PrivSec-dev / banking-apps-compat-report

Report and track banking app compatibility with GrapheneOS, including which workarounds may be required.
https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/

Swissquote #471

Closed lmgarret closed 3 weeks ago

lmgarret commented 3 weeks ago

Is there an existing issue for this?

App name

Swissquote

Link to app

https://play.google.com/store/apps/details?id=com.swissquote.android

App version

7.23..1

Country of the app

Switzerland

Build Number

2024062700

Device list

Pixel 8

Profile app tested in

Owner profile

Google Play installed?

Installed

Where did you install this app from?

Google Play Store

Google Play services Network permission revoked?

Native code debugging

Exploit protection compatibility mode

Memory tagging extension (MTE)

Stock OS compatibility

NFC payments

Description of the app's functionality

TL;DR: Cannot log in.

Downloaded the app from the PlayStore. First launch, went to Login and entered my credentials. After a short spinning wheel, I got the following error message (translated from screenshot):

Error

Make sure you have installed the app from the official store provided by your phone (Play Store, App Gallery, etc.) 
and not having downloaded an APK online.

We encountered a Firebase error: -99


The app was downloaded from the Play Store, so the error message is incorrect. The logs point to using Play Integrity instead.

Are there any extra notes you think users should know about?

Tried with and without exploit compatibility mode, no success.

I have contacted Swissquote's support giving a link to the dev guide for hardware attestation and I have yet to hear back from them.

ADB logcat of the app if necessary

07-03 07:46:11.678 16499 16499 W System.err: com.google.firebase.FirebaseException: Error returned from API. code: 403 body: App attestation failed.
07-03 07:46:11.679 16499 16499 W System.err:    at com.google.firebase.appcheck.internal.NetworkClient.makeNetworkRequest(NetworkClient.java:193)
07-03 07:46:11.679 16499 16499 W System.err:    at com.google.firebase.appcheck.internal.NetworkClient.exchangeAttestationForAppCheckToken(NetworkClient.java:125)
07-03 07:46:11.679 16499 16499 W System.err:    at com.google.firebase.appcheck.playintegrity.internal.PlayIntegrityAppCheckProvider.lambda$getToken$0$com-google-firebase-appcheck-playintegrity-internal-PlayIntegrityAppCheckProvider(PlayIntegrityAppCheckProvider.java:87)
07-03 07:46:11.679 16499 16499 W System.err:    at com.google.firebase.appcheck.playintegrity.internal.PlayIntegrityAppCheckProvider$$ExternalSyntheticLambda0.call(D8$$SyntheticClass:0)
07-03 07:46:11.679 16499 16499 W System.err:    at com.google.android.gms.tasks.zzz.run(com.google.android.gms:play-services-tasks@@18.1.0:1)
07-03 07:46:11.679 16499 16499 W System.err:    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
07-03 07:46:11.679 16499 16499 W System.err:    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
07-03 07:46:11.679 16499 16499 W System.err:    at com.google.firebase.concurrent.CustomThreadFactory.lambda$newThread$0$com-google-firebase-concurrent-CustomThreadFactory(CustomThreadFactory.java:47)
07-03 07:46:11.679 16499 16499 W System.err:    at com.google.firebase.concurrent.CustomThreadFactory$$ExternalSyntheticLambda0.run(D8$$SyntheticClass:0)
07-03 07:46:11.679 16499 16499 W System.err:    at java.lang.Thread.run(Thread.java:1012)
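
Added example, not part of the original report and not code from the project: a Python triage function that reads a threadtime-format logcat capture like the one above and reports the HTTP status, response body and Firebase App Check provider behind each failed token exchange. The function name and output keys are assumptions, and the sample is an abridged excerpt of the log in this report.

```python
import re

# Abridged excerpt of the logcat in this report, embedded so the block runs offline.
SAMPLE = (
    "07-03 07:46:11.678 16499 16499 W System.err: com.google.firebase.FirebaseException: "
    "Error returned from API. code: 403 body: App attestation failed.\n"
    "07-03 07:46:11.679 16499 16499 W System.err:    at com.google.firebase.appcheck.internal."
    "NetworkClient.exchangeAttestationForAppCheckToken(NetworkClient.java:125)\n"
    "07-03 07:46:11.679 16499 16499 W System.err:    at com.google.firebase.appcheck.playintegrity."
    "internal.PlayIntegrityAppCheckProvider.lambda$getToken$0(PlayIntegrityAppCheckProvider.java:87)\n"
)

# threadtime layout: date time PID TID level tag: message
LINE = re.compile(
    r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+(.*?):\s(.*)$")
HEAD = re.compile(r"FirebaseException: Error returned from API\. code: (\d+) body: (.*)")
# The provider name is the package segment between "appcheck." and ".internal".
PROVIDER = re.compile(
    r"com\.google\.firebase\.appcheck\.(\w+)\.internal\.\w+AppCheckProvider")
EXCHANGE = "appcheck.internal.NetworkClient.exchangeAttestationForAppCheckToken"


def appcheck_failures(logcat_text):
    """Return one finding per FirebaseException raised during App Check token exchange."""
    findings, open_traces = [], {}
    for raw in logcat_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        when, pid, tid, _level, _tag, msg = m.groups()
        key = (pid, tid)  # stack frames belong to the thread that logged the header
        head = HEAD.search(msg)
        if head:
            finding = {"time": when, "pid": int(pid), "http_code": int(head.group(1)),
                       "body": head.group(2).strip(), "provider": None, "exchange": False}
            open_traces[key] = finding
            findings.append(finding)
        elif key in open_traces and msg.lstrip().startswith("at "):
            finding = open_traces[key]
            finding["exchange"] = finding["exchange"] or EXCHANGE in msg
            hit = PROVIDER.search(msg)
            if hit and finding["provider"] is None:
                finding["provider"] = hit.group(1)
        else:
            open_traces.pop(key, None)  # any other line from this thread ends the trace
    return [f for f in findings if f["exchange"]]
```

A finding with `http_code` 403 and `provider` `playintegrity` means the rejection came back from the App Check token exchange, which is the reading of the log given in the report.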

spring-onion commented 3 weeks ago

Thanks. Linking them to the attestation compatibility guide is indeed the way to go, so everyone, make sure you've done that!

rabume commented 2 weeks ago

@lmgarret Did you get any feedback from Swissquote yet?

lmgarret commented 2 weeks ago

@lmgarret Did you get any feedback from Swissquote yet?

Nothing yet, not even an acknowledgement.