Moderator note: you can find a document detailing which versions of the app work on GrapheneOS here, maintained by @lbschenkel:

https://gist.github.com/lbschenkel/4199be415f2a139b64688ae74c92a7fc


  • Pixel 6
  • GrapheneOS TP1A.221005.002.2022102600
  • MitID version 2.3.4 (version code 55)

MitID is the official authentication app in Denmark. It is used to authenticate against all government services, banks, and other private websites. It is basically indispensable and you cannot do anything digitally in Denmark without it.

I tried to open MitID app today and now it refuses to work and displays the following message:

Device is Rooted.

We have detected that your OS is rooted. Remove root to continue.

The app has been working fine until now. I don't remember when I last used it, but it must have been 4-5 days ago. The problem is that in the last 24 hours both the app and GrapheneOS got updated so I do not know which update resulted in the app stopping working.

Naturally the phone does not have root. Either the app is detecting something else, or it's now enforcing attestation.

Can anybody that has not yet updated GrapheneOS to TP1A.221005.002.2022102600 check if you can install https://play.google.com/store/apps/details?id=dk.mitid.app.android and if it shows the message above when opened? No account needed, all you need is to open the app and wait a few seconds. If you don't see the message above but the welcome screen then the check passed and the regression is in GrapheneOS.

I am really hoping that this is a regression in GrapheneOS (maybe GmsCompat) that can be addressed because if this app no longer works it will be a deal-breaker for me and most users in Denmark.

    Hello Ibschenkel, my setup:

    • Pixel 4a
    • GrapheneOS TP1A.221005.002.2022102300
    • MitID version 2.3.4 (versionCode 55)

    Works normally, meaning I am able to launch the app and I get the "Get started with MitID screen.
    I can tap the Get started button and I get the "Choose how you want to proceed" screen.
    Not being a citizen of Denmark I cannot proceed any further.

      fromTom This is enough. When the app does not like your device, you cannot even see this screen: a "device is rooted" pop-up shows up and overlays the app.

      It looks like, given your report, that it can be a GrapheneOS regression.

        @lbschenkel: I also could easily install MidID and start it. I had to stop, where the Passport should be scannend.

        Pixel 6
        GrapheneOS TP1A.221005.002.2022102300
        MitID version 2.3.4 (versionCode 55)

          Play Services version 22.41.13 (190400-480714934)

          • Pixel 4a

          • GrapheneOS TP1A.221005.002.2022102300

          • MitID version 2.3.4 (versionCode 55) WORKING FINE

          • Play Services version 22.41.13 (190400-480714934), com.google.android.gms versionCode 224113044

          You need to file a bug report with the app developers, not with us. We didn't make any changes in the most recent release which would break an app not doing anything completely unreasonable to stop users from using it via GrapheneOS or another alternate OS. If people who want this app to work want the compatibility issue resolved, they'll need to determine what the problem is and provide a way to work around it without rolling back important security features for everyone else. One way or another, this app was going to break if it doesn't want to run on aftermarket operating systems since they will eventually switch to the Play Integrity API. Nothing we can do about that.

            Toophei8 You should test again with the latest GrapheneOS release. Per the original post, it likely stopped working with 2022102600. It may somehow be incompatible with the kernel lockdown mode, but it's strange for anything to be impacted by that kernel change which is almost entirely an internal change in the OS.

            https://grapheneos.org/releases#2022102600

            strcat I believe that there was a bit of misunderstanding here. I was not stating that changes needed rolling back. What I meant to say is that all evidence points to something new in this release tripping the app. As we cannot roll back the OS, I was hoping that the developers could give a hand in figuring out what exactly tripped the app by quickly trying custom builds with a subset of changes in 2022102600: only with kernel changes, only with GmsCompat changes, etc. in order to narrow it down.

            My intent was to narrow down and find the cause, and then I'm in a better position to have a conversation with the MitID app maintainers (I already contacted them, by the way). Also, depending on what the cause is, it might not be impossible that a per-app compatibility flag could end up being useful. This was already done to work around some buggy apps (games, etc.) which are way less "mission critical" as this particular one.

            And with all honesty, I want to press on this a bit further because in the past I also reported other bugs in which I was immediately brushed off and the issue closed, but the problem ended up being GmsCompat issues that ultimately were addressed.

            Another weird behaviour: sometimes when I force stop the app and run it again, I don't get the "Device is rooted" error but a different pop-up: "There is a problem. Please try again. If you experience the problem again, you can find help at MitID.dk."

            Unfortunately no other information or error code is given. I checked logcat again but I can see nothing that catches my attention: no error, no stack trace, nothing.

            If I disable and enable the app I get either the "rooted" or the "there is a problem" message, apparently at random. I also saw "there is a problem" for a brief instant, then "device is rooted" showing up and overlaying it.

            This is the logcat of a launch resulting in the "rooted" message:

            10-28 09:01:21.033  1606  1967 I ActivityTaskManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10000000 pkg=dk.mitid.app.android cmp=dk.mitid.app.android/.activity.MainActivity} from uid 1000
            10-28 09:01:21.034  1606  1967 D CompatibilityChangeReporter: Compat change id reported: 194480991; UID 10137; state: ENABLED
            10-28 09:01:21.038  1606  1967 D CompatibilityChangeReporter: Compat change id reported: 174042980; UID 10137; state: DISABLED
            10-28 09:01:21.038  1606  1967 D CompatibilityChangeReporter: Compat change id reported: 184838306; UID 10137; state: DISABLED
            10-28 09:01:21.039  1606  1967 D CompatibilityChangeReporter: Compat change id reported: 185004937; UID 10137; state: DISABLED
            10-28 09:01:21.040  1606  1967 D CompatibilityChangeReporter: Compat change id reported: 205907456; UID 10137; state: DISABLED
            10-28 09:01:21.044  1606  1967 D CompatibilityChangeReporter: Compat change id reported: 194833441; UID 10137; state: DISABLED
            10-28 09:01:21.045  1606  1717 D CompatibilityChangeReporter: Compat change id reported: 135634846; UID 10137; state: DISABLED
            10-28 09:01:21.045  1606  1717 D CompatibilityChangeReporter: Compat change id reported: 177438394; UID 10137; state: DISABLED
            10-28 09:01:21.045  1606  1717 D CompatibilityChangeReporter: Compat change id reported: 135772972; UID 10137; state: DISABLED
            10-28 09:01:21.045  1606  1717 D CompatibilityChangeReporter: Compat change id reported: 135754954; UID 10137; state: ENABLED
            10-28 09:01:21.046  1606  1726 D CompatibilityChangeReporter: Compat change id reported: 143937733; UID 10137; state: ENABLED
            10-28 09:01:21.046  1606  1967 D CompatibilityChangeReporter: Compat change id reported: 168419799; UID 10137; state: DISABLED
            10-28 09:01:21.048  1606  1704 D CoreBackPreview: Window{b99114f u0 Splash Screen dk.mitid.app.android}: Setting back callback OnBackInvokedCallbackInfo{mCallback=android.window.IOnBackInvokedCallback$Stub$Proxy@c0bb5e5, mPriority=0}
            10-28 09:01:21.060  1606  1726 I ActivityManager: Start proc 23106:dk.mitid.app.android/u0a137 for next-top-activity {dk.mitid.app.android/dk.mitid.app.android.activity.MainActivity}
            10-28 09:01:21.060 23106 23106 W Zygote  : Can't access app profile directory: /data_mirror/cur_profiles/0/dk.mitid.app.android
            10-28 09:01:21.068 23106 23106 E tid.app.android: Not starting debugger since process cannot load the jdwp agent.
            10-28 09:01:21.125 23106 23106 D AndroidRuntime: >>>>>> START com.android.internal.os.RuntimeInit uid 10137 <<<<<<
            10-28 09:01:21.126 23106 23106 W tid.app.android: type=1400 audit(0.0:446914): avc: denied { read } for name="u:object_r:odsign_prop:s0" dev="tmpfs" ino=241 scontext=u:r:untrusted_app:s0:c137,c256,c512,c768 tcontext=u:object_r:odsign_prop:s0 tclass=file permissive=0 app=dk.mitid.app.android
            10-28 09:01:21.128 23106 23106 E cutils-trace: Error opening trace file: No such file or directory (2)
            10-28 09:01:21.129 23106 23106 W dk.mitid.app.android: ART APEX data files are untrusted.
            10-28 09:01:21.126 23106 23106 W tid.app.android: type=1400 audit(0.0:446915): avc: denied { getattr } for path="/apex/apex-info-list.xml" dev="tmpfs" ino=67 scontext=u:r:untrusted_app:s0:c137,c256,c512,c768 tcontext=u:object_r:apex_info_file:s0 tclass=file permissive=0 app=dk.mitid.app.android
            10-28 09:01:21.130 23106 23106 W tid.app.android: type=1400 audit(0.0:446916): avc: denied { lock } for path="/system/framework/arm64/boot.art" dev="dm-10" ino=1406 scontext=u:r:untrusted_app:s0:c137,c256,c512,c768 tcontext=u:object_r:system_file:s0 tclass=file permissive=0 app=dk.mitid.app.android
            10-28 09:01:21.130 23106 23106 W tid.app.android: type=1400 audit(0.0:446917): avc: denied { lock } for path="/system/framework/arm64/boot-core-libart.art" dev="dm-10" ino=1358 scontext=u:r:untrusted_app:s0:c137,c256,c512,c768 tcontext=u:object_r:system_file:s0 tclass=file permissive=0 app=dk.mitid.app.android
            10-28 09:01:21.130 23106 23106 W tid.app.android: type=1400 audit(0.0:446918): avc: denied { lock } for path="/system/framework/arm64/boot-okhttp.art" dev="dm-10" ino=1388 scontext=u:r:untrusted_app:s0:c137,c256,c512,c768 tcontext=u:object_r:system_file:s0 tclass=file permissive=0 app=dk.mitid.app.android
            10-28 09:01:21.192 23106 23106 D dk.mitid.app.android: Time zone APEX ICU file found: /apex/com.android.tzdata/etc/icu/icu_tzdata.dat
            10-28 09:01:21.192 23106 23106 D dk.mitid.app.android: I18n APEX ICU file found: /apex/com.android.i18n/etc/icu/icudt70l.dat
            10-28 09:01:21.219 23106 23106 E dk.mitid.app.android: Unable to find pattern file or unable to map it for am
            10-28 09:01:21.237 23106 23106 D CompatibilityChangeReporter: Compat change id reported: 171979766; UID 10137; state: ENABLED
            10-28 09:01:21.260 23106 23106 W dk.mitid.app.android: unable to execute idmap2: Permission denied
            10-28 09:01:21.276 23106 23106 V GraphicsEnvironment: ANGLE Developer option for 'dk.mitid.app.android' set to: 'default'
            10-28 09:01:21.276 23106 23106 V GraphicsEnvironment: ANGLE GameManagerService for dk.mitid.app.android: false
            10-28 09:01:21.556 23106 23106 D CompatibilityChangeReporter: Compat change id reported: 183155436; UID 10137; state: DISABLED
            10-28 09:01:21.557 23106 23106 I FirebaseCrashlytics: Initializing Firebase Crashlytics 18.2.4 for dk.mitid.app.android
            10-28 09:01:21.587  1606  1967 D CompatibilityChangeReporter: Compat change id reported: 161145287; UID 10137; state: DISABLED
            10-28 09:01:21.602 23106 23154 W dk.mitid.app.android: Failed to determine odex file name: Dex location /gmscompat_fd_58 has no extension.
            10-28 09:01:21.602 23106 23154 W ziparchive: Unable to open '/gmscompat_fd_58.dm': No such file or directory
            10-28 09:01:21.641 23106 23187 I FA      :   adb shell setprop debug.firebase.analytics.app dk.mitid.app.android
            10-28 09:01:21.662 23106 23106 D CompatibilityChangeReporter: Compat change id reported: 210923482; UID 10137; state: DISABLED
            10-28 09:01:21.662 23106 23106 D CompatibilityChangeReporter: Compat change id reported: 37756858; UID 10137; state: ENABLED
            10-28 09:01:21.688 23106 23106 D CompatibilityChangeReporter: Compat change id reported: 160794467; UID 10137; state: ENABLED
            10-28 09:01:21.780 23106 23106 D CompatibilityChangeReporter: Compat change id reported: 171228096; UID 10137; state: ENABLED
            10-28 09:01:21.781 23106 23106 E ConstraintLayout: layout_constraintHeight_default="wrap" is deprecated.
            10-28 09:01:21.781 23106 23106 E ConstraintLayout: Use layout_height="WRAP_CONTENT" and layout_constrainedHeight="true" instead.
            10-28 09:01:21.793  1606 17983 D CoreBackPreview: Window{adebde9 u0 dk.mitid.app.android/dk.mitid.app.android.activity.MainActivity}: Setting back callback OnBackInvokedCallbackInfo{mCallback=android.window.IOnBackInvokedCallback$Stub$Proxy@68c032b, mPriority=0}
            10-28 09:01:21.796  1606 17983 D CoreBackPreview: Window{4674121 u0 dk.mitid.app.android/dk.mitid.app.android.activity.MainActivity}: Setting back callback OnBackInvokedCallbackInfo{mCallback=android.window.IOnBackInvokedCallback$Stub$Proxy@845a707, mPriority=0}
            10-28 09:01:21.805 23106 23158 D CompatibilityChangeReporter: Compat change id reported: 194532703; UID 10137; state: DISABLED
            10-28 09:01:21.805  1606 17983 D CompatibilityChangeReporter: Compat change id reported: 194532703; UID 10137; state: DISABLED
            10-28 09:01:21.811 23106 23167 E cutils-trace: Error opening trace file: No such file or directory (2)
            10-28 09:01:21.846  1606  1714 I ActivityTaskManager: Displayed dk.mitid.app.android/.activity.MainActivity: +811ms
            10-28 09:01:21.896  1606  1704 D CompatibilityChangeReporter: Compat change id reported: 214016041; UID 10137; state: DISABLED
            10-28 09:01:22.149  1606  3541 D CoreBackPreview: Window{b99114f u0 Splash Screen dk.mitid.app.android EXITING}: Setting back callback null
            10-28 09:01:22.149  1606  1704 W InputManager-JNI: Input channel object 'b99114f Splash Screen dk.mitid.app.android (client)' was disposed without first being removed with the input manager!
            10-28 09:01:22.863  1606  1967 D CoreBackPreview: Window{adebde9 u0 dk.mitid.app.android/dk.mitid.app.android.activity.MainActivity}: Setting back callback null
            10-28 09:01:22.867  1606  1967 W InputManager-JNI: Input channel object 'adebde9 dk.mitid.app.android/dk.mitid.app.android.activity.MainActivity (client)' was disposed without first being removed with the input manager!
            10-28 09:01:27.222  1606  1919 E ContextHubClientManager: Cannot send message to unregistered client (host endpoint ID = -28638)
            10-28 09:01:27.225  1606  1919 E ContextHubClientManager: Cannot send message to unregistered client (host endpoint ID = -28638)

            grepped by (mitid|10137|compat| E ) (10137 is the UID of the app).

            Actually I noticed this now, which may be relevant:

            10-28 09:04:08.952 23311 23311 W dk.mitid.app.android: unable to execute idmap2: Permission denied
            10-28 09:04:08.952 23311 23311 W OverlayConfig: 'idmap2 create-multiple' failed: no mutable="false" overlays targeting "android" will be loaded

            Also, on every app launch Google Play Services triggers this error:

            10-28 09:04:09.664  2731 23251 W NetworkScheduler: Error inserting flex_time=2452000 job_id=-1 period=4905000 source=16 requires_charging=0 preferred_network_type=1 target_class=com.google.android.gms.measurement.PackageMeasurementTaskService user_id=0 target_package=com.google.android.gms tag=Measurement.PackageMeasurementTaskService.UPLOAD_TASK_TAG task_type=0 required_idleness_state=0 service_kind=0 source_version=224113000 persistence_level=1 preferred_charging_state=1 required_network_type=0 runtime=1666940649661 retry_strategy={"maximum_backoff_seconds":{"3600":0},"initial_backoff_seconds":{"30":0},"retry_policy":{"0":0}} last_runtime=0 [CONTEXT service_id=218 ]
            10-28 09:04:09.664  2731 23251 W NetworkScheduler: android.database.sqlite.SQLiteConstraintException: UNIQUE constraint failed: pending_ops.tag, pending_ops.target_class, pending_ops.target_package, pending_ops.user_id (code 2067 SQLITE_CONSTRAINT_UNIQUE)
            10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at android.database.sqlite.SQLiteConnection.nativeExecuteForLastInsertedRowId(Native Method)
            10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at android.database.sqlite.SQLiteConnection.executeForLastInsertedRowId(SQLiteConnection.java:961)
            10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at android.database.sqlite.SQLiteSession.executeForLastInsertedRowId(SQLiteSession.java:790)
            10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at android.database.sqlite.SQLiteStatement.executeInsert(SQLiteStatement.java:89)
            10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at android.database.sqlite.SQLiteDatabase.insertWithOnConflict(SQLiteDatabase.java:1868)
            10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at android.database.sqlite.SQLiteDatabase.insertOrThrow(SQLiteDatabase.java:1763)
            10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at brdb.g(:com.google.android.gms@224113044@22.41.13 (190400-480714934):52)
            10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at brbu.n(:com.google.android.gms@224113044@22.41.13 (190400-480714934):3)
            10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at brbu.u(:com.google.android.gms@224113044@22.41.13 (190400-480714934):20)
            10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at brbu.h(:com.google.android.gms@224113044@22.41.13 (190400-480714934):3)
            10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at bqxl.run(:com.google.android.gms@224113044@22.41.13 (190400-480714934):9)
            10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at zyr.c(:com.google.android.gms@224113044@22.41.13 (190400-480714934):6)
            10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at zyr.run(:com.google.android.gms@224113044@22.41.13 (190400-480714934):7)
            10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1137)
            10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
            10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at aadw.run(:com.google.android.gms@224113044@22.41.13 (190400-480714934):0)
            10-28 09:04:09.664  2731 23251 W NetworkScheduler: 	at java.lang.Thread.run(Thread.java:1012)

            Hello @lbschenkel,
            this night I received an upgrade to TP1A.221005.002.2022102600.
            Right after an upgrade I tried to run MitID with the same result as you had described - "device is rooted".
            However, a few minutes later I obtained an automatic update of one of Google services app (unfortunatelly I am not sure which one it was) and voila - MitID works fine again.

              fromTom That is very interesting. Do you mind opening "Apps" and reporting the version of GmsCompat and each Google app that you have?

              Mine:

              • GmsCompat config: 13
              • Play Store: 83281810
              • Play Services: 224113044
              • Play Services Framework: 33

                strcat No I don't, both have network permissions enabled: Play Service needs it for notifications, and Play Store needs to download apps.

                The MitID app also has network permissions enabled.

                The same issue here after updating to stable version.!
                "One of your MitID apps is temporarily blocked. "
                Please un-do the changes ,it rather serious issue that this app is not working.

                  Why the OS was pushed to stable if somebody reported a problem?

                  Grkrz I believe that "undo-ing" is a strong statement. I believe that we should have an idea of what started tripping the app first, and then figuring out what can be done about that. It is very likely that the problem is in the app being too aggressive on its checks, and it's tripping on something innocuous. If we can find out what that is, then we have a better chance of complaining to MitID or it might be possible to introduce a workaround in GrapheneOS side (hopefully a per-app switch like the one that already exists).

                  To non-Danish users: it is hard to overstate how essential this app is to daily life. You cannot interact with the government, you cannot open your digital mail (that you are legally required to read), you cannot do any banking with any bank, you cannot pay your bills, you cannot use your card online, you cannot login to a great deal of websites if you are locked out of NemID. Even if you try calling, they want you to prove who you are by using the app. It is like if everything only had Google sign-in and your Google account gets banned. You become a "non-citizen". Naturally none of this is GrapheneOS' fault, but I'm just explaining what the situation is. If no solution is found, GrapheneOS will be a complete non-starter to Danish users. I expect that the potential user base is much larger now because Pixel 7 is being officially sold in Denmark, unlike previous models. (Sweden is in a similar boat: everything requires the use of BankID, and if the app stops working, you become a "non-citizen".)

                  (I have a backup dongle that can be ordered but I guess the majority of users will not put up with it.)