App thinks phone is rooted

haQ

One of my 2FA apps for citizen/government related stuff (not for work), AGOV, stopped working after the last update. It says: "Your device is rooted. Rooted devices are not supported by this application for security reasons".

I'm not an Android expert, but I thought GrapheneOS doesn't require a rooted phone? What happened since the last update, and does anyone have an idea how I can fix this? I already un- and reinstalled the app.

matchboxbananasynergy

GrapheneOS is not rooted, the app is simply wrong and is throwing a generic error message.

Things you can try:

Enable exploit protection compatibility mode for the app.
If number 1 doesn't work, disable exploit protection compatibility mode again, and then disable secure app spawning, reboot your phone, and try the app again.

The app could be simply disallowing all non-stock OSes, in which case neither of the above will do anything, but they're worth a try. One thing I can say for sure is that they have horrible error reporting, as GrapheneOS does not involve root.

DeletedUser370

matchboxbananasynergy If number 1 doesn't work, disable exploit protection compatibility mode again, and then disable secure app spawning, reboot your phone, and try the app again.

This was what made the root message go away when I tested this.

haQ

matchboxbananasynergy

Thank you for the quick reply, sadly only point 2 worked. Thankfully I only need the app a few times per year, so I might just disable SAS when I need the app.

matchboxbananasynergy

haQ That means that the app is doing misguided checks and thinks your phone is rooted because it detects something is out of the ordinary.

How ironic that the bank's "security feature" requires you to disable a security feature to be able to use the app.

dkn

I am part of the development team of the AGOV app.

Therefore I can confirm that the app shows the rooted error due to a current issue with the root detection on GrapheneOS. I can furthermore confirm that disabling the secure app spawning and rebooting the device solves this issue but should only be considered a workaround as secure app spawning is of course a security feature itself.
We currently do now know the root cause of this but are actively investigating possibilities to allow the AGOV app to work with GrapheneOS whilst keeping the apps security features in place and are confident that a future app version will work on GrapheneOS.

macrosploit

dkn If that is true, I am glad to hear you are investigating this. I ran into this also which was incredibly frustrating given that AGOV is now the only option to use certain government services.

I did find the following quote on this seemingly official page:

The AGOV access app must meet the highest security standards. For this reason, it is blocked from running on rooted devices and in system environments with modified operating systems. Rooted devices can bypass critical security mechanisms and thus pose a potential risk to the integrity of the app and the confidentiality of sensitive user data. Therefore, the use of the app is strictly limited to original Android versions, devices certified by Google, and iOS operating systems.

Being forced to use devices certified by Google or Apple seems problematic, especially in the current political climate. But then again, the government service I tried to access was also behind an unavoidable Cloudflare CAPTCHA, though that is an issue for a different day.

GrapheneOS

dkn Secure spawning changes the initial call stack. The app must be using checks for the initial call stack as a poor way of trying to detect hooking by a modified OS. This is trivial to bypass for anything actually doing that. We plan to eventually modify secure spawning to avoid this kind of incorrect security check triggering.

chinook

macrosploit from the sound of it this developer (dkn) is going to fight for the official support for GrapheneOS, so I wouldn't be surprised if they reworded it to be more accurate :)

I think that the "kind of" a root cause for these issues is, how much GrapheneOS sticks out -- obviously not "certified" and won't be, also modified, but also secure unlike all the other modified/unofficial (and nearly all official) Android flavours.

Development teams and companies just do not really comprehend what the Hardware Attestation can ensure and why it works for GOS, which is quite saddening knowing they're already subject to policies like SElinux, GPOs, hardening in general, so they should understand that the default state of affairs is pretty crap.

But I think that it's getting better, not worse.

dkn

chinook

Yes I can confirm that we are "fighting" for GrapheneOS support and I'm somewhat confident that it'll materialise in the near future. But this applies for GrapheneOS only, a lot of other open source Android OS exist "out there" and most of them cannot be considered to be secure.

Byteang3l

dkn I think most of this community would agree with the last part of your comment, most other "secure" OS's aren't very secure. I'll add that it's really nice to see this kind of collaboration and initiative, we appreciate your mindset.

NetRunner88

Give dkn a salary raise !