lbschenkel

  • I was able to enroll with "OEM unlock" enabled and it worked. I did some authentication operations and confirmed that it works.
  • I rebooted the device without changing anything. Now it shows "Device is rooted" again.
  • Disabled "OEM unlocking". Rebooted. "Device is rooted".
  • Revoked, uninstalled, reinstalled app, re-enrolled (with "OEM unlocking" disabled). It worked.
  • Rebooted. Still works.
  • Enabled "OEM unlocking" to confirm that this is tripping the app. Rebooted. "Device is rooted". Confirmed that this is tripping the app.

I also saw what is happening at server-side, given the information provided in the website. Any time the app trips, it reports to the server which temporarily disables the app. This results in an entry in the activity log, and I also see that the specific installation is under a new section "Temporarily blocked authenticator".

I believe that this explains why it doesn't unblock once I disable "OEM unlocking": the app will not re-activate until the timeout passes. This "temporary block" must only happen once the app is enrolled and linked to a user profile, and that is why other reporters who have just installed it but not enrolled it see the state changing immediately.

Why is this tripping the app now, and not on previous versions of GrapheneOS? Any clue, @strcat? Was the state of "OEM unlock" invisible to apps before, but visible now?

Now I have disabled "OEM unlock", rebooted, and the app is still blocked but I believe it will come back to life once the temporary block expires. I will wait some hours and report what happens.

    OEM unlocking toggle state was always visible to apps. Nothing like that has changed has at all. I think you're wrongly tying this to an OS upgrade when they upgraded their service.

      strcat I understand what you're saying, but at the same time how do you explain all the different reports here of users that installed this very same version of the app on the previous GrapheneOS version, and the app immediately tripping after the OS upgrade? I'm trying to reason based on the evidence presented and on experimentation.

      The reason for why I'm asking for help from the developers is because you're empowered to build a new version that is the same as the previous one (since we can't roll back), and determine beyond any doubt if this is the case or not. Would GrapheneOS run in any kind of virtual machine? Then I could try to do those experiments myself.

          I I hope you figure this out ibschenkel. I had the same issue on a fresh GOS install on a pixel 6 pro, and have now ended up ordering an analog code reader instead of the app - since as you say, you are quite lost as a danish citizen without it - hoping this will work instead.

          Everything else works amazing though, and as a newbie I can say that the GOS team/developers has really outdone themselves.

          /Frank

          lbschenkel

              Frankdux When was this? Before adopting GOS around 1 year ago I did a test an tested all essential apps, including MitID, and it just worked flawlessly. This last update was the very first time that MitID complained.

                  After a new OS update the app again stopped working, this insane!

                    lbschenkel I agree, I have used GOS for over a 6 months and the second update and which is breaking the app.. If this will continue my adventure with GOS will end. Not be able to use this app is equal to not having the INTERNET.

                        Grkrz After a new OS update the app again stopped working

                        What was your OEM unlocking state when it happened?

                        Hypothesis: The MitID app developers in their infinite wisdom might be doing some root checks only when the app sees an OS update / build number change - which could confound your testing, because it would look like the OS update was the cause when it was really just the trigger.

                            Grkrz I agree with you in content but not in tone. Remember that this is a community project, and nobody is trying to break anything — the developers are trying to improve the OS and also having to perpetually catch up with Google regarding GmsCompat (sandboxed Play Services). The problem is that there is this single app which is essential to life in Denmark, and the app is aggressive in its "security" checks. And app compatibility is a thankless job; I am a software developer myself and I know this first hand.

                            That said, it is not a stretch to say that this particular update 'upset' the app in some way that it did not happen before. We have a number of reports there that confirmed it. I am also fairly confident that there is nothing in this update that should have upset the app, but the app has some stupid or buggy check that no longer passes. It would be nice to figure out what exactly it was to see if there is any workaround possible.

                            Unfortunately for us, Denmark is a small country. Were this app essential to life in US or another country of comparable importance, it would be such a deal breaker for any distro that the willingness to make it work (despite its faults) would be different.

                                rustybird I did reinstall the app and it worked for some time and I stopped working after some attempts. Not really sure what to do to make this app work.

                                  rustybird My phone has had "OEM unlocking" enabled ever since I bought it: I installed GOS and left it enabled since I want to eliminate the risk of having a bricked phone that does not boot and I cannot reflash from the bootloader.

                                  I tested MitID with this configuration from day one, it was one of the "must have" apps (out of necessity, not because I like it) that I have verified working before adopting GOS as a daily driver.

                                  I cannot explain why the update triggered the app, just that it happened for me and all the other reports here. Luckily it is still possible to have it with OEM unlocking disabled, which I have resigned myself to do. That is, until they enforce SafetyNet CTS profile checks — then it is game over.

                                  I recommend everyone to have the code dongle as a backup.

                                    lbschenkel Sure you are totally right. If this app doesn't work then this operating system is ussles in my case. The developers can ignore our issue and do not work on, it is there choice and I respect that.
                                    I think it is mitID which is trying to be secure that's why it is breaking. I just simply can't afford to spend every day couple hours on fixing the app if I want to access my bank etc.

                                      The last GOS update was pushed to my device and.... it locked itself again: "device is rooted". This is with 'OEM unlocking' disabled.

                                      That's it, game over. Will need to get used to carry the dongle with me at all times.

                                        It would appear having checked MtID that they are slow on updating the app:

                                        As of April, 2022, the following combinations are supported on mobile phones and tablets:

                                        Google Android 7, 8, 9, 10, 11 and 12 with latest version of Google Chrome, in-app (Custom tabs) or Samsung Browser 14 internet browser.
                                        We cannot guarantee that MitID will work with other operating systems or internet browsers than the ones listed.

                                        Having checked the Play Store listing it also targets SDK 32 (Android 12L).

                                        Latest review:

                                        Nobby Nobs
                                        My phone is NOT rooted and I guarantee it, but since the latest update the MitID app tells me that the device is rooted every time I try to log in, and that logging in has been blocked for an hour. I can assure you the fault is with the app, not my phone. It's worked just fine until I needed to use it this morning, and I have changed or installed nothing new on my phone since the app actually worked. Fix it. EDIT: Now it's blocked my MitID completely. I hate this app so much.

                                        Unless that is one of you then the issue definitely lies with the app not the OS and isnt something that can be mitigated or investigated until they officially update the SDK and advertise support for Android13.

                                        If you can create an issue on the tracker post crash etc with the appropriate bug report, without this it will be difficult to address.

                                        Some tidbits of information that I discovered by experimentation:

                                        • This latest lock-out of the app after today's GOS update happened without tripping server-side: the state is in "good standing" server-side, differently than before. But the app still refuses to work: "device rooted".

                                        • After a clean reinstall and with an un-enrolled app (*), just flipping "exploit protection compatibility mode" was enough to trigger "device rooted". Note that I tried this multiple times and it did not matter what the initial state was: the app did not complain until the switch was flipped. This makes me believe that what is happening is that the app is calculating some "stable" hash from the device state, and tripping when that hash changes because it interprets that as tampering. Maybe the recent kernel security and address randomization improvements (which go above and beyond what Google/AOSP does by default) is actually influencing some ill-implemented device hashing algorithm in MitID. New releases might be causing enough perturbation to trip it, in a way that "regular" Google/AOSP releases don't.

                                        Once I get a new activation code I will try yet another experiment: I am going to leave 'OEM unlocking' disabled and 'Exploit protection compatibility mode' enabled and set it up again, and see if/when it trips again.

                                        (*) Even waiting for 24h was not enough to revert the "temporary deactivation" of the authenticator once it trips; in my experience once you get "device rooted" there's no other recourse and you have to revoke it and start over.

                                        Can I ask where you are all downloading the app from?

                                        Aurora or Play Store? Another user on the Twitter Community had an issue with their bank not working when installed with former but worked with the latter.

                                        One of the Core dev team confirms apps can see what was used to install the app and refuse to work if the source is not whitelisted or recognised.