(We have noted in the FAQ that jailbreak and rooting prevent the SwissID app from being compatible)
That's a completely false claim. Rooting does decrease security but does not hinder compatibility on its own. (Not trying to imply that GrapheneOS is rooted by default; it is not.)
Our security filter cannot be changed.
The filter, which detects a rooted device, was approved by the audit exactly as it is and cannot be revised for this reason.
I don't think they (SwissID) are using their own checks, but if they are, that's a really stupid 'security filter'. They should stop using such mechanisms, which are actually harmful and prevent people who bought a device with their own money from utilising it to its full potential.
iyanmv Can anyone give me good technical arguments to support GrapheneOS?
GrapheneOS is a security-focused operating system (OS) which has many substantial security improvements over the Android Open Source Project (AOSP), so it obviously won't have root.
Applications should not be using flawed security filters to detect whether the OS is rooted, which do nothing besides hampering user freedom, breaking compatibility unnecessarily and denying users access to the devices they bought on their own with their money.
The French ANSSI organization uses a bunch of GrapheneOS work and has given GrapheneOS developers suggestions along with reporting issues including a couple issues in hardened_malloc where it could have a false positive detection of memory corruption and wrongly abort the process.
iyanmv And maybe point them in the right direction to implement such a filter.
You should first ask them whether they really want to use such a filter, because every organisation/person has the right to create an OS and to not have their growth hampered by such security filters used by important apps like banking apps, insurance apps, govt. apps, etc. If they really want to implement such a filter, you can guide them to the Attestation Compatibility guide to at least support GrapheneOS.
iyanmv I got this reply after further explaining that my phone is not rooted.
You can Tweet them I guess? Also don't include any personal details in the Tweet because Tweets are public.