Is there a way to infer from the app logs – or from the Play Services app logs – that Play Integrity is at play here? Or perhaps the checks are all done server side?
Status of MitID app
fid02 It most likely is Play Integrity. Below are the logs from when I tried installing it in a new profile:
--------- switch to main
06-24 11:01:18.079 6162 6162 W WindowOnBackDispatcher: sendCancelIfRunning: isInProgress=falsecallback=android.view.ViewRootImpl$$ExternalSyntheticLambda11@f1811b0
06-24 11:01:39.909 6162 6248 I dk.mitid.app.android: Explicit concurrent mark compact GC freed 10MB AllocSpace bytes, 170(46MB) LOS objects, 75% free, 21MB/87MB, paused 230us,860us total 71.399ms
06-24 11:01:39.959 6162 6248 I PlayCore: UID: [10150] PID: [6162] IntegrityService : requestIntegrityToken(IntegrityTokenRequest{nonce=REDACTED, cloudProjectNumber=null})
06-24 11:01:39.961 6162 6971 I PlayCore: UID: [10150] PID: [6162] IntegrityService : Initiate binding to the service.
06-24 11:01:39.974 6162 6162 I PlayCore: UID: [10150] PID: [6162] IntegrityService : ServiceConnectionImpl.onServiceConnected(ComponentInfo{com.android.vending/com.google.android.finsky.integrityservice.IntegrityService})
06-24 11:01:39.975 6162 6971 I PlayCore: UID: [10150] PID: [6162] IntegrityService : linkToDeath
06-24 11:01:41.235 6162 6191 I PlayCore: UID: [10150] PID: [6162] OnRequestIntegrityTokenCallback : onRequestIntegrityToken
06-24 11:01:41.235 6162 6971 I PlayCore: UID: [10150] PID: [6162] IntegrityService : Unbind from service.
06-24 11:01:41.498 6162 6248 W FirebaseCrashlytics: A null value was passed to recordException. Ignoring.
06-24 11:01:41.617 6162 6996 D TrafficStats: tagSocket(115) with statsTag=0xffffffff, statsUid=-1
--------- switch to events
06-24 11:01:45.820 6162 6162 I view_enqueue_input_event: [eventType=Motion - Cancel,action=dk.mitid.app.android/dk.mitid.app.android.activity.MainActivity]
06-24 11:01:45.822 6162 6162 I wm_on_top_resumed_lost_called: [Token=REDACTED,Component Name=dk.mitid.app.android.activity.MainActivity,Reason=topStateChangedWhenResumed]
06-24 11:01:46.500 6162 6162 I wm_on_paused_called: [Token=REDACTED,Component Name=dk.mitid.app.android.activity.MainActivity,Reason=performPause,time=1ms]
--------- switch to main
06-24 11:01:46.501 6162 6162 D VRI[MainActivity]: visibilityChanged oldVisibility=true newVisibility=false
--------- switch to events
06-24 11:01:46.525 6162 6162 I viewroot_draw_event: [window=VRI[MainActivity],event=Not drawing due to not visible]
06-24 11:01:46.535 6162 6162 I wm_on_stop_called: [Token=REDACTED,Component Name=dk.mitid.app.android.activity.MainActivity,Reason=STOP_ACTIVITY_ITEM,time=3ms]
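To answer the question at the top of the thread from the logs themselves: the `PlayCore` lines are the Play Integrity client library talking to the `IntegrityService` inside the Play Store app (`com.android.vending`), so their presence around the failure is the on-device evidence that an integrity token was requested. The script below is an added example (not code from MitID, Google or the poster) that scans logcat `threadtime` output for that sequence and reconstructs each request: caller UID/PID, nonce, cloud project number, the bound service component and the time until the callback fired. The sample lines are constructed in the shape of the excerpt above, with the nonce already redacted.

```python
"""Detect Play Integrity API usage from an app's logcat output (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample in the shape of the logcat excerpt posted above.
SAMPLE_LOGCAT = """\
--------- switch to main
06-24 11:01:39.959  6162  6248 I PlayCore: UID: [10150] PID: [6162] IntegrityService : requestIntegrityToken(IntegrityTokenRequest{nonce=REDACTED, cloudProjectNumber=null})
06-24 11:01:39.961  6162  6971 I PlayCore: UID: [10150] PID: [6162] IntegrityService : Initiate binding to the service.
06-24 11:01:39.974  6162  6162 I PlayCore: UID: [10150] PID: [6162] IntegrityService : ServiceConnectionImpl.onServiceConnected(ComponentInfo{com.android.vending/com.google.android.finsky.integrityservice.IntegrityService})
06-24 11:01:41.235  6162  6191 I PlayCore: UID: [10150] PID: [6162] OnRequestIntegrityTokenCallback : onRequestIntegrityToken
06-24 11:01:41.235  6162  6971 I PlayCore: UID: [10150] PID: [6162] IntegrityService : Unbind from service.
06-24 11:01:41.498  6162  6248 W FirebaseCrashlytics: A null value was passed to recordException. Ignoring.
"""

# logcat -v threadtime: "MM-DD HH:MM:SS.mmm PID TID LEVEL TAG: message"
LOGCAT_LINE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)"
    r"\s+(?P<lvl>[VDIWEF])\s+(?P<tag>[^:]+):\s?(?P<msg>.*)$"
)
# The PlayCore library prefixes every IntegrityService message with the caller's UID/PID.
PLAYCORE_MSG = re.compile(
    r"UID: \[(?P<uid>\d+)\] PID: \[(?P<pid>\d+)\] (?P<cls>\S+) : (?P<rest>.*)"
)
REQUEST = re.compile(
    r"requestIntegrityToken\(IntegrityTokenRequest\{nonce=(?P<nonce>[^,}]*), "
    r"cloudProjectNumber=(?P<cpn>[^}]*)\}\)"
)
BOUND = re.compile(r"onServiceConnected\(ComponentInfo\{(?P<component>[^}]*)\}\)")


@dataclass
class IntegrityRequest:
    started: datetime
    uid: int
    pid: int
    nonce: str
    cloud_project_number: Optional[str]   # None when the app passed null (classic request)
    service: Optional[str] = None         # component the client bound to, normally in com.android.vending
    completed: Optional[datetime] = None  # when OnRequestIntegrityTokenCallback fired

    @property
    def latency_ms(self) -> Optional[int]:
        if self.completed is None:
            return None
        return round((self.completed - self.started).total_seconds() * 1000)


def _parse_ts(s: str) -> datetime:
    # logcat timestamps carry no year; differences within one capture are still correct.
    return datetime.strptime(s, "%m-%d %H:%M:%S.%f")


def find_integrity_requests(logcat: str) -> list[IntegrityRequest]:
    """Return one record per requestIntegrityToken() call found in the capture."""
    requests: list[IntegrityRequest] = []
    pending: dict[int, IntegrityRequest] = {}  # pid -> request still waiting for its callback
    for raw in logcat.splitlines():
        line = LOGCAT_LINE.match(raw)
        if not line or line["tag"].strip() != "PlayCore":
            continue  # buffer markers ("--------- switch to ...") and unrelated tags
        pc = PLAYCORE_MSG.match(line["msg"])
        if not pc:
            continue
        pid = int(pc["pid"])
        req = REQUEST.search(pc["rest"])
        if req:
            cpn = None if req["cpn"] == "null" else req["cpn"]
            r = IntegrityRequest(_parse_ts(line["ts"]), int(pc["uid"]), pid, req["nonce"], cpn)
            requests.append(r)
            pending[pid] = r
            continue
        bound = BOUND.search(pc["rest"])
        if bound and pid in pending:
            pending[pid].service = bound["component"]
        elif pc["cls"] == "OnRequestIntegrityTokenCallback" and pid in pending:
            pending.pop(pid).completed = _parse_ts(line["ts"])
    return requests


if __name__ == "__main__":
    for r in find_integrity_requests(SAMPLE_LOGCAT):
        print(f"uid={r.uid} pid={r.pid} nonce={r.nonce} project={r.cloud_project_number} "
              f"service={r.service} latency={r.latency_ms}ms")
```

Note what the capture can and cannot tell you: it proves that a token was requested and which process asked for it, but the token is opaque on the device and is decoded and judged on the app's backend, so the verdict that actually rejected the phone never appears in logcat.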
Proxima https://www.mitid.dk/om-mitid/nyheder/mitid-faar-ekstra-anti-svindelsmekanisme/
I wonder if it is possible to have a chat with the "experts and researchers from the IT University"?
lbschenkel Hi, I am back in DK after a long (wedding week) abroad, where I did not have time to 'play around' with phones and such. I can read here that unfortunately there has been a bad new 'rule' put in place by the masters of MitID. I did update to the latest stable GOS and rebooted and all. Yet, I had my 'DK user', the user that handles the DK apps, being random at granting internet access to the apps. Some had access, like my bank, but eBoks and Easypark did not. After some browsing around here and on my phone, I decided to reinstall GPS (google mirror)... and voila, both eBoks and Easypark have connection again. I am now in the process of waiting (1 hour) to copy my MitID to a second device, as that is now possible after 1 hour of waiting. So I will report back when I can do, or fail at, installing MitID in that manner.
Unfortunately I get the same screen after copying from my other phone to the new GOS phone. Well, I still have the code display and my old phone, so no real loss. Let's see if there is a new future for this app in 2025... or later. New GOS users from Denmark, get a Code Display (for free) before deleting your old phone/device with MitID on it.
Thank you lbschenkel, Proxima and fid02 and all others trying to get to the bottom of this issue... yes, we have reached the bottom.... :(
fid02 Grooty I took the easy way out and wrote to their support. I have made a translated summary here (their email reply contains a whole lot of Google marketing, which I have filtered out):
We use Google Play Integrity on Android and Apple Integrity Assertion on iOS, to ensure that users are not using "false apps" that masquerade as MitID, and that the app is downloaded from an official store. We provide them the code and limited backend access, in order for them to verify that the app binary is legitimate. This is not a kind of scam that is currently being employed, but we want to stay ahead of the threat.
I initially asked them why they went the Google Play Integrity way, and not things like hardware attestation, but I got most of the relevant information for this thread.
Does anyone know of a way to achieve the same as what they set out to do, but via hardware attestation instead? It sounds like they are trying to solve the following:
- Verify the operating system
- Verify the app binary is legitimate
- Verify that the app is downloaded from Google Play Store, and not somewhere else
If so, I wouldn't mind forwarding them that information, and see if I can change their minds about the implementation.
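To see which of those three goals actually depends on a Google-certified OS, it helps to look at what a backend does with the decoded verdict. The code below is an added example (not MitID's or Google's code) of such a server-side policy: it binds the verdict to the backend's own request (package name, nonce, freshness) and then maps each goal to the verdict section that answers it. The field names follow the documented decoded-verdict format of the Play Integrity API and the package name is the one from the logs above; the signing-certificate digest, nonce, timestamps and the contents of the two sample verdicts are constructed assumptions, including the assumption that an app installed from Play on GrapheneOS with sandboxed Play Services passes the app and licensing checks but receives no device label.

```python
"""Server-side policy over a decoded Play Integrity verdict (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Values the verifying backend owns. The package name is from the logcat excerpt
# above; the certificate digest is a hypothetical placeholder, not MitID's real one.
EXPECTED_PACKAGE = "dk.mitid.app.android"
EXPECTED_CERT_DIGESTS = {"HYPOTHETICAL_BASE64URL_SHA256_OF_SIGNING_CERT"}


@dataclass
class Decision:
    app_ok: bool = False     # goal: the binary is the version published to Play
    source_ok: bool = False  # goal: installed through Google Play for this account
    os_ok: bool = False      # goal: Google-certified OS (the label a non-certified OS never gets)
    reasons: list[str] = field(default_factory=list)

    @property
    def accepted(self) -> bool:
        return self.app_ok and self.source_ok and self.os_ok


def evaluate_verdict(verdict: dict, expected_nonce: str, now_ms: int,
                     max_age_ms: int = 600_000) -> Decision:
    d = Decision()
    req = verdict.get("requestDetails", {})
    # Bind the verdict to our own request first; an unbound verdict proves nothing.
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        d.reasons.append("request package mismatch")
        return d
    if req.get("nonce") != expected_nonce:
        d.reasons.append("nonce mismatch (replayed or foreign token)")
        return d
    if now_ms - int(req.get("timestampMillis", 0)) > max_age_ms:
        d.reasons.append("stale verdict")
        return d

    # App binary: Play recognized this exact build, and it is signed with our key.
    app = verdict.get("appIntegrity", {})
    if (app.get("appRecognitionVerdict") == "PLAY_RECOGNIZED"
            and app.get("packageName") == EXPECTED_PACKAGE
            and EXPECTED_CERT_DIGESTS & set(app.get("certificateSha256Digest", []))):
        d.app_ok = True
    else:
        d.reasons.append(f"appRecognitionVerdict={app.get('appRecognitionVerdict')}")

    # Install source: the Play account holds a license for this app.
    if verdict.get("accountDetails", {}).get("appLicensingVerdict") == "LICENSED":
        d.source_ok = True
    else:
        d.reasons.append("not licensed via Play (sideloaded or unknown install source)")

    # OS: only MEETS_DEVICE_INTEGRITY (or STRONG) encodes "Google-certified build".
    labels = set(verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    if "MEETS_DEVICE_INTEGRITY" in labels:
        d.os_ok = True
    else:
        d.reasons.append(f"deviceRecognitionVerdict={sorted(labels)}")
    return d


# Constructed inputs for the demonstration.
NONCE = "c2FtcGxlLW5vbmNl"          # constructed nonce the backend handed to the app
NOW_MS = 1_719_219_701_000          # constructed "now" on the backend


def sample_verdict(device_labels: list[str]) -> dict:
    """Constructed decoded verdict in the documented shape; only the device labels vary."""
    return {
        "requestDetails": {"requestPackageName": EXPECTED_PACKAGE, "nonce": NONCE,
                           "timestampMillis": str(NOW_MS - 1_276)},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                         "packageName": EXPECTED_PACKAGE,
                         "certificateSha256Digest": sorted(EXPECTED_CERT_DIGESTS),
                         "versionCode": "1"},
        "deviceIntegrity": {"deviceRecognitionVerdict": device_labels},
        "accountDetails": {"appLicensingVerdict": "LICENSED"},
    }


CERTIFIED_DEVICE = sample_verdict(
    ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"])
# Assumed shape for GrapheneOS with sandboxed Play Services: app installed from Play,
# so app and licensing checks pass, but no device label because the OS is not certified.
GRAPHENEOS_SANDBOXED_PLAY = sample_verdict([])

if __name__ == "__main__":
    for name, v in [("certified", CERTIFIED_DEVICE), ("grapheneos", GRAPHENEOS_SANDBOXED_PLAY)]:
        print(name, evaluate_verdict(v, NONCE, NOW_MS))
```

The split this makes visible is the argument for the hardware attestation route: the "legitimate binary" and "installed from Play" goals are answered by `appIntegrity` and `accountDetails`, which do not depend on the OS being certified, while `deviceRecognitionVerdict` is the one field that does. That is the check a backend would replace with key attestation (verified boot state plus an allowlist of OS signing keys, as the attestation compatibility guide linked later in the thread describes) if it wanted to accept a non-Google OS with a locked bootloader.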
Apathy Does anyone know of a way, to achieve the same as what they set out to do, but via hardware attestation instead?
https://grapheneos.org/articles/attestation-compatibility-guide
Though it is not clear to me why they should require that the app is installed from exactly one app store. Isn't the EU compelling Apple to support multiple app stores?
de0u I believe they're trying to avoid users having a version that's installed from other sources, as that's a dead giveaway for a fake app. I know that there are other legitimate app stores out there, so I'll try to convince them of a whitelist approach instead of only Google Play; the whole thing is pretty ridiculous, since that field can easily be spoofed.
Apathy Thanks. Based on the available evidence, I think this additional information pretty much confirms that they are using Google Play Integrity to check for a Google-certified OS.
The best bet, the way I see it, would be to try to convince them to implement hardware attestation. I have a feeling that making them back down on Play Integrity OS-checks specifically is going to be really hard, considering their very clear public announcement that it is "protecting users". I imagine they would be worried about criticisms regarding backing down on that practice.
I have written them back now, with my arguments, reasoning, and suggested phrasing. Hopefully we'll hear some good news soon, though I sadly doubt it; it is a public entity after all.
I ended up ordering a MitID kodeviser (hard token) Monday evening, it shipped Tuesday, arrived today, and it'll be working from tomorrow :)
Apathy did you ever get a response back from them? I have begun to carry my MitID code authenticator with me, as I fear that the MitID app might just stop working for me.
So a definitive answer, if you received any at all, would be nice.
Does anyone know if there's been an update on this? I am interested in upgrading to a Pixel 9, but losing MitID authentication with my phone kinda sucks, so I might stay with my current phone until my previously activated MitID stops working. Alternatively, does anyone know if transferring Authenticators skips the Play Integrity check?
CutStandard8309 for me it doesn't work at this very moment. It just crashes.
CutStandard8309 I must refer to my workaround in this thread from February 21. Please go read that; this fix still works, making GPS only needed for the initial setup. I use MitID every day on my Pixel 5.
Duckduck That is not a viable solution anymore, as MitID has started using Play Integrity during the activation process, so the presence of Play Services is no longer enough to activate MitID. Old installations of MitID work fine for the time being, but activating a new authenticator is currently not possible.
I have, like @Apathy contacted MitID and suggested that they either start using hardware attestation or allow advanced users to somehow opt out of the Play Integrity checks.
There is a new version of MitID (3.4.2) with a few UI changes. I updated to it and it kept working without any (new) issues.
lbschenkel CONFIRM the same, fingerprint is gone now.