
Important Update: December 1, 2023 – Compatibility of Banking Apps with GrapheneOS #342

Open
akc3n opened this issue Dec 2, 2023 · 0 comments
Labels
Announcementㅤ📢 Important news / updates

Comments

akc3n commented Dec 2, 2023

Banking apps usage guide

Important

If you receive a warning from your banking app indicating that your device may be INSECURE, JAILBROKEN, or ROOTED, this is usually due to the SafetyNet/Play Integrity API. Specifically, your device fails to pass MEETS_DEVICE_INTEGRITY and/or MEETS_STRONG_INTEGRITY.

For more details, see the planned feature on this topic at the GrapheneOS issue tracker: Issue #1986

As of now, there are no direct solutions available to users. However, you can help by contacting your bank. Inform them of this issue and suggest they refer to the GrapheneOS Attestation Compatibility Guide for their developers, available here: Attestation Compatibility Guide.

Tip

This pinned issue might not always be kept up to date. For the most current information, please refer to the primary source thread App compatibility with GrapheneOS.


Official announcement news update:

GrapheneOS supports hardware attestation and has much stronger security than even the stock Pixel OS but isn't Google certified. Play Integrity and legacy SafetyNet Attestation check for Google certification, not any form of security. We have concrete plans to address this issue.

Due to hardware attestation and the support for it via the strong mode for Play Integrity and legacy SafetyNet Attestation, spoofing the Google certification checks is a lost cause over the long term. This is why we refrained from spoofing the much more commonly used basic mode.

Long term, the solution will be to convince organizations to support GrapheneOS by switching to directly using the hardware attestation API which has alternate OS support. See https://grapheneos.org/articles/attestation-compatibility-guide. This is much easier to use now that there's an official library for it.

In the meantime, we've decided to work on spoofing the software certification checks due to greatly expanding adoption of this security theater. We could add a notification for apps using this telling users to ask the developers to do it in a better way, not Google certification.

We're aware that an SDK used by many banking apps has recently adopted the weak software Google certification checks. This has greatly increased the priority of a short term workaround. When we have time, we'll contact the company making the SDK and some of the banks with our guide.

At some point, these SDKs are going to start using the strong mode and it's going to end the ability to spoof the checks. It's why we refrained from doing it because we know it's setting up events in the future where many apps suddenly lose compatibility from server side updates.

Extending our Sandboxed Google Play compatibility layer to support Android Auto is currently a top priority. It's nearly ready to ship, and after that the developer working on it will move on to a workaround for this to delay needing app developers or governments to solve it.

Primary source of announcement:
Twitter / Nitter | Mastodon | Bluesky
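The announcement above points app developers at the hardware attestation API rather than Play Integrity. What that looks like on the server side, as an added example that is not GrapheneOS project code or the official library: decode the KeyDescription extension (OID 1.3.6.1.4.1.11129.2.1.17) from the leaf attestation certificate, pull the hardware-enforced RootOfTrust, and apply a boot-key policy that admits both a stock OS (verified boot state Verified, OEM key) and GrapheneOS (verified boot state SelfSigned, a known GrapheneOS release key). The example assumes the certificate chain has already been validated against Google's hardware attestation root and that the attestation challenge was checked, and it uses placeholder key hashes; the real per-device hashes are the ones published in the attestation compatibility guide.

```python
"""Policy check on an Android hardware attestation RootOfTrust.
Added example, not GrapheneOS project code. Assumes chain validation and
challenge matching already happened; only decodes KeyDescription and
applies a verified-boot policy that accepts stock OS or GrapheneOS.
"""

# --- minimal DER encode/decode, enough for KeyDescription / RootOfTrust ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: bytes, content: bytes) -> bytes:
    return tag + _der_len(len(content)) + content

def der_seq(*parts: bytes) -> bytes:  return _tlv(b"\x30", b"".join(parts))
def der_int(v: int) -> bytes:         return _tlv(b"\x02", bytes([v]))  # small ints only
def der_enum(v: int) -> bytes:        return _tlv(b"\x0a", bytes([v]))
def der_octets(b: bytes) -> bytes:    return _tlv(b"\x04", b)
def der_bool(v: bool) -> bytes:       return _tlv(b"\x01", b"\xff" if v else b"\x00")

# Context-specific constructed tag [704] (rootOfTrust) in high-tag-number form.
TAG_ROOT_OF_TRUST = b"\xbf\x85\x40"

def read_tlv(buf: bytes, pos: int):
    """Return (tag_class, tag_number, value, next_pos) for the TLV at pos."""
    first = buf[pos]; pos += 1
    tag_class, number = first >> 6, first & 0x1F
    if number == 0x1F:                     # high tag number: base-128 continuation
        number = 0
        while True:
            b = buf[pos]; pos += 1
            number = (number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    length = buf[pos]; pos += 1
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big"); pos += nbytes
    return tag_class, number, buf[pos:pos + length], pos + length

def children(seq_value: bytes):
    out, pos = [], 0
    while pos < len(seq_value):
        cls, num, val, pos = read_tlv(seq_value, pos)
        out.append((cls, num, val))
    return out

# VerifiedBootState values from the Key Attestation schema.
VERIFIED, SELF_SIGNED, UNVERIFIED, FAILED = 0, 1, 2, 3

def parse_root_of_trust(key_description: bytes) -> dict:
    """Extract RootOfTrust from teeEnforced (field index 7), never softwareEnforced."""
    _, _, body, _ = read_tlv(key_description, 0)
    tee_enforced = children(body)[7][2]
    for cls, num, val in children(tee_enforced):
        if cls == 2 and num == 704:        # [704] EXPLICIT RootOfTrust
            _, _, rot, _ = read_tlv(val, 0)  # unwrap the inner SEQUENCE
            key, locked, state, boot_hash = children(rot)
            return {"verified_boot_key": key[2],
                    "device_locked": locked[2] != b"\x00",
                    "verified_boot_state": state[2][0],
                    "verified_boot_hash": boot_hash[2]}
    raise ValueError("no hardware-enforced RootOfTrust in attestation")

# Hypothetical allow-lists (constructed placeholders). In production, fill these
# with the per-device verified boot key hashes from the GrapheneOS guide and the OEM.
STOCK_BOOT_KEYS = {bytes.fromhex("aa" * 32)}
GRAPHENEOS_BOOT_KEYS = {bytes.fromhex("bb" * 32)}

def evaluate_policy(rot: dict) -> tuple:
    """Return (accepted, reason). Locked bootloader is required in every branch."""
    if not rot["device_locked"]:
        return False, "bootloader unlocked"
    key, state = rot["verified_boot_key"], rot["verified_boot_state"]
    if state == VERIFIED and key in STOCK_BOOT_KEYS:
        return True, "stock OS signed with an OEM key"
    if state == SELF_SIGNED and key in GRAPHENEOS_BOOT_KEYS:
        return True, "GrapheneOS signed with a known release key"
    return False, f"unknown boot key or verified boot state {state}"

def build_key_description(boot_key: bytes, locked: bool, state: int) -> bytes:
    """Construct a minimal sample KeyDescription (test data, not a real attestation)."""
    rot = der_seq(der_octets(boot_key), der_bool(locked), der_enum(state),
                  der_octets(b"\x00" * 32))
    tee_enforced = der_seq(_tlv(TAG_ROOT_OF_TRUST, rot))
    return der_seq(der_int(4), der_enum(1),          # attestationVersion, TEE level
                   der_int(4), der_enum(1),          # keymasterVersion, TEE level
                   der_octets(b"server-nonce"), der_octets(b""),
                   der_seq(),                        # softwareEnforced (empty)
                   tee_enforced)

if __name__ == "__main__":
    for label, ext in [
        ("grapheneos", build_key_description(bytes.fromhex("bb" * 32), True, SELF_SIGNED)),
        ("unlocked",   build_key_description(bytes.fromhex("bb" * 32), False, SELF_SIGNED)),
        ("unknown",    build_key_description(bytes.fromhex("cc" * 32), True, UNVERIFIED)),
    ]:
        print(label, evaluate_policy(parse_root_of_trust(ext)))
```

The point of the policy branch is that the verdict keys off the verified boot key and a locked bootloader, so an alternate OS with its own release key can be admitted explicitly rather than failing a Google-certification check; an unlocked device or an unknown key is rejected regardless of the state value. A production check would additionally verify the certificate chain, the challenge, attestationSecurityLevel, and OS version and patch level fields from the same extension.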

@akc3n akc3n pinned this issue Dec 2, 2023
This was referenced Dec 8, 2023
@akc3n akc3n added the Announcementㅤ📢 Important news / updates label Dec 8, 2023
@akc3n akc3n mentioned this issue Dec 13, 2023