GrapheneOS

Just to clarify, did they specifically blacklist GrapheneOS (and presumably others like LineageOS) that way or did they just whitelist whatever string normal Android uses with everything else not allowed? If the former, it would be very concerning that they go to such lengths to block GOS.

    N1b Revolut is the only company we've seen specifically banning GrapheneOS so far, but some other apps might start working based on the changes we made to work around this.

      Viewpoint0232 They specifically check for ro.build.user / ro.build.host being set to grapheneos which was the arbitrary value we chose for reproducible builds. We've changed them to build-user and build-host. Setting them to arbitrary strings other than grapheneos works fine. It is not because there's any special case for build-user and build-host which are not what the stock Pixel OS or other operating systems use, which varies a lot and has changed over time so it clearly wouldn't be safe to hard-wire checks for them. They aren't doing that but rather specifically banning GrapheneOS. Revolut likely had nothing to do with this themselves. They use several third party SDKs and are likely querying those to check if the device runs an alternate OS, so the detection is based on these poorly made checks by third parties. They aren't using hardware attestation and if they use the Play Integrity API, it isn't enforced by their service beyond basic integrity yet.

        Lopicl great find! I don't use Revolut but this thread has been topping the charts lately and I've been following it. Sounds like this "lead" has resulted in at least a temporary fix! Props to you.

        Thanks grapheneos team for this and others who persevered in solving the problem

          SilverCat38 It's not really solved since they'll likely start enforcing the Play Integrity API device integrity level soon from their service and that will end having any realistic way to work around it long term.

          akc3n Wouldn't it have been better not to publicize this notice outside of here to avoid the "problem" being quickly corrected by the Revolut developers?

          GrapheneOS are there any hints what those 3rd party "security SDKs" are called? Perhaps it is possible to reach out to the company that created it and try to find out why they are blacklisting graphene?


            grapheneos-enthusiast I have it installed on my Pixel 6 and it works. I'm just unable to upload my ID because "the device doesn't meet the security requirements".

            IO version 2.80.0.9
            GrapheneOS 15 build 2025011500

              If anybody's in the Netherlands, this is what I got when complaining to the consumer agency here in the Netherlands about Revolut pulling the same shit:

              Translated

              Thank you for your message. In it, you write that with an Android phone, you can only use Revolut through Google. You want to know if this is allowed. Your question unfortunately falls outside our area of expertise. As a result, we do not have the right knowledge to help you further. We expect you to contact the Dutch Central Bank or the Netherlands Authority for the Financial Markets.

              About De Nederlandsche Bank (DNB)
              DNB is the central bank of the Netherlands. It oversees a safe and reliable payment system. And is the only bank responsible for issuing banknotes. Go to DNB's website for more information and contact.

              About the Netherlands Authority for the Financial Markets (AFM)
              The AFM supervises the behaviour of financial institutions on behalf of the government. And on the products they offer. The AFM makes sure they give you clear and honest information about their products and services. If companies do not comply with the law, the AFM can fine companies. Go to the AFM's website for more information and contact.

              Translated with DeepL.com (free version)

              I will be writing to those agencies linked there and if you're in the Netherlands, please do too. If you're in the EU, you can contact your European Consumer Center and they can help you find the right person/organisation to contact.

              Let's not get steam-rolled by this.

              GrapheneOS Is there any chance to push that temporary fix to Pixel 5a? At least I got the impression this is something I can't simply set by myself. The reason for this request is that I just don't wanna deal with their support in order to transfer out the money I still have on my account.

              Strappazzon thank you but that's exactly the feature I was referring to (sorry that I didn't make it explicit). The app already worked except that feature.

              Also the new OS release is not yet available so it's early to test

              traveller

              From Mastodon:

              https://docs.seon.io/ is one of them. We don't know all of them or which one is directly responsible for specifically banning GrapheneOS but it's a high chance it's that one.

              https://grapheneos.social/@GrapheneOS/113869616034352093

              Also

              It appears to be used to ban using any aftermarket OS in a very poorly done way but we think it's https://www.appsflyer.com/ that's specifically banning GrapheneOS since it's what's getting passed ro.build.user which they seem to check for it being grapheneos. We've worked around all of it for now but Revolut is likely going to adopt more of this nonsense including the Play Integrity API. [...]

              https://grapheneos.social/@GrapheneOS/113874889796086832

              Revolut doesn't run these checks in a userdebug build of the OS. That's potentially why people found it works on certain other operating systems.

                MasterOne
                You can use Wise for fx and international transactions, Trading 212 for stocks, tastytrade if you need options and other derivatives, and Kraken for crypto. Each better than Revolut's mediocre offering.

                I was considering becoming a client of Revolut, but I've discarded it after reading this info.

                Our next release successfully works around their ban on using GrapheneOS.

                We've changed ro.build.host and ro.build.user (the build hostname and username) from grapheneos to other values. Nearly any other values work for those fields. Likely the only ones that are banned are ones consistently used by other aftermarket operating systems at least if they set them to a constant value as we do for reproducible builds. We chose to set them to android-user and r-0123456789abcdef-0123 to match the format currently used for the stock Pixel OS builds, which is specific to Google's build system, and has changed multiple times over the years. Other devices do it differently. We don't expect any more issues from those.

                Revolut also bans having ro.boot.verifiedbootstate set to yellow indicating using an aftermarket OS with the device locked and verified boot enabled. For some reason, they do permit ro.boot.verifiedbootstate being orange which means an unlocked device likely running a modified or aftermarket OS without security intact since at the very least verified boot and attestation are disabled, but likely much more security is lost too. They also don't use their checks on a userdebug build. To handle this, we're using standard infrastructure for setting compatibility values for properties for apps, which we've limited to user installed apps. In the future, we can also use this to match the stock OS build number, build hostname and other values if it ever proves necessary. We could do that proactively before we find apps banning GrapheneOS based on it in case some exist, but they probably don't so we probably won't do it without a known app requiring it.

                It's incredibly strange that Revolut does this kind of nonsense. It's not clear what they're trying to achieve beyond harming GrapheneOS users. They haven't banned having a highly insecure device with no patches for 10 years and haven't even banned having the device unlocked with any aftermarket OS on it. They specifically banned having the device locked with an aftermarket OS or specifically having GrapheneOS. They also specifically banned several other aftermarket operating systems including LineageOS but those don't preserve the standard security model or set an honest security patch level so at least that could be weakly justified. Even that doesn't hold up to scrutiny when they permit a stock OS with no patches for 10 years and clearly unlocked devices. It's a complete joke.
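
Added example, not part of the original posts and not Revolut's or any SDK's code: a Python model of the checks as this thread describes them, run over constructed getprop-style dumps, listing the profiles where the described verdict disagrees with whether verified boot is actually enforced. Function names, profile names and sample values are assumptions; the green/yellow/orange meanings follow Android Verified Boot.

```python
import re

PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

def dump(user, host, build_type, boot_state):
    """Build a constructed `getprop`-style dump (sample data only)."""
    props = {"ro.build.user": user, "ro.build.host": host,
             "ro.build.type": build_type,
             "ro.boot.verifiedbootstate": boot_state}
    return "\n".join(f"[{k}]: [{v}]" for k, v in props.items())

# Constructed device profiles; none is captured from a real device.
PROFILES = {
    "stock_locked": dump("sample-user", "sample-host", "user", "green"),
    "locked_aftermarket_old_ids": dump("grapheneos", "grapheneos", "user", "yellow"),
    "locked_aftermarket_new_ids": dump("android-user", "r-0123456789abcdef-0123", "user", "yellow"),
    "unlocked_modified": dump("sample-user", "sample-host", "user", "orange"),
}

def parse_getprop(text):
    """Parse `[key]: [value]` lines, ignoring anything malformed."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def described_verdict(props):
    """Hypothetical model of the checks as the thread describes them."""
    if props.get("ro.build.type") == "userdebug":
        return "allow"  # thread: checks are not run on userdebug builds
    if "grapheneos" in (props.get("ro.build.user"), props.get("ro.build.host")):
        return "block"
    if props.get("ro.boot.verifiedbootstate") == "yellow":
        return "block"
    return "allow"

def verified_boot_enforced(props):
    """green/yellow: bootloader locked and the OS image is verified."""
    return props.get("ro.boot.verifiedbootstate") in ("green", "yellow")

def mismatches(profiles=PROFILES):
    """Profiles where the described verdict contradicts boot integrity."""
    out = {}
    for name, text in profiles.items():
        props = parse_getprop(text)
        verdict, enforced = described_verdict(props), verified_boot_enforced(props)
        if (verdict == "allow") != enforced:
            out[name] = (verdict, enforced)
    return out
```

Of the four constructed profiles only the stock locked one is classified consistently, and all of these properties are values the OS reports about itself, unlike the hardware attestation the thread says is not in use.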