Hello,

After some recent update, SwissID app (https://play.google.com/store/apps/details?id=com.swisssign.swissid.mobile) stopped working.
The app opens but it gives the following error message and then closes:

REF: 7144:7FA6 1900000 Magisk Detected by App

I contacted them and this is their reply:

Thank you for your request

Your device is detected as a rooted device and for this reason we cannot do anything about it.
(We have noted in the FAQ that jailbreak and rooting prevent the SwissID app from being compatible).

Why is that?
Unfortunately, we cannot say exactly, as devices can be rooted for various reasons.
In some cases, Magisk is used on individual Android devices from Android 12.0 and higher.
Magisk is a rooting tool that expands the possibilities in terms of using the device.
I have picked out a link to possible rooting software. Maybe this can help you: https://support.google.com/accounts/answer/9924802?hl=de&co=GENIE.Platform%3DAndroid.

SwissID on our site:
Our security filter cannot be changed.
The filter, which detects a rooted device, was approved by the audit exactly as it is and cannot be revised for this reason.

Conclusion:

  • Your device has been rooted (possible through apps, among other things).
  • The SwissID app cannot do anything about it and the support can only point out the alternative possibilities.
  • In any case, I recommend that you contact the device manufacturer to find out if there have been any recent changes (Android 12).

Alternatives:

  • Use another mobile device (also for SwissID Sign).
  • Carry out the identity check in person

We regret the inconvenience and thank you for your understanding

Of course, I think their new filter is not correct and it's given a false positive. Can anyone give me good technical arguments to support GrapheneOS? And maybe point them in the right direction to implement such a filter. I know bank apps must do something similar but they work just fine with GrapheneOS.

    • [deleted]

    iyanmv The developers of the app have made it quite clear that they do not know what they are talking about and would rather make excuses than provide you with any sort of assistance. GrapheneOS does not implement any sort of rooting whatsoever since, among various reasons, it severely weakens the security model and exposes a massive privilege escalation risk for apps. Verified boot would have to be disabled which would mean that a user would not be able to verify that the OS they're booting has not been maliciously tampered with or corrupted. That removes a large part of the security model it stands on.

    Here's a great previous discussion on GrapheneOS and root that's a worthwhile read: https://discuss.grapheneos.org/d/2275-will-gos-and-root-related-issues.

      • [deleted]

      [deleted] Verified boot would have to be disabled

      Not necessarily, but rooting will reduce the security nonetheless.

      Their support team is terrible. I got this reply after further explaining that my phone is not rooted.

      Our app developer has a Pixel 6A
      I tested with him whether his device is also considered rooted.
      This is not the case.
      This means. The error is not in our function, but on your device.
      You already know that the non-standard operating system quite likely includes a magisk file to remove the barrier set up by Android and Google.
      This is called rooting.
      Root your device back to standard, or use another device.
      Kind regards

      So I guess it will not be useful to discuss further with them.

        • [deleted]

        (We have noted in the FAQ that jailbreak and rooting prevent the SwissID app from being compatible)

        That's a completely false claim. Rooting does decrease security but does not hinder compatibility on its own. (Not trying to imply that GrapheneOS is rooted by default; it is not.)

        Our security filter cannot be changed.
        The filter, which detects a rooted device, was approved by the audit exactly as it is and cannot be revised for this reason.

        I don't think they (SwissID) are using their own checks, but if they are, that's a really stupid 'security filter'. They should stop using such mechanisms which actually are harmful and prevent people who bought a device with their own money from utilising it to its full potential.

        iyanmv Can anyone give me good technical arguments to support GrapheneOS?

        1. GrapheneOS is a security-focused operating system (OS) which has many substantial security improvements over the Android Open Source Project (AOSP), so it obviously won't have root.

        2. Applications should not be using flawed security filters to detect whether the OS is rooted, which does nothing besides hampering user freedom, breaking compatibility unnecessarily and denying users access to the devices they bought on their own with their money.

        3. The French ANSSI organization uses a bunch of GrapheneOS work and has given GrapheneOS developers suggestions along with reporting issues including a couple issues in hardened_malloc where it could have a false positive detection of memory corruption and wrongly abort the process.

        iyanmv And maybe point them in the right direction to implement such a filter.

        You should first ask them whether they really want to use such a filter, because every organisation/person has the right to create an OS and to not have their growth hampered by such security filters used by important apps like banking apps, insurance apps, govt. apps, etc. If they really want to implement such a filter, you can guide them to the Attestation Compatibility guide to at least support GrapheneOS.

        iyanmv I got this reply after further explaining that my phone is not rooted.

        You can Tweet them I guess? Also don't include any personal details in the Tweet because Tweets are public.

        iyanmv So I guess it will not be useful to discuss further with them.

        Maybe you could get a tech journalist to publicly mock them?

        While I am not Swiss, I have built a ReVanced patch which should get rid of these checks (unless there are more annoying ones which I overlooked). Currently having a problem with getting the ReVanced package to build, but then it should be ready.

          • [deleted]

          1fexd Hi, is SwissID using Play Integrity API or something else?

            [deleted] Nope, it appears as if they are just simply using a root detection library (called RootBeer).

            I haven't seen anything suspicious else, so if any Swiss person is willing to try out the patch before I submit it to the official ReVanced patches repo send me a message either here (is that possible?) or to 1fexd [at] 420blaze.it

            By the way, my Github is 1fexd, just to give myself some "credibility"

            2 months later

            1fexd
            Hi! I'm Swiss (since a week ago) and can test your patch on SwissID if you want. What a coincidence, I just wanted to verify my identity on SwissID and just saw your post that is 2 hours old. I can attest if it works or not on the whole verification process.

            I don't know why I can't fool SwissID, even with Shamiko or Magisk Hide. That's the first time I can't bypass this; I could bypass yris, the French equivalent, without any issue.

              11 days later

              SaladCesar Hi, thanks! I have already found someone who is also willing to try, but sadly I haven't been able to fully bypass it yet. Will do some further investigation and reach out to you, should I need someone else to test it.

              @1fexd Aren't they either using the hardware key attestation API or the Play Integrity API? Hardware key attestation API can be used to detect green verified boot state without a way to spoof it (it can be bypassed via an exploit for leaking keys but not spoofed).
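The hardware key attestation check described above, as an added server-side example (not code from the post, SwissID or GrapheneOS): it parses the attestation's RootOfTrust structure and accepts a locked device running either the stock OS or an allow-listed alternate OS. It assumes the certificate chain was already validated and the RootOfTrust DER bytes extracted; `PLACEHOLDER_OS_KEY` and the sample builder are constructed values, and real key fingerprints come from the OS project's published attestation guide.

```python
from collections import namedtuple

VERIFIED, SELF_SIGNED = 0, 1  # VerifiedBootState: green / yellow; 2 and 3 are rejected
PLACEHOLDER_OS_KEY = bytes.fromhex("aa" * 32)  # constructed placeholder, not a real key hash
RootOfTrust = namedtuple(
    "RootOfTrust", "verified_boot_key device_locked verified_boot_state verified_boot_hash")

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_root_of_trust(der):
    """Parse SEQUENCE { OCTET STRING, BOOLEAN, ENUMERATED, OCTET STRING }."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("RootOfTrust must be a single SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        fields.append((t, v))
    if [t for t, _ in fields] != [0x04, 0x01, 0x0A, 0x04]:
        raise ValueError("unexpected RootOfTrust layout")
    key, locked, state, vb_hash = (v for _, v in fields)
    return RootOfTrust(key, locked == b"\xff", int.from_bytes(state, "big"), vb_hash)

def boot_state_acceptable(rot, allowed_os_keys):
    """Return (ok, reason); the decision uses hardware-backed fields only."""
    if not rot.device_locked:
        return False, "bootloader unlocked"
    if rot.verified_boot_state == VERIFIED:
        return True, "stock OS, verified boot"
    if rot.verified_boot_state == SELF_SIGNED:
        if rot.verified_boot_key in allowed_os_keys:
            return True, "allow-listed alternate OS, verified boot"
        return False, "unknown verified boot key"
    return False, "verified boot not enforced"

def sample_root_of_trust(key, locked, state):
    """Build a constructed DER RootOfTrust for testing (short lengths only)."""
    tlv = lambda tag, val: bytes([tag, len(val)]) + val
    body = (tlv(0x04, key) + tlv(0x01, b"\xff" if locked else b"\x00")
            + tlv(0x0A, bytes([state])) + tlv(0x04, bytes(32)))
    return tlv(0x30, body)
```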

              So from my findings they do a simple root/bootloader unlocked check via the RootBeer library which is quite trivial to remove from the app with a patch built on the ReVanced framework. It appears, however, that they are indeed also using PlayIntegrity. I am currently checking if they associate the verdict with the app installation ID or something similar, because the behavior I have observed is that the app launches, appears to do a "classic" PlayIntegrity check, then shows a toast error message and shuts down the app. Maybe it is possible to just patch out the code that shuts down the app.

              20 days later

              I think they decided to rewrite the app after getting so many 1 stars in G Play and people complaining about it. The latest version works just fine, even with memory tagging enabled and native debugging disabled.

                iyanmv The latest version works just fine, even with memory tagging enabled and native debugging disabled.

                I'm not a Swiss citizen so can't properly test this, but I confirm that I'm able to launch the app and proceed to the account registration page without issues. No exploit protection compatibility mode was needed.

                If the app proceeds to work fine after that, this is really great news!

                5 months later

                They broke the app again with the recent updates. Now the app starts and shows a screen that says: "Device appears to be rooted. For security reasons, you can not use the SwissID App on a rooted phone. We are happy to welcome you back one your phone has been restored to a non-rooted state."

                I'm contacting support again with zero hope that they will understand or help anything. Not only that, now the app also uses native code debugging, and they introduced some memory bug that is detected by the memory tagging of the Pixel 8.

                Hi all
                just got an answer from SwissID Support that they changed again:

                Seit dem letzten Update haben wir ein anderes appdome als Root-SDK verwendet und sind dabei, es durch ein anderes zu ersetzen, das andere Identifikationsprinzipien hat.

                Wir arbeiten daran, und Sie werden benachrichtigt, sobald das Problem behoben ist.

                Als alternative Verifizierungsmethode können Sie stattdessen eine SMS anfordern, während Sie Ihr Passwort eingeben.

                Vielen Dank im Voraus für Ihre Antwort und Ihr Verständnis.

                Mit freundlichen Grüssen

                  claib Could someone please translate the text? I think I understand what it's saying but my German is quite rusty.

                    fid02 From DeepL Translate:

                    Since the last update we have been using a different appdome as root SDK
                    and are in the process of replacing it with another one that has different
                    identification principles.

                    We are working on this and you will be notified as soon as the issue is resolved.

                    As an alternative verification method, you can request an SMS while entering your password instead.

                    Thank you in advance for your response and understanding.

                    Yours sincerely