, then "device is rooted" showing up and overlaying it.

        This is the logcat of a launch resulting in the "rooted" message:

        10-28 09:01:21.033  1606  1967 I ActivityTaskManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10000000 pkg=dk.mitid.app.android cmp=dk.mitid.app.android/.activity.MainActivity} from uid 1000
        10-28 09:01:21.034  1606  1967 D CompatibilityChangeReporter: Compat change id reported: 194480991; UID 10137; state: ENABLED
        10-28 09:01:21.038  1606  1967 D CompatibilityChangeReporter: Compat change id reported: 174042980; UID 10137; state: DISABLED
        10-28 09:01:21.038  1606  1967 D CompatibilityChangeReporter: Compat change id reported: 184838306; UID 10137; state: DISABLED
        10-28 09:01:21.039  1606  1967 D CompatibilityChangeReporter: Compat change id reported: 185004937; UID 10137; state: DISABLED
        10-28 09:01:21.040  1606  1967 D CompatibilityChangeReporter: Compat change id reported: 205907456; UID 10137; state: DISABLED
        10-28 09:01:21.044  1606  1967 D CompatibilityChangeReporter: Compat change id reported: 194833441; UID 10137; state: DISABLED
        10-28 09:01:21.045  1606  1717 D CompatibilityChangeReporter: Compat change id reported: 135634846; UID 10137; state: DISABLED
        10-28 09:01:21.045  1606  1717 D CompatibilityChangeReporter: Compat change id reported: 177438394; UID 10137; state: DISABLED
        10-28 09:01:21.045  1606  1717 D CompatibilityChangeReporter: Compat change id reported: 135772972; UID 10137; state: DISABLED
        10-28 09:01:21.045  1606  1717 D CompatibilityChangeReporter: Compat change id reported: 135754954; UID 10137; state: ENABLED
        10-28 09:01:21.046  1606  1726 D CompatibilityChangeReporter: Compat change id reported: 143937733; UID 10137; state: ENABLED
        10-28 09:01:21.046  1606  1967 D CompatibilityChangeReporter: Compat change id reported: 168419799; UID 10137; state: DISABLED
        10-28 09:01:21.048  1606  1704 D CoreBackPreview: Window{b99114f u0 Splash Screen dk.mitid.app.android}: Setting back callback OnBackInvokedCallbackInfo{mCallback=android.window.IOnBackInvokedCallback$Stub$Proxy@c0bb5e5, mPriority=0}
        10-28 09:01:21.060  1606  1726 I ActivityManager: Start proc 23106:dk.mitid.app.android/u0a137 for next-top-activity {dk.mitid.app.android/dk.mitid.app.android.activity.MainActivity}
        10-28 09:01:21.060 23106 23106 W Zygote  : Can't access app profile directory: /data_mirror/cur_profiles/0/dk.mitid.app.android
        10-28 09:01:21.068 23106 23106 E tid.app.android: Not starting debugger since process cannot load the jdwp agent.
        10-28 09:01:21.125 23106 23106 D AndroidRuntime: >>>>>> START com.android.internal.os.RuntimeInit uid 10137 <<<<<<
        10-28 09:01:21.126 23106 23106 W tid.app.android: type=1400 audit(0.0:446914): avc: denied { read } for name="u:object_r:odsign_prop:s0" dev="tmpfs" ino=241 scontext=u:r:untrusted_app:s0:c137,c256,c512,c768 tcontext=u:object_r:odsign_prop:s0 tclass=file permissive=0 app=dk.mitid.app.android
        10-28 09:01:21.128 23106 23106 E cutils-trace: Error opening trace file: No such file or directory (2)
        10-28 09:01:21.129 23106 23106 W dk.mitid.app.android: ART APEX data files are untrusted.
        10-28 09:01:21.126 23106 23106 W tid.app.android: type=1400 audit(0.0:446915): avc: denied { getattr } for path="/apex/apex-info-list.xml" dev="tmpfs" ino=67 scontext=u:r:untrusted_app:s0:c137,c256,c512,c768 tcontext=u:object_r:apex_info_file:s0 tclass=file permissive=0 app=dk.mitid.app.android
        10-28 09:01:21.130 23106 23106 W tid.app.android: type=1400 audit(0.0:446916): avc: denied { lock } for path="/system/framework/arm64/boot.art" dev="dm-10" ino=1406 scontext=u:r:untrusted_app:s0:c137,c256,c512,c768 tcontext=u:object_r:system_file:s0 tclass=file permissive=0 app=dk.mitid.app.android
        10-28 09:01:21.130 23106 23106 W tid.app.android: type=1400 audit(0.0:446917): avc: denied { lock } for path="/system/framework/arm64/boot-core-libart.art" dev="dm-10" ino=1358 scontext=u:r:untrusted_app:s0:c137,c256,c512,c768 tcontext=u:object_r:system_file:s0 tclass=file permissive=0 app=dk.mitid.app.android
        10-28 09:01:21.130 23106 23106 W tid.app.android: type=1400 audit(0.0:446918): avc: denied { lock } for path="/system/framework/arm64/boot-okhttp.art" dev="dm-10" ino=1388 scontext=u:r:untrusted_app:s0:c137,c256,c512,c768 tcontext=u:object_r:system_file:s0 tclass=file permissive=0 app=dk.mitid.app.android
        10-28 09:01:21.192 23106 23106 D dk.mitid.app.android: Time zone APEX ICU file found: /apex/com.android.tzdata/etc/icu/icu_tzdata.dat
        10-28 09:01:21.192 23106 23106 D dk.mitid.app.android: I18n APEX ICU file found: /apex/com.android.i18n/etc/icu/icudt70l.dat
        10-28 09:01:21.219 23106 23106 E dk.mitid.app.android: Unable to find pattern file or unable to map it for am
        10-28 09:01:21.237 23106 23106 D CompatibilityChangeReporter: Compat change id reported: 171979766; UID 10137; state: ENABLED
        10-28 09:01:21.260 23106 23106 W dk.mitid.app.android: unable to execute idmap2: Permission denied
        10-28 09:01:21.276 23106 23106 V GraphicsEnvironment: ANGLE Developer option for 'dk.mitid.app.android' set to: 'default'
        10-28 09:01:21.276 23106 23106 V GraphicsEnvironment: ANGLE GameManagerService for dk.mitid.app.android: false
        10-28 09:01:21.556 23106 23106 D CompatibilityChangeReporter: Compat change id reported: 183155436; UID 10137; state: DISABLED
        10-28 09:01:21.557 23106 23106 I FirebaseCrashlytics: Initializing Firebase Crashlytics 18.2.4 for dk.mitid.app.android
        10-28 09:01:21.587  1606  1967 D CompatibilityChangeReporter: Compat change id reported: 161145287; UID 10137; state: DISABLED
        10-28 09:01:21.602 23106 23154 W dk.mitid.app.android: Failed to determine odex file name: Dex location /gmscompat_fd_58 has no extension.
        10-28 09:01:21.602 23106 23154 W ziparchive: Unable to open '/gmscompat_fd_58.dm': No such file or directory
        10-28 09:01:21.641 23106 23187 I FA      :   adb shell setprop debug.firebase.analytics.app dk.mitid.app.android
        10-28 09:01:21.662 23106 23106 D CompatibilityChangeReporter: Compat change id reported: 210923482; UID 10137; state: DISABLED
        10-28 09:01:21.662 23106 23106 D CompatibilityChangeReporter: Compat change id reported: 37756858; UID 10137; state: ENABLED
        10-28 09:01:21.688 23106 23106 D CompatibilityChangeReporter: Compat change id reported: 160794467; UID 10137; state: ENABLED
        10-28 09:01:21.780 23106 23106 D CompatibilityChangeReporter: Compat change id reported: 171228096; UID 10137; state: ENABLED
        10-28 09:01:21.781 23106 23106 E ConstraintLayout: layout_constraintHeight_default="wrap" is deprecated.
        10-28 09:01:21.781 23106 23106 E ConstraintLayout: Use layout_height="WRAP_CONTENT" and layout_constrainedHeight="true" instead.
        10-28 09:01:21.793  1606 17983 D CoreBackPreview: Window{adebde9 u0 dk.mitid.app.android/dk.mitid.app.android.activity.MainActivity}: Setting back callback OnBackInvokedCallbackInfo{mCallback=android.window.IOnBackInvokedCallback$Stub$Proxy@68c032b, mPriority=0}
        10-28 09:01:21.796  1606 17983 D CoreBackPreview: Window{4674121 u0 dk.mitid.app.android/dk.mitid.app.android.activity.MainActivity}: Setting back callback OnBackInvokedCallbackInfo{mCallback=android.window.IOnBackInvokedCallback$Stub$Proxy@845a707, mPriority=0}
        10-28 09:01:21.805 23106 23158 D CompatibilityChangeReporter: Compat change id reported: 194532703; UID 10137; state: DISABLED
        10-28 09:01:21.805  1606 17983 D CompatibilityChangeReporter: Compat change id reported: 194532703; UID 10137; state: DISABLED
        10-28 09:01:21.811 23106 23167 E cutils-trace: Error opening trace file: No such file or directory (2)
        10-28 09:01:21.846  1606  1714 I ActivityTaskManager: Displayed dk.mitid.app.android/.activity.MainActivity: +811ms
        10-28 09:01:21.896  1606  1704 D CompatibilityChangeReporter: Compat change id reported: 214016041; UID 10137; state: DISABLED
        10-28 09:01:22.149  1606  3541 D CoreBackPreview: Window{b99114f u0 Splash Screen dk.mitid.app.android EXITING}: Setting back callback null
        10-28 09:01:22.149  1606  1704 W InputManager-JNI: Input channel object 'b99114f Splash Screen dk.mitid.app.android (client)' was disposed without first being removed with the input manager!
        10-28 09:01:22.863  1606  1967 D CoreBackPreview: Window{adebde9 u0 dk.mitid.app.android/dk.mitid.app.android.activity.MainActivity}: Setting back callback null
        10-28 09:01:22.867  1606  1967 W InputManager-JNI: Input channel object 'adebde9 dk.mitid.app.android/dk.mitid.app.android.activity.MainActivity (client)' was disposed without first being removed with the input manager!
        10-28 09:01:27.222  1606  1919 E ContextHubClientManager: Cannot send message to unregistered client (host endpoint ID = -28638)
        10-28 09:01:27.225  1606  1919 E ContextHubClientManager: Cannot send message to unregistered client (host endpoint ID = -28638)

        grepped by (mitid|10137|compat| E ) (10137 is the UID of the app).

        Actually I noticed this now, which may be relevant:

        10-28 09:04:08.952 23311 23311 W dk.mitid.app.android: unable to execute idmap2: Permission denied
        10-28 09:04:08.952 23311 23311 W OverlayConfig: 'idmap2 create-multiple' failed: no mutable="false" overlays targeting "android" will be loaded

        Also, on every app launch Google Play Services triggers this error:

        10-28 09:04:09.664  2731 23251 W NetworkScheduler: Error inserting flex_time=2452000 job_id=-1 period=4905000 source=16 requires_charging=0 preferred_network_type=1 target_class=com.google.android.gms.measurement.PackageMeasurementTaskService user_id=0 target_package=com.google.android.gms tag=Measurement.PackageMeasurementTaskService.UPLOAD_TASK_TAG task_type=0 required_idleness_state=0 service_kind=0 source_version=224113000 persistence_level=1 preferred_charging_state=1 required_network_type=0 runtime=1666940649661 retry_strategy={"maximum_backoff_seconds":{"3600":0},"initial_backoff_seconds":{"30":0},"retry_policy":{"0":0}} last_runtime=0 [CONTEXT service_id=218 ]
        10-28 09:04:09.664  2731 23251 W NetworkScheduler: android.database.sqlite.SQLiteConstraintException: UNIQUE constraint failed: pending_ops.tag, pending_ops.target_class, pending_ops.target_package, pending_ops.user_id (code 2067 SQLITE_CONSTRAINT_UNIQUE)
        10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at android.database.sqlite.SQLiteConnection.nativeExecuteForLastInsertedRowId(Native Method)
        10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at android.database.sqlite.SQLiteConnection.executeForLastInsertedRowId(SQLiteConnection.java:961)
        10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at android.database.sqlite.SQLiteSession.executeForLastInsertedRowId(SQLiteSession.java:790)
        10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at android.database.sqlite.SQLiteStatement.executeInsert(SQLiteStatement.java:89)
        10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at android.database.sqlite.SQLiteDatabase.insertWithOnConflict(SQLiteDatabase.java:1868)
        10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at android.database.sqlite.SQLiteDatabase.insertOrThrow(SQLiteDatabase.java:1763)
        10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at brdb.g(:com.google.android.gms@224113044@22.41.13 (190400-480714934):52)
        10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at brbu.n(:com.google.android.gms@224113044@22.41.13 (190400-480714934):3)
        10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at brbu.u(:com.google.android.gms@224113044@22.41.13 (190400-480714934):20)
        10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at brbu.h(:com.google.android.gms@224113044@22.41.13 (190400-480714934):3)
        10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at bqxl.run(:com.google.android.gms@224113044@22.41.13 (190400-480714934):9)
        10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at zyr.c(:com.google.android.gms@224113044@22.41.13 (190400-480714934):6)
        10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at zyr.run(:com.google.android.gms@224113044@22.41.13 (190400-480714934):7)
        10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1137)
        10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
        10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at aadw.run(:com.google.android.gms@224113044@22.41.13 (190400-480714934):0)
        10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at java.lang.Thread.run(Thread.java:1012)
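
A small triage helper for logs like the ones in the post above, added here as an example and not part of the thread: it parses `logcat` threadtime lines, derives the app's UID from the `Start proc` entry (`u0a137` gives 10137), and groups SELinux `avc: denied` records and other warnings from the app's own process so two launches or two devices can be compared. The function names are illustrative; the sample lines are copied from the posted log.

```python
import re
from collections import Counter

# threadtime format: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LINE = re.compile(r"^(\d\d-\d\d [\d:.]+)\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+(.+?)\s*: (.*)$")
START = re.compile(r"Start proc (\d+):([\w.]+)/u(\d+)a(\d+)")
AVC = re.compile(r'avc: denied \{ ([^}]+) \} for (?:name|path)="([^"]+)".*?'
                 r"tcontext=u:object_r:(\w+):s0 tclass=\w+ permissive=\d(?: app=([\w.]+))?")

# Sample lines copied from the logcat in the post above.
SAMPLE = """\
10-28 09:01:21.060  1606  1726 I ActivityManager: Start proc 23106:dk.mitid.app.android/u0a137 for next-top-activity {dk.mitid.app.android/dk.mitid.app.android.activity.MainActivity}
10-28 09:01:21.060 23106 23106 W Zygote  : Can't access app profile directory: /data_mirror/cur_profiles/0/dk.mitid.app.android
10-28 09:01:21.126 23106 23106 W tid.app.android: type=1400 audit(0.0:446914): avc: denied { read } for name="u:object_r:odsign_prop:s0" dev="tmpfs" ino=241 scontext=u:r:untrusted_app:s0:c137,c256,c512,c768 tcontext=u:object_r:odsign_prop:s0 tclass=file permissive=0 app=dk.mitid.app.android
10-28 09:01:21.126 23106 23106 W tid.app.android: type=1400 audit(0.0:446915): avc: denied { getattr } for path="/apex/apex-info-list.xml" dev="tmpfs" ino=67 scontext=u:r:untrusted_app:s0:c137,c256,c512,c768 tcontext=u:object_r:apex_info_file:s0 tclass=file permissive=0 app=dk.mitid.app.android
10-28 09:01:21.130 23106 23106 W tid.app.android: type=1400 audit(0.0:446916): avc: denied { lock } for path="/system/framework/arm64/boot.art" dev="dm-10" ino=1406 scontext=u:r:untrusted_app:s0:c137,c256,c512,c768 tcontext=u:object_r:system_file:s0 tclass=file permissive=0 app=dk.mitid.app.android
10-28 09:01:21.130 23106 23106 W tid.app.android: type=1400 audit(0.0:446917): avc: denied { lock } for path="/system/framework/arm64/boot-core-libart.art" dev="dm-10" ino=1358 scontext=u:r:untrusted_app:s0:c137,c256,c512,c768 tcontext=u:object_r:system_file:s0 tclass=file permissive=0 app=dk.mitid.app.android
10-28 09:01:21.260 23106 23106 W dk.mitid.app.android: unable to execute idmap2: Permission denied
10-28 09:01:21.587  1606  1967 D CompatibilityChangeReporter: Compat change id reported: 161145287; UID 10137; state: DISABLED
10-28 09:01:27.222  1606  1919 E ContextHubClientManager: Cannot send message to unregistered client (host endpoint ID = -28638)
"""

def parse(text):
    """Yield (pid, level, tag, message) for every well-formed threadtime line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield int(m.group(2)), m.group(4), m.group(5), m.group(6)

def triage(text, package):
    """Summarise what the log says about one package's own processes."""
    pids, uid, denials, other = set(), None, Counter(), []
    for pid, level, tag, msg in parse(text):
        started = START.search(msg)
        if tag == "ActivityManager" and started and started.group(2) == package:
            pids.add(int(started.group(1)))
            # u<user>a<app> maps to Linux UID user * 100000 + 10000 + app
            uid = int(started.group(3)) * 100000 + 10000 + int(started.group(4))
            continue
        avc = AVC.search(msg)
        if avc and (avc.group(4) == package or pid in pids):
            # Key on (permission, target SELinux type): stable across devices,
            # unlike inode numbers or audit serials.
            denials[(avc.group(1), avc.group(3))] += 1
        elif pid in pids and level in "WE":
            other.append((tag, msg))
    return {"uid": uid, "pids": pids, "denials": denials, "other": other}

if __name__ == "__main__":
    report = triage(SAMPLE, "dk.mitid.app.android")
    print("uid", report["uid"], "pids", sorted(report["pids"]))
    for (perm, ttype), count in sorted(report["denials"].items()):
        print(f"avc denied {perm:8} {ttype:16} x{count}")
    for tag, msg in report["other"]:
        print("warn/err", tag, "|", msg)
```

Running the same summary over a capture from a device where the app works and one where it fails reduces the comparison to the denial keys and warnings that differ.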

        Hello @lbschenkel,
        this night I received an upgrade to TP1A.221005.002.2022102600.
        Right after an upgrade I tried to run MitID with the same result as you had described - "device is rooted".
        However, a few minutes later I obtained an automatic update of one of the Google services apps (unfortunately I am not sure which one it was) and voilà - MitID works fine again.

          fromTom That is very interesting. Do you mind opening "Apps" and reporting the version of GmsCompat and each Google app that you have?

          Mine:

          • GmsCompat config: 13
          • Play Store: 83281810
          • Play Services: 224113044
          • Play Services Framework: 33

            strcat No I don't, both have network permissions enabled: Play Services needs it for notifications, and Play Store needs to download apps.

            The MitID app also has network permissions enabled.

            The same issue here after updating to the stable version!
            "One of your MitID apps is temporarily blocked."
            Please undo the changes, it is a rather serious issue that this app is not working.

              Why was the OS pushed to stable if somebody reported a problem?

              Grkrz I believe that "undo-ing" is a strong statement. I believe that we should have an idea of what started tripping the app first, and then figure out what can be done about that. It is very likely that the problem is in the app being too aggressive in its checks, and it's tripping on something innocuous. If we can find out what that is, then we have a better chance of complaining to MitID or it might be possible to introduce a workaround on the GrapheneOS side (hopefully a per-app switch like the one that already exists).

              To non-Danish users: it is hard to overstate how essential this app is to daily life. You cannot interact with the government, you cannot open your digital mail (that you are legally required to read), you cannot do any banking with any bank, you cannot pay your bills, you cannot use your card online, you cannot log in to a great deal of websites if you are locked out of NemID. Even if you try calling, they want you to prove who you are by using the app. It is like if everything only had Google sign-in and your Google account gets banned. You become a "non-citizen". Naturally none of this is GrapheneOS' fault, but I'm just explaining what the situation is. If no solution is found, GrapheneOS will be a complete non-starter to Danish users. I expect that the potential user base is much larger now because Pixel 7 is being officially sold in Denmark, unlike previous models. (Sweden is in a similar boat: everything requires the use of BankID, and if the app stops working, you become a "non-citizen".)

              (I have a backup dongle that can be ordered but I guess the majority of users will not put up with it.)

              lbschenkel

              Tried installing MitID 2.3.4 on Pixel 7 TD1A.220804.031.2022102600, all working fine. I get this error when enabling OEM unlock in dev options though, maybe that's causing the error for you too?

              Had to reboot after disabling OEM unlock and reinstall app for it to work again.