
Lineage and Banking apps



It seems I have to give up stock Android and move to Lineage for security reasons.

Before I do this, I wanted to ask the community about banking apps on Lineage. Does it work? I understood we have to use Magisk, but reading the forum, I see that users also have some difficulties making it work.

Edited by OKSun
Link to post
Share on other sites
3 hours ago, OKSun said:

It seems I have to give up stock Android and move to Lineage for security reasons.

Before I do this, I wanted to ask the community about banking apps on Lineage. Does it work? I understood we have to use Magisk, but reading the forum, I understand that users also have some difficulties making it work.

Basically I can use banking apps which need to pass the SafetyNet test using Magisk...
However, there were changes around Magisk and I don't know what the current solution is instead of MagiskHide, which is also needed for these apps to work.

As far as I know, the current version of Magisk has that removed but an old version still works on LineageOS 18.1 (Android 11); however, I doubt it will work on any later major Android version(s).

  • Like 2
Link to post
Share on other sites

Wow, seems I haven't been up to date with regard to Magisk...

Looks like not only MagiskHide, but also everything related to SafetyNet is removed from current Magisk releases.

(See John Wu's statement in https://topjohnwu.medium.com/state-of-magisk-2021-fe29fdaee458 now that he's working for Google, and also this XDA Developers thread: https://forum.xda-developers.com/t/discussion-magisk-the-age-of-zygisk.4393877/.)

That said, MagiskHide seems to be in the state of being replaced by the Zygisk (Magisk running in the new Zygote mode) "deny list"... And the tools to ensure SafetyNet is passed now seem to be external. 

Also, the Xposed framework (EdXposed/LSPosed) needs new versions for the new Magisk, and I haven't looked yet whether that's already happened. Personally I need Xposed plus a specific Xposed module to make my employer's security token app for VPN access run on a non-stock ROM. (Funnily that means I couldn't ever get it to work on LineageOS without root...)

Right now, I'm still running a Magisk version predating those changes, and everything from SafetyNet to banking works for me, except for one banking app (German Fidor bank) which detected a non-stock ROM and complained about it. I don't know whether some trick has been found in the meantime to make it work, too.  

(LineageOS 18.1, here.)

 

 

Edited by Rob. S.
  • Like 3
  • Thanks 1
Link to post
Share on other sites
11 minutes ago, Rob. S. said:

Right now, I'm still running a Magisk version predating those changes, and everything from SafetyNet to banking works for me

Also for me... anyway, Magisk started notifying me a few months ago that an update is available, which led to me disabling notifications for Magisk on my phone as I did not want to update to the "dumb" version.

(Also, one of my friends did it and SafetyNet has stopped working.)

However, I am curious about the new solution, but I will stick to LineageOS 18.1 until I see it is working...

 

  • Like 3
Link to post
Share on other sites

You might want to get acquainted with XPrivacyLUA, which can restrict what information an app gets. E.g. my banking apps are not allowed to execute shell commands. When they ask "which su", XPL intercepts and replies "[empty]". This way the app does not know that it can't execute shell commands because it gets a valid reply from XPL, but the app won't see su either.

The "only" problem is that you need ... Magisk with Riru and EdXposed or LSPosed. Down the rabbit hole, never to see the light of day again. Magisk reached its EOL, Riru is a mess, and Android (including LOS!) is getting more and more restricted by Google.

  • Like 1
Link to post
Share on other sites
17 hours ago, daniel.schaaaf said:

You might want to get acquainted with XPrivacyLUA, which can restrict what information an app gets. E.g. my banking apps are not allowed to execute shell commands. When they ask "which su", XPL intercepts and replies "[empty]". This way the app does not know that it can't execute shell commands because it gets a valid reply from XPL, but the app won't see su either.

The "only" problem is that you need ... Magisk with Riru and EdXposed or LSPosed. Down the rabbit hole, never to see the light of day again. Magisk reached its EOL, Riru is a mess, and Android (including LOS!) is getting more and more restricted by Google.

Thanks. Definitely beyond the skills of an average user like me. I do not want to spend time learning and experimenting in this area.

Link to post
Share on other sites

The new Magisk is not any dumber than the old one. I am using Magisk v24.3. Everything works the same as in the older versions; what is different is that the hide list is now the deny list, you need Zygisk mode on, and configuring the list is in the app settings, but the functionality is the same. If you have to use external modules like MagiskHidePropsConfig you need to download them manually, but they work the same. So I have all the same banking apps still working that I had since Magisk v20 ->.
Edit: And there is no more built-in SafetyNet check, but there are various apps for that in the Play Store.

Edited by Kaali
  • Like 3
  • Thanks 2
Link to post
Share on other sites
On 4/27/2022 at 4:15 PM, Kaali said:

Magisk 24.3 supports Android 12 so I guess it should work all the same. One person in the Discord already upgraded to OS19 with Magisk.

Thanks.

I will wait a bit longer until I have more time, so I hope all potential problems are revealed by then. 🙂

Anyway, how about further restrictions of SDCard access under Android 12?

  • Like 1
Link to post
Share on other sites
  • 1 month later...
On 4/27/2022 at 10:24 AM, EskeRahn said:

I wonder if 18.1 -> 19.1 has any positive or negative effect in this matter? Anyone tried?

i have not tried 18.1, but i installed 19.1 this weekend.

i'm using:

lineage 19.1 with mindtheGapps

Magisk 25.0, apk 25.1, zygisk enabled (important)

Magisk modules, using fox magisk modules manager:

magiskHide props config, set to fxtec pro1

Universal SafetyNet Fix, no additional config

then reboot

i am passing all safetynet checks, and i am able to add cards to gpay (my bank is still not supported but instead of "this device has been modified" it now says "your bank is incompatible"). My insurer's app doesn't like rooted phones either and i am now able to launch it with no problems.

i suspect the new sepolicy thingy introduced in magisk 25.0 is much more powerful than whatever was possible before, and zygisk is just the cherry on top...

figuring out how to install everything was a bit of a pain, i think in the end the solution was to flash magisk 25.0 apk (renamed to .zip) in recovery.

there are several apps on the play store to check safetynet.

Screenshot_20220621-143608_SafetyNet Test.png

  • Thanks 6
Link to post
Share on other sites
17 hours ago, oliviersenn6 said:

Universal SafetyNet Fix, no additional config

You actually don't need UniversalSafetyNetFix with pro1 if you use MagiskHidePropsConfig. I have understood that USNF is more needed on devices with hardware attestation and pro1 uses basic attestation so only changing of the fingerprint with MHPC and putting google gms on denylist is needed to pass safetynet, and that always worked for me too. Then you might need to set some other props with MHPC for some programs to work that check more than just Safetynet pass.

Anyways there is a new way to pass SafetyNet on Lineage without magisk at all called ih8sn. I personally switched completely to that and uninstalled magisk. LoS has a builtin adb root option that is enough for this to work. I can share the .conf file with working props from stock rom if someone is interested. It basically is just a script that changes the fingerprint like MHPC but without magisk. With this i can get more banking apps to work that i can't get to work with magisk because they use some advanced way to detect magisk on the system. (S-pankki for Finnish folks)

  • Thanks 6
Link to post
Share on other sites
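
To illustrate the basic-versus-hardware attestation distinction raised in the post above, here is an added example (not from the thread or from any project mentioned in it) of the policy an app backend can apply to a decoded SafetyNet verdict. The claim names (`nonce`, `timestampMs`, `basicIntegrity`, `ctsProfileMatch`, `evaluationType`) are those of the SafetyNet Attestation response; the function names and the sample verdict are constructed for illustration, and JWS signature and certificate-chain verification is assumed to have happened before this step.

```python
import base64
import hmac
import json

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def evaluate_verdict(jws, expected_nonce, now_ms, max_age_ms=120_000):
    """Policy check on a SafetyNet verdict (hypothetical helper).
    Assumes the JWS signature and certificate chain were verified earlier."""
    try:
        _header, body, _sig = jws.split(".")
        claims = json.loads(_b64url_decode(body))
        nonce = base64.b64decode(claims["nonce"])
        issued_ms = int(claims["timestampMs"])
    except (ValueError, KeyError, TypeError):
        return False, ["malformed verdict"]
    reasons = []
    # The nonce binds the verdict to this request and blocks replay.
    if not hmac.compare_digest(nonce, expected_nonce):
        reasons.append("nonce mismatch")
    if now_ms - issued_ms > max_age_ms:
        reasons.append("verdict too old")
    if not (claims.get("basicIntegrity") and claims.get("ctsProfileMatch")):
        reasons.append("integrity or CTS profile check failed")
    # evaluationType is a comma-separated list, e.g. "BASIC,HARDWARE_BACKED".
    # A BASIC-only verdict rests on software-reported device properties.
    kinds = set(str(claims.get("evaluationType", "")).split(","))
    if "HARDWARE_BACKED" not in kinds:
        reasons.append("software-only (BASIC) evaluation")
    return not reasons, reasons

def make_sample(nonce, timestamp_ms, evaluation_type):
    """Constructed, unsigned sample verdict for this example only."""
    claims = {"nonce": base64.b64encode(nonce).decode(),
              "timestampMs": timestamp_ms,
              "basicIntegrity": True, "ctsProfileMatch": True,
              "evaluationType": evaluation_type}
    return ".".join([_b64url(b'{"alg":"RS256"}'),
                     _b64url(json.dumps(claims).encode()),
                     _b64url(b"sig")])
```

A backend that accepts BASIC-only verdicts is relying on `basicIntegrity` and `ctsProfileMatch` alone, which is why the check on `evaluationType` is listed as its own rejection reason.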

I use magisk because it's easier for most things, honestly (also my banks don't use those methods). for example having an su manager for in-app su requests is very useful, for example for installing Vanced rooted. but obviously if that's not your use case then by all means ih8sn is leagues easier to use than trying to get magisk to install, not to mention the wiping risk if you fuck up your flash.

Link to post
Share on other sites
1 hour ago, Kaali said:

I too used magisk to the point vanced was killed by google. I realised i don't need root anymore. Yes old installs of vanced still work but for how long that we cannot know.

offtopic here but *hust* newpipe *hust*  have a look at f-droid for it

  • Like 2
Link to post
Share on other sites

There are so few instructions for ih8sn on the internet so i thought i could share how to get it to work on pro1 if anyone is interested in that. Fresh install is not needed and you don't need magisk or any SU package to pass safetynet after this. Not sure if this works for other OSes than Lineage but someone can have a shot and tell if it does.

Requirements:
-ADB on your computer
-Debugging and rooted debugging enabled on your phone from developer options.
-Latest ih8sn aarch64 release downloadable here, extract the zip, you don't need the .conf file as it is for different phone.
-ih8sn.conf file with all the props from last pro1 stock rom i attach to this post.

Steps to install:
-Connect your phone to your computer and open a terminal (linux) or a powershell (windows) on the folder your ih8sn files are.
-type in command

adb root

it should say restarting adb as root otherwise make sure your device is connected and rooted debugging enabled.
-type in command

adb remount

do not restart the phone at this point
-there are scripts included in the zip so all you need to do is execute the script

.\push.ps1

if you are a Windows user. You might need to allow powershell to execute foreign scripts, there are instructions for that easily available on the internet so i won't fill it in here.
Or if you're on Linux:

./push.sh

It should push 4 files onto your device. Note i did this on windows so i can't guarantee how the linux script works. You can always manually execute the push commands that are in the scripts, instead of using these scripts.
-then type in command

adb enable-verity

Otherwise the phone will bootloop at next OTA
-Now restart your phone and check that safetynet passes using f.ex. YASNAC or some other safetynet checker app.

ih8sn.conf

  • Thanks 8
Link to post
Share on other sites

Thank you very much. I planned to reflash LOS19.1 in a few days, so I will certainly give it a try, I've had no more banking app since the last bank app update in LOS18.1.
I usually use magisk as I need root in termux and TotalCommander, I guess it's compatible?

Link to post
Share on other sites

I guess ih8sn should work with magisk too but i have not tried so it's not proven. You could just use magiskhidepropsconfig and denylist with magisk though. But if you give ih8sn with magisk a try please report your findings here on the thread.

  • Like 1
Link to post
Share on other sites
  • 2 months later...
