Hi Guys,
I've installed a bunch of apps to check for root including Safetynet and I'm actually in fact unrooted just bootloader unlocked and using latest version of LightROM.
Unfortunately no matter using magisk core or uninstalling everything, hiding from system and hiding the banking app it still detects Root and that's SUPER aggravating.
Is there a way to know exactly what checks is failing when an app is attempting to detect Root as I said I haven't even rooted yet..
The apps are SBM mobile and Juice byMCB.
Thanks for your help!
Airbag888 said:
Hi Guys,
I've installed a bunch of apps to check for root including Safetynet and I'm actually in fact unrooted just bootloader unlocked and using latest version of LightROM.
Unfortunately no matter using magisk core or uninstalling everything, hiding from system and hiding the banking app it still detects Root and that's SUPER aggravating.
Is there a way to know exactly what checks is failing when an app is attempting to detect Root as I said I haven't even rooted yet..
The apps are SBM mobile and Juice byMCB.
Thanks for your help!
Click to expand...
Click to collapse
It says detecting root but it's actually detecting Knox has been tripped via modification.
It's well known that some banking apps and others will never work on a phone that has or had a custom Rom installed at some point.
cooltt said:
It says detecting root but it's actually detecting Knox has been tripped via modification.
It's well known that some banking apps and others will never work on a phone that has or had a custom Rom installed at some point.
Click to expand...
Click to collapse
Thanks for your answer.. So I checked with a knox checker app and it can't tell knox was triggered saying it's 0x0 (I know the efuse was tripped but magisk apparently can hide it at least from non system apps) and all the root checkers and safetynet checkers I ran could not see anything.
I wish I knew what exactly tripped this app, not sure if an app developer can open it up and see the logic in effect at startup?
What are my options now?
Since I tried removing root/magisk - did not help
1. Flash stock? knox would show up as 0x1
2. throw away the phone as it will from now on never run this banking app? that seems super extreme and when I asked before unlocking BL everyone was adamant banking apps were not a problem anymore.. sigh
Airbag888 said:
Thanks for your answer.. So I checked with a knox checker app and it can't tell knox was triggered saying it's 0x0 (I know the efuse was tripped but magisk apparently can hide it at least from non system apps) and all the root checkers and safetynet checkers I ran could not see anything.
I wish I knew what exactly tripped this app, not sure if an app developer can open it up and see the logic in effect at startup?
What are my options now?
Since I tried removing root/magisk - did not help
1. Flash stock? knox would show up as 0x1
2. throw away the phone as it will from now on never run this banking app? that seems super extreme and when I asked before unlocking BL everyone was adamant banking apps were not a problem anymore.. sigh
Click to expand...
Click to collapse
Yeah those Knox checking apps are a load of rubbish to be honest. You can check if Knox has been tripped by booting into recovery and checking the Knox counter ,top left, bottom text.
When a phone is modified in any way which almost always requires root, an entry is made in the EFS partition which cannot be altered or you will lose IMEI and other critical data. As I mentioned some banking apps don't care about mods since when the app is used the connection is encrypted end to end but obviously some banking apps just won't take the risk and don't run full stop. This is why some people are saying what their saying about resetting/hiding Knox. Also as you know Knox is a physical efuse so how can software reset or hide it.
People just getting confused due to some apps working and some not but it's due to what I've just explained.
In future all banking apps are moving to completely non function if a phone has been modified so if this is important to you on a new phone ,don't ever root it.
cooltt said:
Yeah those Knox checking apps are a load of rubbish to be honest. You can check if Knox has been tripped by booting into recovery and checking the Knox counter ,top left, bottom text.
When a phone is modified in any way which almost always requires root, an entry is made in the EFS partition which cannot be altered or you will lose IMEI and other critical data. As I mentioned some banking apps don't care about mods since when the app is used the connection is encrypted end to end but obviously some banking apps just won't take the risk and don't run full stop. This is why some people are saying what their saying about resetting/hiding Knox. Also as you know Knox is a physical efuse so how can software reset or hide it.
People just getting confused due to some apps working and some not but it's due to what I've just explained.
In future all banking apps are moving to completely non function if a phone has been modified so if this is important to you on a new phone ,don't ever root it.
Click to expand...
Click to collapse
If that's really the direction things are going it's pretty sad. Android turning into crapple.
Anyway I was wondering how an app (Bank) could have access to the real knox status while another not (the app I used detected 0x1 without magisk and 0x0 with magisk)
I don't want a world where I can't bootloader unlock my phone.. Already I regretted not bootloader unlocking it because it's 2019 and android can't backup all my app data yet. So if I factory reset, bam all my redownloaded stuff has no saved data (or most of it) and that annoys the hell out of me. There should be a way to basically nandroid a backup to your computer or sd card and restore that whenever you feel.
I was super bummed a month ago, my stock unrooted s7e was extremely slow and unusable, after rooting, and installing LightROM all went back to being fluid. I was about to spend good money for a new phone now I can't use my banking app at all and I'm *****ing cause I use it on a daily basis.
Airbag888 said:
If that's really the direction things are going it's pretty sad. Android turning into crapple.
Anyway I was wondering how an app (Bank) could have access to the real knox status while another not (the app I used detected 0x1 without magisk and 0x0 with magisk)
I don't want a world where I can't bootloader unlock my phone.. Already I regretted not bootloader unlocking it because it's 2019 and android can't backup all my app data yet. So if I factory reset, bam all my redownloaded stuff has no saved data (or most of it) and that annoys the hell out of me. There should be a way to basically nandroid a backup to your computer or sd card and restore that whenever you feel.
I was super bummed a month ago, my stock unrooted s7e was extremely slow and unusable, after rooting, and installing LightROM all went back to being fluid. I was about to spend good money for a new phone now I can't use my banking app at all and I'm *****ing cause I use it on a daily basis.
Click to expand...
Click to collapse
How can some apps see knox and not others? Read only access to the EFS partition.
Samsung (along with all phone Manufactures) develop their firmware together with all the big app developers who intend to use the platform. The banking sector has been hit hard with all kinds of IT related fraud especially with mobile banking. Banks simply cannot rely on customers to secure mobile devices so the choice is, block their app from functioning on a device that has been compromised in any way shape or form whatsoever or carry on taking the hit for banking fraud. If i was a bank i know which option i would choose, especially as governments are ensuring banks refund customers for their own stupidity.
With regards to open source and Android community mods, while it's been great there is a serious downside to it. More and more companies & developers are protecting their work and intellectual property. Mods will become harder and harder as much tougher security is built into apps and firmware. It's enervatible. Nobody makes money from phones which don't track your usage habits or can't show ads etc. We are all the product!
Lets not even talk about built in obsolescence.
cooltt said:
Yeah those Knox checking apps are a load of rubbish to be honest. You can check if Knox has been tripped by booting into recovery and checking the Knox counter ,top left, bottom text.
When a phone is modified in any way which almost always requires root, an entry is made in the EFS partition which cannot be altered or you will lose IMEI and other critical data. As I mentioned some banking apps don't care about mods since when the app is used the connection is encrypted end to end but obviously some banking apps just won't take the risk and don't run full stop. This is why some people are saying what their saying about resetting/hiding Knox. Also as you know Knox is a physical efuse so how can software reset or hide it.
People just getting confused due to some apps working and some not but it's due to what I've just explained.
In future all banking apps are moving to completely non function if a phone has been modified so if this is important to you on a new phone ,don't ever root it.
Click to expand...
Click to collapse
I must admit I find it sad that no one found a workaround It used to be that the community could outsmart the manufacturers now it seems maybe they all got employed instead
I guess we had a good run
Hi!
I'm considering buying Pixel 6a for its worth at around 300USD worth but after using Android for several years, I'm concerned about security after rooting, like after theft etc.
Afaik, if bootloader is unlocked, the thief can just flash a new image and that's it!
It's different with iOS where icloud lock (even after jailbreak) can render the device practically unusable.
Can someone guide if some kind of google lock is a possibility nówadays with Android or newer versions of Android?
Are you looking at this from a data security standpoint? Or from "make sure its worthless to the thief".
Data security I believe is much more important than causing the phone to self destruct if stolen, and from a data security standpoint, you don't need to worry about root, because the data stored in the userdata partition is ENCRYPTED, and this encryption is tied to lockscreen security. In other words, they need to be able to legitimately get past the lockscreen in order to have unencumbered access to your data, regardless of what they change with respect to boot and system partitions.
If on the other hand, you're more worried about rendering the device worthless if stolen (i.e., thief can't actually use it), then you're actually talking about gooble's factory reset protection, which pretty much locks you to factory images, and locked bootloaders, and the "unlock bootloader" switch set to not-unlockable.
Factory reset protection works by forcing you to validate that you are the owner of the gooble account previously registered as owner of the device. It can be trivially bypassed as long as the "allow oem unlocking" flag is set to true, or the device has a 3rd party OS key installed, such as from grapheneos.
Also, having the device REPORTED as stolen if it is, will make it unable to connect to a cellular network, which pretty effectively makes it worthless.
Thanks for detailed answer. It answers my question.
While data is first priority, rendering device non-usable is also a deterrent.
Gotta find some ROMs which allow encryption tho. Thanks again
tarun0 said:
Thanks for detailed answer. It answers my question.
While data is first priority, rendering device non-usable is also a deterrent.
Gotta find some ROMs which allow encryption tho. Thanks again
Click to expand...
Click to collapse
It isn't a useful deterrent to theft, because they have to steal it first before they can find out if its been rendered useless or not. Its not like they'll return it if they find out that its useless.
tarun0 said:
Hi!
I'm considering buying Pixel 6a for its worth at around 300USD worth but after using Android for several years, I'm concerned about security after rooting, like after theft etc.
Afaik, if bootloader is unlocked, the thief can just flash a new image and that's it!
It's different with iOS where icloud lock (even after jailbreak) can render the device practically unusable.
Can someone guide if some kind of google lock is a possibility nówadays with Android or newer versions of Android?
Click to expand...
Click to collapse
You should be worried more about having unlocked bootloader as opposed to root.
Root can only be obtained via Magisk, which creates a layer making your System think that Magisk is a part of it. No root could be obtained other than through Magisk manager, and even then, you will get a prompt to allow root to an app or adb. You can provide time limited root or one time only for apps. In other words, root gives the user control. Your OS already has root regardless of Magisk. All Magisk does is give you the power to grant or deny root.
Locked vs unlocked bootloader: this is where you should be concerned. If your bootloader is unlocked, it might be possible to boot or flash a modified recovery or TWRP that will have full write access to your system partitions, which are not encrypted. Android, unlike Linux or Windows never encrypted anything but data partition, and a few years ago, Google dropped even that in favor of file encryption. So, your data partition is no longer encrypted, just the files. So, when TWRP has full access to your system, an adversary may succeed in removing your screen lock/password/pattern and force system to boot straight without any lock. Note, the attacker wouldn't have to deal with encryption at all, but rather use natural Android weakness, which is: the first boot after installing a brand new rom is always without password prompt. So, in this case, the attacker will have the full access to your data.
With locked bootloader, this is not possible, as all fastboot actions are disabled.
99.9% of custom roms require unlocked bootloader. Those few, which are available on locked bootloader, do not provide root. There are only 1 or 2 developments that can provide optional root + locked bootloader.
optimumpro said:
You should be worried more about having unlocked bootloader as opposed to root.
Root can only be obtained via Magisk, which creates a layer making your System think that Magisk is a part of it. No root could be obtained other than through Magisk manager, and even then, you will get a prompt to allow root to an app or adb. You can provide time limited root or one time only for apps. In other words, root gives the user control. Your OS already has root regardless of Magisk. All Magisk does is give you the power to grant or deny root.
Locked vs unlocked bootloader: this is where you should be concerned. If your bootloader is unlocked, it might be possible to boot or flash a modified recovery or TWRP that will have full write access to your system partitions, which are not encrypted. Android, unlike Linux or Windows never encrypted anything by data partition, and a few years ago, Google dropped even that in favor of file encryption. So, your data partition is no longer encrypted, just the files. So, when TWRP has full access to your system, an adversary may succeed in removing your screen lock/password/pattern and force system to boot straight without any lock. Note, the attacker wouldn't have to deal with encryption at all, but rather use natural Android weakness, which is: the first boot after installing a brand new rom is always without password prompt. So, in this case, the attacker will full access to your data.
With locked bootloader, this is not possible, as all fastboot actions are disabled.
99.9% of custom roms require unlocked bootloader. Those few, which are available on locked bootloader, do not provide root. There are only 1 or 2 developments that can provide optional root + locked bootloader.
Click to expand...
Click to collapse
Ahhh... So there are options albeit just 1 or 2 which can root with bootlocker locked!!
I thought it's just impossible to root without unlocking bootloader.
Thanks for the nice explanation
tarun0 said:
Ahhh... So there are options albeit just 1 or 2 which can root with bootlocker locked!!
I thought it's just impossible to root without unlocking bootloader.
Thanks for the nice explanation
Click to expand...
Click to collapse
Just my view: if I were you, I wouldn't buy any Pixels phone that has Titan chip in it. It is just one more reliance on such a 'bastion' of privacy as Google. Note Titan is closed source, and not only it deals with certificates, but it can also modify firmware. Here is Zdnet's description:
"The Titan chip manufacturing process generates unique keying material for each chip, and securely stores this material -- along with provenance information -- into a registry database. The contents of this database are cryptographically protected using keys maintained in an offline quorum-based Titan Certification Authority (CA).
"Individual Titan chips can generate Certificate Signing Requests (CSRs) directed at the Titan CA, which -- under the direction of a quorum of Titan identity administrators -- can verify the authenticity of the CSRs using the information in the registry database before issuing identity certificates."
So, each machine's individual key is stored with some 'magic' database maintained by Titan Certification Authority. In other words, an entity funded by three-letter agencies now has an additional database holding individual keys for each phone.
optimumpro said:
Just my view: if I were you, I wouldn't buy any Pixels phone that has Titan chip in it. It is just one more reliance on such a 'bastion' of privacy as Google. Note Titan is closed source, and not only it deals with certificates, but it can also modify firmware. Here is Zdnet's description:
"The Titan chip manufacturing process generates unique keying material for each chip, and securely stores this material -- along with provenance information -- into a registry database. The contents of this database are cryptographically protected using keys maintained in an offline quorum-based Titan Certification Authority (CA).
"Individual Titan chips can generate Certificate Signing Requests (CSRs) directed at the Titan CA, which -- under the direction of a quorum of Titan identity administrators -- can verify the authenticity of the CSRs using the information in the registry database before issuing identity certificates."
So, each machine's individual key is stored with some 'magic' database maintained by Titan Certification Authority. In other words, an entity funded by three-letter agencies now has an additional database holding individual keys for each phone.
Click to expand...
Click to collapse
Thanks for the opinion broski! But what brand are available there?
I don't like Samsung anymore because they destroy screen with update and don't help customers. Rest brand look more on papers but not in real.
tarun0 said:
Thanks for the opinion broski! But what brand are available there?
I don't like Samsung anymore because they destroy screen with update and don't help customers. Rest brand look more on papers but not in real.
Click to expand...
Click to collapse
Onepluses allow relocking bootloader on custom roms.
tarun0 said:
Thanks for the opinion broski! But what brand are available there?
I don't like Samsung anymore because they destroy screen with update and don't help customers. Rest brand look more on papers but not in real.
Click to expand...
Click to collapse
Don't be intimidated by the technical language - it's not as complicated as it seems. All hardware security modules come with a key that is installed at the factory and signed by the manufacturer. This initial key is only used to establish a basic level of trust, and the HSM will then generate a unique key for encrypting your data and performing attestation. This process is the same no matter what brand of device you use, whether it's an OnePlus, a pixel, or any other brand
Newer pixel models have a feature called ATTEST_KEY that allows each device to have its own unique keys. If one of these HSM keys were to be compromised, it wouldn't affect your security. However, rooting your phone can compromise your security and make verified boot ineffective, even if the bootloader is locked. If you value security, it's important not to root your phone
tarun0 said:
Ahhh... So there are options albeit just 1 or 2 which can root with bootlocker locked!!
I thought it's just impossible to root without unlocking bootloader.
Thanks for the nice explanation
Click to expand...
Click to collapse
This statement is incorrect. The Android user interface was not designed to handle permission prompts for root access. When you root your phone, you increase the potential for UI bugs that were previously not able to cause harm to become attack vectors that can be used to gain full access to your phone. Rooting also weakens the security of your phone by adding new permissive domains and making the *_app SELinux domains more permissive
It is heavily recommended to read this article https://madaidans-insecurities.github.io/android.html
tarun0 said:
Thanks for detailed answer. It answers my question.
While data is first priority, rendering device non-usable is also a deterrent.
Gotta find some ROMs which allow encryption tho. Thanks again
Click to expand...
Click to collapse
For the past five years, it has been required that all Android phones have encryption enabled by default. If you purchase a Pixel phone, it will come with encryption already enabled, but you can further enhance the security of the encryption by installing GrapheneOS as they increase the file name padding length to the maximum supported by the kernel make certain attacks harder.
Block-based encryption is generally considered to be less secure than file-based encryption because it uses a single key to encrypt all data, rather than multiple keys for individual files (which is what FBE does). Android 10 introduced metadata encryption, which encrypts the sector 0 on the data partition, making it inaccessible to attackers even when attempting to access the data through recovery mode. One of the main reasons file-based encryption is preferred over block-based encryption is that it is more difficult to verify the security of block-based encryption, and the algorithms used in block-based verification can be complex and challenging to implement correctly. Additionally, block-based encryption only encrypts data and does not provide any integrity checking, so if the data becomes corrupt, there is no way to detect it and the decryption process will continue. This can result in broken files at best and potentially allow attackers to tamper with or exploit the Linux kernel at worst, as noted by Linux kernel maintainers
optimumpro said:
So, when TWRP has full access to your system, an adversary may succeed in removing your screen lock/password/pattern and force system to boot straight without any lock. Note, the attacker wouldn't have to deal with encryption at all, but rather use natural Android weakness, which is: the first boot after installing a brand new rom is always without password prompt. So, in this case, the attacker will have the full access to your data.
Click to expand...
Click to collapse
This quote is mostly (the bad part) FALSE. The decryption on the files cannot be performed until AFTER the device has been unlocked. If an attacker installs something that skips the lockscreen, the files will NOT be decrypted, since that lockscreen password/pin/pattern/etc. is needed to gain access to the key.
No matter what, whether the device bootloader is unlocked or not, or the device has root access or not... if the device is physically outside of the owner's control, it is necessary to assume that security on it has been compromised and should not be trusted. As the owner, you should assume that it has been backdoored, so wipe it fully and reinstall OS.
there is one exception, though. in AFU state, FBE is already decrypted (same as FDE)
https://bugs.xdavidhu.me/google/2022/11/10/accidental-70k-google-pixel-lock-screen-bypass
(does not concern powered off devices)
96carboard said:
Are you looking at this from a data security standpoint? Or from "make sure its worthless to the thief".
Data security I believe is much more important than causing the phone to self destruct if stolen, and from a data security standpoint, you don't need to worry about root, because the data stored in the userdata partition is ENCRYPTED, and this encryption is tied to lockscreen security. In other words, they need to be able to legitimately get past the lockscreen in order to have unencumbered access to your data, regardless of what they change with respect to boot and system partitions.
If on the other hand, you're more worried about rendering the device worthless if stolen (i.e., thief can't actually use it), then you're actually talking about gooble's factory reset protection, which pretty much locks you to factory images, and locked bootloaders, and the "unlock bootloader" switch set to not-unlockable.
Factory reset protection works by forcing you to validate that you are the owner of the gooble account previously registered as owner of the device. It can be trivially bypassed as long as the "allow oem unlocking" flag is set to true, or the device has a 3rd party OS key installed, such as from grapheneos.
Also, having the device REPORTED as stolen if it is, will make it unable to connect to a cellular network, which pretty effectively makes it worthless.
Click to expand...
Click to collapse
Not all of this is really right on the head.
tarun0
FRP is VERY easy to bypass. Takes me about 2 minutes on Android 13 Jan 2022 update on 7 Pro, 7, 6a, 6 pro, 6, 5a, 5, 4a 5g and the 4a. The data is wiped though, so it at least can't have data stolen, but the FRP is more like a fence with a gate that you can just reach the other side to unlock with a paper clip lol
As far as getting past lock screen, there's USB plug-in's that if a true back actor wanted to get into the phone, it bypasses usb debugging and can force test thousands of pins and patterns per minute without flagging the maximum attempt trigger. But again, what's the chance of a phone getting stolen by someone with that level of knowledge? 90% of phone thieves take it, run and sell it quick flip.
Also, with a custom Android recovery, adb commands are possible, so if the device is rooted with a custom recovery, there's ways to extract the lock screen file where its stored and use it. I don't think the recoveries based on LineageOS can do this, but TWRP definitely can as I've done it personally. So far there's no twrp for any android 13 device to my knowledge. Even the android 12 variants of twrp are shotty and barely function.
Dirty flashing a rom will also remove any passcode generally on a phone. and make data accessible.
Reporting it stolen only goes so far. You can spoof the IMEI if rooted or straight up change it if you have tools like MiracleBox
Long story short, an unlocked bootloader and a rooted android device make the device very insecure. The only roms out there that let you re-lock the bootloader after flashing the rom are Graphene and CalyxOS. And I really don't recommend calyx. Its a pile of ****. Don't root graphene either, as you'll have to leave the bootloader unlocked
TechX1991 said:
Dirty flashing a rom will also remove any passcode generally on a phone. and make data accessible.
Click to expand...
Click to collapse
we are talking about FBE encryption, not old FDE encryption with default_password. do not claim what you haven't tested yourself. FBE is simply secure in BFU state. also against bruteforce as gatekeeper lives in TEE. after 140 attempts the timeout has increased to 1 day.
kindly read about how FBE works
https://android.stackexchange.com/a/241688