App compatibility with GrapheneOS

Great guide, please leave it pinned for new people to always see.

Also big thanks to all the mods here who spend a lot of time to share their knowledge, be available and organize the threads. This is my go-to tech forum because of the combined expertise and organization, thank you so much for this!

Hi, I get a message "An operating system modification (bootloader unlocking and/or rooting) has been detected on your device. Therefore, for security reasons, logging in cannot be performed.)". Any workaround in this case? I followed GrapheneOS installation instructions, so bootloader is locked, but it seems like this app detects modification (https://www.oesterreich.gv.at/app-digitales-amt/faq/app_digitales_amt.html#fehler).

akc3n 12 — Please see the Attestation compatibility guide on using remote attestation in a way that's compatible with GrapheneOS and how you can help.

Hello, Is there an API that somehow pings a list of approved Operating systems (to which OS developers can submit a request for their OS too) for apps like Banking apps, Premium apps, Health apps, etc. and uses Hardware attestation / server side checks to prevent tampering? Allowing only Operating systems approved by Google and just One third-party OS isn't Ideal.

akc3n Thanks for the answer. I followed the steps in your guide, i hope correctly. Will contact the app's developers.

[deleted] I admit I don't really know how this all works very well, but there's a very detailed article on the GrapheneOS website that covers this topic: https://grapheneos.org/articles/attestation-compatibility-guide

Can these settings only be used for "normal" programs or for multiplayer players ? Or are there other settings recommended or necessary ?

Rhinos These sttings can be used to troubleshoot any application.

Thanks for the info, because I get the game CSR 2 on my Google Pixel Tablet in multiplayer just not run and do not know what it is, I get no error message, nothing, it turns a wheel when I start this and endlessly, that's it !

Hanma1963 hi, i did contact the "Bürgerservice" back in June already and this is what i got back (in July).
"Wir analysieren aktuell, wie die App „Digitales Amt“ unter Einhaltung der rechtlichen und technischen Vorgaben auch auf Geräten mit anderen Systemen nutzbar werden kann. Wir berücksichtigen dabei gerne Ihre Inputs und bitten noch um etwas Geduld. "

In short: authorities/app devs will check if there is any possibility (legal and tech wise) to allow it on alternative OS as well.

Yee, i did send them the link to the attestation-compatibility-guide...

Hope that helps

@akc3n FWIW there's a typo in step 2, "Turning off the exploit protection compatibility toggle reduces system security" should be turning on

other8026 Its good and detailed but not related to my query.

[deleted] I guess I misunderstood then. And now that I see my response again, I linked the same link you quoted so my reply was kind of useless. But as far as I know, the APIs listed in the linked article (Play Integrity and SafetyNet) are the most common ones that apps use. It would be nice if there were a non-Google alternate that apps could use as well, but until one is available app devs would have to add OSes individually.

Wonderful...

ok I have here two Apps, where I should can do this BUT

This is only practical when the Apps are installed in the owner Profil BECAUSE
if not and you have two Passwords with each 128 characters (This little bug that nobody can solve but god mother google herself, who doesn't think it's important to solve the problem) , do you know how many time it will cost to creat a little bug report no one will be solved, because the app dev doesn't give a shit if his app runs on a fringe product like GrapheneOS?

Should I give a try?

Sorry, but this is the reality...

WhoTheFuckisAlice two Passwords with each 128 characters

Obviously you can do whatever you'd like with your phone, but it's not really necessary considering the secure element forces delays between password guesses if being brute forced. I've read project members say that a 6 digit PIN is enough. The only reason you'd be using such a long password is if you don't trust the secure element.

WhoTheFuckisAlice This little bug that nobody can solve but god mother google herself, who doesn't think it's important to solve the problem

what little bug?

other8026 Obviously you can do whatever you'd like with your phone, but it's not really necessary considering the secure element forces delays between password guesses if being brute forced. I've read project members say that a 6 digit PIN is enough. The only reason you'd be using such a long password is if you don't trust the secure element.

This password is not the key for the encryption of the user data partition in every profile?
Why do I still assign passwords when you can solve this so elegantly... every electronic device should have such a secure element. God bless your security management !

other8026 what little bug?

https://discuss.grapheneos.org/d/5731-bug-fingerprint-unlock-disabled-after-profile-change
https://github.com/GrapheneOS/os-issue-tracker/issues/1611

WhoTheFuckisAlice This password is not the key for the encryption of the user data partition in every profile?

You'll want to read this section of the website about how all that works: https://grapheneos.org/faq#encryption. Here's a relevant quote:

Sensitive data is stored in user profiles. User profiles each have their own unique, randomly generated disk encryption key and their own unique key encryption key is used to encrypt it.

And another:

Using a secondary profile for regular usage allows you to make use of the device without decrypting the data in your regular usage profile. It also allows putting it at rest without rebooting the device. Even if you use the same passphrase for multiple profiles, each of those profiles still ends up with a unique key encryption key and a compromise of the OS while one of them is active won't leak the passphrase. The advantage to using separate passphrases is in case an attacker records you entering it.

https://discuss.grapheneos.org/d/5731-bug-fingerprint-unlock-disabled-after-profile-change
https://github.com/GrapheneOS/os-issue-tracker/issues/1611

I didn't realize that this was still a problem that people were experiencing. I used to have this issue from time to time, but not anymore. I can understand that this is very annoying, especially when using really long passwords.