out-of-the-box ?

https://grapheneos.org/usage#sandboxed-google-play

Banking on Android Open Source Project (AOSP)

Banking apps detect unsecure environments, and here I document how to bypass them in custom ROM's

https://forum.xda-developers.com/t/info-play-integrity-api-replacement-for-safetynet.4479337/

TLDR

also install updated firmware.

install some custom rom with pixel like experience

my choice is pixelOS

strong integrety doesn't pass, momo shows init.rc, custom rom and bootloader unlocked

but payzapp and everything works. netflix has L1.

server

strong integrety

1. pixelOS
2. KernelSU
3. zygiskonKernelSU
4. USFM by displax

Setup

0. unlocked bootloader & orangefox recovery
1. Install LineageOS
2. Spoof device signature with MagiskHide Props Config
3. hide custom rom props with this module, reset them with this
4. install shamiko
5. safetynet fix
6. (optional) edit additional build.prop entries that may have rom name with this
7. mindthegapps / microg sateynetAPI
8. Add Google play Services, Google play store, google services framework and google play protect to denylist
9. hide magisk, freeze the app (android 13 inbuilt), or use appmanager
10. can use work profile using shelter

Specific hiding

• InitRcHider
• unregular partition mounting
• bootloader / hardware attestation TODO

Effective Root Strategy for Secure Environment

• https://github.com/tiann/KernelSU
• https://github.com/android-hacker/VirtualXposed
• nikgapps

Android Modding

Can remove checks through RE though not advised.

Microg & Playstore

https://github.com/microg/GmsCore/wiki/Implementation-Status

https://gitlab.com/Nanolx/NanoDroid

Magisk Forks

Magisk Delta

Debugging

WADB

Widewine

liboemcryptodisabler module

GrapheneOS

https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/

https://grapheneos.org/articles/attestation-compatibility-guide

Tests

• Play integrety api checker
• yasnac
• Ruru (Applist detector)
• Momo
• Android Key Attestation Sample App

Debug & logging

logcat reader

Toast source

Developer assitant

Apps hiding

1. Lsposed
2. android faker
3. hidemyapp list
4. xprivacylua

Current Target App

Payzapp | hdfc privsec report

Payzap runs once can't verify number/(loading) then this toast.

Your device bootloader is unlocked or verified boot state is unverified. You cannot use this application.

Nothing in logs

ruru -> sees xprivacylua somehow

yasnac -> basic integrety pass

play integrety api checker -> everything is red

Momo

Tricks

1. Installing and activating the app on rom with gapps
2. Backing up app+data using neobackup
3. Wiping the phone, flashing clean rom
4. Restoring the app from the backup there

News / Changelog

Hardware Attestation 2023-06-07 UTC

https://developer.android.com/training/articles/security-key-attestation

References

• https://forum.xda-developers.com/t/hide-root-magisk-lsposed-and-pass-safetynet-on-any-rom-on-redmi-k20-pro.4552467/
• https://github.com/freeload101/Java-Android-Magisk-Burp-Objection-Root-Emulator-Easy

Other Articles

• https://akc3n.page/posts/banking-app-issues/