iyanmv So I guess it will not be useful to discuss further with them.

Maybe you could get a tech journalist to publicly mock them?

While I am not Swiss, I have built a ReVanced patch which should get rid of these checks (unless there are more annoyoning once which I oversaw) - Currently having a problem with getting the ReVanced package to build, but then it should be ready.

    • [deleted]

    1fexd Hi, is SwissID using Play Integrity API or something else?

      [deleted] Nope, it appears as if they are just simply using a root detection library (called RootBeer).

      I haven't seen anything suspicious else, so if any Swiss person is willing to try out the patch before I submit it to the official ReVanced patches repo send me a message either here (is that possible?) or to 1fexd [at] 420blaze.it

      By the way, my Github is 1fexd, just to give myself some "credibility"

      2 months later

      1fexd
      Hi ! I'm swiss (since a week ago) and can test your patch on SwissID if you want. What a coincidence, I just wanted to verify my identity on SwissID and just see your post that is 2 hours old. I can attest if it works or not on the whole verification process.

      I don't know why I can't fool swissid, even with Shamiko or magisk hide. That the first time I can't bypass this, I could bypass yris, the french equivalent without any issue.

        11 days later

        SaladCesar Hi, thanks! I have already found someone who is also willing to try, but sadly I haven't been able to fully bypass it yet. Will do some further investigation and reach out to you, should I need someone else to test it.

        @1fexd Aren't they either using the hardware key attestation API or the Play Integrity API? Hardware key attestation API can be used to detect green verified boot state without a way to spoof it (it can be bypassed via an exploit for leaking keys but not spoofed).

        So from my findings they do a simple root/bootloader unlocked check via the RootBeer library which is quite trivial to remove from the app with a patch built on the ReVanced framework. It appears, however, that they are indeed also using PlayIntegrity. I am currently checking if they associate the verdict with the app installation ID or something similar, because the behavior I have observed is that the app launches, appears to do a "classic" PlayIntegrity check, then shows a toast error message and shuts down the app. Maybe it is possible to just patch out the code that shuts down the app.

        20 days later

        I think they decided to rewrite the app after getting so many 1 stars in G Play and people complaining about it. The latest version works just fine, even with memory tagging enabled and native debugging disabled).

          iyanmv

          iyanmv The latest version works just fine, even with memory tagging enabled and native debugging disabled).

          I'm not a Swiss citizen so can't properly test this, but I confirm that I'm able to launch the app and proceed to the account registration page without issues. No exploit protection compatibility mode was needed.

          If the app proceeds to work fine after that, this is really great news!

          5 months later

          They broke the app again with the recent updates. Now the app starts and shows a screen that says: "Device appears to be rooted. For security reasons, you can not use the SwissID App on a rooted phone. We are happy to welcome you back one your phone has been restored to a non-rooted state."

          I'm contacting support again with zero hope that they will understand or help anything. Not only that, now the app also uses native code debugging, and they introduced some memory bug that is detected by the memory tagging of the Pixel 8.

          Hi all
          just got an answer from Swiss ID Suppport that they change again:

          Seit dem letzten Update haben wir ein anderes appdome als Root-SDK verwendet und sind dabei, es durch ein anderes zu ersetzen, das andere Identifikationsprinzipien hat.

          Wir arbeiten daran, und Sie werden benachrichtigt, sobald das Problem behoben ist.

          Als alternative Verifizierungsmethode können Sie stattdessen eine SMS anfordern, während Sie Ihr Passwort eingeben.

          Vielen Dank im Voraus für Ihre Antwort und Ihr Verständnis.

          Mit freundlichen Grüssen

            claib Could someone please translate the text? I think I understand what it's saying but my German is quite rusty.

              fid02 From DeepL Translate:

              Since the last update we have been using a different appdome as root SDK
              and are in the process of replacing it with another one that has different
              identification principles.

              We are working on this and you will be notified as soon as the issue is resolved.

              As an alternative verification method, you can request an SMS while entering your password instead.

              Thank you in advance for your response and understanding.

              Yours sincerely

              12 days later

              claib I think they answered you nicely because you asked in Germany. For me, as in the past, they were quite rude and unhelpful, even though I tried to give as much information as possible to help the devs. They should really train their first level support better...

              I have the same problem. The support confirms running a custom ROM breaks compatibility. Their advice is to factory reset the phone or use another phone.

              The severity of the bug has increased because the SwissID is now mandatory for many governmental services such as the Electronic Patient File.

              They are so incompetent because as a fallback you have to use SMS OTP which is not phishing resistant. You cannot switch off SMS OTP.

              Is there any collaboration between Graphene and the developers of those root-detecting SDKs? To me it looks like this is a malfunction of an SDK since the phone is not rooted.

              8 days later

              Just came here to say that I have the same problem on a Pixel 6a with GrapheneOS BUT also on a Motorola which has stock Android, is not rooted or has any other modification. It's a completely new phone. So their root detection is clearing broken.