Does GrapheneOS pass ctsProfileMatch?

Dreadhawk177

Followed the setup instructions for installing Graphene on my new Pixel 6a. It's been 2 weeks of use and my SafetyNet check fails with a cts profile match fail. I've verified that the bootloader is locked. I had developer options enabled at first, but have disabled without any change. Any advice?

qr1

Dreadhawk177

https://grapheneos.org/usage#banking-apps

GrapheneOS passes the basicIntegrity check but isn't certified by Google so it fails the ctsProfileMatch check. Most apps currently only enforce weak software-based attestation which can be bypassed by spoofing what it checks.

matchboxbananasynergy

This is expected. GrapheneOS doesn't pass ctsProfileMatch.

Dreadhawk177

Jeez, Google really does own you nowadays.

matchboxbananasynergy

Dreadhawk177 To be fair, this is something that apps can choose to implement. It's not forced on apps.

Furthermore, there's a way for apps to use SafetyNet/Play Integrity API while whitelisting GrapheneOS, as explained here:

https://grapheneos.org/articles/attestation-compatibility-guide