App compatibility with GrapheneOS

DDaRon · Nov 13, 2023

d4f2
Yes, installed...
Google Services Framework: network and phone
Google Play Services: network, phone and nearby devices
Google Play store: network

akc3n
i am glad to help, but do you think it makes sense to add this report to the "banking apps compatibility list", although this is not a banking app at all?
"Digitales Amt" is issued from the government, which can be used as second factor for logging in to certain government websites, or as second factor to "electronically sign" documents and similar services
"eAusweise" on the other hand will enable Austrians to have their IDs (drivers licence, personal id, Health insurance) with them on the smartphone.

akc3n · Nov 13, 2023

DaRon

My apologies, I may have misunderstood and should have looked more closely. I was under the assumption that it would be related to these similar government ID apps that can be used for banking related access:

https://github.com/PrivSec-dev/banking-apps-compat-report/issues/173

https://github.com/PrivSec-dev/banking-apps-compat-report/issues/310

I'll take a closer look in the next following days.

Thank you

DDaRon · Nov 13, 2023

akc3n
All good. No offense ;)

Dd4f2 · Nov 13, 2023

DaRon
Thx for the feedback!
@akc3n
+1 for adding to the list or maintaining a similar list, these eGoverment apps "identify yourself electrically", may well become sort of mandatory...

akc3n · Nov 14, 2023

d4f2 @DaRon

Yes... on point with this:

EU-wide digital wallet: MEPs reach deal with Council

Parliament and Council negotiators reached a provisional agreement on Wednesday on the creation of a pan-European digital identity framework.

Key points:

An EU wallet to authenticate and access public and private services, store, share and e-sign documents.
A wallet to be used on a strictly voluntary basis.
Privacy dashboard to give users full control over their data

Next Steps

The legislation will now have to be endorsed by both Parliament and Council before it becomes law. The Industry, Research and Energy Committee will hold a vote on the file on 28 November

Primary source

Eepistax · Nov 19, 2023

Is there a list/resource where people contribute information about what apps seem to have issues? I see two banking apps listed off an earlier post in the PrivSec-dev github. I've got a Pixel 8 on the way and I wanted to start out with Graphene OS. I use apps that help me collaborate with others integrated with the Googleverse (Keep, Sheets), as well as home automation in connection with Google Wifi, and I am concerned what I'll be in for. I don't use Google Assistant from my phone, but I do set it up via the Home app for my.. home.

Maybe I'm overthinking this and the vast majority of things most users want to do will just work, meaning GOS doesn't need a big fancy database of app compatibility like Wine.

Thanks!

spring-onion · Nov 19, 2023

epistax Maybe I'm overthinking this and the vast majority of things most users want to do will just work

Sounds about right, I don't think you need to worry. You could search for the apps in question here on the forum and on matrix if you like, you may come across some reported experiences... or not, that could also indicate it just works.

Eepicshitter · Dec 1, 2023

Android Sytem Intelligence and pixel launcher requires system level permission without which it does not work and it looks like GOS devs are reluctant to support that via GMSCompat which is sad.

KKottonballs · Dec 2, 2023

Is this soley for banking apps or for apps in general complaining about the env? The Marriott app now complains about Magisk being detected and is solved by #3 above.

Ddecadentist · Dec 22, 2023

Hanma1963

You can follow this guide (you'll need revanced manager), but on the newest version (3.0.3) they don't care anymore that your OS is modified.

Revanced Manager can also "fix" aome other apps.

Hhemlockiv · Dec 23, 2023

akc3n 3.1 - Temporarily disable secure app spawning.

Setting ➔ Security ➔ Enable secure app spawning

3.2 - Restart device. Launch app to see if this GrapheneOS feature caused the compatibility issue. The app may be refusing to run if it detects a different spawning mechanism.

Significant security loss and directly affecting some privacy using Zygote
Disabling exec-based spawning reverts to using the traditional Zygote spawning model AOSP's app processes
Spawned as a clone of the Zygote
Each app process has the same random secrets for ASLR, SSP, memory tagging, pointer authentication, setjmp canaries, and heap randomization
Half of the userspace is made of app processes
Applies across all profiles
App in profile A and profile B have same random values, which they can see

3.3 - Revert to secure spawning by enabling it again and restart device.
See step 3.1 above.

I suspect I wouldn't be the first person to suggest this, and I also wouldn't be surprised if the devs have already rejected the idea, but does anyone know if there's any consideration of adding, in the future, Per-app Secure Spawning?

I imagine this would work by following the normal Secure Spawning process for most apps, but somehow caching whatever's the default (insecure) Zygote spawn process. Then if an app does misbehave, the user can disable Secure Spawning for that app only, in which case that app will use the cached insecure process. No idea if this would work in practice, but it would be a real nice compatibility feature. I currently have Secure Spawning disabled because a single app (that I can't live without) crashes when it's enabled. It's a waste, and a big security hole.

22WsF · Jan 12, 2024

I'm having an issue where you can still interact with mull browser where you can still interact with it even when the app switcher is pulled up. You can see a screen recording in this issue, but I'm posting here because they suggested it's OS specific. Has anyone else seen this? https://gitlab.com/divested-mobile/mull-fenix/-/issues/89

matchboxbananasynergy · Jan 13, 2024

2WsF I've been trying to reproduce this and so far am unable to in both owner and secondary profiles.

Do you use the default launcher? What is your OS version (Settings > About Phone > Build number)?

Is this consistently reproducible for you?

[deleted] · Jan 20, 2024

I encountered a few hurdles, and thanks to this comprehensive post, I got the necessary information. 💗

PPhospher · Jan 24, 2024

Thanks for these suggestions and although my banking app opens (Triodos) I am unable to set it up as it is wanting to scan a qr code located on my previous device. When I go through this process it ends up saying: Something went wrong,please try again or contact us if this error persists. I contacted the bank and they were clueless as to why this was the case. I have tried all the above and given the app all the permissions it wants but still the problem persists. Any pointers gratefully received. Many Thanks

TTheGodfather · Jan 28, 2024

Phospher I am unable to set it up as it is wanting to scan a qr code located on my previous device

Do you have Play Services installed and gave it permission to use the camera? Some banking apps use Play Services for QR code or invoice scanning.

Pphos15 · Jan 29, 2024

TheGodfather that's great thanks it worked cheers

TThemble · Feb 12, 2024

A general question about app compatibility when switching to GOS with sandboxed GPS: Are apps which have been working fine on an old phone with MicroG expected to work as well with sanboxed Google Play Services on GOS? I am asking this because I have read various times that compatibility with sandboxed GPS is far better than MicroG. So if I have e.g. banking apps that run perfectly with MicroG, are they likely to run on GOS, too?

other8026 · Feb 12, 2024

Themble they should work fine, but keep in mind that some OSes get around Play Integrity in hacky ways that GrapheneOS does not. It's possible the bank app will check if your phone is running a certified OS (which GrapheneOS isn't) and just choose not to work.

Eeersya · Feb 20, 2024

Are these errors are caused by this commit?