Another data point:

GOS has once again updated to the latest version (TP1A.221005.002.2022110600) but this time MitID didn't break, and kept working. The combination that seems to be stable is "OEM unlock" disabled and "exploit protection compatibility mode" enabled.

This is on MitID 2.3.4; I deliberately did not update the app because I wanted to check if this problematic version would trip again on a new GOS update.

    After reinstalling the app and setting up the user again, the app worked. I did a test and removed all the Google Play Store services. MitID worked, no issue; NemID did not want to start, saying the app needs Play services etc.
    I restarted the phone and after the reset MitID did not work. "Device is rooted".
    After installing the Play services etc. as it was before, the app still did not work.
    I had to once more reinstall the app to make it work.
    Next day the app worked, but in Aurora I got a Google Play update; I could not make it update, the system did not allow it I think.
    I reinstalled the app and did the same as @lbschenkel. Will see how long it will take till it breaks again.

      2 months later

      lbschenkel I am on the fence on installing GrapheneOS, as I am also a user of the MitID app.
      Is the issue resolved or have you found a workaround?

      lbschenkel Is there any acknowledgement from their development team as to whether that's expected or not, and if they're planning to do anything about it?

      I'm asking because the topic of this app comes up from time to time, so I would like to be able to give as much current information as possible to assist them.

      Their support said the next release (now current) would fix it but nothing changed. Given the reviews on Play Store it seems to be a widespread issue, and they simply don't care.

      Given that they are a government mandated monopoly, it is not like you can choose a competitor's implementation...

        lbschenkel Funnily enough, on an old phone that I use for experimentation (rooted with Magisk) I can fake it enough to make the app work, but on a non-rooted, hardened device like GOS it refuses to work and falsely claims that it is rooted.

          lbschenkel That is starting to sound like Play Integrity API or something of that sort...

          Would you happen to know whether those other reviews are from people not running an alternative OS? If it is a widespread issue with the app in general, I suppose it's expected for it to also not work on GrapheneOS. Likewise, if they're choosing to only let Google certified OSes use the app, that's unfortunate but understandable. There's only something actionable for us here if the app is only broken on GrapheneOS, which isn't sounding like it's the case...

          Very unfortunate for what seems like a very important app to many people, they should really get their act together.

          If it is Play Integrity API, the only realistic option would be to get them to implement this:

          https://grapheneos.org/articles/attestation-compatibility-guide

            matchboxbananasynergy I have no idea, but I think they are not using the integrity API because then the app should refuse to work from the very start.

            Given what I have experienced after a lot of experimentation, I think they are doing some ad-hoc checks client-side together with measurements being sent server-side, and perhaps the server implements heuristics to revoke clients. Given that the app needs network permission to do anything useful (its purpose is to sign incoming auth requests from the server), it is not possible to prevent it from being a victim of server-side shenanigans.

            But it is very possible that the integrity verification is one of the measurements involved. I just don't believe it is the sole one.

            lbschenkel
            Thank you for the update. I use MitID both privately and in my company, so it would be cumbersome to switch permanently to the code display unit.
            Have a great weekend.

            Sorry if the question will sound stupid. Does the app at least work with a profile setup with sandboxed Google Play?

              garret Unfortunately not. Everything being discussed here is with Google Play installed.

              2 months later

              Another update: I decided to give it a new shot and MitID is now working again for me. I have had it set up for 2-3 weeks now without triggering the "rooted" alert, and I'm sure there was at least one OS update in that time frame.

              I'm not getting my hopes up that it will stay working for too long, but maybe the developers improved the detection logic to be more resilient.

                Grkrz @lbschenkel are you using Aurora or Google Play Store? I am wondering if using Aurora for apps like MitID or banking apps is secure?
                I have heard that Aurora might provide outdated apps or that there are other issues with this app.
                Please let me know how you have done it.
                If you use Play Store, do you need to have a Google account to download apps?

                  Grkrz Play Store, and you have to have a Google account.

                  Aurora downloads from Google's servers, so it won't serve you malware (at least not malware that is not already on the Play Store). The issues with Aurora are that (1) it uses a throwaway account from a potentially different country/language/device, which may trigger a download of a version that would not have been served to you otherwise and (2) apps can detect if they have been installed via the Play Store app or from some other one, and act differently.

                  For 99% of the apps Aurora is just fine, but for something as finicky as MitID that stops working for whatever bogus reason I suggest doing things in the most standard/boring way possible; in this way you minimize the chance of the app flagging your installation as being "rooted".