nrt

  • Joined Jun 10, 2022
  • In App compatibility with GrapheneOS

    Possible workaround solutions

    UPDATE

    This guide will be revised with the latest changes shortly. (Jan 26, 2025, 17:40 Pacific)

    For some problematic apps, including some banking apps.

    Purpose: Utilize as a reference permalink for consistent citing on duplicates across platforms. e.g.

    Table of contents

    Important announcements

    December 1, 2023 – Compatibility of Banking Apps with GrapheneOS

    If you receive a warning from your banking app indicating that your device may be insecure, jailbroken, or rooted, this is usually due to the SafetyNet/Play Integrity API. Specifically, your device fails to pass MEETS_DEVICE_INTEGRITY or MEETS_STRONG_INTEGRITY.

    As of now, there are no direct solutions available to users. However, you can help by contacting your bank. Inform them of this issue and suggest they refer to the GrapheneOS Attestation Compatibility Guide for their developers, available here: Attestation Compatibility Guide.

    Banking app compatibility with GrapheneOS

    To submit, view, and/or track international banking apps compatibility with GrapheneOS, please use this issue-tracker.

    A 3rd party community-sourced effort containing banking app compatibility information is maintained by PrivSec.dev. GrapheneOS does not make any guarantees regarding the list's validity.

    Possible workaround solutions

    1. Native code debugging

    Allow the app to make use of native code debugging. Launch app.
    If unsuccessful, proceed to step 2.

    SettingsAppsApp in questionExploit protectionNative code debugging

    2. Exploit protection compatibility mode

    Enable the per-app exploit protection compatibility mode. Launch app.
    If unsuccessful, proceed to step 3 for testing only.

    SettingsAppsApp in questionExploit protectionExploit protection compatibility mode

    Turning on the exploit protection compatibility toggle reduces system security but may allow the application to run without crashing. The app crashed because GrapheneOS detected a memory corruption bug that may be exploitable by an attacker.

    3. Secure app spawning

    3.1 - Temporarily disable secure app spawning.

    SettingsSecurity & privacyExploit protectionSecure app spawning

    3.2 - Disable the exploit protection compatibility mode as described in step 2.

    3.3 - Restart device. Launch app to see if this GrapheneOS feature caused the compatibility issue. The app may be refusing to run if it detects a different spawning mechanism.

    Significant security loss and directly affecting some privacy using Zygote

    • Disabling exec-based spawning reverts to using the traditional Zygote spawning model AOSP's app processes
    • Spawned as a clone of the Zygote
    • Each app process has the same random secrets for ASLR, SSP, memory tagging, pointer authentication, setjmp canaries, and heap randomization
    • Half of the userspace is made of app processes
    • Applies across all profiles
    • App in profile A and profile B have same random values, which they can see

    3.4 - Revert to secure spawning by enabling it again and restart device.
    See step 3.1 above.

    4. Alternative frontend clients

    Potential use of an unofficial/alternative Google Play Store frontend client may be problematic for misguided apps:

    • They can check if they were installed from the Play Store and can choose to refuse to work if they were not installed from the Play Store.
    • Some forbid usage on non-stock OS (most OSes are insecure)
    • May cause your Google Account to be disabled/blocked/blacklisted by Google.
    • Anonymous account usage may have negative consequences and have a less secure connection to the Play Store servers.

    General recommendation: Install Sandboxed Google Play. Optionally use a throwaway account.

    5. Search the existing issues

    Search the forum, os-issue-tracker, and/or within the community for keyword(s) specific to the app name.
    If unsuccessful with finding a solution, only than proceed to step 6.

    6. Capture a bug report

    6.1 - To view the specific app's logs, go to SettingsAppsAll appsAPPView logs.

    Note: With the release of 2024011300, GrapheneOS developers have introduced a log viewer, accessible via SettingsSystemView logs. This LogViewer avoids the need for developer options to create useful bug reports and inspect the device for issues.

    6.2 - Attempt to reproduce the issue by capturing a 'Bug report' using the feature in Developer options if you still run into the app aborting at launch.

    • Enable Developer option by tapping the 'Build number' 7 times.
      SettingsAbout phoneDevice identifiersBuild number

    • Capture a bug report.
      SettingsSystemDeveloper optionsBug ReportInteractive reportREPORT

    Note: If you are doing a bug report, the .zip file can contain sensitive info.

    6.3 - Alternatively, using logcat.

    Example:

    • Prepare for reproduction
    • adb logcat -c to clear previous logs
    • Reproduce the issue
    • In a timely manner to avoid unecessary logs:
      • adb logcat -d > issue.log to dump the logs in a file named issue.log

    6.4 - Disable the developer options.

    SettingsSystemDeveloper optionsUse developer options

    We recommend disabling developer options as a whole for a device that's not being used for app or OS development.

    7. Submit a bug report

    Open a new issue, provide a description and make contact via the appropriate channels with a similar message like "Bug report capture for issue #104". in order to submit the bug report capture zip privately. (Replace the issue # number).

    Next steps

    Problematic applications

    It's plausible that this is app-related, rather than a compatibility issue with GrapheneOS - acknowledging this factor must be considered. (Ref. 2568#issuecomment-1766887298)

    Not compatible

    Due to the deprecation of SafetyNet attestations, there is increasing changes among some apps on the Play Store to switch over to the new Play Integrity API. Consequently, some of these apps are known to set themselves as unavailable for devices that do not pass Play Integrity checks at various levels.

    See View and restrict your app's compatible devices and Store listing visibility

    Turn on integrity checks for your store listing so that Google Play can check that devices pass integrity checks before making your store listing visible to users.

    This feature is primarily intended for use only by apps using the Play Integrity API. It aims to prevent users from encountering a poor experience by installing these apps, only to find they do not function properly on their devices.

    Please see the Attestation compatibility guide on using remote attestation in a way that's compatible with GrapheneOS and how you can help.

    GrapheneOS users are strongly encouraged to share this documentation with app developers enforcing only being able to use the stock OS. Send an email to the developers and leave a review of the app with a link to this information. Share it with other users and create pressure to support GrapheneOS rather than locking users into the stock OS without a valid security reason. GrapheneOS not only upholds the app security model but substantially reinforces it, so it cannot be justified with reasoning based on security, anti-fraud, etc.

    • In Can't install PWAs

      Lukas I can't reproduce this issue. When I tap Add to home screen, the app gets installed, and the icon gets added to the highest available spot on my home screen .

        • In How would you send things between profiles?

          Hat I don't personally use Syncthing, but the last time I tested it, I believe either was possible.

          • nrt likes this.
          • In How do I use a sim card safely and non traceably

            • [deleted]

            • Post #13

            Not possible.

            • nrt likes this.
          • In A message for Grapos developers. whats your recomendation?

            • [deleted]

            • Post #3

            Welcome to the world of a discussion forum. What you described in terms of user interaction happens everywhere, including the Matrix community. Unfortunately, that's just what happens sometimes. People have their opinions/views on things and they don't always align with other ones.

            Telling you what to do isn't exactly straightforward since one person's threat model can differ from someone else's. Sandboxed Google Play may be perfectly fine for one person but not for another.

            • nrt likes this.
          • In Can google apps send data though sandboxed google play services?

            Hey! This is a topic that has been discussed numerous times before - you can likely find other instances of it being discussed if you look for it on here.

            That said, apps in the same profile can communicate with each other with mutual consent. Mutual consent means that both apps have to agree to be able to share data. If one party (one app) is unwilling, another app can't just take another app's data. All apps are sandboxed and their app data is isolated.

            This is in no way specific to Google apps, it's something that apps can do in general. IPC is not some evil thing, you probably see it in practice when using your phone every day, and you don't even realize it.

            If you don't want two apps to be able to communicate with each other in this manner, even if they mutually consent, you can put them in different profiles, which would prevent them from being able to see or communicate with each other.

            Furthermore, GrapheneOS will likely have a feature in the future that will allow you to prevent app communication in the same profile as you choose. You can see a proof of concept of this here:

            https://twitter.com/GrapheneOS/status/1636042398043086850

            The feature is in the research phase, because the project wants it to provide meaningful benefits, and not a false sense of security, so there are multiple things that this feature would have to adjust for it to provide a tangible benefit and actually do what it says on the tin. There is no ETA for when this feature will be added.

            I hope that helps!

            • In Is it clever that Graphene runs exclusively on Google phones??

              Knox Lets presume google would discontinue the Pixel Phones or make some significant hardware changes.. would it mean that the whole Graphene project would be dead instantly?

              If Google stopped issuing new Pixels, or stopped issuing Pixels usable by GrapheneOS, at that moment there would be a huge supply of devices which would still have years of support remaining. Since it would take only months for the developers to identify the next-best platform and port to it, "dead instantly" seems unlikely.

              • nrt likes this.
              • In Tethering is being detected by T-Mobile...
              • In Donate and support GrapheneOS!
              • In Are apps able to see the network they are connected to?

                TREX
                Only if they have the correct permission. I believe the location permission gives access to the current SSID.

                • In Why Google Play Store have access to other apps on GrapheneOS?

                  Goofiness1142 Is this true for every other apps? Can they know all apps that I have in my phone?

                  Yes. There is a feature request about hiding apps from other apps' view but at the moment if you want to prevent an app from seeing which other apps are installed, you need to use profiles.

                    • In pixel tablet telephony apps
                    • In Google apps and Google accounts

                      As others have already said there's no way to avoid this if you run all apps in the same user profile.

                      If you don't want your other Google apps associated with your Google account, I suggest the following set-up:

                      • Install sandboxed Google Play Services in the owner profile and sign into Google Play Store there to install and keep up to date the apps you require
                      • Setup a secondary profile in which you do not sign into a Google account
                      • Use the install available apps feature in GrapheneOS to install required apps from owner profile to secondary profile
                      • Keep the apps you want to use in the secondary profile disabled in the owner profile.

                      With that setup, Google Play Store in the owner profile will keep the apps updated across all profiles. But you'll have the Google apps in your secondary profile separate from your Google account in the owner profile.

                      • In pixel tablet launcher

                        The GrapheneOS team are unlikely to deviate from UI/UX of AOSP for features such as this, unless it can be well justified. Because the development team is small, and they're focussed on developing private and secure devices. Such a feature might be simple to implement, but a number of these features can stack up, and make maintenance of the OS much more onerous, and would likely mean that it takes a lot longer for the development team to update the OS, especially for new Android version releases. That's rather counter to the aims of the project, and therefore is avoided.

                      • In Screen Cast on GrapheneOS
                      • In Google play store versus aurora/fdroid

                        Seeing as you have a Google account made specifically for this purpose, and especially if you're going to be using Sandboxed Google Play for app compatibility with apps that require it, I don't see the point in not using Play Store, given that it would already have to be installed either way.

                        • In Disable Google Play apps when not in use
                        • In Crowdfunding to implment call recording?

                          Toasty

                          Yeah, it's not high on priority. Especially with apps that work reasonably well, the legal grey area, it's a tough sell that the OS should do it natively.

                          I think fixing the Backup solution should be something we should help fund.

                            • In Feature REQ: Turn flashlight on/off by holding power button

                              dirksche I understand totally.
                              My concern comes from the fact that in the FOSS community it's common for consumers to expect so much from developers that developers often quit out of frustration. Call me selfish but I'd hate for GrapheneOS to go under because the community became too toxic for the devs to handle.

                                • In GrapheneOS is part of the Proton 2022 Lifetime Account Charity Fundraiser

                                  https://twitter.com/GrapheneOS/status/1603770947873415170

                                  GrapheneOS will be receiving funds from Proton in order to help fund our team and work on upcoming features to the project. One of these features will be contact scopes, where you will be able to selectively choose which contacts you expose to an app, much like how you can selectively choose which files you expose to app with our storage scopes feature. We also plan to have many user onboarding experience improvements, as we want to make GrapheneOS even more user friendly! As part of doing so we will be writing a new SetupWizard application, which provides the onboarding screens you see when you first power on a GrapheneOS installation or create a new profile.

                                  Check out Proton's blogpost here: https://proton.me/blog/2022-lifetime-account-charity-fundraiser

                                  This was only possible because of our community, and on behalf of the team, thank you!