by zamadatix 1402 days ago
Even just unlocking an Android device causes most to stop working. I can't even log into the PayPal app, which I assume is mostly just a WebView, because my phone is unlocked. At the same time it is apparently fine if I do the same thing from the browser on my phone?
3 comments

I used an Android phone with CalyxOS and microG for a year and never had this problem. There were a few apps I had a hard time getting APKs for without the Play Store, but even those I found I could side load from other devices that had the Play Store.
Or just use Aurora store!

You don't have this problem because CalyxOS has a workaround for SafetyNet. I hear it's pretty hacky, but it works.

The workaround is from microG. You can get it on lineage-microg too.

It has a bad name but really all that they do is replace Google's signing certificate with their own and change the OS to accept it. It's not that "hacky" IMO, you're just trusting a different party. It's just like when you install Ubuntu, you trust Canonical to sign your packages, not Debian. They use the same thing to replace Play Services. And if you trusted Google you wouldn't be using microG anyways, you'd just use Play Services.

The reason it gets a bad rap is because of the risk microG's signing key gets stolen. This is obviously higher than the risk of this happening for Google which is definitely in some highly protected HSM vault somewhere. True. Personally if I were a microG developer I'd keep it on a smartcard somewhere like a YubiKey so it couldn't be easily copied. I don't know if they do this.

On the other hand, there is more you need to do to exploit it, even if you have the signing key. You need to get the user to use some malicious software and get it on F-Droid or something undetected. Just having the private key will not net you anything.

In my point of view you're trading a definitely possible but difficult possibility of a hack, for a total certainty that Google will track you every hour of every day. Personally I don't trust my smartphone with that much information anyway, but Google manages to collect so much because of their extended network. So they're able to extract much more info from my smartphone than I put into it by association. So it's an ok tradeoff for me. Everyone needs to make their own judgement on that.

For that reason I don't use banking apps on my mobile anyway and I don't have a need for SafetyNet as a result. But it's nice to know that there is a possibility to use SafetyNet protected apps in some cases if I want (some detect the workaround I believe).

No, that's not the workaround I meant.

I meant the workaround for CTSPROFILEMATCH in SafetyNet; it's what makes most payment providers work on CalyxOS.

As for microG, the GrapheneOS way of running unrootful GMS seems interesting, but they won't apply the SafetyNet workaround, because it's "hacky" and won't last when hardware attestation is enforced.

This flows with most of GrapheneOS's stances; they don't care about convenience much.

Personally I'm already close to my limit due to how many inconveniences I have for using a work profile and a custom ROM, and I don't want more.

There are some APKs that aren't available on Aurora.
Custom ROMs/patches can be made to hide that the phone is unlocked and fake that it passes SafetyNet, even if you use official Play Services it's just ridiculous it's something that needs to be done in the first place.
If you rooted it via Magisk, the DenyList feature and the module "Universal SafetyNet Fix" should help you out [0]. If you're running a custom firmware, you might need to resort to patching the device properties [1].

Still, it's utterly absurd how many apps go to extremely long lengths just to tell me they don't like me having root access to my own f..ing phone, including Samsung's Watch interface app. The only situation where I can at least understand the reasons are DRM and cheaters in f2p games.

[0] https://github.com/kdrag0n/safetynet-fix

[1] https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf

> At the same time it is apparently fine if I do the same thing from the browser on my phone?

It's "fine" only because the banks' security cargo cult couldn't find a way to own your device without losing money. Now they found it and they're not giving up their checklists to make your life better.