lbschenkel I am on the fence on installing GrapheneOS, as I am also a user of the MitID app.
Is the issue resolved or have you found a workaround?
Status of MitID app
No workaround. The app appears to work, then it stops working and claims that the device is rooted... it might happen minutes or days/weeks later. I have resigned myself to using the dongle.
lbschenkel Is there any acknowledgement from their development team as to whether that's expected or not, and if they're planning to do anything about it?
I'm asking because the topic of this app comes up from time to time, so I would like to be able to give as much current information as possible to assist them.
Their support said the next release (now current) would fix it but nothing changed. Given the reviews on Play Store it seems to be a widespread issue, and they simply don't care.
Given that they are a government-mandated monopoly, it is not like you can choose a competitor's implementation...
lbschenkel Funnily enough, in an old phone that I use for experimentation (rooted with Magisk) I can fake it enough to make the app work, but in a non-rooted, hardened device like GOS it refuses to work and falsely claims that it is rooted.
lbschenkel That is starting to sound like Play Integrity API or something of that sort...
Would you happen to know whether those other reviews are from people not running an alternative OS? If it is a widespread issue with the app in general, I suppose it's expected for it to also not work on GrapheneOS. Likewise, if they're choosing to only let Google certified OSes use the app, that's unfortunate but understandable. There's only something actionable for us here if the app is only broken on GrapheneOS, which isn't sounding like it's the case...
Very unfortunate for what seems like a very important app to many people, they should really get their act together.
If it is Play Integrity API, the only realistic option would be to get them to implement this:
https://grapheneos.org/articles/attestation-compatibility-guide
matchboxbananasynergy I have no idea, but I think they are not using the integrity API because then the app should refuse to work from the very start.
Given what I have experienced after a lot of experimentation, I think they are doing some ad-hoc checks client-side together with measurements being sent server-side, and perhaps the server implements heuristics to revoke clients. Given that the app needs network permission to do anything useful (its purpose is to sign incoming auth requests from the server), it is not possible to prevent it from being a victim of server-side shenanigans.
But it is very possible that the integrity verification is one of the measurements involved. I just don't believe it is the sole one.
lbschenkel
Thank you for the update. I use MitID both privately and in my company, so it would be cumbersome to switch permanently to the code display unit.
Have a great weekend.
Sorry if the question will sound stupid. Does the app at least work with a profile setup with sandboxed Google Play?
garret Unfortunately not. Everything being discussed here is with Google Play installed.
Another update: I decided to give it a new shot and MitID is now working again for me. I have it set up for 2-3 weeks now without triggering the "rooted" alert, and I'm sure there was at least one OS update in that time frame.
I'm not getting my hopes up that it will stay working for too long, but maybe the developers improved the detection logic to be more resilient.
lbschenkel thank you for the update, I will try it also.
Grkrz @lbschenkel are you using Aurora or Google Play Store? I am wondering if using Aurora for apps such as MitID or banking apps is secure?
I have heard that Aurora might provide outdated apps or that there are other issues with this app.
Please let me know how you have done it.
If you use Play Store, do you need to have a Google account to download apps?
Grkrz Play Store, and you have to have a Google account.
Aurora downloads from Google's servers, so it won't serve you malware (at least not malware that is not already on the Play Store). The issues with Aurora are that (1) it uses a throwaway account from a potentially different country/language/device, which may trigger a download of a version that would not have been served to you otherwise and (2) apps can detect if they have been installed via the Play Store app or from some other one, and act differently.
For 99% of the apps Aurora is just fine, but for something as finicky as MitID that stops working for whatever bogus reason I suggest doing things in the most standard/boring way possible, in this way you minimize the chance of the app flagging your installation as being "rooted".
lbschenkel thank you. Done, I will keep you updated when it breaks.
lbschenkel Thank you for the update, do keep us in the loop because we often get questions about whether this app works.
lbschenkel Unfortunately for us, Denmark is a small country. Were this app essential to life in US or another country of comparable importance, it would be such a deal breaker for any distro that the willingness to make it work (despite its faults) would be different.
I'm not sanguine that the U.S. government would leave room for the right outcome to happen (based on living here)--I can easily imagine they would turn on full attestation and then game over. Regardless, here is a wild idea produced by somebody who lives in a large country and has a hopeful fantasy about what might be possible in a small country:
- Find an existing Danish non-profit organization with an interest in Internet privacy.
- Offer to donate one low-end Pixel device per year, plus technical expertise.
- Have the non-profit approach the Danish government and/or the MitID app developers, offering to donate one device per year plus N hours per month of technical expertise. Now it's not two strange people named @Grkrz and @lbschenkel complaining at them about phones running some weird OS they've never heard of and getting lost in the complaint stream, but instead an official problem report from the official liaisons of the Danish Internet Privacy Alliance (or whatever).
- If that works, explain what you did to somebody in another country. Maybe Estonia? Maybe Germany? If another country can replicate this, great! It will increase the likelihood that Denmark will keep the cooperation going.
- Maybe it will be possible to convince European governments in general that this is the civilized European thing to do (not like those boorish Americans with their giant duopoly tech system). Maybe some influential press organ could do a piece documenting the cooperative software-diversity-tolerating European approach (perhaps after being fed the story idea).
- Then perhaps you have a cousin in Canada who might convince Canada?
- Eventually, if Europe and Canada are doing something sensible, maybe it will be possible for the U.S. to realize it's a sensible thing too.
Just an idea!
Word of warning:
Yesterday MitID got updated to version 3.0.2 (version code 75). Then the app got permanently stuck in the initial blue / logo screen. I was not able to get the app "unstuck" (force stop, rebooting phone, changing permissions). Note that there is no error, no "rooted" message, nothing — the app simply doesn't load.
I thought that something might have gone wrong with the data migration, so I tried revoking the authenticator, uninstalling the app, and installing it again. That didn't solve it. Whatever is wrong has nothing to do with the data; it is a more general app issue.
I recommend that anybody who didn't update yet go to Play Store and disable automatic updates for this app. If you did update, just wait for a new update that might fix the app — uninstalling/wiping won't work and you will need to revoke and set it up again in the future.
I have another, non-GOS backup phone, in which I updated the MitID to this same version. It did not get stuck at the loading screen. I'm theorizing that MitID misbehaviour might be related to either some difference in GOS or being unable to cope with sandboxed Play Services with a reduced set of permissions. I only have granted Play Services the following permissions: Location, Network, Notifications and Sensors.
I used Aurora to manually download version 73 (3.0.1) — 74 was not available. That worked, and the app is not stuck at the loading screen. Whatever broke, it was due to a change in version 75.
Since I need to re-activate my authenticator now, I may try updating to 75 again and check if giving more permissions to Play Services changes anything.
lbschenkel I was about to post that after the update the app stopped working. The same issue as described above.
I tried playing around with 75 and giving more permissions to Play Services and all permissions to MitID. Still stuck.
This is what I'm going to do from now on: I'm going to manually install version 73 via Aurora, and disable automatic updates in Google Play. I will only update to newer versions when I see evidence that the new version works in GrapheneOS.
Maybe we have to find someone who does not have a connection to Denmark (who doesn't care if the app breaks or not) to be our guinea pig and once in a while install the app and report if it shows the welcome screen or if it shows the "rooted" message or does not load at all.
I wish I had another GOS phone for doing these experiments, but Google phones are expensive and I can't afford to have a spare one.