True Money Banking App - Thailand - Works

curiousexplorer2

True Money (TrueMoney) Thailand works on GOS with exploit compatibility mode enabled. Note! I couldn't get it to work on the owner profile because it detected a "harmful app" / "unsafe app" and refused to run (After it got funded). Installing TrueMoney into its own user profile with no other apps resolved this issue.

Secure App Spawning ON
Exploit compatibility mode ON
Dedicated User Profile

I can't make a github account, if someone wants to tell the privsec guys about this report, I'd appreciate it: https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/

Since the bangkok bank mobile app has recently totally stopped working, I needed to find a QR prompt pay way to pay... hence my exploration of True Money

@akc3n

Markdown template for non-GitHub users. Contact with completed form:
- [@akc3n:grapheneos.org](https://matrix.to/#/@akc3n:grapheneos.org) | https://akc3n.page | https://privsec.dev/about#akc3n

##  Usage

Items with an asterisk are required to fill, i,e., *
To mark an item add x between [], e.g., - [x]

Answer questions by replacing placeholder examples after >
E.G., > BMO Mobile Banking must be replace with yours > Your Banks App Name


##  Is there an existing issue for this? `*`
There is not a issue for this. 

Please search to see if an issue already exists to avoid creating duplicates.
- [X] I have searched the existing issues

## App name `*`

What is the banking app called?
> BMO Mobile Banking

True Money Wallet 
## Link to app `*`

Paste the download link (Play Store preferably) or tell us where to get the app if possible
> https://play.google.com/store/apps/details?id=com.bmo.mobile
https://play.google.com/store/apps/details?id=th.co.truemoney.wallet
## App version `*`

What version of the app did you test it with?  
`Settings` ➔ `Apps` ➔ `<App_name>` ➔ `Version`  
> v1.3.3.7
v5.72.0
## Country of the app `*`

Specify what country the app is for (it is assumed you're using it in the same country here)
> Canada
Thailand
## Build number `*`

What version of GrapheneOS are you currently using?  
`Settings` ➔ `About phone` ➔ `Build number`  
> TP1A.221105.002.2022111000
2025102601
## Device list `*`

Which Pixel(s) have you tested this with? (Mark one or multiple)
- [] Pixel 8 Pro
- [] Pixel 8
- [] Pixel Fold
- [] Pixel Tablet
- [X] Pixel 7a
- [] Pixel 7 Pro
- [] Pixel 7
- [] Pixel 6a
- [] Pixel 6 Pro
- [] Pixel 6
- [] Pixel 5a
- [] Pixel 5 (EOL/ESR)
- [] Pixel 4a5g (EOL/ESR)
- [] Pixel 4a (EOL/ESR)
- [] Pixel 4 XL (EOL/ESR)
- [] Pixel 4 (EOL/ESR)
- [] Pixel 3a XL (Obsolete)
- [] Pixel 3a (Obsolete)
- [] Pixel 3 XL (Obsolete)
- [] Pixel 3 (Obsolete)

Pixel 7a
## Profile app tested in? `*`

Which user profile was this test on? (Mark one or multiple)
- [] Owner profile
- [X] Secondary profile(s)
- [X] Work profile (Add details in extra notes below, i.e., device manager app name)
Works in secondary profile with nothing else installed, does not work in work profile with many other things installed. 
## Google Play installed? `*`

Do you have Google Play installed in the profile you tested in?
- [] Installed
- [X] Not installed
Google pay was not installed in the secondary profile for the app to work
### Where did you install this app from? `*`

Select your banking app installation method.
- [X] Google Play Store
- [] Aurora Store
- [] Other (extra notes below)
Installed from the googe play store. 
### Google Play services Network permission revoked?

If you have Google Play installed, was the Network permission for Google Play services revoked?
- [] Revoked
- [X] Not revoked
- [] I did not have Google Play services installed
Google play network permissions not revoked
### Native code debugging

Was [native code debugging](https://grapheneos.org/usage#banking-apps) enabled or disabled during the testing?  
`Owner Profile` ➔ `Settings` ➔ `Security` ➔ `Enable native code debugging`  

- [X] Allowed
- [] Blocked
Yes, Native code debugging was allowed. 
### Exploit protection compatibility mode

Was per-app [exploit protection compatibility mode](https://grapheneos.org/usage#bugs-uncovered-by-security-features) enabled or disabled during the testing?  
`Settings` ➔ `Apps` ➔ `<App_name>` ➔ `Advanced` ➔ `Exploit protection compatibility mode`  

- [X] Enabled
- [] Disabled
App ONLY works with exploit protection compatibility mode
## Stock OS compatibility

Does this app work on stock OS?
- [X] Works
- [] Does not work
- [] Not tested

## NFC Payments

Does this app allow NFC payments?
- [] Works
- [] Works, but requires another service
- [] Does not work
- [X] N/A (Not supported by app)
- [] Not tested

## Description of the app's functionality  

What happens when you use the app? What tasks do work and don't work? What is the expected outcome of each thing you do? Did you test any other configurations and setups? Please mention all the steps to reproduce any issues. Do not leave out any information.

Tip: You can attach images by clicking this area to highlight it and then dragging files in.

Can send and receive standard Thai banking QR code prompt pay funds. App needs to be setup without a VPN, but once registered it does work with a VPN. 

> Please either write a short description if you feel there is something significant that must be included, or `All features and options work as expected` or optionally mark the items below. Up to you.

> Example:
> - [x] Login / Registration
> - [x] Verification Code
>    + [] SMS  
>    + [x] E-mail
>    + [x] Phone 
> - [] Biometrics
> - [] Deposit a Cheque
> - [x] Alerts
Everything works as expected. 
> Note: you can just leave this empty as well and simply write "Works"

## Are there any extra notes you think users should know about?

Did you do any workarounds other users should know that aren't listed here?
Tip: You can attach images by clicking this area to highlight it and then dragging files in.



> If you marked the Work profile item under the Profile app tested in section above, please provide specific name of the device management app used, e.g., Shelter, Insular, etc.

### ADB logcat of the app if necessary

If you have any logs that come up that the app is creating relevant to anything mentioned like app crashes, SafetyNet, etc, please send a GitHub Gist of them. Do not send a bug report ZIP to us. They may expose sensitive information. If you wish to send a bug report ZIP, please do so directly to a GrapheneOS project member or developer.

Tip: You can attach images by clicking this area to highlight it and then dragging files in.

> Note: this is just a random copy and paste filler below as an example. Insert your logcat data between the codeblock below or include logcat file when submitting your banking app report via contact info located at beginning of this file.

spring-onion

Hey, thank you for the report!

https://github.com/PrivSec-dev/banking-apps-compat-report/issues/784

There's a few questions missing because we haven't updated the standalone template yet, please fill me in on the following points:

Dynamic code loading via storage
Dynamic code loading via memory
Does this app use the play integrity api?

curiousexplorer2

spring-onion

DCL Storage - Allowed because of Compatibility mode
DCL Memory - Allowed because of Compatibility mode

Does this app use the play integrity api? It tries to, but installed in a profile with no google play services it still works.

Please note - The app refuses to run if it can see other apps it doesn't like (I'm not sure which) but it HAD to be installed isolated in its own profile. I haven't figured it out, but maybe fdroid/google translate with accessibility features