Jump to content

Lineage and SafetyNet


Recommended Posts

I've been using my Pro1 and it's great. I decided to install Lineage and then Magisk and HideRoot and then managed to spoof the signature of a Pxel phone to pass the basic SafetyNet check.

This was all good and I thought all my apps were working, banking, games etc.

I then discovered that somehow Patient Access (https://play.google.com/store/apps/details?id=uk.co.patient.patientaccess&hl=en) is detecting root even though I have it hiding root and pass SafetyNet

So I have a couple of questions based on the above:

  1. I don't really NEED root. Can I adjust my lineage install to be rootless and pass SafteyNet and work?
  2. Can I reinstall Lineage without root and pass SafteyNetand run my apps?
  3. Is Ubuntu Touch at a usable stage and would it have similar problems with root and SafetyNet using AnBox?
  4. Failing all the above is it possible to revert to stock?
  • Like 1
Link to post
Share on other sites
43 minutes ago, EskeRahn said:

And could you elaborate on how it should be done?

For what? There's nothing that can be done.

Ubuntu touch is usable and ready to use. I've tried it myself and it works OK. The marketing material has no lies on it.

AnBox has similar or even worse issues with SafetyNet. I tried it when I tried Ubuntu touch and I use it from time to time on my PC. SafetyNet always fails on my PC. Even the basic one. Even with Magisk (although Magisk does run very poorly on anbox on non-android-tailored-linux)

Edited by brunoais
Punctuation. Ease of reading
Link to post
Share on other sites

Individual apps can be more perceptive to detecting root, sometimes even exploiting privacy invading bugs in the system. I'm by no means an expert on hiding root (I just don't use apps that complain about that), but have you done everything listed here? https://www.didgeridoohan.com/magisk/MagiskHide For example I didn't know some apps detect other apps that require root. 

Otherwise it might be a new detection method and you're only hope is for Magisk to be updated. But considering how the maintainer of the github doesn't want issues opened for MagiskHide problems, I'm assuming it's almost always possible to hide root if it's within the scope of MagiskHide.

  • Like 1
  • Thanks 1
Link to post
Share on other sites

Apps may use different ways to detect if the phone has been modified afterwards. Some apps check root and others SafetyNet/bootloader status etc. I have also seen apps that refuse to work if developer settings are activated.

Most of Finnish banking apps work just fine on custom ROMs (even rooted) but there is a bank called OsuusPankki (OP) which causes trouble. It has two popular apps called OP Mobiili and Pivo. Here is how they work on different phones/ROMs.

Redmi Note 4: AOSP ROM (Android 11), GAPPS flashed separately

  • Bootloader unlocked
  • No root
  • SafetyNet does NOT pass (CTS profile match fail)
  • OP Mobiili and Pivo both work

Xperia XZ1 Compact: Havoc OS v3.8 including Magisk Hide Props Config and GAPPS pre-built (Android 10)

  • Bootloader unlocked
  • No root
  • SafetyNet does pass
  • OP Mobiili and Pivo both work

Xperia XZ1 Compact: LOS 17.1 (Android 10), GAPPS flashed separately

  • Bootloader unlocked
  • No root
  • SafetyNet does NOT pass (CTS profile match fail)
  • OP Mobiili and Pivo does not work. OP Mobiili says that device is rooted (even so it is not) and Pivo thinks that developer settings are enabled (dev settings are not enabled).

Xperia XZ1 Compact: LOS 17.1 (Android 10), GAPPS flashed separately

  • Bootloader unlocked
  • Rooted via Magisk
  • SafetyNet does work (after patching Magisk Hide Props Config manually with root)
  • OP Mobiili works with Magisk Hide
  • Pivo still not work. However I can get it working using Shelter trick.

I don't what causes this kind of behaviour. Funny thing is that I can get OP Mobiili and Pivo to work on LOS 17.1 (XZ1 Compact) only with root.

  • Like 1
  • Thanks 2
Link to post
Share on other sites
25 minutes ago, FlyingAntero said:

Apps may use different ways to detect if the phone has been modified afterwards. Some apps check root and others SafetyNet/bootloader status etc. I have also seen apps that refuse to work if developer settings are activated.

Most of Finnish banking apps work just fine on custom ROMs (even rooted) but there is a bank called OsuusPankki (OP) which causes trouble. It has two popular apps called OP Mobiili and Pivo. Here is how they work on different phones/ROMs.

Redmi Note 4: AOSP ROM (Android 11), GAPPS flashed separately

  • Bootloader unlocked
  • No root
  • SafetyNet does NOT pass (CTS profile match fail)
  • OP Mobiili and Pivo both work

Xperia XZ1 Compact: Havoc OS v3.8 including Magisk Hide Props Config and GAPPS pre-built (Android 10)

  • Bootloader unlocked
  • No root
  • SafetyNet does pass
  • OP Mobiili and Pivo both work

Xperia XZ1 Compact: LOS 17.1 (Android 10), GAPPS flashed separately

  • Bootloader unlocked
  • No root
  • SafetyNet does NOT pass (CTS profile match fail)
  • OP Mobiili and Pivo does not work. OP Mobiili says that device is rooted (even so it is not) and Pivo thinks that developer settings are enabled (dev settings are not enabled).

Xperia XZ1 Compact: LOS 17.1 (Android 10), GAPPS flashed separately

  • Bootloader unlocked
  • Rooted via Magisk
  • SafetyNet does work (after patching Magisk Hide Props Config manually with root)
  • OP Mobiili works with Magisk Hide
  • Pivo still not work. However I can get it working using Shelter trick.

I don't what causes this kind of behaviour. Funny thing is that I can get OP Mobiili and Pivo to work on LOS 17.1 (XZ1 Compact) only with root.

FlyingAntero always impresses me with his/her knowledge.  Normal customers like me are already overwhelmed by the distinction between rooted and unrooted lineage.... I thought lineage was always rooted?

I would like to know whether bank / payment apps will work with lineage... and this in the long term (Did nt tdm say he cannot guarantee this...)??

Link to post
Share on other sites
2 hours ago, OKSun said:

I would like to know whether bank / payment apps will work with lineage... and this in the long term (Did nt tdm say he cannot guarantee this...)??

I think that was one of the take-aways of @FlyingAntero's post.  Some will.  Some may not.  Not sure it can be predicted, or at least not guarateed. 

My bank app (Bank of America) works fine on Lineage with unlocked bootloader and rooted.  It used to alert me with a warning about some aspect of that but worked anyway.  Now it no longer even alerts me.  But another bank app might refuse to work if it detects on of those situations. 

Lol.  I did notice on fxTecs Indegogo page for the Pro1x that someone who is some muckamuck in UX for Bank of America has a Pro1, so maybe that's why my bank app works.  😄

  • Thanks 3
Link to post
Share on other sites
2 hours ago, OKSun said:

I would like to know whether bank / payment apps will work with lineage... and this in the long term

Well we can not in anyway guess what requirements bank may come up with, so  guess that will be impossible to answer...

Link to post
Share on other sites
Just now, OKSun said:

The problem  is that this lack of guarantee is a big obstacle to the investment in a pro1 - X (which is not the cheapest phone on the market). Imho, fxtec needs to develop a better answer there...

No, it's simply an obstacle to using Lineage.  The phone with unrooted stock Android will work fine with any bank app, guaranteed.

  • Thanks 2
Link to post
Share on other sites
3 minutes ago, OKSun said:

The problem  is that this lack of guarantee is a big obstacle to the investment in a pro1 - X (which is not the cheapest phone on the market). Imho, fxtec needs to develop a better answer there...

Well, that's sadly part of the deal for not shipping with certified Android like the original Pro1. You don't have a guarantee that things like that work, that you can even use them is more an exception since it's accomplished by slightly shady stuff. I do think that if you do everything right, the chances of being to use your bank app is pretty high. But anybody saying they can guarantee it is lying I think. If that's a dealbreaker, than a device that ships with LineageOS isn't for you I think. 

  • Like 1
  • Thanks 1
Link to post
Share on other sites

So, a few things here:

 

1. There is a difference between certification and rooting.  SafetyNet is supposed to determine if the device is certified.  This means not just rooted, but running stock software that has been certified through Google.

 

2. There is no single way to detect a rooted device.  Each app is coded differently because there is no API for this in Android.  Some apps may just look for the presence of /system/xbin/su.  Others have more extensive checks.

 

3. Apps are not limited to just detecting root.  Some apps are known to look for things that may indicate the device has been tampered, similar to SafetyNet.  For example, I have heard of apps that look for system properties that are not present on stock but are specific to third party ROMs.

 

4. I do not use magisk and I do not support anyone who does.  It can cause strange issues that take a long time to track down, only to find that it was misconfigured or has a bug.  Feel free to use it if you like, but if you have any strange issues that others do not, the first thing you should do is a clean install without it.

 

5. I vote with my downloads.  I will not use an app that does any of the above.  That is not difficult for me, as my banking app does not do these checks and I don't have any desired to watch Netflix on a small screen.  Unfortunately, I know others are not in the same situation.

 

  • Like 1
  • Thanks 5
Link to post
Share on other sites
25 minutes ago, OKSun said:

What does our forum moderator think?

Like the idea. Though one could say that it would be more suited in a LineagOS forum, as it is not limited to the Pro1 / Pro1x.


And perhaps it already exists there? And a new thread here with a post linking to the general forum would be a better option, benefiting more users.

  • Like 2
Link to post
Share on other sites

Well. Google Pay is going to be a thing for me again, now that my bank has finally issued me an NFC-fitted debit card the contactless payment feature of which still requires entering the PIN for transactions above €50 – and also for "random" trasactions below €50 the randomness of which so far amount to "nearly all". The stupid thing is completely useless – if I want contactless payment, and that's what I want since the outbreak of COVID-19 and all the more now that new-infection figures are exploding here in Germany, I need a phone with Google Pay.

Thinking about it again, I might rather get myself a hand pointer to type in things into public terminals...

Edited by Rob. S.
  • Haha 2
Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

Terms