App thinks phone is rooted

haQ

One of my 2FA apps for citizen/government related stuff (not for work), AGOV, stopped working after the last update. It says: "Your device is rooted. Rooted devices are not supported by this application for security reasons".

I'm not an Android expert, but I thought GrapheneOS doesn't require a rooted phone? What happened since the last update, and does anyone have an idea how I can fix this? I already un- and reinstalled the app.

matchboxbananasynergy

GrapheneOS is not rooted, the app is simply wrong and is throwing a generic error message.

Things you can try:

Enable exploit protection compatibility mode for the app.
If number 1 doesn't work, disable exploit protection compatibility mode again, and then disable secure app spawning, reboot your phone, and try the app again.

The app could be simply disallowing all non-stock OSes, in which case neither of the above will do anything, but they're worth a try. One thing I can say for sure is that they have horrible error reporting, as GrapheneOS does not involve root.

DeletedUser370

matchboxbananasynergy If number 1 doesn't work, disable exploit protection compatibility mode again, and then disable secure app spawning, reboot your phone, and try the app again.

This was what made the root message go away when I tested this.

haQ

matchboxbananasynergy

Thank you for the quick reply, sadly only point 2 worked. Thankfully I only need the app a few times per year, so I might just disable SAS when I need the app.

matchboxbananasynergy

haQ That means that the app is doing misguided checks and thinks your phone is rooted because it detects something is out of the ordinary.

How ironic that the bank's "security feature" requires you to disable a security feature to be able to use the app.

dkn

I am part of the development team of the AGOV app.

Therefore I can confirm that the app shows the rooted error due to a current issue with the root detection on GrapheneOS. I can furthermore confirm that disabling the secure app spawning and rebooting the device solves this issue but should only be considered a workaround as secure app spawning is of course a security feature itself.
We currently do now know the root cause of this but are actively investigating possibilities to allow the AGOV app to work with GrapheneOS whilst keeping the apps security features in place and are confident that a future app version will work on GrapheneOS.

macrosploit

dkn If that is true, I am glad to hear you are investigating this. I ran into this also which was incredibly frustrating given that AGOV is now the only option to use certain government services.

I did find the following quote on this seemingly official page:

The AGOV access app must meet the highest security standards. For this reason, it is blocked from running on rooted devices and in system environments with modified operating systems. Rooted devices can bypass critical security mechanisms and thus pose a potential risk to the integrity of the app and the confidentiality of sensitive user data. Therefore, the use of the app is strictly limited to original Android versions, devices certified by Google, and iOS operating systems.

Being forced to use devices certified by Google or Apple seems problematic, especially in the current political climate. But then again, the government service I tried to access was also behind an unavoidable Cloudflare CAPTCHA, though that is an issue for a different day.

GrapheneOS

dkn Secure spawning changes the initial call stack. The app must be using checks for the initial call stack as a poor way of trying to detect hooking by a modified OS. This is trivial to bypass for anything actually doing that. We plan to eventually modify secure spawning to avoid this kind of incorrect security check triggering.

chinook

macrosploit from the sound of it this developer (dkn) is going to fight for the official support for GrapheneOS, so I wouldn't be surprised if they reworded it to be more accurate :)

I think that the "kind of" a root cause for these issues is, how much GrapheneOS sticks out -- obviously not "certified" and won't be, also modified, but also secure unlike all the other modified/unofficial (and nearly all official) Android flavours.

Development teams and companies just do not really comprehend what the Hardware Attestation can ensure and why it works for GOS, which is quite saddening knowing they're already subject to policies like SElinux, GPOs, hardening in general, so they should understand that the default state of affairs is pretty crap.

But I think that it's getting better, not worse.

dkn

chinook

Yes I can confirm that we are "fighting" for GrapheneOS support and I'm somewhat confident that it'll materialise in the near future. But this applies for GrapheneOS only, a lot of other open source Android OS exist "out there" and most of them cannot be considered to be secure.

DeletedUser588

dkn I think most of this community would agree with the last part of your comment, most other "secure" OS's aren't very secure. I'll add that it's really nice to see this kind of collaboration and initiative, we appreciate your mindset.

alti4

dkn Do you have an update regarding compatibility of AGOV with GrapheneOS? I still have to disable "secure app spawning" to be able to use the application

NetRunner88

Give dkn a salary raise !

Watermelon

alti4 I still have to disable "secure app spawning" to be able to use the application

In the recent months/weeks, I've seen posts from the GrapheneOS project account saying they want to change the secure app spawning feature to mimic Android, so these buggy apps would stop complaining about it. They're very busy though with important unpredicted stuff, they commented about it recently:
https://discuss.grapheneos.org/d/27068-grapheneos-security-preview-releases/93
It seems that maybe things are going a bit faster now, judging by the recent OS updates with lots of improvements. But you'll have to be patient, I guess.

alti4

Watermelon Thank you for your answer. My question was rather directed to the devs of AGOV, because they said back in August 25 that they are investigating possibilities to make AGOV work (as alot of other apps work without problems even with secure app spawning enabled, it should be possible).

helicoptangerine

I sometimes wonder whether the recurring "this app needs to be very secure" argument these kind of apps push is less about applying the strongest security practices, and more about risk transfer and accountability.

From a public-sector sponsor’s perspective, relying exclusively on mainstream platforms (Google-certified Android / Apple iOS) would make post-incident narratives much simpler: if something goes wrong, responsibility can be deflected toward a large, industry-standard tech and/or vendor.

By contrast, supporting a hardened but non-mainstream OS like GrapheneOS removes that safety net. Any vulnerability would be surgically analysed in depth by a technically competent community, and shortcomings in the app’s own design or implementation would likely be identified very quickly, leaving far less room for external finger-pointing... particularly when the response is likely to come in the now famous GrapheneOS form of a blunt, evidence-based technical breakdown rather than a carefully worded public-sector damage-control communiqué.

IMHO, "security" here may be conflated with institutional defensibility, not necessarily with objective technical robustness.

Fingers crossed though that internal AGOV lobbying from technical experts conveys courage to Leadership.

Plethora9278

Hi all - +1 here supporting @dkn way of addressing this issue. Thanks already!

Plethora9278

Hi all
AGOV replied to my support request as follows:

_Unsere Nachforschungen haben ergeben, dass das Betriebssystem auf Ihrem Smartphone (GrapheneOS) derzeit nicht den von der App geforderten Sicherheitsstandards entspricht.

Die Access-App prüft das Betriebssystem auf Vertrauenswürdigkeit und verwendet dazu eigene Algorithmen, die nicht offengelegt werden. Mit anderen Worten: Wenn die App entscheidet, auf Ihrem Smartphone nicht zu funktionieren, gibt es für den Benutzer keine Möglichkeit, dies zu umgehen. Sie müssen einen anderen Loginfaktor registrieren (z. B. ein anderes Smartphone, ein Tablet oder einen FIDO-Key).

Wenn Sie AGOV weiterhin nutzen möchten, stehen Ihnen folgende Alternativen zur Verfügung:

Ein Tablet oder Smartphone mit iOS oder einem zugelassenen Android-Betriebssystem
Ein Sicherheitsschlüssel, z. B. https://agov.token2.ch/
Link zur Liste der unterstützten Sicherheitsschlüssel: Sicherheitsschlüssel
Nicht unterstützt: Ein Windows 11 Computer/Laptop mit Windows Hello (hardwarebasiert)

Wir bedauern die eingeschränkten Möglichkeiten und hoffen dennoch, dass Sie eine für Sie gangbare Lösung finden._

No reference nor indication that they're working on solving this issue. Can we get an update here from @dkn eventually? Thanks!

shiaido

The same problem occurs with Austrias Government-App "ID-Austria". Neither Step1 nor Step2 helps, the app is always "detecting" root. I am using Yubikey because of this.

Drimagon

shiaido
ID-Austria is running on my device (P9 Pro) without any issues. I don't need to enable Exploit Protection.
Installed it through owner and pushed it to secondary user without GPS.

It worked even with the old app but it detected the false positive root. But you could just "accept the risk".

shiaido

Drimagon
Thanks to your answer I tried again and reinstalled it. It detects root again, but now there was the Button "auf eigene Gefahr fortfahren" = "Proceed at your own risk" and registration was possible.
Thank you!