Reports for banking apps compatibility with GrapheneOS

banking-app banking-applications grapheneos

Go to file

akc3n 08ecc34b63 Update README.md Add section from https://discuss.grapheneos.org/d/8330-app-compatibility-with-grapheneos Signed-off-by: akc3n <git@akc3n.page>		2023-10-20 03:36:49 -07:00
.github/ISSUE_TEMPLATE	Update app_report.yml	2023-10-15 18:05:58 -07:00
README.md	Update README.md	2023-10-20 03:36:49 -07:00

README.md

Banking apps compatibility with GrapheneOS

Report and track international banking app compatibility with GrapheneOS, including which workarounds may be required.

Introduction

A crowd-sourced project dataset for GrapheneOS users on supported devices, featuring a maintained compatibility list of tested international banking apps, which is reviewed and published.

PrivSec.dev hosts this 3rd-party community-sourced effort, offering detailed information and which workarounds may be required for banking apps compatibility with GrapheneOS.

It is essential to note that GrapheneOS:

does not make any guarantees regarding the list's validity
users should read the banking apps usage guide
provides a detailed attestation compatibility guide for banking app developers

Usage

View current list of working international banking apps compatibility with GrapheneOS.
See issue tracker for detailed banking app reports. As well as search, track, and/or update report status.
Submit a banking app report by opening a new issue and filling out the form.

Workarounds

0 — Potential use of an unofficial/alternative Google Play Store frontend client may be problematic for misguided apps:

That can check if they were installed from the Play Store and can choose to refuse to work if they were not installed from the Play Store.
Try to hinder reverse engineering using debugging features like ptrace
Some forbid usage on non-stock OS (most OSes are insecure)
May cause your Google Account to be disabled/blocked/blacklisted by Google.
Anonymous account usage may have negative consequences and have a less secure connection to the Play Store servers.

General recommendation: Install Sandboxed Google Play. Optionally use a throwaway account.

1 — By default, native code debugging is enabled. If you disabled it, try enabling it again. Launch app. If unsuccessful, proceed to step 2.

Settings ➔ Security ➔ Enable native code debugging

2 — Enable the per-app exploit protection compatibility mode. Launch app. If unsuccessful, proceed to step 3 for testing only.

Settings ➔ Apps ➔ AppName ➔ Advanced ➔ Exploit protection compatibility mode

3 — Temporarily disable secure app spawning.

Setting ➔ Security ➔ Enable secure app spawning

4 — Restart device. Launch app to see if this GrapheneOS feature caused the compatibility issue. The app may be refusing to run if it detects a different spawning mechanism.

Significant security loss and directly affecting some privacy using Zygote

Disabling exec-based spawning reverts to using the traditional Zygote spawning model AOSP's app processes
Spawned as a clone of the Zygote
Each app process has the same random secrets for ASLR, SSP, memory tagging, pointer authentication, setjmp canaries, and heap randomization
Half of the userspace is made of app processes
Applies across all profiles
App in profile A and profile B have same random values, which they can see

5 — Revert to secure spawning by enabling it again and restart device. See step 3 above.

6 — Search the forum, os-issue-tracker, and/or within the community for keyword(s) specific to the app name. If unsuccessful with finding a solution, only than proceed to step 7.

7 — Attempt to reproduce the issue by capturing a 'Bug report' using the feature in Developer options if you still run into the app aborting at launch.

Enable Developer option by tapping the 'Build number' 7 times Settings ➔ About ➔ Device identifiers ➔ Build number
[Capture](https://developer.android.com/studio/debug/bug-report a bug report) Settings ➔ System ➔ Developer options ➔Bug Report ➔ Interactive report ➔ REPORT

8 — Open a new issue, provide a description and make contact via the appropriate channels with a similar message like "Bug report capture for issue #104". in order to submit the bug report capture zip privately. (Replace the issue # number).

Contacting the project
Reporting issues
Friendly reminder: instructions for getting support via chat and when to avoid using the os-issue-tracker: ask questions + request support

9 — Disable the developer options.

Settings ➔ System ➔ Developer options ➔ Use developer options

We recommend disabling developer options as a whole for a device that's not being used for app or OS development.

10 — It's plausible that this is app-related, rather than a compatibility issue with GrapheneOS - acknowledging this factor must be considered.

11 — Please see the Attestation compatibility guide on using remote attestation in a way that's compatible with GrapheneOS and how you can help.

GrapheneOS users are strongly encouraged to share this documentation with app developers enforcing only being able to use the stock OS. Send an email to the developers and leave a review of the app with a link to this information. Share it with other users and create pressure to support GrapheneOS rather than locking users into the stock OS without a valid security reason. GrapheneOS not only upholds the app security model but substantially reinforces it, so it cannot be justified with reasoning based on security, anti-fraud, etc.

Notes

This repository is for reporting, tracking, and updating the status of banking app compatibility with GrapheneOS only. If you want to suggest edits on the banking apps web page, which are unrelated to the reports, please use PrivSec-dev/privsec.dev's repository issue-tracker.