Going the last mile - we are almost there! Root Detection and SafetyNet

Dear all,

I’ve been using /e/ for a couple of months now and I am very satisfied with it - thank you for your great work! I am a computer scientist myself, but I am not really looking to tweak around with my phone. I guess I am very much in the target group of /e/ - a person who wants to get rid of Google services, someone who wants to have privacy and is also willing to pay for it, someone who wants a European service which is open and built upon free software and someone who doesn’t want to root/tweak their Android - it should just work. /e/ is exactly what I am looking for and it is almost perfect. There are still some things missing, such as an app store where developers can publish and sell their software, but as far as I have read, this is already planned - great.

The only reason why I do not recommend that other non-geeky friends install /e/ is that almost none of the “high” security apps are working. I still use my old iPhone to use my banking apps, since they are simply not working on /e/. Here’s a short list of apps which are not working:

I also still have some trust issues about where the APKs from Apps or Aurora Store are coming from, but this is another story. What I would actually like to discuss is that many of these “high” security apps do not work because they check for root and/or SafetyNet (and maybe other things?). MicroG supports SafetyNet, but it seems not to work correctly and I’d like to know why. There are 2 applications - RootBeer Sample and SafetyNet Test - and both of them fail:

[Screenshots: signal-2021-03-27-204224_001, signal-2021-03-27-204224_002]

I have a FP3+ with /e/ 0.15 running, my device is not rooted and I do not want to root it - it should just work. The boot-loader is locked. I installed /e/ with the Easy Installer.

My question now is whether /e/ will ever be able to be recognized as being “not rooted” and whether SafetyNet will ever go through. I am starting this thread to put a focus on this topic since for me this is one of the last big issues /e/ needs to solve to be ready for the big masses.

Cheers,
Paul


I think every App relying on microG to work cannot be taken for granted, as Google can (and sometimes really does) change things on their side at any moment, which could break Apps working via microG, with microG then having to catch up to the changes again to make the respective Apps work again, if at all possible.
In my view everything which works via microG is nice to have while it works, not more.

I know it’s not popular, but this problem can always be approached from the other side by questioning the use case. Can the use case be tackled differently, without the App in question? This doesn’t work for every use case for sure, but it’s worth thinking about this once in a while, it potentially reduces annoying dependencies.

I get the same result with RootBeer Sample on a Fairphone 3 running 0.15-q-20210316105636-dev-FP3.
Root Verifier says “NOT ROOTED”, but the App seems way more simple than RootBeer Sample.
Avoiding root detection might be worth looking into, I guess.

You are right about /e/'s own Apps installer, that’s a well-known issue.

Aurora Store meanwhile is a Google Play Store client which is available via F-Droid, meaning it got built there from the sources and interested people can inspect those sources … of course there’s no guarantee anybody actually does in depth (or is there?), but I think there’s at least a very high probability with a mega-popular App like Aurora Store that somebody would notice if the APKs wouldn’t come from the Play Store.
https://f-droid.org/de/packages/com.aurora.store/ (see the “It is built and signed by F-Droid, and guaranteed to correspond to this source tarball.” part)

You’re right, but we also live in a world where each Android application is developed for Google’s Android ecosystem. This is why microG exists and why we need it. We will need broad support of all possible applications to grow and become so important that developers will also start to officially support /e/ during their development. Until then we don’t really have a choice.

Very much true as well and I try to do this already. But all the applications I listed in my first post are not replaceable with anything else.

Great that Root Verifier works but I guess we need to “support” all software libraries which check for root. Do you think I should create a ticket for this in their GitLab?