
Commit

expand banking app information
thestinger committed Sep 11, 2021
1 parent a5df5d5 commit 9a93d0c
Showing 1 changed file with 34 additions and 12 deletions.
46 changes: 34 additions & 12 deletions static/usage.html
Expand Up @@ -772,18 +772,40 @@ <h3><a href="#sandboxed-play-services-limitations">Limitations</a></h3>
<section id="banking-apps">
<h2><a href="#banking-apps">Banking apps</a></h2>

<p>Some banking apps on GrapheneOS will work fine in any configuration of the operating
system, however due to apps requiring the usage of the Google SafetyNet API, which is only
present if the sandboxed Google Play Services are installed, they may fail to launch. Apps
can mandate that they require the "CTS Profile" check to pass, or the weaker,
"basicIntegrity" check, both of which are provided by the SafetyNet API. The latter
will pass on GrapheneOS but the former will not. App developers could instead use the standard
Android hardware attestation API which provides far stronger assurance on GrapheneOS to verify the
integrity of the operating system by following our guide <a href="https://grapheneos.org/articles/attestation-compatibility-guide">here</a>. Some banking apps
will attempt to use ptrace as a crude form of debug prevention which fails when the user
disables the "Enable Native Debugging" toggle in Settings, in the Security menu. It is
suggested to try with this toggle enabled and then with the sandboxed Google Play Services
installed if your app does not work.</p>
<p>Banking apps are a particularly problematic class of apps for compatibility
with alternate operating systems. Some of these work fine with any GrapheneOS
configuration but most of them have extensive dependencies on Play services. For
many of these apps, it's enough to set up the GrapheneOS sandboxed Play services
feature in the same profile. Unfortunately, there are further complications not
generally encountered with non-financial apps.</p>

<p>Many of these apps have their own crude anti-tampering mechanisms trying to
prevent inspecting or modifying the app in a weak attempt to hide their code and
API from security researchers. GrapheneOS allows users to disable native code
debugging via a toggle in Settings ➔ Security and this can interfere with apps
debugging their own code to add a barrier to analyzing the app. You should try
enabling this again if you've disabled it and are encountering compatibility
issues with these kinds of apps.</p>

<p>Banking apps are increasingly using Google's SafetyNet attestation service to
check the integrity and certification status of the operating system. GrapheneOS
passes the <code>basicIntegrity</code> check but isn't certified by Google so it
fails the <code>ctsProfileMatch</code> check. Most apps currently only enforce
weak software-based attestation which can be bypassed by spoofing what it checks.
GrapheneOS doesn't attempt to bypass the checks since it would be very fragile and
would repeatedly break as the checks are improved. Devices launched with Android 8
or later have hardware attestation support which cannot be bypassed without leaked
keys or serious vulnerabilities so the era of being able to bypass these checks by
spoofing results is coming to an end regardless.</p>

<p>The hardware attestation feature is part of the Android Open Source Project and
is fully supported by GrapheneOS. SafetyNet attestation chooses to use it to
enforce using Google certified operating systems. However, app developers can use
it directly and permit other properly signed operating systems upholding the
security model. GrapheneOS has a
<a href="https://grapheneos.org/articles/attestation-compatibility-guide">a
detailed guide</a> for app developers on how to support GrapheneOS with the
hardware attestation API.</p>
</section>
</main>
<footer>
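Review bot: The article is doubled in the last added paragraph: the line ends "GrapheneOS has a" and the link text then starts "a detailed guide", so the page will render "has a a detailed guide"; drop one of the two. In the native debugging paragraph, "You should try enabling this again" leaves "this" ambiguous right after a sentence about disabling the toggle, so consider "try re-enabling native code debugging". That paragraph also drops the toggle label the removed text gave ("Enable Native Debugging") and only points to Settings ➔ Security; keeping the label would help users find it.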