The same issue here after updating to stable version.!
"One of your MitID apps is temporarily blocked. "
Please un-do the changes ,it rather serious issue that this app is not working.

    Why the OS was pushed to stable if somebody reported a problem?

    Grkrz I believe that "undo-ing" is a strong statement. I believe that we should have an idea of what started tripping the app first, and then figuring out what can be done about that. It is very likely that the problem is in the app being too aggressive on its checks, and it's tripping on something innocuous. If we can find out what that is, then we have a better chance of complaining to MitID or it might be possible to introduce a workaround in GrapheneOS side (hopefully a per-app switch like the one that already exists).

    To non-Danish users: it is hard to overstate how essential this app is to daily life. You cannot interact with the government, you cannot open your digital mail (that you are legally required to read), you cannot do any banking with any bank, you cannot pay your bills, you cannot use your card online, you cannot login to a great deal of websites if you are locked out of NemID. Even if you try calling, they want you to prove who you are by using the app. It is like if everything only had Google sign-in and your Google account gets banned. You become a "non-citizen". Naturally none of this is GrapheneOS' fault, but I'm just explaining what the situation is. If no solution is found, GrapheneOS will be a complete non-starter to Danish users. I expect that the potential user base is much larger now because Pixel 7 is being officially sold in Denmark, unlike previous models. (Sweden is in a similar boat: everything requires the use of BankID, and if the app stops working, you become a "non-citizen".)

    (I have a backup dongle that can be ordered but I guess the majority of users will not put up with it.)

    lbschenkel

    Tried installing MitID 2.3.4 on Pixel 7 TD1A.220804.031.2022102600, all working fine. I get this error when enabling OEM unlock in dev options though, maybe that's causing the error for you too?

    Had to reboot after disabling OEM unlock and reinstall app for it to work again.

      vvdn Unfortunately that didn't solve it for me: I disabled both "OEM unlocking" (just to test, I don't want to risk having that disabled and one day bricking the phone because it fails to boot and I can't reflash) and "Developer options" and rebooted but I still get the error...

      Given the reports here, I'm inclined to assume that the following is happening:

      • the bug is manifesting only when the app has data, i.e., you have previously enrolled the authenticator
      • on top of the above, maybe the app might be setting a "tainted" flag and refusing to work once it detects what it believes is tampering, even if the underlying checks now pass

      I think I will need to revoke this instance of the authenticator, wipe the app data, and try setting up from scratch again, and check what happens.

      • vvdn replied to this.

        lbschenkel

        Did you also reinstall the app after rebooting?

        You might want to consider disabling OEM locking anyway because error seems to be triggered by that

          vvdn No, I did not reinstall because I was trying to avoid wiping data at all costs — if I do that I need to revoke the authenticator and re-enroll.

          But given the reports here that on a new installation the error shows up and disappears, I am resigned that this instance of the authenticator is unrecoverable and I will test as a new installation.

          Update:

          I revoked the authenticator and uninstalled/reinstalled the app. This was done with both "OEM unlock" and "Developer options" disabled. The app opens and shows the welcome screen without errors.

          Then I enabled "developer options" and "OEM unlock", and rebooted. App still opens without showing any error. Then I uninstalled the app and reinstalled once more, to make sure I'm forcing a "re-validation" of the device. Welcome screen still shows without any error.

          Now I need to activate (enroll) the authenticator. I started the process but for security reasons there's a waiting period for that (*) so I need to wait for it to elapse. I will try enrolling the device in the current state, with "OEM unlock" enabled, and see if it works.

          Will keep you posted.

          (*) They send the person an SMS notifying that there's a request to enroll a new authenticator, and you have time to contact them and block it if it was not you who is doing it.

          P.S.: In the MitID website they provide an activity log, and I checked what happened yesterday, and there's the following entry: "App - temporarily blocked due to 'jailbreak' - unlocks automatically once it is removed". This confirms that something tripped the app and it reported to the mothership; but the wording claims that it would work again once the right conditions are satisfied. This clearly did not happen for me. Another interesting fact is that yesterday, at that point in time when I launched the app and it locked itself, I already had all the other GmsCompat+Google updates that other reporters claimed that "un-broke" the app.

            lbschenkel

            • I was able to enroll with "OEM unlock" enabled and it worked. I did some authentication operations and confirmed that it works.
            • I rebooted the device without changing anything. Now it shows "Device is rooted" again.
            • Disabled "OEM unlocking". Rebooted. "Device is rooted".
            • Revoked, uninstalled, reinstalled app, re-enrolled (with "OEM unlocking" disabled). It worked.
            • Rebooted. Still works.
            • Enabled "OEM unlocking" to confirm that this is tripping the app. Rebooted. "Device is rooted". Confirmed that this is tripping the app.

            I also saw what is happening at server-side, given the information provided in the website. Any time the app trips, it reports to the server which temporarily disables the app. This results in an entry in the activity log, and I also see that the specific installation is under a new section "Temporarily blocked authenticator".

            I believe that this explains why it doesn't unblock once I disable "OEM unlocking": the app will not re-activate until the timeout passes. This "temporary block" must only happen once the app is enrolled and linked to a user profile, and that is why other reporters who have just installed it but not enrolled it see the state changing immediately.

            Why is this tripping the app now, and not on previous versions of GrapheneOS? Any clue, @strcat? Was the state of "OEM unlock" invisible to apps before, but visible now?

            Now I have disabled "OEM unlock", rebooted, and the app is still blocked but I believe it will come back to life once the temporary block expires. I will wait some hours and report what happens.

            OEM unlocking toggle state was always visible to apps. Nothing like that has changed has at all. I think you're wrongly tying this to an OS upgrade when they upgraded their service.

              strcat I understand what you're saying, but at the same time how do you explain all the different reports here of users that installed this very same version of the app on the previous GrapheneOS version, and the app immediately tripping after the OS upgrade? I'm trying to reason based on the evidence presented and on experimentation.

              The reason for why I'm asking for help from the developers is because you're empowered to build a new version that is the same as the previous one (since we can't roll back), and determine beyond any doubt if this is the case or not. Would GrapheneOS run in any kind of virtual machine? Then I could try to do those experiments myself.

                I I hope you figure this out ibschenkel. I had the same issue on a fresh GOS install on a pixel 6 pro, and have now ended up ordering an analog code reader instead of the app - since as you say, you are quite lost as a danish citizen without it - hoping this will work instead.

                Everything else works amazing though, and as a newbie I can say that the GOS team/developers has really outdone themselves.

                /Frank

                lbschenkel

                  Frankdux When was this? Before adopting GOS around 1 year ago I did a test an tested all essential apps, including MitID, and it just worked flawlessly. This last update was the very first time that MitID complained.

                    After a new OS update the app again stopped working, this insane!

                      lbschenkel I agree, I have used GOS for over a 6 months and the second update and which is breaking the app.. If this will continue my adventure with GOS will end. Not be able to use this app is equal to not having the INTERNET.

                        Grkrz After a new OS update the app again stopped working

                        What was your OEM unlocking state when it happened?

                        Hypothesis: The MitID app developers in their infinite wisdom might be doing some root checks only when the app sees an OS update / build number change - which could confound your testing, because it would look like the OS update was the cause when it was really just the trigger.

                          Grkrz I agree with you in content but not in tone. Remember that this is a community project, and nobody is trying to break anything — the developers are trying to improve the OS and also having to perpetually catch up with Google regarding GmsCompat (sandboxed Play Services). The problem is that there is this single app which is essential to life in Denmark, and the app is aggressive in its "security" checks. And app compatibility is a thankless job; I am a software developer myself and I know this first hand.

                          That said, it is not a stretch to say that this particular update 'upset' the app in some way that it did not happen before. We have a number of reports there that confirmed it. I am also fairly confident that there is nothing in this update that should have upset the app, but the app has some stupid or buggy check that no longer passes. It would be nice to figure out what exactly it was to see if there is any workaround possible.

                          Unfortunately for us, Denmark is a small country. Were this app essential to life in US or another country of comparable importance, it would be such a deal breaker for any distro that the willingness to make it work (despite its faults) would be different.