Hanma1963

You can follow this guide (you'll need revanced manager), but on the newest version (3.0.3) they don't care anymore that your OS is modified.

Revanced Manager can also "fix" some other apps.

akc3n 3.1 - Temporarily disable secure app spawning.

Setting ➔ Security ➔ Enable secure app spawning

3.2 - Restart device. Launch app to see if this GrapheneOS feature caused the compatibility issue. The app may be refusing to run if it detects a different spawning mechanism.

Significant security loss and directly affecting some privacy using Zygote
Disabling exec-based spawning reverts to using the traditional Zygote spawning model AOSP's app processes
Spawned as a clone of the Zygote
Each app process has the same random secrets for ASLR, SSP, memory tagging, pointer authentication, setjmp canaries, and heap randomization
Half of the userspace is made of app processes
Applies across all profiles
App in profile A and profile B have same random values, which they can see

3.3 - Revert to secure spawning by enabling it again and restart device.
See step 3.1 above.

I suspect I wouldn't be the first person to suggest this, and I also wouldn't be surprised if the devs have already rejected the idea, but does anyone know if there's any consideration of adding, in the future, Per-app Secure Spawning?

I imagine this would work by following the normal Secure Spawning process for most apps, but somehow caching whatever's the default (insecure) Zygote spawn process. Then if an app does misbehave, the user can disable Secure Spawning for that app only, in which case that app will use the cached insecure process. No idea if this would work in practice, but it would be a real nice compatibility feature. I currently have Secure Spawning disabled because a single app (that I can't live without) crashes when it's enabled. It's a waste, and a big security hole.
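What "spawned as a clone of the Zygote" means for ASLR, shown as an added example that is not part of the original posts. It runs on a desktop Linux system rather than on Android (an assumption of this sketch) and covers only the ASLR item of the list quoted above; the function names are illustrative.

```python
import ctypes
import os
import subprocess
import sys

# One-liner run in a fresh interpreter: print where that process mapped libc's getpid.
PROBE = (
    "import ctypes;"
    "print(ctypes.cast(ctypes.CDLL(None).getpid, ctypes.c_void_p).value)"
)


def libc_symbol_address() -> int:
    """Address of libc's getpid in this process; it depends on the ASLR layout."""
    return ctypes.cast(ctypes.CDLL(None).getpid, ctypes.c_void_p).value


def addresses_after_fork(n: int = 3) -> list[int]:
    """Fork n children without exec (the Zygote model); each reports its address."""
    results = []
    for _ in range(n):
        r, w = os.pipe()
        pid = os.fork()
        if pid == 0:  # child: a copy of the parent, memory layout included
            os.close(r)
            os.write(w, str(libc_symbol_address()).encode())
            os._exit(0)
        os.close(w)
        with os.fdopen(r) as pipe:
            results.append(int(pipe.read()))
        os.waitpid(pid, 0)
    return results


def addresses_after_exec(n: int = 3) -> list[int]:
    """Start n fresh interpreters (fork + exec); the kernel builds a new layout each time."""
    return [
        int(subprocess.run([sys.executable, "-c", PROBE],
                           capture_output=True, text=True, check=True).stdout)
        for _ in range(n)
    ]


if __name__ == "__main__":
    print("fork only :", [hex(a) for a in addresses_after_fork()])
    print("fork+exec :", [hex(a) for a in addresses_after_exec()])
```

The fork-only addresses are always identical to each other and to the parent's; with ASLR enabled, the fork+exec addresses normally differ from process to process.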

20 days later

2WsF I've been trying to reproduce this and so far am unable to in both owner and secondary profiles.

Do you use the default launcher? What is your OS version (Settings > About Phone > Build number)?

Is this consistently reproducible for you?

8 days later

I encountered a few hurdles, and thanks to this comprehensive post, I got the necessary information. 💗

Thanks for these suggestions and although my banking app opens (Triodos) I am unable to set it up as it is wanting to scan a qr code located on my previous device. When I go through this process it ends up saying: Something went wrong, please try again or contact us if this error persists. I contacted the bank and they were clueless as to why this was the case. I have tried all the above and given the app all the permissions it wants but still the problem persists. Any pointers gratefully received. Many Thanks

    4 days later

    Phospher I am unable to set it up as it is wanting to scan a qr code located on my previous device

    Do you have Play Services installed and gave it permission to use the camera? Some banking apps use Play Services for QR code or invoice scanning.

      14 days later

      A general question about app compatibility when switching to GOS with sandboxed GPS: Are apps which have been working fine on an old phone with MicroG expected to work as well with sandboxed Google Play Services on GOS? I am asking this because I have read various times that compatibility with sandboxed GPS is far better than MicroG. So if I have e.g. banking apps that run perfectly with MicroG, are they likely to run on GOS, too?

        Themble they should work fine, but keep in mind that some OSes get around Play Integrity in hacky ways that GrapheneOS does not. It's possible the bank app will check if your phone is running a certified OS (which GrapheneOS isn't) and just choose not to work.

        8 days later

        Are these errors caused by this commit?

          eersya Are these errors caused by this commit?

          Probably not, but it's hard to say before specific errors are specified. So... which errors?

          24 days later
          6 days later
          9 days later

          Hello,
          I've an app that does not initiate login. Normally, when pressing the login button, it'd redirect to a login page. On GOS, hitting the login button doesn't proceed, nothing happens.

          Here's an extract of the logs:

          W libc : Access denied finding property "ro.debuggable"
          W libc : Access denied finding property "odsign.verification.success"
          W libc : Access denied finding property "ro.product.name_for_attestation"
          W libc : Access denied finding property "ro.product.manufacturer_for_attestation"
          W libc : Access denied finding property "ro.product.brand_for_attestation"
          W libc : Access denied finding property "ro.product.model_for_attestation"

          I auditd : avc=type=1400 audit(0.0:15852): avc: denied { read } for comm="app_process64" name="u:object_r:userdebug_or_eng_prop:s0" ...
          I auditd : avc=type=1400 audit(0.0:15856): avc: denied { getattr } ... path="/apex/apex-info-list.xml" ...

          W ART APEX data files are untrusted.
          W ziparchive: Unable to open '/gmscompat_fd_64.dm': No such file or directory
          W DynamiteModule: Local module descriptor class for com.google.android.gms.googlecertificates not found.

          Is this the device attestation failing?

          I've tried any of the proposed steps in post #1 (without secure spawning (yet)).
          GMS is installed, with full network access.

          Any advice very much appreciated. Thank you.
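A small triage script for a log extract like the one in the post above, as an added example that is not part of the original thread. It separates the libc property denials, the SELinux AVC denials and the remaining lines so a report can list what the app tried to read; the function name and report layout are illustrative, and the grouping of "_for_attestation" properties is by name only.

```python
import re

# Log extract copied from the post above; the "..." elisions are kept as posted.
SAMPLE_LOG = """\
W libc : Access denied finding property "ro.debuggable"
W libc : Access denied finding property "odsign.verification.success"
W libc : Access denied finding property "ro.product.name_for_attestation"
W libc : Access denied finding property "ro.product.manufacturer_for_attestation"
W libc : Access denied finding property "ro.product.brand_for_attestation"
W libc : Access denied finding property "ro.product.model_for_attestation"
I auditd : avc=type=1400 audit(0.0:15852): avc: denied { read } for comm="app_process64" name="u:object_r:userdebug_or_eng_prop:s0" ...
I auditd : avc=type=1400 audit(0.0:15856): avc: denied { getattr } ... path="/apex/apex-info-list.xml" ...
W ART APEX data files are untrusted.
W ziparchive: Unable to open '/gmscompat_fd_64.dm': No such file or directory
W DynamiteModule: Local module descriptor class for com.google.android.gms.googlecertificates not found.
"""

PROP_RE = re.compile(r'Access denied finding property "([^"]+)"')
AVC_RE = re.compile(r"avc:\s*denied\s*\{([^}]*)\}")
FIELD_RE = re.compile(r'\b(comm|name|path)="([^"]*)"')


def triage(log_text):
    """Sort log lines into property denials, SELinux AVC denials and everything else."""
    report = {"denied_properties": [], "avc_denials": [], "other": []}
    for line in filter(None, map(str.strip, log_text.splitlines())):
        prop = PROP_RE.search(line)
        avc = AVC_RE.search(line)
        if prop:
            report["denied_properties"].append(prop.group(1))
        elif avc:
            denial = {"permissions": avc.group(1).split()}
            denial.update(FIELD_RE.findall(line))  # comm/name/path when present
            report["avc_denials"].append(denial)
        else:
            report["other"].append(line)
    # Name-based grouping only: properties the log itself labels "_for_attestation".
    report["attestation_properties"] = [
        p for p in report["denied_properties"] if p.endswith("_for_attestation")
    ]
    return report


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key} ({len(items)}):")
        for item in items:
            print("   ", item)
```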

          5 days later

          Are the steps under "6. Capture a bug report" replaced by the feature located in Settings > System > View logs? Or does the Developer options feature "Bug report" capture more comprehensive logs / system info?

            fid02 Good point. I think for app compatibility we'd just send the specific app's logs (in Settings > Apps > All apps > *app* > View logs), not the full system logs.

            a month later

            I have a problem with the Bank Norwegian app: when I install it and select Denmark as country, it requires access to Chrome settings. I don't want to use Chrome as web-browser. I have followed the suggested methods in the thread, but none of them work. Here is the link for the app:

            https://play.google.com/store/search?q=bank+norwegian&c=apps&gl=us
            https://play.google.com/store/search?q=bank+norwegian

            Has anyone experienced this problem or have a suggestion for how to solve it?

              lbr20a Looks like the app is using MitID for authentication. MitID is known to be a problematic app. It does weird stuff. There's a long thread on it here: https://discuss.grapheneos.org/d/1520-status-of-mitid-app/

              In any case, it looks like you will have to install Chrome and set it as the default web browser in the same profile for the verification to be able to start. The app doesn't say that it requires access to "Chrome settings", but that Chrome needs to be the default browser. Try setting Chrome as the default web browser, and after verification you can try to revert that setting back to your desired web browser. Hopefully Bank Norwegian will just work after the initial verification.

              If the app continues to insist on having Chrome as the default browser after the verification, that is very weird behaviour and if that is the case, you should contact the app developers.

              a month later

              Some people considering GrapheneOS are maybe afraid of switching to GrapheneOS, fearing that their banking apps may not work.

              However, in my case I use many different banking apps and they do not cause trouble. I am based in Switzerland. I think the issue is overrated. But of course you may have bad luck.