Duckduck I installed MitID on a secondary profile, it does not freeze and I can attempt to do the activation flow.

The flow ends up failing with an error message, as expected. Unfortunately, since this is a secondary profile, I don't get the notifications nor the settings related to Play Integrity so I cannot test what happens if I block it. I don't expect it to work, but it would be interesting to see what the error message is nonetheless...

As my working MitID in the primary profile, I can't/won't mess with it to test that out.

      • fid02

        • Post #317

        lbschenkel Unfortunately, since this is a secondary profile, I don't get the notifications nor the settings related to Play Integrity so I cannot test what happens if I block it.

        I think the notification should work in secondary profiles? At least it works fine in Private Space.

        The settings only appear for the app if Sandboxed Google Play has detected Play Integrity API usage.

            fid02 I know for a fact they use Integrity (they said it themselves from the very beginning), I even see in the logs, but I only get the error from the app and no notification from GOS and the setting does not appear in GOS.

            But this is only during the activation flow, which I'm not going to do in the primary profile as I'll permanently lock myself out.

            I will test some other apps that use Integrity in this same secondary profile to see what happens.

              The plot thickens. I have used the Android Integrity Checker app in the secondary profile and I can see the notification and setting. So I was too fast to assume that the secondary profile was an issue here.

              But no sort of thing shows up with MitID. Therefore it is "lying" when claiming it's checking Integrity, or perhaps it's doing some other ad-hocs checks that fail before getting to the point that does an Integrity check?

              I will try again and pay more attention to the logs. I have tried the "ID scan" flow but I will also try a different flow as well.

              OK, so I have tried again. My problem in the 1st attempt was that I already had 3 authenticators enrolled, which is the limit, so they were not letting me enrol another one (but the error message was a generic error which had no mention of this).

              I removed one of my authenticators and tried again. Now I got the Integrity popup, as expected. I got the error message from the app, as expected. I then tried to block Integrity API but I get the exact same error message. Therefore blocking Integrity does not work as a workaround, unfortunately.

              I checked the logs but nothing useful there. Basically the same thing gets logged if Integrity check fails or it's blocked.

              GOS users remain out of luck and will keep needing the dongle.

                lbschenkel many thanks for your time, knowledge and testing. A bit more advanced that i would be able too.

                Too bad this didnt change anything, i had my hopes up. But also very interesting that the check isnt actually the check they say they do.

                  But also very interesting that the check isnt actually the check they say they do.

                  But it is. Why do you say that?

                    lbschenkel very weird i cannot get past the boot screen. I assume you didnt fickle with the app settings, such as the compabality thing?
                    But as you found out, for now i doesnt make it work either way

                      I assume you didnt fickle with the app settings, such as the compabality thing?

                      I had to, didn't you get the notification? You have to change the default.

                        lbschenkel maybe i misunderstood what the changes are to the gps api then. Anyways, thanks for the clarification

                          We have another app in Denmark that also is using play Integrity API, I'm guessing that is the same as MitID is claiming to use. Or maybe I have misunderstood it. At least when I use Mobil-pay and this Play Integrity API pops up, It is still possibly to use Mobil-pay without any problems.
                          If GOS with Mobil-pay works with play integrity, shouldn't MitID be able to do the same. I have read the whole tread, but itś possible that I have misunderstood something due to my lack of full technical insight :-)

                            toddvarg Play Integrity is a Google API. The app uses it and it will return a result. In GOS the result will be that it passes "basic" integrity, but it fails "strong" integrity. What happens next is up to the app. They might be using this API just to gather information and report back to the server but without really enforcing anything, or they might be happy if it just passes "basic" integrity. Nothing that enforces "strong" integrity will work on GOS as it won't pass. Only devices certified by Google can pass this integrity level.

                                lbschenkel OK, thanks. I didn't know it was different levels of integrity.

                                    13 days later

                                    So coming to graphene about 14 days ago. Been using the mitid token for quite a while prior together with the app.

                                    I am wondering if an already logged in mitid app could be transferred from my old android with apk, meta data and user data and all to have an activated mitid app?

                                    My thoughts are that the app most have some key somewhere that the server somewhere associates to my real identity.

                                    If that key can be transferred then the app should be an active app?

                                    Secondly: is it anywhere remotely possible to install and app from my old android google play store directly onto the new pixel through USB? The app would then use the old android phones OS for activation?

                                    I am thinking something similar to having a remote server license authenticating my access to a local program?

                                    Or am I complete in the dark for some of these things?

                                    Digitaliseringsstyreksen was quit nice and polite in their answer and forwarded my letter of improve to feature request hardware attestation directly instead of play api.

                                    Next up is getting DR to explain this issue with mitID app to truly be able to get more freedom of choice and choose European alternatives if one wants to..........

                                    https://www.dr.dk/nyheder/viden/teknologi/ud-med-google-og-instagram-her-er-de-europaeiske-alternativer

                                    a month later

                                    Just writing this in case someone needs a recent update on this issue. I tried activating MitId both by transferring from another device and by using my passport. None of the methods work. I get the Play Integrity notification and then the error screen. Have ordered the hard token.

                                      toddvarg think you are mixing play integrity and play services. Mobilepay will work with play services enables. Actually Mitid, kørekort and sundhedskort does not require play services, and passes the basic integrity. This means you do not nedd all the google bloat on your phone. But as said, MitID has another (not nedded) check that GOS does not pass.

                                      Mobilepay will only work with alle the google bloat

                                        DjBeau for now, this is the only way. Before we had a workout but they closed it. We hoped the new play integrity stuff here on GOS could make it work, but sadly it did not. We do not expect it to work in the future. But thanks for your testing, was a good idea