1
0
mirror of https://github.com/PrivSec-dev/banking-apps-compat-report synced 2024-12-21 20:31:33 -05:00
Reports for banking apps compatibility with GrapheneOS
Go to file
akc3n 785f4f3551
Update README.md
Fix formatting

Signed-off-by: akc3n <git@akc3n.page>
2023-10-20 03:43:21 -07:00
.github/ISSUE_TEMPLATE Update app_report.yml 2023-10-15 18:05:58 -07:00
README.md Update README.md 2023-10-20 03:43:21 -07:00

Banking apps compatibility with GrapheneOS

Report and track international banking app compatibility with GrapheneOS, including which workarounds may be required.

Tablet of Contents

Introduction

A crowd-sourced project dataset for GrapheneOS users on supported devices, featuring a maintained compatibility list of tested international banking apps, which is reviewed and published.

PrivSec.dev hosts this 3rd-party community-sourced effort, offering detailed information and which workarounds may be required for banking apps compatibility with GrapheneOS.

It is essential to note that GrapheneOS:

Usage


Workarounds

  1. Potential use of an unofficial/alternative Google Play Store frontend client may be problematic for misguided apps:
  • That can check if they were installed from the Play Store and can choose to refuse to work if they were not installed from the Play Store.
  • Try to hinder reverse engineering using debugging features like ptrace
  • Some forbid usage on non-stock OS (most OSes are insecure)
  • May cause your Google Account to be disabled/blocked/blacklisted by Google.
  • Anonymous account usage may have negative consequences and have a less secure connection to the Play Store servers.

General recommendation: Install Sandboxed Google Play. Optionally use a throwaway account.

  1. By default, native code debugging is enabled. If you disabled it, try enabling it again. Launch app. If unsuccessful, proceed to step 2.

SettingsSecurityEnable native code debugging

  1. Enable the per-app exploit protection compatibility mode. Launch app. If unsuccessful, proceed to step 3 for testing only.

SettingsAppsAppNameAdvancedExploit protection compatibility mode

  1. Temporarily disable secure app spawning.

SettingSecurityEnable secure app spawning

  1. Restart device. Launch app to see if this GrapheneOS feature caused the compatibility issue. The app may be refusing to run if it detects a different spawning mechanism.

Significant security loss and directly affecting some privacy using Zygote

  • Disabling exec-based spawning reverts to using the traditional Zygote spawning model AOSP's app processes
  • Spawned as a clone of the Zygote
  • Each app process has the same random secrets for ASLR, SSP, memory tagging, pointer authentication, setjmp canaries, and heap randomization
  • Half of the userspace is made of app processes
  • Applies across all profiles
  • App in profile A and profile B have same random values, which they can see
  1. Revert to secure spawning by enabling it again and restart device. See step 3 above.

  2. Search the forum, os-issue-tracker, and/or within the community for keyword(s) specific to the app name. If unsuccessful with finding a solution, only than proceed to step 7.

  3. Attempt to reproduce the issue by capturing a 'Bug report' using the feature in Developer options if you still run into the app aborting at launch.

  • Enable Developer option by tapping the 'Build number' 7 times

SettingsAboutDevice identifiersBuild number

SettingsSystemDeveloper optionsBug ReportInteractive reportREPORT

  1. Open a new issue, provide a description and make contact via the appropriate channels with a similar message like "Bug report capture for issue #104". in order to submit the bug report capture zip privately. (Replace the issue # number).
  1. Disable the developer options.

SettingsSystemDeveloper optionsUse developer options

We recommend disabling developer options as a whole for a device that's not being used for app or OS development.


  1. It's plausible that this is app-related, rather than a compatibility issue with GrapheneOS - acknowledging this factor must be considered.

  2. Please see the Attestation compatibility guide on using remote attestation in a way that's compatible with GrapheneOS and how you can help.

GrapheneOS users are strongly encouraged to share this documentation with app developers enforcing only being able to use the stock OS. Send an email to the developers and leave a review of the app with a link to this information. Share it with other users and create pressure to support GrapheneOS rather than locking users into the stock OS without a valid security reason. GrapheneOS not only upholds the app security model but substantially reinforces it, so it cannot be justified with reasoning based on security, anti-fraud, etc.


Notes

This repository is for reporting, tracking, and updating the status of banking app compatibility with GrapheneOS only. If you want to suggest edits on the banking apps web page, which are unrelated to the reports, please use PrivSec-dev/privsec.dev's repository issue-tracker.