
On the pre-production status



22 minutes ago, anonim001 said:

Can someone explain, cause I can't find the answer anywhere... Is the device with LineageOS flashed but unrooted still SafetyNet approved? I'm using the banking app very often and I remember reading somewhere that flashing LineageOS can cause problems with some apps.

No, LineageOS does not pass SafetyNet as shipped.  It passes everything else though (e.g. Play Store / Play Services will see the device as registered and authorized).

 

Folks that use custom ROMs and need SafetyNet compliance usually use Magisk.  I can't say much else on the subject, as I don't need SafetyNet and never installed Magisk.

 

  • Like 1
  • Thanks 1

Magisk will not be able to hide the open bootloader state from SafetyNet anymore in the near future, see: 

So everything is screwed either way then. You not using apps locking you out don't matter enough for anything to change (but it somehow matters enough to lock you out). You doing exactly the same things on your PC where you do have power is fine. Nothing makes sense these days.

 

  • Sad 1
20 minutes ago, tdm said:

Folks that use custom ROMs and need SafetyNet compliance usually use Magisk.  I can't say much else on the subject, as I don't need SafetyNet and never installed Magisk.

Thanks, that clears it up!

So what we'd now need would be someone who can say more on the subject 🙂 – anyone? 

I'd really like to use LineageOS when I get my phone, but unfortunately SafetyNet is a must, as I rely on at least two apps which need it  – one is a health related app, the other is my bank's app without which I cannot even log in to their banking website on my PC anymore. (Yes, and this is not even one of the flashy new Fintech startups, it's a bank with some history...)

8 minutes ago, elvissteinjr said:

Magisk will not be able to hide the open bootloader state from SafetyNet anymore in the near future

Bummer.

Does "in the near future" mean, though, that it still might with LineageOS 16 and 17?

20 minutes ago, Rob. S. said:

Thanks, that clears it up!

So what we'd now need would be someone who can say more on the subject 🙂 – anyone? 

I'd really like to use LineageOS when I get my phone, but unfortunately SafetyNet is a must, as I rely on at least two apps which need it  – one is a health related app, the other is my bank's app without which I cannot even log in to their banking website on my PC anymore. (Yes, and this is not even one of the flashy new Fintech startups, it's a bank with some history...)

This is my problem as well. I want to use the Pro1 for work and banking and a lot of apps required for those will not work without SafetyNet. And seeing @tdm's fantastic work on LineageOS, fixing all the issues that bothered me in the stock ROM, I'm leaning towards using LineageOS more and more but only if SafetyNet can work somehow.

Edited by AnnieC
  • Like 3
19 minutes ago, Rob. S. said:

Bummer.

Does "in the near future" mean, though, that it still might with LineageOS 16 and 17?

My understanding is that in R (which will surely be LineageOS 18), Google has implemented some sort of cryptographic authenticator using the TEE for SafetyNet attestation.  In layman's terms, this means the validation is happening in a place that cannot be easily seen or modified, and thus cannot be easily faked as it is now.  But keep in mind I am not an expert on SafetyNet -- I don't use it and generally don't care about it.  I only read a short post by John Wu on the subject.

 

  • Like 4
  • Thanks 1
56 minutes ago, tdm said:

No, LineageOS does not pass SafetyNet as shipped.  It passes everything else though (e.g. Play Store / Play Services will see the device as registered and authorized).

If I enter settings in the Android Market and scroll down, it says "Device is not certified" on Lineage Test11

Just now, EskeRahn said:

If I enter settings in the Android Market and scroll down, it says "Device is not certified" on Lineage Test11

Yes, correct.  But certified is not the same as registered/authorized.  When the device is not registered/authorized, you are completely blocked from the Play Store.  Certified is probably related to SafetyNet stuff.

 

 

  • Like 1
  • Thanks 1
27 minutes ago, tdm said:

Yes, correct.  But certified is not the same as registered/authorized.  When the device is not registered/authorized, you are completely blocked from the Play Store.  Certified is probably related to SafetyNet stuff.

Well there are (at the least) three levels

  1. Authorized to run the Android Market
  2. the "Device is certified" within the Android Market
  3. SafetyNet

So Lineage passes the first, but not the second (and thus not the third)


How can the PRO¹ be approved by google with the unlocked bootloader?

Quote

With the Pro1 you have the flexibility with the unlocked bootloader enabling you to load other popular

According to many of these news items, the problems come from unlocking a locked bootloader and SafetyNet detecting the bootloader is unlocked.

In this case, the android being signed by google is being shipped on an unlocked bootloader. Could it be, due to that nuance, we are safe?

7 minutes ago, brunoais said:

How can the PRO¹ be approved by google with the unlocked bootloader?

According to many of these news items, the problems come from unlocking a locked bootloader and SafetyNet detecting the bootloader is unlocked.

In this case, the android being signed by google is being shipped on an unlocked bootloader. Could it be, due to that nuance, we are safe?

That's outdated, current devices are shipped with a locked bootloader. First shipments were with an unlocked bootloader, but customers had to lock it to pass safetynet. See 

 

  • Thanks 1
8 minutes ago, brunoais said:

How can the PRO¹ be approved by google with the unlocked bootloader?

According to many of these news items, the problems come from unlocking a locked bootloader and SafetyNet detecting the bootloader is unlocked.

In this case, the android being signed by google is being shipped on an unlocked bootloader. Could it be, due to that nuance, we are safe?

I'm pretty sure it (except the very first batch) is sent with an unlockable not an unlocked bootloader. It is only the last OTA that broke the safetynet test.

  • Like 2
  • Thanks 2

And.... There goes a reason to own this phone.... The keyboard can be good.... It appears to be very good. Maybe I can only hope that the software F(x)tec is hiring to be done is done appropriately...

I use bank apps and other apps which I'm sure they verify against safetynet...

Now I can only check and wait if this goes anywhere... I suggest you star that ticket... It may help

When can I have a phone I can call mine and not have others define if my stuff is secure or not?!?! If it is not secure, it's my problem, not theirs.

Edited by brunoais
Emphasis
  • Thanks 1

It was always known that default LineageOS wouldn't pass safetynet. Only "new" information is that the stock software is perhaps subpar, but I wouldn't say that's news either and I expected that, and it's also subjective. I don't think this is even a problem with the phone, more so with proprietary apps being stupid.

  • Like 1
4 minutes ago, Zamasu said:

It was always known that default LineageOS wouldn't pass safetynet. Only "new" information is that the stock software is perhaps subpar, but I wouldn't say that's news either and I expected that, and it's also subjective. I don't think this is even a problem with the phone, more so with proprietary apps being stupid.

 

I will not comment on whether stock is subpar or not.  That is a subjective call.  But I will say that stock is pretty much just a basic BSP build with a few changes tossed in here and there (like landscape mode).  This is something that a developer team at any other company would use as a starting point for their stock software.  It is not a finished product that was meant to be used by consumers.

 

There are reasons for this, as I have mentioned -- IdeaLTE is a hardware company and FxTec cannot afford a software team.  But folks who choose to use stock should know about this situation so that their expectations are not set too high.

 

  • Like 3
26 minutes ago, brunoais said:

And.... There goes a reason to own this phone.... The keyboard can be good.... It appears to be very good. Maybe I can only hope that the software F(x)tec is hiring to be done is done appropriately...

.
.

When can I have a phone I can call mine and not have others define if my stuff is secure or not?!?! If it is not secure, it's my problem, not theirs.

On the first. Adding FinQwerty to me made all the difference in getting a good keyboard experience.

On the last, well yes and no. In some countries the consumers have a lot of rights on fraudulent activities, so obviously the banks want to protect themselves against any claims from the consumer that (s)he did not do a specific transaction. And the more secure the platform, the easier it is for them to prove that it actually was you.

On 3/12/2020 at 2:37 PM, elvissteinjr said:

Magisk will not be able to hide the open bootloader state from SafetyNet anymore in the near future, see: 

So everything is screwed either way then. You not using apps locking you out don't matter enough for anything to change (but it somehow matters enough to lock you out). You doing exactly the same things on your PC where you do have power is fine. Nothing makes sense these days.

 

Boooo!!!!  I'll refrain from including a list of expletives.

  • Like 1
8 hours ago, brunoais said:

And.... There goes a reason to own this phone.... The keyboard can be good.... It appears to be very good. Maybe I can only hope that the software F(x)tec is hiring to be done is done appropriately...

I use bank apps and other apps which I'm sure they verify against safetynet...

Right, so do I – but I have no need to use R for the time being. My plan is to use LineageOS 17 with SafetyNet cared for by Magisk (if I ever find out how this is done) as long as it is supported, and after that, if we're really out of luck with regard to SafetyNet + LineageOS then, I'll have another look at the state F(x)Tec's stock Android will be in. And maybe we're lucky and it will be good! Anyway, for me, that's the point in time to start worrying, not earlier. 

Edited by Rob. S.
  • Like 2

In reading the comments from that ticket, I like the idea of limiting (non-banking apps) so that they can tell if they (the apps) have been modified, not that something else in the system has been modified.  That seems like a good compromise for all involved.  Without that, and as aggressive as apps are getting about detecting system changes, AOSP and LOS could be hit hard by this.

Make the calls to the APIs that detect system changes be certified and only allow banking/money related apps to be certified.  Let apps like Snapchat and Netflix check to see if their apps have been modified, but not check if the system has been modified.

14 minutes ago, Rob. S. said:

My plan is to use LineageOS 17 with SafetyNet cared for by Magisk (if I ever find out how this is done) as long as it is supported

^^^This.  And stock android Q + Magisk.

Some of us will just have to hope we reach our expiration date before the rooted Pro1s we are holding in our crippled, old hands do.

  • Haha 1

Regarding SafetyNet I'm not entirely sure but I get the feeling that keeping an older Android version doesn't mean you'll be fine. I only have very surface level understanding, but while the key attestation is not fully enforced yet across the board, server-side checks and Play Services updates should bring it to older devices all the same. The server-side check will prevent any modded Play Services from getting around this. And since the data is signed by the hardware that you have no control over at all... yeah, good night.

  • Thanks 1
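
Added example, not part of any post in this thread: a sketch of the server-side policy step the posts above describe, using the SafetyNet Attestation payload fields `basicIntegrity`, `ctsProfileMatch` and `evaluationType`. The package name, nonce, timestamps and sample responses are constructed, and the JWS signature and certificate chain are assumed to have been validated before this step.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_jws(payload: dict) -> str:
    """Build a constructed, UNSIGNED stand-in for a SafetyNet JWS response."""
    header = _b64url(json.dumps({"alg": "RS256"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.constructed-signature"

def decode_payload(jws: str) -> dict:
    """Decode the middle (payload) segment of a compact JWS."""
    body = jws.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def evaluate(jws, nonce, package, now_ms, max_age_ms=120_000, require_hardware=True):
    """Policy step only: a real backend must verify the JWS signature first."""
    p = decode_payload(jws)
    if base64.b64decode(p.get("nonce", "")) != nonce:
        return "REJECT_NONCE"            # replayed or foreign response
    if now_ms - p.get("timestampMs", 0) > max_age_ms:
        return "REJECT_STALE"
    if p.get("apkPackageName") != package:
        return "REJECT_PACKAGE"
    if not p.get("basicIntegrity", False):
        return "FAIL_BASIC_INTEGRITY"
    if not p.get("ctsProfileMatch", False):
        return "FAIL_CTS_PROFILE"        # build is not a certified profile
    kinds = {k.strip() for k in p.get("evaluationType", "").split(",")}
    if require_hardware and "HARDWARE_BACKED" not in kinds:
        return "FAIL_NOT_HARDWARE_BACKED"  # verdict came from software signals only
    return "PASS"

# Constructed inputs (hypothetical app and values)
NONCE, NOW, PKG = b"constructed-server-nonce", 1_584_000_000_000, "com.example.bank"

def sample(cts, eval_type, nonce=NONCE):
    return make_sample_jws({
        "nonce": base64.b64encode(nonce).decode(), "timestampMs": NOW - 5_000,
        "apkPackageName": PKG, "basicIntegrity": True,
        "ctsProfileMatch": cts, "evaluationType": eval_type})

CERTIFIED = sample(True, "BASIC,HARDWARE_BACKED")   # certified build, locked bootloader
UNCERTIFIED = sample(False, "BASIC")                # uncertified build
SOFTWARE_ONLY = sample(True, "BASIC")               # passes without hardware evidence
REPLAYED = sample(True, "BASIC,HARDWARE_BACKED", nonce=b"old-nonce")

if __name__ == "__main__":
    for name in ("CERTIFIED", "UNCERTIFIED", "SOFTWARE_ONLY", "REPLAYED"):
        print(name, evaluate(globals()[name], NONCE, PKG, NOW))
```

With `require_hardware=False` the software-only sample is accepted, which is the gap that a hardware-backed evaluation closes on the server side.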
4 hours ago, elvissteinjr said:

Regarding SafetyNet I'm not entirely sure but I get the feeling that keeping an older Android version doesn't mean you'll be fine. I only have very surface level understanding, but while the key attestation is not fully enforced yet across the board, server-side checks and Play Services updates should bring it to older devices all the same. The server-side check will prevent any modded Play Services from getting around this. And since the data is signed by the hardware that you have no control over at all... yeah, good night.

Booo!!!! (not you, the issue)

1 hour ago, anonim001 said:

Another dumb question: can't we re-lock the BL after flashing LOS? Wouldn't it solve the problem? 

I'm not 100% sure how this all works, but I think that the bootloader check is just 1 of the safetynet checks. LOS wouldn't be verified by Google, which is also one of the checks.

  • Like 1