🇬🇧 🇩🇪 FP2 open SafetyNet for banking

That explains it: of course this is about my view, which I find desirable and try to justify. That I have already understood large parts of the problem apparently did not come across clearly.


Thanks, but then I must have missed something.


You have simply come to the wrong place here. As I already wrote: write this to the banks and app developers concerned and try to convince them. All I can give you here is the reason, based on probabilities, why on the whole it makes rather little sense, even though in individual cases, and assuming competent users, it would of course be very useful if the banking app also worked on a rooted phone.

This is the wrong place for technical questions about the FP2?
(that is how the thread started)

1 Like

That is true, though :slight_smile: In reality this discussion about pros and cons was off-topic, but it was started by you after teezeh's answer:

Oh yes. On the probable average, certainly.

Well, we can forget about that. I tried it (for the slightly different case of an FPOOS without root) and you don't even get a proper answer out of it.

I am fairly appalled, because I am now noticing this phenomenon with more and more apps: SecureGo, then the DAK app, and lately the Bahn app only works with Goo+pple… This way FOSS on smartphones is over without ever having really begun.

“European digital sovereignty” (that sort of thing is written in EU programmes!) looks quite different, I think.

3 Likes

Really, does the DB Navigator app (which is probably what you mean by “Bahn app”?) also only work with Google+Apple now? That is really sad. But also only consistent: Mike Kuketz had found blatant GDPR violations in the DB app and got only a terse reply from them (to me it sounded like “not interested”).

Years ago it had already become harder to obtain the DB app without the Play Store and install it on free devices, because they changed the package format so that updates only need to download and apply deltas. That is convenient and shrinks the download, but then it is no longer a complete APK.

Years ago, though, precisely because of free Android OSes, the Bahn had put in effort to still be able to offer the app in installable form. Have they given that up now?

This topic is probably rather completely off-topic too, though. It would be better to open a separate thread for it, especially if someone has solved it. I suggest not responding further to my post here.

Well, until recently I was still using the DB Navigator quite normally on my FP2 with Lineage and updating it via Aurora. The Navigator does keep nagging that it needs Google Play, but apart from the missing map that has not restricted the app's functionality.

2 Likes

I tried a lot of different things now.
(Like own custom fingerprint, extract from image for FP2 Android V10 with GoogleApps
[File ‘printlist’ with content ‘FP2_Andr10=Fairphone/FP2/FP2:10/22.02.0-rel.0/gms-f257e06b:user/release-keys__2022-02-05’ ]).
But always BOTH checks failed. And the basic check should not be so difficult (says my Internet to me).
So I think the OS FP open is “too open” for SafetyNet. The stock-ROM basics are not prepared for this shit. For other devices/ROMs it looks like many people got it running.
I will try later on a new FP4 with /e/.

Cross-posting from the linked thread for others with FP2 Open SafetyNet issues:

So it does look to be like @Olli_GT said before me:

It’s not microG that doesn’t work with SafetyNet, it’s something to do with either the way µG is installed on FP Open, or something different with the ROM itself. In my post I suggested reaching out to µG devs for help, I think that’s the best course of action if one wants to get SafetyNet on FP Open.

1 Like

To get back to the topic at hand, fixing SafetyNet won’t help you here. I have a rooted FP4 that passes SafetyNet and have tried a couple of apps that check for SafetyNet/root/magisk/unlocked bootloader and they all work. All but SecureGo+. I suspect that this app might be checking if Magisk Manager is installed, so - if you already pass SafetyNet - renaming the Manager app might help. I have not tried this myself, because this is a hill I’m willing to die on. Applications refusing to work because you have other applications installed is imo just not acceptable. And if I’m wrong about this assumption I’d have to figure out what else is triggering the SecureGo+ root detection, something for which I don’t have time right now.

Which is why I have decided to use the highly secure, totally not soon to be deprecated SMS Tan alternative, which is definitely not being discontinued by several other banks right now. (It’s not too bad, but you get the point.) I also could have used an old phone that received its last security update 7(!) years ago, that would have been fine. There definitely do not exist any exploits that circumvent sandboxing and much less any root exploits.

Not quite correct, a rooted phone does not change the sandboxing behaviour of Android. In the truest sense Android doesn’t even use proper sandboxes, it only uses SELinux labels to achieve a similar effect. Windows doesn’t even come with any form of (default) sandboxing for your applications and no one bats an eye if you are using your banking website using an administrator account. (There is way more to this topic and there are reasons as to why things are the way they are, some better, some worse)

In this case they should probably ban all devices running out of date security updates. That would hopefully lead to the customers complaining (hopefully to the OEM) to provide security updates :slight_smile: (One can have hopes…)

On an unrooted device with out-of-date security patches, apps can use security vulnerabilities - some of which are public knowledge - to grant themselves root access without the user ever noticing.

I really wanted to argue against this point, but then I look out of the window

To make things clear, rooting does not make a device insecure by itself, one could even argue the opposite case, having access to more recent security updates provided by custom ROMs also tends to be a good thing (if the ROM is trustworthy). I haven’t looked at the implementation of the access control provided by Magisk, but since it is open source and fairly popular (and the developer was hired by Google to work on Android security) I’m pretty sure it is somewhat decent.
The problem is the end users, but those are the same on every platform.

3 Likes

Hm, I agree for Windows Home. For others not, even when Windows doesn’t use sandboxing.

This was not my point. If you have rooted your device it is possible that another “bad” application may easily break into the root system and use it without you noticing it, and doesn’t need to care about Android’s “sandboxing”. This is more difficult when your device is not rooted.

Are you referring to sandboxing in Windows 10 Pro and up? Before writing my post I had a quick look at the documentation and while Windows 10 Pro and up does indeed ship with a sandbox feature, I’d guess that is irrelevant for most users, most of which are probably using Windows 10 Home. And judging from the documentation it does not look like it is practical to use for day to day work (but that is just a guess).

I don’t think breaking into the root system is as easy as you think. I don’t have too much experience regarding this topic, so if anyone has more input, feel free to correct me here.
You have to either find an exploit in the access control provided by Magisk, which is totally possible, but since it is a well maintained app such an exploit will most likely be found and patched fast, or find a way to connect to the Magisk daemon some other way, but if you are able to do that, you probably don’t need Magisk to do your dirty work and you can get a root shell by yourself.

Attacking Magisk in this way just doesn’t seem like that good of an idea to a potential attacker. You have to find a vulnerability within the access control, exploit it and then get people to fall for it. The alternative is to use any of the well documented security issues with old versions of Android, any of which has probably still more users than Magisk combined. You don’t have to worry about anyone patching your exploit either, since devices vulnerable to it will still be vulnerable in 2 months or even a year.

1 Like

I’m not talking about sandboxing of Windows at all. I’m talking about user separation in Windows, which doesn’t exist in Windows Home. Of course Windows Enterprise is even better here, but policies are unfortunately usually not a typical home use scenario in Windows.

Since it’s possible to detect if Magisk or another rooted environment is running, it is possible to use issues specifically for these environments. The advantage is, you then can use all root-available functions without breaking into Android as such. I don’t know how easy it is at the moment, but it opens again another door.

Anyway, this discussion leads to nothing.

I’m quite sure that rooted devices are more vulnerable than non-rooted devices. I believe this is (at least: certainly was) also the reason for quite some banking app developers not to offer their apps to rooted devices. Maybe some of them now open their app also for rooted devices for one or another reason, but this is no point of discussion here. Talk to the app developers, not to me.

On a locked FP4 with latest /e/OS safetynet check passes.
Same with FP2 and latest /e/OS (v 0.23).

2 Likes

If you access a banking website instead of a banking app, the browser is the sandbox.

The most important difference between using the website and the app is that the app doubles as two-factor authentication. Banks have chosen to make this two-factor authentication app only available on mobile operating systems. The reason for this is probably that phones are less likely to be shared with other people and more likely carried with you.

So whether Windows does sandboxing better or worse than Android, is not really relevant if your bank doesn’t offer a 2FA app for Windows.

1 Like

The 2FA secret should be stored on a different device than the application you want to use. By having a mobile app and offering a 2FA for mobile devices only, the choice is left to the user where the 2FA is to run. :wink:

1 Like

Since we are way off topic and I have to hand in a paper tomorrow this will be my last post here. I feel I have shared everything I know regarding the original topic, but if anyone wants to continue the discussion feel free to DM me or tag me in a new topic.

I’m not trying to change the behaviour of banking apps (at least not right now). I’m trying to change the impression that a rooted Android phone is inherently less secure than an unrooted one. In the hands of an ignorant user that might as well be the case, but so is using the internet. Should we therefore ban every banking application on phones connected to the internet? No one cares if you are using your banking application on a desktop while being the root user yourself.

This is true.

I think you are probably using easy a bit too carefree. If you somehow can connect to the Magisk daemon you can easily use the power of root, but connecting to the daemon using anything but the access control provided by Magisk is not. Magisk has been around for at least 7 years at this point. If it is easy please show me any instance of this happening. I’m only aware of one possible exploit that could have been used and I’m not sure whether Magisk was vulnerable to it and I do not know of any cases of any such exploit being used.

Maybe. While most browsers indeed use sandboxes, you should be perfectly fine accessing your bank’s website on a browser that does not use sandboxing. Guaranteed and trusted sandboxing on the OS layer is not at all comparable to maybe sandboxing by a random application the user can install.

I don’t know which bank you are using, but I am yet to encounter a bank that combines both inside one app. All banks that I am aware of use two different apps. If we are concerned about security it doesn’t matter whether a device is rooted or not, one should not use the device used for banking to also generate the 2fa for the same bank.

2 Likes

The fact that you’re in a browser means that there is a limited set of APIs that can be accessed, i.e. just opening random files on the user’s computer or messing with another application (outside the browser) is not straightforward, but relies on browser exploits.

I have only seen banks so far that use one app for banking and verification, and a separate one that is only for NFC payments on your phone. But when it comes to banking, every country has its own traditions. I mostly have experience with banks from the Netherlands, I have not used any banking app from France.

Apparently my last post was not my last one for today :sweat_smile:
Who is giving you those guarantees? (That’s an honest question, I’ve never ever developed a browser for Windows)
If it is not the OS itself those guarantees are basically worthless, and how does the OS know that your application is a browser?

The OS doesn’t know, I am talking about what the web application can do to your computer.

But you are right, you need to think the other way around: what other applications can do to your browser.

All of this is a non-issue though, as long as the banks decide that your 2FA secret is in a phone app.

That would compromise on the convenience that is now offered with everything on one phone, but I do get the point. If all I have to do to access money is to type the PIN of the phone app, then there is no second factor anymore (as the FP2 doesn’t have any biometric 2FA such as a fingerprint reader.)

1 Like