<p>Some banking apps on GrapheneOS will work fine in any configuration of the operating
776
-
system, however due to apps requiring the usage of the Google SafetyNet API, which is only
777
-
present if the sandboxed Google Play Services are installed, they may fail to launch. Apps
778
-
can mandate that they require the "CTS Profile" check to pass, or the weaker,
779
-
"basicIntegrity" check, both of which are provided by the SafetyNet API. The latter
780
-
will pass on GrapheneOS but the former will not. App developers could instead use the standard
781
-
Android hardware attestation API which provides far stronger assurance on GrapheneOS to verify the
782
-
integrity of the operating system by following our guide <ahref="https://grapheneos.org/articles/attestation-compatibility-guide">here</a>. Some banking apps
783
-
will attempt to use ptrace as a crude form of debug prevention which fails when the user
784
-
disables the "Enable Native Debugging" toggle in Settings, in the Security menu. It is
785
-
suggested to try with this toggle enabled and then with the sandboxed Google Play Services
786
-
installed if your app does not work.</p>
775
+
<p>Banking apps are a particularly problematic class of apps for compatibility
776
+
with alternate operating systems. Some of these work fine with any GrapheneOS
777
+
configuration but most of them have extensive dependencies on Play services. For
778
+
many of these apps, it's enough to set up the GrapheneOS sandboxed Play services
779
+
feature in the same profile. Unfortunately, there are further complications not
780
+
generally encountered with non-financial apps.</p>
781
+
782
+
<p>Many of these apps have their own crude anti-tampering mechanisms trying to
783
+
prevent inspecting or modifying the app in a weak attempt to hide their code and
784
+
API from security researchers. GrapheneOS allows users to disable native code
785
+
debugging via a toggle in Settings ➔ Security and this can interfere with apps
786
+
debugging their own code to add a barrier to analyzing the app. You should try
787
+
enabling this again if you've disabled it and are encountering compatibility
788
+
issues with these kinds of apps.</p>
789
+
790
+
<p>Banking apps are increasingly using Google's SafetyNet attestation service to
791
+
check the integrity and certification status of the operating system. GrapheneOS
792
+
passes the <code>basicIntegrity</code> check but isn't certified by Google so it
793
+
fails the <code>ctsProfileMatch</code> check. Most apps currently only enforce
794
+
weak software-based attestation which can be bypassed by spoofing what it checks.
795
+
GrapheneOS doesn't attempt to bypass the checks since it would be very fragile and
796
+
would repeatedly break as the checks are improved. Devices launched with Android 8
797
+
or later have hardware attestation support which cannot be bypassed without leaked
798
+
keys or serious vulnerabilities so the era of being able to bypass these checks by
799
+
spoofing results is coming to an end regardless.</p>
800
+
801
+
<p>The hardware attestation feature is part of the Android Open Source Project and
802
+
is fully supported by GrapheneOS. SafetyNet attestation chooses to use it to
803
+
enforce using Google certified operating systems. However, app developers can use
804
+
it directly and permit other properly signed operating systems upholding the
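Review bot: the second added paragraph (the one on native code debugging) drops the toggle's on-screen name, which the removed text gave as "Enable Native Debugging"; a user sent to "Settings ➔ Security" still has to guess which switch to flip, so suggest keeping the quoted name, e.g. `the "Enable Native Debugging" toggle in Settings ➔ Security`. The removed paragraph also linked the attestation compatibility guide at https://grapheneos.org/articles/attestation-compatibility-guide, and the visible part of the fourth added paragraph ("app developers can use it directly and permit other properly signed operating systems upholding the") ends before any link appears, so make sure that link is carried over to where developers are told to use hardware attestation directly. Minor: the removed line had a malformed anchor (`<ahref=`, no space before `href`), so the rewrite is the place to fix that if the link is kept.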