Hello,
I've an app that does not initiate login. Normally, when pressing the login button, it'd redirect to a login page. On GOS, hitting the login button doesn't proceed, nothing happens.

Here's an extract of the logs:

W libc : Access denied finding property "ro.debuggable"
W libc : Access denied finding property "odsign.verification.success"
W libc : Access denied finding property "ro.product.name_for_attestation"
W libc : Access denied finding property "ro.product.manufacturer_for_attestation"
W libc : Access denied finding property "ro.product.brand_for_attestation"
W libc : Access denied finding property "ro.product.model_for_attestation"

I auditd : avc=type=1400 audit(0.0:15852): avc: denied { read } for comm="app_process64" name="u:object_r:userdebug_or_eng_prop:s0" ...
I auditd : avc=type=1400 audit(0.0:15856): avc: denied { getattr } ... path="/apex/apex-info-list.xml" ...

W ART APEX data files are untrusted.
W ziparchive: Unable to open '/gmscompat_fd_64.dm': No such file or directory
W DynamiteModule: Local module descriptor class for com.google.android.gms.googlecertificates not found.

Is this the device attestation failing?

I've tried any of the proposed steps in post #1 (without secure spawning (yet)).
GMS is installed, with full network access.

Any advice very much appreciated. Thank you.

5 days later

Are the steps under "6. Capture a bug report" replaced by the feature located in Settings > System > View logs? Or does the Developer options feature "Bug report" capture more comprehensive logs / system info?

    fid02 Good point. I think for app compatibility we'd just send the specific app's logs (in Settings > Apps > All apps > *app* > View logs), not the full system logs.

    a month later

    I have a problem with the Bank Norwegian app: when I install it and select Denmark as country, it requires access to Chrome settings. I don't want to use Chrome as my web browser. I have followed the suggested methods in the thread, but none of them work. Here is the link for the app:

    https://play.google.com/store/search?q=bank+norwegian&c=apps&gl=us
    https://play.google.com/store/search?q=bank+norwegian

    Has anyone experienced this problem, or does anyone have a suggestion for how to solve it?

      lbr20a Looks like the app is using MitID for authentication. MitID is known to be a problematic app. It does weird stuff. There's a long thread on it here: https://discuss.grapheneos.org/d/1520-status-of-mitid-app/

      In any case, it looks like you will have to install Chrome and set it as the default web browser in the same profile for the verification to be able to start. The app doesn't say that it requires access to "Chrome settings", but that Chrome needs to be the default browser. Try setting Chrome as the default web browser, and after verification you can try to revert that setting back to your desired web browser. Hopefully Bank Norwegian will just work after the initial verification.

      If the app continues to insist on having Chrome as the default browser after the verification, that is very weird behaviour and if that is the case, you should contact the app developers.

      a month later

      Some people considering GrapheneOS are maybe afraid of switching, fearing that their banking apps may not work.

      However for my case I use many different banking apps and they do not cause troubles. I am based in Switzerland. I think the issue is overrated. But of course you may have bad luck.

        schweizer
        I can't complain about any banking app from Switzerland either.
        However, I'm having trouble with Parking Pay. Do you have the same problems with it?

          Regarding 4. Alternative frontend clients
          Some apps only check this if it's opened by the "main activity", meaning opening the app the canonical way by tapping the app icon. However on some apps you can work around this, if the devs of the app implemented the check sloppily, by creating a shortcut. Tap and hold the app icon and then select a shortcut (if one exists - not always the case). Delete the original app icon from your home screen and from now on start the app in question with this "app shortcut". An example is CouchSurfing. Maybe it changed.

          Otherwise you can also enable ADB, change the installation app (which persists after updates, but not reinstalls) and disable ADB afterwards. Important! Beware, enabling ADB debugging is not recommended by the GrapheneOS project.

          2 months later

          Hi! I am new here and new to GrapheneOS. I could successfully install it from my Linux via terminal. I strictly do not use anything from Google. But I have to use several apps, which are not available from F-Droid and can only be found on GooglePlay or apkpure.com etc. Of course I want to control those apps by apps like AdAway or AF-Wall as I used to on my old Samsung Galaxy with LineageOS in rooted status:

          The first is AF-Wall. But it is only operable on rooted devices. I would like to have a replacement for this, because I want to have detailed control, whether an app may use WiFi or mobile net or nothing. There are many apps, which do not need any network connection.
          So I have tried NetGuard Firewall, which will insert a virtual VPN within the device. But it seems to be incompatible with GrapheneOS, because after installation and activation, no app could connect to network services.
          I miss an app with a firewall function on GrapheneOS. – Or is it, that such Firewall is not necessary on GrapheneOS?

          Second I would like to use AdAway. This app will function without root access, but it will insert a virtual VPN similar to NetGuard Firewall and with the same result: No other app can connect to network services any more. So my question is, whether there is no need for an app like AdAway on GrapheneOS, because it would suppress unwanted ads on system level. Or does someone know of an app, which would be compatible with GrapheneOS?

          Third, I would like to control the charge levels of the battery in order to increase battery life. The only apps, I know, demand root. So my question is, whether there is an app, which would control battery charging and is compatible with GrapheneOS.

            I have a fourth one:
            Fourth: I always had an app, which checks the correct PIN, to unlock the screen. If someone enters a wrong PIN more often than xx times, then the entire phone gets wiped. Reason, why I like such an app: I am working as a practitioner for mental health and there are some very sensible data from my clients on my phone. If the device gets stolen or misused, I want the device being wiped for security. The app, I had used all the time, requires root access. So my question is: Which app could do this without needing a root access? Until now, I don't know any.

              Rapunzli Welcome to the forum!

              You should open a new topic so that you're more likely to receive relevant replies. It also makes it easier for others with the same questions to search for your topic.

              But to quickly answer your questions:

              Rapunzli I want to have detailed control, whether an app may use WiFi or mobile net or nothing. There are many apps, which do not need any network connection.

              You don't need firewall apps as GrapheneOS implements the Network permission toggle which can be found from Settings > Apps > [App name] > Permissions > Network or by holding on the app's icon and pressing App info.

              Rapunzli So my question is, whether there is no need for an app like AdAway on GrapheneOS, because it would suppress unwanted ads on system level. Or does someone know of an app, which would be compatible with GrapheneOS?

              The recommended approach is to choose a DNS server that blocks ad domains. Ad-blocking apps are unrecommended.

              Rapunzli Third, I would like to control the charge levels of the battery in order to increase battery life. The only apps, I know, demand root. So my question is, whether there is an app, which would control battery charging and is compatible with GrapheneOS.

              I don't have the answer to this so I can't say anything. You should open a new topic 🙂.

              Rapunzli I am working as a practitioner for mental health and there are some very sensible data from my clients on my phone. If the device gets stolen or misused, I want the device being wiped for security.

              GrapheneOS has a duress PIN/password feature which securely wipes the phone, unlike incomplete third-party implementations which allow interrupting the wipe. This might not be what you're looking for, but Google Pixels have some of the strongest hardware implementations against bruteforcing. You can also enable Auto reboot.

                yore

                The recommended approach is to choose a DNS server that blocks ad domains.

                We recommend doing it as part of DNS resolution which can either be done with the Private DNS feature or a local DNS filtering app via the VPN service app feature. If you use a VPN, we recommend not mixing that with Private DNS so a VPN app able to handle local filtering of DNS should be used, or a VPN service which can filter it remotely. Filtering can be detected by websites, etc. and they can enumerate what's being filtered vs. not filtered so bear that in mind.

                  Rapunzli Those have unfortunately never been a correct implementation of this feature and it was always trivially bypassed in the past. It's still trivially bypassed on most Android-based operating systems.

                  Rapunzli

                  The first is AF-Wall. But it is only operable on rooted devices. I would like to have a replacement for this, because I want to have detailed control, whether an app may use WiFi or mobile net or nothing. There are many apps, which do not need any network connection.

                  This is a badly designed app which massively reduces OS security. You should read our FAQ sections on these topics where we mention apps like RethinkDNS able to do local filtering while also using a VPN. We don't specifically recommend RethinkDNS but unfortunately there aren't other examples without bigger issues.

                  So I have tried NetGuard Firewall, which will insert a virtual VPN within the device. But it seems to be incompatible with GrapheneOS, because after installation and activation, no app could connect to network services.

                  It's not incompatible with GrapheneOS. It's incompatible with the standard Android leak blocking toggle because of implementation flaws. It shouldn't be used.

                  Second I would like to use AdAway. This app will function without root access, but it will insert a virtual VPN similar to NetGuard Firewall and with the same result: No other app can connect to network services any more. So my question is, whether there is no need for an app like AdAway on GrapheneOS, because it would suppress unwanted ads on system level. Or does someone know of an app, which would be compatible with GrapheneOS?

                  You're trying to use the Android leak blocking toggle with a VPN app not providing traffic routing. The leak blocking toggle is working as designed and preventing all the non-DNS traffic from leaking. This is a configuration error on your part. There's nothing about this specifically incompatible with GrapheneOS. It's a bad implementation of this though and it encourages massively reducing OS security. Recommend avoiding this app too.

                  NetGuard is meant to actually filter traffic and SHOULD be compatible with the leak blocking toggle like RethinkDNS. None of this is specific to GrapheneOS. We improve the leak blocking but it does not break any of these apps. They would break with it on the stock Pixel OS too, it's just not enabled by default in the setup screen there.

                  I am sorry to have not seen the number 68 in the URL to this thread. I have only seen: "app-compatibility-with-grapheneos" and therefore I thought, it could be the right place for my questions.

                  I thank you for your quick answers and I will need some time to understand all this in detail. And I will regard your hints to the manual or the FAQ.

                  4 days later

                  It's been reported here that certain Google AI features stop working after unlocking the bootloader. Has anybody with a P9 tested this? I mean it's probably not a big deal considering that many users here wouldn't touch that anyway but it's good for full disclosure and future users who might consider jumping ships to GrapheneOS. (Apologies if this issue has been discussed somewhere else. A quick forum scan did not yield any results on this.)

                    Phead It's been reported here that certain Google AI features stop working after unlocking the bootloader.

                    Quote from the article you linked:

                    Unrooting and locking the bootloader seems to be the only reliable fix so far.

                    If you are following the official install instructions, GrapheneOS will not be rooted and the bootloader will be locked. So this is a non-issue. 😊

                      fid02 If you are following the official install instructions, GrapheneOS will not be rooted and the bootloader will be locked. So this is a non-issue.

                      True, but you have to unlock the bootloader first, before you lock it again. My question was if the mere unlocking prevents the Google AI stuff from working or if it's the state of being unlocked (which, in our case should not be a problem since we lock it in one of the final install steps, as you correctly pointed out).

                        Phead My question was if the mere unlocking prevents the Google AI stuff from working or if it's the state of being unlocked (which, in our case should not be a problem since we lock it in one of the final install steps, as you correctly pointed out).

                        The article says that unrooting and re-locking solves the problem. If that is true (I have no idea) then the problem is being unlocked. I don't see how to read that text any other way.

                        If the problem is a strong Play integrity check, then those apps likely won't run on GrapheneOS, period.

                        It is plausible that clicking through to the XDA posts will reveal more details.