Vipps (Norwegian banking app)

DeletedUser370

Ok, yesterday Vipps displayed the message about my device being rooted. Previously I just got a generic error message. That was after I reinstalled Vipps yet again, then activated the app with BankID, then unlocked the app several times with fingerprint – which successfully worked until after I activated tap to pay successfully, then when I next unlocked the app I received the root message and was unable to proceed. I "rebooted" the profile (ended the session) several times to see if the message went away. It was slightly interesting that Vipps did not call the Play Integrity API during the unlock attempts where it displayed the root message, but upon successful unlock attempts it definitely does (although it could've just performed this check once and then flagged my install permanently without relying on a new check).

I'm not entirely convinced that Vipps is simply using Play Integrity to ban non-GMS licensed OSs. It's well known that some banking apps check for specific configs as part of fraud prevention attempts. I'm trying to experiment with various setups to see if there's any specific device configurations that Vipps is checking for.

This was my setup when Vipps gave me the message about root:

Vipps installed with Play Store in Owner
Vipps was pushed to a secondary profile using the "Install available apps" feature
Vipps was marked as having been installed from Play Store in the secondary profile
The secondary profile had Play services installed before I pushed the app to it
OEM unlocking was disabled
Developer options were disabled
Exploit protection compatibility mode was disabled
Secure app spawning was enabled
I activated Vipps' biometrics feature

Naturally, my device isn't rooted.

I'm now testing Vipps in the owner profile to see if I can trigger the root message from there. I installed it yesterday evening and have been testing the unlock feature since then.

Current testing environment:

Owner profile
Vipps installed from Play Store
Exploit protection compatibility mode disabled
Secure app spawning disabled
OEM unlocking disabled
Developer options disabled
Vipps' Biometrics feature enabled

So far so good. I have activated tap to pay successfully. I have also transferred money without issues. I have unlocked the app several times without issues. I have rebooted the device several times.

People have reported that the message appears after some time, so it's not clear what specifically should be done to try to replicate this quickly. But one way to quickly trigger Play Integrity usage is to disable and then re-enable Vipps' Biometrics feature. It users the the API every time it triggers biometrics unlock.

Vipps version 8.24.1
Pixel 6a

Gratis

other8026
After giving up on the older versions (same issue, likely server-side like fld02 said) I begrudgingly tested out by using the legit Google Play Store yesterday. I uninstalled the Aurora version, re-installed from GPS and that's it. All default settings on the app in terms of compatibility and such.

It has worked for about a day now without issues.

So yes, it has to do with Play Integrity and likely in combination with some kind of server-side setting they enabled is my guess, as when installed from the GPS it works perfectly fine (at least for now, hopefully I didn't jinx it).

Also fantastic report by DeletedUser370

As for my settings:

No extra profiles, just the owner
Installed from Play Store
Compatibility disabled, everything default
Secure app spawning enabled
OEM unlock disabled
Developer options enabled
Fingerprint in Vipps enabled.

I'd love to rant about how Google Play Store enforcement, Google accounts and Play Integrity makes my blood boil, but this is a privacy focused OS and forum so I'd be preaching to the choir.

I'll do an experiment tomorrow if the app still works in GPS, by re-installing the Aurora version and see if it goes haywire again. Most likely it will. Very frustrating that they had to go this way with an app that is almost required in Norwegian society.

DeletedUser370

To add to my previous report (DeletedUser370 ), earlier today I enabled secure app spawning again (but did not reinstall Vipps), rebooted, and tested the app throughout the day without encountering issues. I unlocked the app several times, deactivated and reactivated the biometrics feature, deactivated and reactivated tap to pay and used it in two stores, worked fine. So that's promising.

Next I'll reinstall and activate the app with secure app spawning enabled during activation to see if that will cause Vipps to act up or not.

DeletedUser370

Gratis I've never installed it from Aurora Store. But have always used it from a secondary profile, until now.

Quantum

My vipps is working fine(8.23.0). In a secondary profile with Google services and all that. All of the google stuff doesn't have any permissions though. I'm only using a pin in Vipps, no tap to pay either. Developer options on. Every setting is restricted for Vipps also. Vipps is installed through Aurora.

OsnapViking

My Vipps app also stopped working 8 days ago, and my experience is exactly as described in the thread. So I guess we are a few that are seeing the same thing. In my case it has worked flawlessly since i started using GOS about 2 years ago. Until now. I have always had it installed through the Aurora Store, with sandboxed G Play Services running, and without issues. The error message that started to appear on the app logon page has been "Something went wrong. Please try again later", and has today changed to "Security check failed. Vipps can't be used on a 'rooted' device." I've tried all the usual tricks, but it refuses to start. It's v 8.24.1 now but it was the same thing on the previous two versions. It's running under my standard/first profile and always has. I managed to get it to run temporarily by deleting and reinstalling the app (5 days ago), and once i was in it worked as normal. Once i closed the app, it was back to refusing to start. It's the only app that behaves like this. A similar security sensitive app (the BankID app) is running normally.

DeletedUser370

DeletedUser370 Next I'll reinstall and activate the app with secure app spawning enabled during activation to see if that will cause Vipps to act up or not.

So I did this yesterday, and Vipps has worked fine since then, including unlocking the app several times with biometrics and using tap to pay in a store. So it doesn't look like it's reacting to secure app spawning.

It looks like the combination of Owner profile + installed from Play Store is a combination that Vipps deems acceptable. I'm trying out Vipps in a secondary profile on stock PixelOS right now to see if it's reacting to being used in a secondary profile generally, but so far unlocking the app has worked fine.

OsnapViking Are you able to try installing Vipps in the owner profile using Play Store and see if it successfully works? It seems like that's a combo it considers acceptable.

DeletedUser370

The differing reports are a bit confusing. It might help to know whether the people who are getting the root message had recently (let's say within a couple of days of the message appearing) installed/reinstalled and activated the app.

Quantum

DeletedUser370 No messages popping up. I'm just trying to use Vipps, Google services and Aurora in a simple and strict way.

DeletedUser370

Quantum No messages popping up.

Ok, but did you recently reinstall the app or not? If it only occurs for people who recently installed and activated it then we'll be able to distinguish between the various reports.

Quantum

DeletedUser370 I've had it for a long time.

Quantum

DeletedUser370 Is secure app spawning not on by default?

OsnapViking

DeletedUser370 Thanks for your effort and extensive investigation on this. I have tried to look a bit deeper into this myself (but I am faaaar from an expert...). To me it appears that something has changed either on either on the GOS side (which I doubt) or with the Vipps app (which I suspect). I've tried to look at Vipps' GitHub page to look to see if anything has happened in relation to things like the GPS 'ctsProfileMatch' code check which I think GOS will fail, or similar security or "genuine Android" checks, but haven't been able to find anything useful. Though I don't really know how to navigate around in GitHub, and the chances that source code commits and comments would be in the open repositories are slim...

If I understand you correctly @DeletedUser370 , your Vipps is working now, but you have installed it directly (as in logged into) the Google Play Store directly (+Owner profile) - is that correct?
I am very reluctant to using the Play Store directly on my phone, so I will investigate some more before I try that.

I have however, reinstalled Vipps again about 20 mins ago, and it is working fine so far, including with force stop and respawning. I haven't changed any settings or toggles in GOS, and the reinstalls I have tried are with both code only and fingerprint biometric as well, both worked. But I don't have high hopes that it will stay that way for long. The last time i tried the reinstall, it worked for a while too, then went into the 'rooted phone' error message. (My previous post was a little imprecise, it didn't immediately go into lock - I used it 2-3 times during the course of around one hour. When I used it again later that day, it was back to the 'rooted phone' error message. My apologies for remembering incorrectly).

Apart from that, this is how I remember it:
i started seeing the 'Something went wrong' message on v8.22.0 or v8.23.0. The 'rooted phone' error started appearing after i had 8.24.1 installed. Phone is Pixel 6a.

Update: Now 45 mins. later Vipps is locked again with the same rooted phone error message...yup...

DeletedUser370

Quantum Is secure app spawning not on by default?

Yes, but I disabled it in order to test whether or not Vipps was reacting negatively to it. A few apps are known to do that.

Quantum

OsnapViking You can manually install a previous version in Aurora if you have the version code. I'm using Aurora and it works. Maybe try my setup?

DeletedUser370

Ok, after some more testing I think I can say (with reasonable confidence) that Vipps is banning being used on GrapheneOS when:

Vipps is installed from something other than Play Store
and/or
Vipps is running in a secondary profile

Also:

Vipps is doing these checks shortly after having registered the app with BankID
A reliable way to reproduce this is to register the app, wait the 30 minute grace period, then activate tap to pay and reboot the device (or end the session for the secondary profile)
It affects older app versions as well, so these checks are likely done server-side
Existing installs from before Vipps started doing these checks seem to be spared
Enabling Exploit protection compatibility mode makes no difference
Disabling Exploit protection compatibility mode and disabling secure app spawning and then rebooting makes no difference
Vipps works fine when being run in a secondary profile on stock PixelOS

OsnapViking If I understand you correctly @fid02 , your Vipps is working now, but you have installed it directly (as in logged into) the Google Play Store directly (+Owner profile) - is that correct?

Yes.

DeletedUser370

Quantum You can manually install a previous version in Aurora if you have the version code. I'm using Aurora and it works. Maybe try my setup?

The posts so far indicate that this "root check" only occurs shortly after a recent app activation. You said that you have had Vipps installed for some time (or at least that's how I interpreted your previous reply), so I don't think it's a given that your setup will work for people who are now registering the app again. Actually, I have shown that your setup of registering the app anew in a secondary profile does not work for me. (It shows the root message after some time after registration), even when Vipps is installed from Play Store.

Also, other people in this thread have shown that installing previous versions of Vipps does not solve the problem.

Quantum

DeletedUser370 My bad then. Guess I'll update if my "old" setup stops working just so people can see if its affecting more and more people. I've not updated the app to the newest version yet though, I'll hold off doing that for a while I think.

DeletedUser370

DeletedUser370 Ok, after some more testing I think I can say (with reasonable confidence) that Vipps is banning being used on GrapheneOS when:

Vipps is installed from something other than Play Store
and/or
Vipps is running in a secondary profile

Actually, that last bullet point seems to not be the case.

After some assistance from @other8026 I found that Vipps does work successfully for me in a secondary profile as long as it's both installed from Play Store in that profile and you stay signed in to a Google account in Play during activation of Vipps and possibly every time it contacts the Play Integrity API.

Neither GrapheneOS nor stock PixelOS meets the basic integrity check by Play Integrity unless I'm signed in to Play in the profile where the check is performed, so Vipps does not work successfully for me on stock PixelOS either unless I sign in to Play.

It would be nice if the people who got the root message could (if you want to, of course) reinstall Vipps from Play Store and stay signed in to Play Store and report back whether this works or not.

It seems that Vipps can no longer work successfully when installed from Aurora, on GrapheneOS and stock PixelOS.

p-marg

I have no issues with my new Pixel 9a running GrapheneOS. I can log in, and the app functions without any issues. Additionally, I have been regularly sharing the attestation compatibility article with them every few months!

Edit: I have google play installed, and downloaded Vipps from google play, memory tagging is enabled, native code debugging is blocked, WebView JIT is disabled, and Dynamic code loading via memory and storage is restricted!

« Previous Page Next Page »