dajb,
@dajb@social.coop avatar

Great. After a couple of years of using the Starling Bank app with @GrapheneOS with zero issues, I received a warning today that "your device hasn't passed our security checks"

13 days to factory restore to stock Android, apparently, or I won't be able to use the app on this device.

Anyone else have this issue? I haven't ever been able to use Google Wallet with bank cards on but that hasn't been a problem.

GrapheneOS,
@GrapheneOS@grapheneos.social avatar

@dajb They've chosen to start using the Play Integrity API to ban using an OS that's not approved by Google. It's a fake security feature since approval by Google has no real connection to security. It means they permit an OS without security patches for several years but not GrapheneOS which provides much better security. Please contact them via email or a support ticket and make sure to send them https://grapheneos.org/articles/attestation-compatibility-guide explaining how to use hardware attestation to verify it's GrapheneOS.

shortwavesurfer2009,
@shortwavesurfer2009@digitaldarkage.cc avatar

@dajb @GrapheneOS Time to use the bank website.

dajb,
@dajb@social.coop avatar

@shortwavesurfer2009 @GrapheneOS You can't, you have to log in using the app

GrapheneOS,
@GrapheneOS@grapheneos.social avatar

@dajb @shortwavesurfer2009 It would also defeat the purpose of what they're trying to do if they provided the same features via online banking. They likely have features specific to the app such as depositing cheques. They wrongly believe that they're improving security by enforcing having a Google certified OS via the Play Integrity API. They need to be convinced to implement https://grapheneos.org/articles/attestation-compatibility-guide which allows them to keep doing the checks they're doing while permitting GrapheneOS too.

GrapheneOS,
@GrapheneOS@grapheneos.social avatar

@dajb @shortwavesurfer2009 It would be better if apps stopped doing meaningless client-side security checks like these unless they actually have a reason to do it and are doing it properly via the hardware attestation API which offers the ability to support an alternate OS via permitting the yellow verified boot state with a whitelist of their keys. Play Integrity API only supports an OS/device approved by Google with no way to support hardware or operating systems they haven't approved.
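
The distinction drawn in this post (a locked device in the yellow verified boot state with an allow-listed key, versus the unlocked, orange or red states) is what a bank backend would check against the RootOfTrust structure inside the hardware attestation certificate. The following is an added example and not part of the thread, nor code from GrapheneOS, Starling or Google: it parses the RootOfTrust SEQUENCE (verifiedBootKey, deviceLocked, verifiedBootState, verifiedBootHash, as laid out in the Android key attestation schema) with a small hand-written DER reader and applies the policy described above. It assumes the caller has already validated the certificate chain up to the hardware attestation root and checked the challenge and security level, which is where RootOfTrust gets its trustworthiness. The field names follow the schema; the DER helpers, `evaluate_root_of_trust`, `demo` and the key value `ALT_OS_KEY_PLACEHOLDER` are this example's own, and the placeholder is a constructed hash, not any vendor's published verifiedBootKey.

```python
import hashlib
from dataclasses import dataclass
from enum import IntEnum

class VerifiedBootState(IntEnum):
    """VerifiedBootState ENUMERATED from the Android key attestation schema."""
    VERIFIED = 0     # green: OS signed by the OEM key, bootloader locked
    SELF_SIGNED = 1  # yellow: OS signed by a user-set key, bootloader locked
    UNVERIFIED = 2   # orange: bootloader unlocked
    FAILED = 3       # red: verification failed

@dataclass(frozen=True)
class RootOfTrust:
    verified_boot_key: bytes             # hash of the key that signed the OS
    device_locked: bool
    verified_boot_state: VerifiedBootState
    verified_boot_hash: bytes            # hash over the verified partitions

# Minimal DER handling for the four tags RootOfTrust uses.
SEQUENCE, OCTET_STRING, BOOLEAN, ENUMERATED = 0x30, 0x04, 0x01, 0x0A

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, end_offset) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def encode_root_of_trust(rot: RootOfTrust) -> bytes:
    """DER-encode a RootOfTrust; used here only to build constructed input."""
    return _tlv(SEQUENCE,
                _tlv(OCTET_STRING, rot.verified_boot_key)
                + _tlv(BOOLEAN, b"\xff" if rot.device_locked else b"\x00")
                + _tlv(ENUMERATED, bytes([int(rot.verified_boot_state)]))
                + _tlv(OCTET_STRING, rot.verified_boot_hash))

def parse_root_of_trust(der: bytes) -> RootOfTrust:
    """Parse the RootOfTrust SEQUENCE taken from the attestation extension."""
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("RootOfTrust must be a single SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        fields.append((t, v))
    if [t for t, _ in fields] != [OCTET_STRING, BOOLEAN, ENUMERATED, OCTET_STRING]:
        raise ValueError("unexpected RootOfTrust layout")
    return RootOfTrust(verified_boot_key=fields[0][1],
                       device_locked=fields[1][1] != b"\x00",
                       verified_boot_state=VerifiedBootState(fields[2][1][0]),
                       verified_boot_hash=fields[3][1])

def evaluate_root_of_trust(rot: RootOfTrust, allowed_yellow_keys) -> tuple:
    """Accept a locked device running the OEM OS (green) or an OS signed by an
    allow-listed key (yellow); refuse unlocked, orange and red devices."""
    if not rot.device_locked:
        return False, "bootloader unlocked"
    if rot.verified_boot_state == VerifiedBootState.VERIFIED:
        return True, "locked device, OEM-signed OS (green)"
    if rot.verified_boot_state == VerifiedBootState.SELF_SIGNED:
        if rot.verified_boot_key in allowed_yellow_keys:
            return True, "locked device, allow-listed alternate OS (yellow)"
        return False, "locked device, unknown verified boot key (yellow)"
    return False, "verified boot state %s refused" % rot.verified_boot_state.name

# CONSTRUCTED placeholder: a real backend would hold the alternate OS vendor's
# published verifiedBootKey hash here. This value is not anyone's real key.
ALT_OS_KEY_PLACEHOLDER = hashlib.sha256(b"placeholder alternate OS key").digest()

def demo() -> list:
    """Encode, parse and evaluate four constructed RootOfTrust values."""
    samples = [
        RootOfTrust(hashlib.sha256(b"placeholder OEM key").digest(), True,
                    VerifiedBootState.VERIFIED, bytes(32)),
        RootOfTrust(ALT_OS_KEY_PLACEHOLDER, True, VerifiedBootState.SELF_SIGNED, bytes(32)),
        RootOfTrust(hashlib.sha256(b"unknown key").digest(), True,
                    VerifiedBootState.SELF_SIGNED, bytes(32)),
        RootOfTrust(bytes(32), False, VerifiedBootState.UNVERIFIED, bytes(32)),
    ]
    return [evaluate_root_of_trust(parse_root_of_trust(encode_root_of_trust(s)),
                                   {ALT_OS_KEY_PLACEHOLDER}) for s in samples]
```

Calling `demo()` yields accept, accept, reject, reject for the four constructed cases: the OEM-signed green device, the allow-listed yellow device, a yellow device with an unknown key, and an unlocked orange device. The point of the allow-list is that the verifiedBootKey is reported by the hardware-backed keystore, so the backend keeps its "locked bootloader, known OS" check while a Play Integrity verdict would have collapsed the second case into "not Google-certified".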

johnmclear,
@johnmclear@mastodon.green avatar

@dajb @GrapheneOS Starling have been in freefall for a while now, I'm hearing quite a few complaints ;\

Edent,
@Edent@mastodon.social avatar

@johnmclear @dajb @GrapheneOS
I've found a fix.
Uninstall. Reinstall the previous version. Set it to not update.

Version number (and discussion) at https://github.com/PrivSec-dev/banking-apps-compat-report/issues/39#issuecomment-2094912415

Some indication that it is a temporary mistake.

GrapheneOS,
@GrapheneOS@grapheneos.social avatar

@johnmclear They've chosen to start using Play Integrity API to ban using an OS that's not approved by Google. It's a fake security feature since approval by Google has no real connection to security. It means they permit an OS without security patches for several years but not GrapheneOS which provides much better security. Please contact them via email or a support ticket and make sure to send them https://grapheneos.org/articles/attestation-compatibility-guide explaining how to use hardware attestation to verify it's GrapheneOS.

tom,
@tom@social.huginn.uk avatar

@dajb @GrapheneOS Have you relocked the bootloader?

Whilst not exactly like your situation, I was running /e/ and some banking apps didn't work because the bootloader was still unlocked. When I switched to CalyxOS, I locked the bootloader again after flashing and those same bank apps worked.

GrapheneOS,
@GrapheneOS@grapheneos.social avatar

@tom @dajb Locking is a standard part of installing GrapheneOS. It's not a completed installation otherwise. Unlike CalyxOS and /e/OS, GrapheneOS preserves the full standard security model and also expands verified boot into a complete implementation. That isn't the issue. This app is using the Play Integrity API to forbid using an OS not approved by Google. Unlike CalyxOS, GrapheneOS supports that API due to sandboxed Google Play, but it's not Google certified, which the app can detect.

GrapheneOS,
@GrapheneOS@grapheneos.social avatar

@tom @dajb GrapheneOS and those operating systems are very different. GrapheneOS is a hardened OS with substantial privacy/security improvements:

https://grapheneos.org/features

Those aren't hardened and both greatly reduce security vs. AOSP via added attack surface, rolled back security and slow patches. /e/OS rolls back security much more but CalyxOS is still rolling back rather than improving security.

Nearly all alternate operating systems roll back security, which is why companies do this.

GrapheneOS,
@GrapheneOS@grapheneos.social avatar

@tom @dajb Compatibility with Android apps is much different since GrapheneOS provides our sandboxed Google Play compatibility layer:

https://grapheneos.org/usage#sandboxed-google-play

Can run the vast majority of Play Store apps on GrapheneOS, but not CalyxOS with the much more limited microG approach. This doesn't change that an app requiring a Google certified OS via Play Integrity won't work though, which this app is in the process of adopting.

They need to be convinced to follow https://grapheneos.org/articles/attestation-compatibility-guide.

GrapheneOS,
@GrapheneOS@grapheneos.social avatar

@tom @dajb https://eylenburg.github.io/android_comparison.htm is a third party comparison between different alternate mobile operating systems. It could include many more privacy/security features but it's a good starting point.

https://privsec.dev/posts/android/choosing-your-android-based-operating-system/ is an article with more long form comparisons between OSes.

tom,
@tom@social.huginn.uk avatar

@GrapheneOS @dajb Feel like I got OS shamed a bit there!

GrapheneOS,
@GrapheneOS@grapheneos.social avatar

@tom @dajb It's not about that but rather what we're doing is almost entirely different from other alternate operating systems presented as being private and/or secure. In many cases, we're doing the opposite of what they're doing. The goal isn't at all shaming you but rather we don't want to be grouped in with operating systems rolling back security especially since we need to convince apps that are checking for alternate operating systems and forbidding them to support https://grapheneos.org/articles/attestation-compatibility-guide.
