Possible workaround solutions
For some problematic apps, including some banking apps.
Purpose: Utilize as a reference permalink for consistent citing on duplicates across platforms. e.g.
Table of contents
Important announcements
December 1, 2023 – Compatibility of Banking Apps with GrapheneOS
If you receive a warning from your banking app indicating that your device may be insecure, jailbroken, or rooted, this is usually due to the SafetyNet/Play Integrity API. Specifically, your device fails to pass MEETS_DEVICE_INTEGRITY or MEETS_STRONG_INTEGRITY.
As of now, there are no direct solutions available to users. However, you can help by contacting your bank. Inform them of this issue and suggest they refer to the GrapheneOS Attestation Compatibility Guide for their developers, available here: Attestation Compatibility Guide.
Banking app compatibility with GrapheneOS
To submit, view, and/or track international banking apps compatibility with GrapheneOS, please use this issue-tracker.
A 3rd party community-sourced effort containing banking app compatibility information is maintained by PrivSec.dev. GrapheneOS does not make any guarantees regarding the list's validity.
Possible workaround solutions
1. Native code debugging
Allow the app to make use of native code debugging. Launch app.
If unsuccessful, proceed to step 2.
Settings
➔ Apps
➔ App in question
➔ Exploit protection
➔ Native code debugging
2. Exploit protection compatibility mode
Enable the per-app exploit protection compatibility mode. Launch app.
If unsuccessful, proceed to step 3 for testing only.
Settings
➔ Apps
➔ App in question
➔ Exploit protection
➔ Exploit protection compatibility mode
Turning on the exploit protection compatibility toggle reduces system security but may allow the application to run without crashing. The app crashed because GrapheneOS detected a memory corruption bug that may be exploitable by an attacker.
3. Secure app spawning
3.1 - Temporarily disable secure app spawning.
Settings
➔ Security & privacy
➔ Exploit protection
➔ Secure app spawning
3.2 - Disable the exploit protection compatibility mode as described in step 2.
3.3 - Restart device. Launch app to see if this GrapheneOS feature caused the compatibility issue. The app may be refusing to run if it detects a different spawning mechanism.
Significant security loss and directly affecting some privacy using Zygote
- Disabling exec-based spawning reverts to using the traditional Zygote spawning model AOSP's app processes
- Spawned as a clone of the Zygote
- Each app process has the same random secrets for ASLR, SSP, memory tagging, pointer authentication, setjmp canaries, and heap randomization
- Half of the userspace is made of app processes
- Applies across all profiles
- App in profile A and profile B have same random values, which they can see
3.4 - Revert to secure spawning by enabling it again and restart device.
See step 3.1 above.
4. Alternative frontend clients
Potential use of an unofficial/alternative Google Play Store frontend client may be problematic for misguided apps:
- They can check if they were installed from the Play Store and can choose to refuse to work if they were not installed from the Play Store.
- Some forbid usage on non-stock OS (most OSes are insecure)
- May cause your Google Account to be disabled/blocked/blacklisted by Google.
- Anonymous account usage may have negative consequences and have a less secure connection to the Play Store servers.
General recommendation: Install Sandboxed Google Play. Optionally use a throwaway account.
5. Search the existing issues
Search the forum, os-issue-tracker, and/or within the community for keyword(s) specific to the app name.
If unsuccessful with finding a solution, only than proceed to step 6.
6. Capture a bug report
6.1 - To view the specific app's logs, go to Settings
➔ Apps
➔ All apps
➔ APP
➔ View logs
.
Note: With the release of 2024011300, GrapheneOS developers have introduced a log viewer, accessible via Settings
➔ System
➔ View logs
. This LogViewer avoids the need for developer options to create useful bug reports and inspect the device for issues.
6.2 - Attempt to reproduce the issue by capturing a 'Bug report' using the feature in Developer options if you still run into the app aborting at launch.
Enable Developer option by tapping the 'Build number' 7
times.
Settings
➔ About phone
➔ Device identifiers
➔ Build number
Capture a bug report.
Settings
➔ System
➔ Developer options
➔ Bug Report
➔ Interactive report
➔ REPORT
Note: If you are doing a bug report, the .zip
file can contain sensitive info.
6.3 - Alternatively, using logcat.
Example:
- Prepare for reproduction
adb logcat -c
to clear previous logs
- Reproduce the issue
- In a timely manner to avoid unecessary logs:
adb logcat -d > issue.log
to dump the logs in a file named issue.log
6.4 - Disable the developer options.
Settings
➔ System
➔ Developer options
➔ Use developer options
We recommend disabling developer options as a whole for a device that's not being used for app or OS development.
7. Submit a bug report
Open a new issue, provide a description and make contact via the appropriate channels with a similar message like "Bug report capture for issue #104". in order to submit the bug report capture zip privately. (Replace the issue #
number).
Next steps
Problematic applications
It's plausible that this is app-related, rather than a compatibility issue with GrapheneOS - acknowledging this factor must be considered. (Ref. 2568#issuecomment-1766887298)
Not compatible
Due to the deprecation of SafetyNet attestations, there is increasing changes among some apps on the Play Store to switch over to the new Play Integrity API. Consequently, some of these apps are known to set themselves as unavailable for devices that do not pass Play Integrity checks at various levels.
See View and restrict your app's compatible devices and Store listing visibility
Turn on integrity checks for your store listing so that Google Play can check that devices pass integrity checks before making your store listing visible to users.
This feature is primarily intended for use only by apps using the Play Integrity API. It aims to prevent users from encountering a poor experience by installing these apps, only to find they do not function properly on their devices.
Please see the Attestation compatibility guide on using remote attestation in a way that's compatible with GrapheneOS and how you can help.
GrapheneOS users are strongly encouraged to share this documentation with app developers enforcing only being able to use the stock OS. Send an email to the developers and leave a review of the app with a link to this information. Share it with other users and create pressure to support GrapheneOS rather than locking users into the stock OS without a valid security reason. GrapheneOS not only upholds the app security model but substantially reinforces it, so it cannot be justified with reasoning based on security, anti-fraud, etc.