tdm, posted March 12, 2020:

> 22 minutes ago, anonim001 said:
> Can someone explain, cause I can't find the answer anywhere... Is the device with LineageOS flashed but unrooted still SafetyNet approved? I'm using the banking app very often and I remember reading somewhere that flashing LineageOS can cause problems with some apps.

No, LineageOS does not pass SafetyNet as shipped. It passes everything else though (e.g. Play Store / Play Services will see the device as registered and authorized).

Folks that use custom ROMs and need SafetyNet compliance usually use magisk. I can't say much else on the subject, as I don't need SafetyNet and never installed magisk.

elvissteinjr, posted March 12, 2020:

Magisk will not be able to hide the open bootloader state from SafetyNet anymore in the near future, see:

So everything is screwed either way then. You not using apps locking you out don't matter enough for anything to change (but it somehow matters enough to lock you out). You doing exactly the same things on your PC where you do have power is fine. Nothing makes sense these days.

Rob. S., posted March 12, 2020:

> 20 minutes ago, tdm said:
> Folks that use custom ROMs and need SafetyNet compliance usually use magisk. I can't say much else on the subject, as I don't need SafetyNet and never installed magisk.

Thanks, that clears it up! So what we'd now need would be someone who can say more on the subject 🙂 – anyone? I'd really like to use LineageOS when I get my phone, but unfortunately SafetyNet is a must, as I rely on at least two apps which need it – one is a health related app, the other is my bank's app without which I cannot even log in to their banking website on my PC anymore. (Yes, and this is not even one of the flashy new Fintech startups, it's a bank with some history...)

Rob. S., posted March 12, 2020:

> 8 minutes ago, elvissteinjr said:
> Magisk will not be able to hide the open bootloader state from SafetyNet anymore in the near future

Bummer. Does "in the near future" mean, though, that it still might with LineageOS 16 and 17?

AnnieC, posted March 12, 2020 (edited):

> 20 minutes ago, Rob. S. said:
> Thanks, that clears it up! So what we'd now need would be someone who can say more on the subject 🙂 – anyone? I'd really like to use LineageOS when I get my phone, but unfortunately SafetyNet is a must, as I rely on at least two apps which need it – one is a health related app, the other is my bank's app without which I cannot even log in to their banking website on my PC anymore. (Yes, and this is not even one of the flashy new Fintech startups, it's a bank with some history...)

This is my problem as well. I want to use the Pro1 for work and banking and a lot of apps required for those will not work without SafetyNet. And seeing @tdm's fantastic work on LineageOS, fixing all the issues that bothered me in the stock ROM, I'm leaning towards using LineageOS more and more but only if SafetyNet can work somehow.

Edited March 12, 2020 by AnnieC

tdm, posted March 12, 2020:

> 19 minutes ago, Rob. S. said:
> Bummer. Does "in the near future" mean, though, that it still might with LineageOS 16 and 17?

My understanding is that in R (which will surely be LineageOS 18), Google has implemented some sort of cryptographic authenticator using the TEE for SafetyNet attestation. In layman's terms, this means the validation is happening in a place that cannot be easily seen or modified, and thus cannot be easily faked as it is now.

But keep in mind I am not an expert on SafetyNet -- I don't use it and generally don't care about it. I only read a short post by John Wu on the subject.

EskeRahn, posted March 12, 2020:

> 56 minutes ago, tdm said:
> No, LineageOS does not pass SafetyNet as shipped. It passes everything else though (e.g. Play Store / Play Services will see the device as registered and authorized).

If I enter settings in the android market and scroll down, it says "Device is not certified" on lineage Test11

tdm, posted March 12, 2020:

> Just now, EskeRahn said:
> If I enter settings in the android market and scroll down, it says "Device is not certified" on lineage Test11

Yes, correct. But certified is not the same as registered/authorized. When the device is not registered/authorized, you are completely blocked from the Play Store. Certified is probably related to SafetyNet stuff.

EskeRahn, posted March 12, 2020:

> 27 minutes ago, tdm said:
> Yes, correct. But certified is not the same as registered/authorized. When the device is not registered/authorized, you are completely blocked from the Play Store. Certified is probably related to SafetyNet stuff.

Well, there are (at the least) three levels:

1. Authorized to run the Android Market
2. The "Device is certified" within the Android Market
3. SafetyNet

So Lineage passes the first, but not the second (and thus not the third).

brunoais, posted March 13, 2020:

How can the PRO¹ be approved by google with the unlocked bootloader?

> With the Pro1 you have the flexibility with the unlocked bootloader enabling you to load other popular

According to many of these news, the problems come from unlocking a locked bootloader and safetynet detecting the bootloader is unlocked. In this case, the android being signed by google is being shipped on an unlocked bootloader. Could it be, due to that nuance, we are safe?

Zamasu, posted March 13, 2020:

> 7 minutes ago, brunoais said:
> How can the PRO¹ be approved by google with the unlocked bootloader? According to many of these news, the problems come from unlocking a locked bootloader and safetynet detecting the bootloader is unlocked. In this case, the android being signed by google is being shipped on an unlocked bootloader. Could it be, due to that nuance, we are safe?

That's outdated, current devices are shipped with a locked bootloader. First shipments were with an unlocked bootloader, but customers had to lock it to pass safetynet. See

EskeRahn, posted March 13, 2020:

> 8 minutes ago, brunoais said:
> How can the PRO¹ be approved by google with the unlocked bootloader? According to many of these news, the problems come from unlocking a locked bootloader and safetynet detecting the bootloader is unlocked. In this case, the android being signed by google is being shipped on an unlocked bootloader. Could it be, due to that nuance, we are safe?

I'm pretty sure it (except the very first batch) is sent with an unlockable not an unlocked bootloader.

It is only the last OTA that broke the safetynet test.

brunoais, posted March 13, 2020 (edited):

And.... There goes a reason to own this phone.... The keyboard can be good.... It appears to be very good. Maybe I can only hope that the software F(x)tec is hiring to be done is done appropriately... I use bank apps and other apps which I'm sure they verify against safetynet... Now I can only check and wait if this goes anywhere... I suggest you to star that ticket... It may help

When can I have a phone I can call mine and not have others define if my stuff is secure or not?!?! If it is not secure, it's my problem, not theirs.

Edited March 13, 2020 by brunoais: Emphasis

Zamasu, posted March 13, 2020:

It was always known that default LineageOS wouldn't pass safetynet. Only "new" information is that the stock software is perhaps subpar, but I wouldn't say that's news either and I expected that, and it's also subjective. I don't think this is even a problem with the phone, more so with proprietary apps being stupid.

tdm, posted March 13, 2020:

> 4 minutes ago, Zamasu said:
> It was always known that default LineageOS wouldn't pass safetynet. Only "new" information is that the stock software is perhaps subpar, but I wouldn't say that's news either and I expected that, and it's also subjective. I don't think this is even a problem with the phone, more so with proprietary apps being stupid.

I will not comment on whether stock is subpar or not. That is a subjective call. But I will say that stock is pretty much just a basic BSP build with a few changes tossed in here and there (like landscape mode). This is something that a developer team at any other company would use as a starting point for their stock software. It is not a finished product that was meant to be used by consumers.

There are reasons for this, as I have mentioned -- IdeaLTE is a hardware company and FxTec cannot afford a software team. But folks who choose to use stock should know about this situation so that their expectations are not set too high.

EskeRahn, posted March 13, 2020:

> 26 minutes ago, brunoais said:
> And.... There goes a reason to own this phone.... The keyboard can be good.... It appears to be very good. Maybe I can only hope that the software F(x)tec is hiring to be done is done appropriately...
> . .
> When can I have a phone I can call mine and not have others define if my stuff is secure or not?!?! If it is not secure, it's my problem, not theirs.

On the first. Adding FinQwerty to me made all the difference in getting a good keyboard experience.

On the last, well yes and no. In some countries the consumers have a lot of rights on fraudulent activities, so obviously the banks want to protect themselves against any claims from the consumer that (s)he did not do a specific transaction. And the more secure the platform, the easier it is for them to prove that it actually was you.

brunoais, posted March 13, 2020:

As I said. It was a (one) reason to own the phone. There are many other reasons to own this phone in detriment of others. I believe the keyboard and FinQWERTY installed, as you, @EskeRahn, mention; are reasons to still have it.

david, posted March 13, 2020:

> On 3/12/2020 at 2:37 PM, elvissteinjr said:
> Magisk will not be able to hide the open bootloader state from SafetyNet anymore in the near future, see:
> So everything is screwed either way then. You not using apps locking you out don't matter enough for anything to change (but it somehow matters enough to lock you out). You doing exactly the same things on your PC where you do have power is fine. Nothing makes sense these days.

Boooo!!!! I'll refrain from including a list of expletives.

Rob. S., posted March 13, 2020 (edited):

> 8 hours ago, brunoais said:
> And.... There goes a reason to own this phone.... The keyboard can be good.... It appears to be very good. Maybe I can only hope that the software F(x)tec is hiring to be done is done appropriately... I use bank apps and other apps which I'm sure they verify against safetynet...

Right, so do I – but I have no need to use R for the time being. My plan is to use LineageOS 17 with SafetyNet cared for by Magisk (if I ever find out how this is done) as long as it is supported, and after that, if we're really out of luck with regard to SafetyNet + LineageOS then, I'll have another look at the state F(x)Tec's stock Android will be in. And maybe we're lucky and it will be good! Anyway, for me, that's the point in time to start worrying, not earlier.

Edited March 13, 2020 by Rob. S.

david, posted March 13, 2020:

In reading the comments from that ticket, I like the idea of limiting (non-banking apps) so that they can tell if they (the apps) have been modified, not that something else in the system has been modified. That seems like a good compromise for all involved. Without that, and as aggressive as apps are getting about detecting system changes, AOSP and LOS could be hit hard by this.

Make the calls to the APIs that detect system changes be certified and only allow banking/money related apps to be certified. Let apps like Snapchat and Netflix check to see if their apps have been modified, but not check if the system has been modified.

david, posted March 13, 2020:

> 14 minutes ago, Rob. S. said:
> My plan is to use LineageOS 17 with SafetyNet cared for by Magisk (if I ever find out how this is done) as long as it is supported

^^^This. And stock android Q + Magisk. Some of us will just have to hope we reach our expiration date before the rooted Pro1s we are holding in our crippled, old hands do.

elvissteinjr, posted March 13, 2020:

Regarding SafetyNet I'm not entirely sure but I get the feeling that keeping an older Android version doesn't mean you'll be fine. I only have very surface level understanding, but while the key attestation is not fully enforced yet across the board, server-side checks and Play Services updates should bring it to older devices all the same. The server side check will prevent any modded Play Services to get around this. And since the data is signed by the hardware that you have no control over at all... yeah, good night.

david, posted March 14, 2020:

> 4 hours ago, elvissteinjr said:
> Regarding SafetyNet I'm not entirely sure but I get the feeling that keeping an older Android version doesn't mean you'll be fine. I only have very surface level understanding, but while the key attestation is not fully enforced yet across the board, server-side checks and Play Services updates should bring it to older devices all the same. The server side check will prevent any modded Play Services to get around this. And since the data is signed by the hardware that you have no control over at all... yeah, good night.

Booo!!!! (not you, the issue)

anonim001, posted March 16, 2020 (edited):

Another dumb question: can't we re-lock the BL after flashing LOS? Wouldn't it solve the problem?

Edited March 16, 2020 by anonim001

Zamasu, posted March 16, 2020:

> 1 hour ago, anonim001 said:
> Another dumb question: can't we re-lock the BL after flashing LOS? Wouldn't it solve the problem?

I'm not 100% sure how this all works, but I think that the bootloader check is just 1 of the safetynet checks. LOS wouldn't be verified by Google, which is also one of the checks.