I can't fully switch to GrapheneOS and recommend it to people around me

Niwoboy

So almost everyone where I live uses Smart-ID which is an authentication app for banking and it doesn't work on GrapheneOS not only that but Google Wallet and some other banking or not banking apps don't work too. The reason why they don't work is because GrapheneOS doesn't pass the cts profile check.

But most of the custom ROMs that I have used over the years such as LineageOS didn't pass this check too so the solution was to use a Magisk module that fixes that, pretty straightforward right? NO!

GrapheneOS is the only OS that I used in my life that I can't do banking on regardless if I have root or not and I couldn't find a way to make it work.

This leads me to the problem that every time I want to recommend GrapheneOS to someone I remember that they will not be able to do their banking, use Google Wallet, or do anything that requires passing a cts profile check.

Another thing that isn't related but I think GrapheneOS could easily do is to make 5G work for everyone. Google Pixel hasn't enabled 5G in a lot of countries but it can be enabled with a few clicks if your phone is rooted. This makes me wonder how hard it is to make 5G work on GrapheneOS. If that was implemented it would be a huge selling point for GrapheneOS. I suffered with 4G on my Pixel with 4Mb/s speeds or even lower on peak hours and when I enabled 5G with the help of root I now enjoy 400+Mb/s speeds even at peak hours.

dc32f0cfe84def651e0e

Niwoboy Smart-ID is not the only authentication type: https://www.swedbank.lv/private/d2d/ebanking/authentication?language=ENG

treequell

Niwoboy So almost everyone where I live uses Smart-ID which is an authentication app for banking and it doesn't work on GrapheneOS

Other users have reported Smart-ID to be working on GrapheneOS. I suggest reading their comments to help you get the app working.

See: https://discuss.grapheneos.org/d/6552-smart-id-works-well-on-grapheneos

treequell

Hello there, and thanks for your interest in GrapheneOS.

The majority of banking apps do work on GrapheneOS though, as you say, not apps which use Play Integrity API to check device integrity. For some banking apps, you may just need sandboxed Google Play Services installed. For some you might also need to enable native code debugging. If there are any apps in particular you're having issues with, please let us know and we can help troubleshoot them.

GrapheneOS aims to provide private and secure devices with prompt security updates, amongst many other features: https://grapheneos.org/features

LineageOS is not a hardened OS. It substantially reduces security. It even regularly goes months not shipping critical security patches.

Rooting is strongly discouraged since it destroys the Android security model, and is therefore counter to the aims of GrapheneOS.

The number of countries for which 5G can be used on Google Pixel devices is increasing. GrapheneOS has recently "replaced our changes to AOSP APN and CarrierConfig configurations with a GrapheneOS CarrierConfig2 app for easier maintenance, improved MVNO support and support for recently added configuration options".
https://grapheneos.org/releases#:~:text=replace%20our%20changes%20to%20AOSP%20APN%20and%20CarrierConfig%20configurations%20with%20a%20GrapheneOS%20CarrierConfig2%20app%20for%20easier%20maintenance%2C%20improved%20MVNO%20support%20and%20support%20for%20recently%20added%20configuration%20options

[deleted]

In regards to GrapheneOS and banking, please refer to this: https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/

In regards to Google Wallet, please refer to this: https://discuss.grapheneos.org/d/475-wallet-google-pay

In regards to GrapheneOS and rooting, please refer to this: https://discuss.grapheneos.org/d/2275-will-gos-and-root-related-issues

The topics of banking, Google Wallet and rootings have been discussed numerous times on here as well as the GrapheneOS Matrix community rooms. A simple search will provide you with a plethora of knowledgeable information. The GrapheneOS website is also a worthwhile read and highly recommended and suggested.

GrapheneLover

A lot of banks do work on GrapheneOS, some do not though. You can try to play with all of the settings in the phone and seeing if it works or not after trying it, if it still does not work you can always use your bank login as a webapp. I have to do that with some of mine and its not really that frustrating, its doable for the security benefits that Graphene offers.

[deleted]

I suppose a workaround would be to use something like Mobile-ID instead. Despite GOS best efforts to make their OS a daily driver that just works (also happens to be my experience), running it might entail some compromises on the part of its users about which they are upfront about..

As others have chimed in already, rooting counters the aim of the project.

Niwoboy

[deleted] As others have chimed in already, rooting counters the aim of the project.

Well... This is overblown to oblivion, everyone just says the same thing but I actually have found a reasonable reply about rooting and here it is: https://discuss.grapheneos.org/d/6371-how-bad-is-using-my-own-rooted-unofficial-build-of-grapheneos/4

Most people in here act like rooting just eliminates any security and privacy, which is just so overblown and wrong.

treequell

Niwoboy If you decide to root, that's not something we can support you with here. You'd be on your own with that.

Niwoboy

treequell Process of rooting is straightforward, I don't need help with that.

I made this post to to ask for GrapheneOS devs to do something about cts profile checks so people can use their important apps with GrapheneOS. As of now I'm not aware of any possible way to make those apps work on GrapheneOS no matter if its rooted or not and this issue is only with GrapheneOS, there is no such issues with other operating systems, they either come with spoofing or you can pass these checks with a simple Magisk module.

The issue for this has been open on GitHub for quite some time too.

[deleted]

Niwoboy You've been given an answer. I apologize that it's not to your liking but please be respectful of others and the project. Getting upset that the answer is not to your liking is no way to respond.

[deleted]

Niwoboy My understanding is that google needs to act, not GOS devs. Google needs to add GOS to their list of certified OS.

treequell

Niwoboy Spoofing can work for a brief period of time, until it doesn't.

If GrapheneOS were to adopt spoofing of the Integrity checks, and users started using services that relied on that, and then the spoofing were to stop working, that would be hugely problematic.

GrapheneOS does not and will not develop half baked, unreliable solutions, and therefore will never spoof the device integrity checks.

Case in point here is that the SafetyNet Attestation API, which you refer to, is now obselete, and has been replaced by the Play Integrity API.

GrapheneOS woild never be able to meet device integrity based on Google's Play Integrity API, since GrapheneOS is not a Google certified OS.

Google could use the Android hardware attestation API instead, which provides a stronger form of verification, and which GrapheneOS passes: https://grapheneos.org/articles/attestation-compatibility-guide

Graphite

treequell If GrapheneOS were to adopt spoofing of the Integrity checks, and users started using services that relied on that, and then the spoofing were to stop working, that would be hugely problematic.

This already is problematic. Many banking apps stop working after changes. We're playing whack-a-mole here. It'll be nice to have another tool in the toolbox for compatibility, even if it wasn't 100% reliable. Don't let the perfect be the enemy of the good.

de0u

Graphite It'll be nice to have another tool in the toolbox for compatibility, even if it wasn't 100% reliable.

But that "tool" would be guaranteed to work for fewer people over time.

If the GrapheneOS developers were hypothetically to add spoofing, and 53 bank apps started working, but next month 7 of them were updated to use integrity checking instead, what would you say to the affected users? If you'd say "Sorry, your bank decided their app will run only on Google's OS and Samsung's, you'll need to fight with them", that already is true. The bank already decided to run only on stock OSs, and their users should already be complaining to them. And over time more banks will switch their app from the spoofable API to the non-spoofable one. No?

Niwoboy

So I have a Play Integrity API Checker installed on my device, and I pass everything except MEETS_DEVICE_INTEGRITY and MEETS_DEVICE_INTEGRITY: Corresponds to SafetyNet ctsProfileMatch. So that's the only thing that's needed to make all the apps work, so if GrapheneOS would spoof it, all of the apps would work.

Even if spoofing doesn't come with the OS, there is another way to pass on every single OS that I know, and that is by using Magisk and a Magisk module that does the spoofing, but GrapheneOS is the only OS that this module doesn't work on. Me and some other people haven't figured out how to pass this on GrapheneOS, even though it's as easy as one module on other OS's.

The problem is sandboxed Google Play Services: https://github.com/Displax/safetynet-fix/issues/18

That's the main reason why me and a lot of my friends and people that I know wouldn't switch to GrapheneOS.

[deleted]

Niwoboy suit yourself

treequell

Niwoboy

If you require using apps and services that require the phone to pass MEETS_DEVICE_INTEGRITY from the Play Integrity API, then I would suggest using stock Pixel OS.

That said, there are very few apps that require that, and app compatibility as a whole is very good on GrapheneOS.

We've had a chance to make our points, but I don't see how this conversation can proceed further in any productive manner, so I am locking it.