Closed frnprt closed 1 year ago
Thank you @frnprt
Description of the app's functionality
Works perfectly after giving location and camera permissions.
Are there any extra notes you think users should know about?
Give the required permissions before trying to activate the session.
Hi, thanks for the report.
- Does two factor authentication for login work?
- Does it mention something about weak security under Settings & Privacy -> Smartphone management -> Security Level?
Hi!
1) AFAIK, it does. 2) Nope, device is fully verified. No low security alert.
Is it just me or version 3.14.2 of the app now refuses to open?
Sono stati rilevati problemi di sicurezza (DX004): reinstalla l'APP da store ufficiali ed aggiornati. Per ulteriori informazioni contatta il servizio clienti.
Translated:
Security issues were detected (DX004): reinstall the APP from official and updated stores. Contact customer service for more information.
I tried disabling USB debugging, enabling exploit protection compatibility mode, granting the app every permission it requests even before opening it for the first time, installing sandboxed Google Play Services in the same profile: no success.
I am installing the app using Aurora Store but I don't see how this would be relevant as long as it is updated.
Everything works fine for me. Installing the app from the Play Store is the only viable solution, AFAIK. And yes, it is relevant indeed: https://developer.android.com/google/play/integrity
Didn't know about the installation method check. Funnily enough, the app always worked fine when installing it through the Aurora Store on other, much more insecure, setups of mine like LineageOS w/ MicroG, root, modified build.prop, no Play Store at all. But I'm new to Graphene so I'm learning how to handle these situations as I go.
Thanks @frnprt
EDIT: I've taken a deeper look at the problem and the installation method verification in particular, as I was very curious since I didn't see how it could work given that all apps involved are unprivileged.
Turns out: the installation medium isn't actually (strictly) verified.
You can work around the verification without even logging in to a Google account in the same user profile where you want to use the Intesa SanPaolo app.
Here's what I did:
The verification process will now succeed even in the initial profile (again, no Google login performed there) and the app will work fine.
Either way, I think that reporting this app as straight up "working" with no mention of the Play Store login requirement is definitely incomplete. Users may decide to use GrapheneOS for privacy reasons and may reasonably not want to log in to any Google service on their device. My workaround limits the privacy impact required to make the app work, but it still requires logging in to Google services using Google's proprietary APKs, which may harvest device information and link it to the person behind the account. I think these privacy renunciations should be clearly highlighted in compatibility reports like this one.
I'm having a different issue, the app launches fine and goes to the activation portion, where I try to activate it through my other phone that's logged into it. The "Dynamic logo" comes up and I go to scan it with my GOS phone but nothing happens... it just keeps staring at it and stays on the camera page forever.
I installed the app through the play store, and gave it all permissions except for calendar, contacts, microphone and photos. It's running in exploit protection compatibility mode.
Did you guys activate the app this way? Did it just recognize the dynamic logo without issue like it would a QR code? I already tried reinstalling twice but the same issue occurs every time.
Hi! Yes, I recall something of the sort happening to me too. I tried multiple times and at some point it just worked out of the blue. Also, it may sound weird, but try to keep the location service on. IIRC that did the trick (maybe there is some kind of location identification process going on in the background during that phase).
As far as compatibility mode is concerned, I don't think I needed to enable it to make the app work.
Hi, I just want to report something like this. I had many troubles "verifying" the app, as they say it, that's necessary when you install it on a new device. I couldn't make it work, despite me trying many times, and going even to the ATM. I gave every possible permission, but it still didn't work. What worked though is when I clicked on "Activate through your local banking branch", the camera would pop up immediately. So just don't bother and go straight to your bank branch and activate it with a human operator. It takes 30 seconds, and the only permissions you have to give are: nearby devices, camera and position (but you don't have to have the GPS activated, just the permission). Also, after activating it I noted that I had previously deactivated ALL permissions for Google's play services, services framework and play store: not even notifications were on anymore. Clearly, we can infer that this app is made by retarded people and despite requiring Google's proprietary spyware it does not use it. So the human activation is the most straightforward, the fastest and the least intrusive (despite feeling like an oxymoron).
The "Dynamic logo" comes up and I go to scan it with my GOS phone but nothing happens... it just keeps staring at it and stays on the camera page forever.
I had the same problem, I remembered that MIUI inverts color to enable dark themes on apps that do not support it. This inverted the dynamic code as well, and the camera wasn't able to detect it. So, just disable dark mode.
Security issues were detected (DX004): reinstall the APP from official and updated stores. Contact customer service for more information.
I have found another solution to this problem. I took a look at the source code of the decompiled application and it turns out this error is thrown when the application is installed from an "Unofficial source", the likes of Aurora Store, through the split apk or by sideloading with adb. You can check this property by going into the application details and scrolling down to the bottom where a section called "App details" appears. Turns out the banking app only checks for this property, so we must find a way to change this property.
Here's what I did.
I found an app called Shizuku (https://shizuku.rikka.app/) and installed it. I then activated the app through adb as it is clearly explained in the app itself. I then opened Aurora Store, went into the settings and selected Shizuku Installer under Installation > Installation method. I then normally installed the app through Aurora Store.
The app will now show that it was installed through Google Play Store or microG companion depending on whether you have Play Services or microG only on your phone. In my case the app works with microG only as well, it appears.
There exists another app called Install With Options (https://github.com/zacharee/InstallWithOptions) which relies on Shizuku and lets you customize the installation of a local apk. This would require you to have the apk of the bank app, so you would have to do the following.
Go into Aurora Store and disable apk deletion in Settings > Downloads. Now download the app. Go into the Downloads screen, long press the app and press the "save package" option (or whatever, can't remember it precisely). Now you will have the .zip package (because it is a split apk). Now open Install With Options and proceed with the installation after customizing the source (com.android.vending for Google Play Store).
I don't fully understand how this Shizuku app works, but somehow, thanks to adb, it allows some apps to access otherwise privileged system APIs and it allows for some powerful customization and other stuff.
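An added example, not part of the thread and not the bank's code: the installer name discussed above is metadata recorded on the device, so a backend that wants a stronger signal evaluates the verdict from the Play Integrity API linked earlier in the thread. The function below applies such a policy to a verdict payload that is assumed to be already decrypted and authenticated; the package id, nonce, freshness window and sample payloads are constructed, and the field names follow the Play Integrity classic-request payload.

```python
import time

EXPECTED_PACKAGE = "com.example.bank"  # constructed placeholder app id
MAX_AGE_MS = 120_000                   # assumed freshness window for a verdict


def evaluate_verdict(payload, expected_nonce, now_ms=None):
    """Return the list of policy failures; an empty list means accept."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    req = payload.get("requestDetails", {})
    failures = []
    # Bind the verdict to this app and to the challenge the server issued.
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        failures.append("package_mismatch")
    if req.get("nonce") != expected_nonce:
        failures.append("nonce_mismatch")
    # Reject stale or replayed verdicts (timestampMillis arrives as a string).
    try:
        age = now_ms - int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        age = -1
    if not 0 <= age <= MAX_AGE_MS:
        failures.append("stale")
    # Verdict fields come from Google Play, not from the installer name
    # that the device reports about itself.
    app = payload.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        failures.append("app_not_recognized")
    acct = payload.get("accountDetails", {})
    if acct.get("appLicensingVerdict") != "LICENSED":
        failures.append("not_licensed")
    dev = payload.get("deviceIntegrity", {})
    if "MEETS_DEVICE_INTEGRITY" not in (dev.get("deviceRecognitionVerdict") or []):
        failures.append("device_integrity")
    return failures


# Constructed sample payloads (not captured from any real app).
SAMPLE_OK = {
    "requestDetails": {"requestPackageName": "com.example.bank",
                       "nonce": "c2FtcGxlLW5vbmNl",
                       "timestampMillis": "1700000000000"},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}
SAMPLE_UNRECOGNIZED = dict(
    SAMPLE_OK,
    appIntegrity={"appRecognitionVerdict": "UNRECOGNIZED_VERSION"},
    accountDetails={"appLicensingVerdict": "UNLICENSED"},
)
```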
Is there an existing issue for this?
App name
Intesa Sanpaolo Mobile
Link to app
https://play.google.com/store/apps/details?id=com.latuabancaperandroid
App version
v3.7.0
Country of the app
Italy
Build Number
TQ1A.221205.011.2022122000
Device list
Pixel 7 Pro
Profile app tested in
Secondary profile(s)
Google Play installed
Installed
Google Play services Network permission revoked?
SafetyNet Enforcement
Native code debugging
Exploit protection compatibility mode
Stock OS compatibility
Description of the app's functionality
Works perfectly after giving location and camera permissions.
Are there any extra notes you think users should know about?
Give the required permissions before trying to activate the session.
ADB logcat of the app if necessary
No response