1
0
mirror of https://github.com/PrivSec-dev/banking-apps-compat-report synced 2024-11-21 14:01:34 -05:00

Update README.md

Add section from https://discuss.grapheneos.org/d/8330-app-compatibility-with-grapheneos

Signed-off-by: akc3n <git@akc3n.page>
This commit is contained in:
akc3n 2023-10-20 03:36:49 -07:00 committed by GitHub
parent 19c4cf48b8
commit 08ecc34b63
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -1,41 +1,101 @@
# Banking apps compatibility with GrapheneOS # Banking apps compatibility with GrapheneOS
Report and track international banking app compatibility with GrapheneOS, including which workarounds may be required. Report and track international banking app compatibility with GrapheneOS, including which workarounds may be required.
## Tablet of Contents ## Tablet of Contents
- [Introduction](#introduction) - [Introduction](#introduction)
- [Usage](#usage) - [Usage](#usage)
- [Workarounds](#workarounds) - [Workarounds](#workarounds)
- [Notes](#notes) - [Notes](#notes)
# Introduction # Introduction
A crowd-sourced project dataset for [GrapheneOS](https://grapheneos.org/) users on [supported devices](https://grapheneos.org/faq#supported-devices), featuring a maintained compatibility [list of tested international banking apps](https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/#international-banking-apps), which is [reviewed](https://github.com/PrivSec-dev/banking-apps-compat-report/issues?q=is%3Aissue+is%3Aclosed) and [published](https://privsec.dev/banking). A crowd-sourced project dataset for [GrapheneOS](https://grapheneos.org/) users on [supported devices](https://grapheneos.org/faq#supported-devices), featuring a maintained compatibility [list of tested international banking apps](https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/#international-banking-apps), which is [reviewed](https://github.com/PrivSec-dev/banking-apps-compat-report/issues?q=is%3Aissue+is%3Aclosed) and [published](https://privsec.dev/banking).
[PrivSec.dev](https://privsec.dev) hosts this 3rd-party community-sourced effort, offering detailed information and which[ workarounds](https://akc3n.page/posts/banking-app-issues/) may be required for banking apps compatibility with GrapheneOS. [PrivSec.dev](https://privsec.dev) hosts this 3rd-party community-sourced effort, offering detailed information and which[ workarounds](https://akc3n.page/posts/banking-app-issues/) may be required for banking apps compatibility with GrapheneOS.
## It is essential to note that GrapheneOS: ## It is essential to note that GrapheneOS:
- **[does not](https://grapheneos.org/usage#banking-apps:~:text=grapheneos%20does%20not%20make%20any%20guarantees%20regarding%20the%20list's%20validity.) make any guarantees regarding the list's validity** - **[does not](https://grapheneos.org/usage#banking-apps:~:text=grapheneos%20does%20not%20make%20any%20guarantees%20regarding%20the%20list's%20validity.) make any guarantees regarding the list's validity**
- users should read the [banking apps usage guide](https://grapheneos.org/usage#banking-apps) - users should read the [banking apps usage guide](https://grapheneos.org/usage#banking-apps)
- provides a detailed [attestation compatibility guide](https://grapheneos.org/articles/attestation-compatibility-guide) for banking app developers - provides a detailed [attestation compatibility guide](https://grapheneos.org/articles/attestation-compatibility-guide) for banking app developers
# Usage # Usage
- View [current list ](https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/#international-banking-apps)of working international banking apps compatibility with GrapheneOS. - View [current list ](https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/#international-banking-apps)of working international banking apps compatibility with GrapheneOS.
- See [issue tracker](https://github.com/PrivSec-dev/banking-apps-compat-report/issues) for detailed banking app reports. As well as search, track, and/or update report status. - See [issue tracker](https://github.com/PrivSec-dev/banking-apps-compat-report/issues) for detailed banking app reports. As well as search, track, and/or update report status.
- Submit a banking app report by [opening a new issue and filling out the form](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/new?assignees=&labels=app+report&projects=&template=app_report.yml&title=%5BReplace+this+with+the+name+of+your+banking+app%5D). - Submit a banking app report by [opening a new issue and filling out the form](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/new?assignees=&labels=app+report&projects=&template=app_report.yml&title=%5BReplace+this+with+the+name+of+your+banking+app%5D).
# Workarounds
## Native code debugging ---
[Have you disabled native debugging](https://grapheneos.org/usage#banking-apps:~:text=grapheneos%20allows%20users%20to%20disable%20native%20code%20debugging)? Turn it back on and see if that may help.
Enable native code debugging ## Workarounds
`Owner profile``Settings``Security``Enable native code debugging`
## Exploit protection compatibility mode **0 —** Potential use of an unofficial/alternative Google Play Store frontend client may be [problematic](https://akc3n.page/posts/banking-app-issues/#auroraoss-is-problematic) for misguided apps:
[Have you tried enabling exploit protection compatibility mode for the app](https://grapheneos.org/usage#bugs-uncovered-by-security-features)? It could have memory corruption bugs may requiring this.
- That can check if they were installed from the Play Store and can choose to refuse to work if they were not installed from the Play Store.
- Try to hinder reverse engineering using debugging features like ptrace
- Some forbid usage on non-stock OS (most OSes are insecure)
- May cause your Google Account to be disabled/blocked/blacklisted by Google.
- [Anonymous account](https://twitter.com/GrapheneOS/status/1661989816584511489) usage may have negative consequences and have a less secure connection to the Play Store servers.
General recommendation: [Install Sandboxed Google Play](https://grapheneos.org/usage#sandboxed-google-play). Optionally use a [throwaway](https://twitter.com/search?q=throwaway%20(from%3Agrapheneos)&src=typed_query) account.
**1 —** By default, [native code debugging](https://grapheneos.org/usage#banking-apps) is enabled. If you disabled it, try enabling it again. Launch app. *If unsuccessful, proceed to step 2.*
`Settings``Security``Enable native code debugging`
**2 —** Enable the per-app [exploit protection compatibility mode](https://grapheneos.org/usage#bugs-uncovered-by-security-features). Launch app. *If unsuccessful, proceed to step 3 for **testing only**.*
`Settings``Apps``AppName``Advanced``Exploit protection compatibility mode`
**3 —** Temporarily disable [secure app spawning](https://grapheneos.org/usage#exec-spawning).
`Setting``Security``Enable secure app spawning`
**4 —** Restart device. Launch app to see if this GrapheneOS feature caused the compatibility issue. The app may be refusing to run if it detects a different spawning mechanism.
**[Significant security loss and directly affecting some privacy using Zygote](https://old.reddit.com/r/GrapheneOS/comments/tq0k7q/comment/i2ex547/)**
- Disabling exec-based spawning reverts to using the traditional Zygote spawning model AOSP's app processes
- Spawned as a clone of the Zygote
- Each app process has the same random secrets for ASLR, SSP, memory tagging, pointer authentication, setjmp canaries, and heap randomization
- Half of the userspace is made of app processes
- Applies across all profiles
- App in profile A and profile B have same random values, which they can see
**5 —** **Revert to secure spawning by enabling it again and restart device.** _See step 3 above_.
**6 —** Search the [forum](https://discuss.grapheneos.org/), [os-issue-tracker](https://github.com/GrapheneOS/os-issue-tracker/issues), and/or within the [community](https://grapheneos.org/contact#community) for keyword(s) specific to the app name. *If unsuccessful with finding a solution, only than proceed to step 7.*
**7 —** Attempt to reproduce the issue by capturing a 'Bug report' using the feature in Developer options if you still run into the [app aborting](https://grapheneos.org/usage#banking-apps:~:text=if%20you%20run%20into%20an%20application%20aborting) at launch.
- Enable Developer option by tapping the 'Build number' `7` times
`Settings``About``Device identifiers``Build number`
- [Capture](https://developer.android.com/studio/debug/bug-report a bug report)
`Settings``System``Developer options` ➔`Bug Report` ➔ `Interactive report``REPORT`
**8 —** Open a [new issue](https://github.com/GrapheneOS/os-issue-tracker/issues/new), provide a description and make contact via the appropriate channels with a similar message like "[Bug report capture for issue #104](https://grapheneos.org/usage#banking-apps:~:text=bug%20report%20capture%20for%20issue%20%23104)". in order to submit the bug report capture zip privately. *(Replace the issue `#` number)*.
- [Contacting the project](https://grapheneos.org/contact#contacting-the-project)
- [Reporting issues](https://grapheneos.org/contact#reporting-issues)
- *Friendly reminder: [instructions for getting support](https://github.com/GrapheneOS/.github/blob/main/SUPPORT.md) via [chat](https://grapheneos.org/contact#community) and* ***when to avoid using the os-issue-tracker***: *ask questions* + *request support*
**9 —** Disable the developer options.
`Settings``System``Developer options``Use developer options`
We recommend disabling developer options as a whole for a device that's not being used for app or OS development.
---
**10 —** It's plausible that this is app-related, rather than a compatibility issue with GrapheneOS - acknowledging this factor must be considered.
**11 —** Please see the [Attestation compatibility guide](https://grapheneos.org/articles/attestation-compatibility-guide) on using remote attestation in a way that's compatible with GrapheneOS and **how** ***you*** **can help**.
> *GrapheneOS users are strongly encouraged to share this documentation with app developers enforcing only being able to use the stock OS. Send an email to the developers and leave a review of the app with a link to this information. Share it with other users and create pressure to support GrapheneOS rather than locking users into the stock OS without a valid security reason. GrapheneOS not only upholds the app security model but substantially reinforces it, so it cannot be justified with reasoning based on security, anti-fraud, etc.*
---
Enable exploit protection compatibility mode
`Settings``Apps``<App-name>``Advanced``Enable exploit protection compatibility`
## AuroraOSS is problematic
Have you installed it from the [Sandboxed Play Store](https://grapheneos.org/usage#sandboxed-google-play) or another app?
See [detailed info](https://akc3n.page/posts/banking-app-issues/#auroraoss-is-problematic) on problems using [another app](https://twitter.com/GrapheneOS/status/1712962862832865456#m) for downloading banking apps.
# Notes # Notes
This repository is for reporting, tracking, and updating the status of banking app compatibility with GrapheneOS only. If you want to suggest [edits](https://github.com/PrivSec-dev/privsec.dev/blob/main/content/posts/android/Banking%20Applications%20compatibility%20with%20GrapheneOS.md) on the [banking apps web page](https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/), which are unrelated to the reports, please use [`PrivSec-dev/privsec.dev`](https://github.com/PrivSec-dev/privsec.dev/)'s repository [issue-tracker](https://github.com/PrivSec-dev/privsec.dev/issues). This repository is for reporting, tracking, and updating the status of banking app compatibility with GrapheneOS only. If you want to suggest [edits](https://github.com/PrivSec-dev/privsec.dev/blob/main/content/posts/android/Banking%20Applications%20compatibility%20with%20GrapheneOS.md) on the [banking apps web page](https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/), which are unrelated to the reports, please use [`PrivSec-dev/privsec.dev`](https://github.com/PrivSec-dev/privsec.dev/)'s repository [issue-tracker](https://github.com/PrivSec-dev/privsec.dev/issues).