Crash when claiming rewards

[brendenhoffman]

Description:

Brave Android crashing when "Claim rewards" is clicked. Rewards says "Something went wrong" and app closes.

Steps to reproduce:

Click rewards button in address bar and claim or open chrome://rewards and claim, both have similar results.

Actual result:

"Something went wrong" and app close.

Expected result:

Claim rewards

Issue reproduces how often:

Any time you try to claim BAT

Version/Channel Information:

Attempted on Brave 1.22.71 and 1.23.71. Unable to try Beta or Nightly due to the time it takes to accrue BAT.

Device details

• Install type (ARM, x86): ARM
• Device type (Phone, Tablet, Phablet): Phone
• Android version: 11 Calyx OS

Additional information

I have found a few other users having the same issue, in the threads listed they give details in their situation. https://redd.it/mqvxzh

[Captain-Barge]

I have a strong suspicion that this crash is related to the absence of Google Play Services on the device.

The OP reported the issue with Calyx OS ('degoogled') and my wife and I are both experiencing the same issue with GrapheneOS ('degoogled'). But more telling: I found a Reddit post where someone reported this issue while on stock Android with disabled Google Play Services. The OP of the Reddit post later gave an update which said that the issue was solved after re-enabling Google Play Services (& then promptly disabling again because all Google products are spyware).

[Captain-Barge]

For whatever it's worth, this Reddit post appears to be yet another incidence of this crash. Unfortunately, the OP there does not indicate whether they are using an alternative OS (or disabled Google Play Services).

[No5251]

I have the same problem with CalyxOS 2.4.0 (Android 11) and microG framework on a Pixel 4a. Also tried this patched version: https://calyxos.org/news/2021/04/16/microg-google-login/

[Captain-Barge]

Interesting that microG didn't resolve the problem. Good to know.

[bsclifton]

@deeppandya do you think this might be related to the SafetyNet changes that happened as part of 1.18? (check only happening on claim). Def shouldn't be crashing. Would be great to see a crash report (cc: @SergeyZhukovsky)

[Captain-Barge]

@bsclifton I'm experiencing this issue and I'd be happy to send a crash report. I'll need instructions how to generate the report though because I couldn't figure it out with a quick internet search.

[bsclifton]

@ArchManBlip we have a fix coming! Stay tuned 😄

[waltercool]

I don't wanna sound unpolite, but "Stay tuned" sounds something between today and 10 more years, like Gnome resolving their bugs.

In case I can provide more information, I did a severe analysis of this issue months ago:

• Disable Google Play Services: Crash
• Enable Google Play Services: Works
• Use microG: Crash

I'm kinda sure this is related to SafelyNet as far the logs mention. Analyzing Android logs, it crashes with microG because there is a missing class, used by "whatever" Brave is doing.

Now, my even more deep question here... why is Brave using Google Play Services when it's supposed to be privacy oriented? Every single Google Play Service have something common, it fetch itself from user information, which is a compromise with user privacy. In case of SafelyNet it's a binary downloaded and uploading your phone data.

That's not okay, in that perspective Mozilla doesn't even try to use anything from Google APIs, including their Play Services API.

This may be a lot to ask, I know and I'm not even aware about Brave Android code and how rot deep is it... but it's possible to REMOVE Play Services API from Brave? That would make Brave completely useable from non-Google devices... or people who disables every Google related bloatware/spyware from their phones.

[dullo-bot]

Hi,

I got the same issue with my Google Pixel 5, GrapheneOS on the latest build an Brave 1.25.71.

[pf4edward]

Hi.

I got the very same issue except the app doesn't crash. However, I did install the SafetyNet via Magisk, and STILL with Google Play disabled - I DO NOT TRUST GOOGLE/PRISM surveillance that's going on - I cannot collect the hard-earned BATs.

This is happening on BOTH OnePlus 6T and OnePlus 7T devices.

[iam-cult]

Has anyone tested this with the new sandboxed google play services on grapheneos?

[dullo-bot]

Has anyone tested this with the new sandboxed google play services on grapheneos?

Yeah i tested it and at least the app isn't crushing anymore. I do not get the rewards when i click claim.

[iam-cult]

Yeah i tested it and at least the app isn't crushing anymore. I do not get the rewards when i click claim.

That's at least a start

[bsclifton]

cc: @deeppandya - I can't remember if we found/fixed this?

[waltercool]

Yeah i tested it and at least the app isn't crushing anymore. I do not get the rewards when i click claim.

That's at least a start

It still crashes for me with Google Play deactivated

[iam-cult]

It still crashes for me with Google Play deactivated

Yes, I'm only inquiring about GrapheneOS's sandboxed GPS. This issue has not been fixed, so the problem will still be present on fully degoogled devices.

[waltercool]

so the problem will still be present on fully degoogled devices.

Never said "degoogled", just Google Play deactivated. People can disable Google Play Services at most devices if they want, at expense of breaking most apps using Google features like Google Maps or Google Play Games due framework.

Yesterday experienced crashes trying to claim my rewards, my solution as always, is activating Google Play Services from Settings/Apps and trying again, works as a charm but not ideal. It shouldn't be any reason to depend of Google Play Services for claiming rewards.

[blumberg]

I'm on Lineageos with no google service and it still crashes. I can't claim anything and can't find a workaround.

[ultr41337h4xor]

cc: @deeppandya - I can't remember if we found/fixed this?

@bsclifton Still not fixed for me in the newest version, same as the posters above. LineageOS on a Fairphone 3+, with no google apps of any kind (including no Google Play Services).

[thezeroalpha]

Another report, I'm using LineageOS 18.1, Samsung Galaxy S10, with gapps installed (MindTheGapps) and running, not rooted. Brave doesn't crash, but clicking "claim" leads to an "oops something went wrong" message. There does not seem to be a workaround, other than trying to get around SafetyNet via Magisk.

[Miyayes]

Is it accurate to say that this crash is just a matter of the user not having Google Play Services enabled when trying to claim their ad earnings?

As for SafetyNet check, we have no plans to allow claiming for phones that fail to pass SafetyNet. App shouldn't crash, though.

[waltercool]

Is it accurate to say that this crash is just a matter of the user not having Google Play Services enabled when trying to claim their ad earnings?

As for SafetyNet check, we have no plans to allow claiming for phones that fail to pass SafetyNet. App shouldn't crash, though.

That sounds OK and reasonable to me, but please stop saying Brave Browser is privacy friendly then.

There is no way Google Play Services is something close to Privacy Friendly as strict dependency.

[blumberg]

As for SafetyNet check, we have no plans to allow claiming for phones that fail to pass SafetyNet. App shouldn't crash, though.

Is there a reason why phones that fail SafetyNet couldn´t claim the rewards?

I don´t know if I pass or fail, as I haven´t test it, but I know I don´t have any google service and it crashes. I hope that users from custom ROMs (LineageOS, GrapheneOS, etc...) with no Google Services would be able to claim rewards.

[erroriel]

Privacy advocates and power users, who are likely a large segment of Brave's user-base, are strongly affected by this. There are many users who choose to use a custom ROM for legitimate reasons (more privacy, stock ROM no longer updated, more features, etc.) which do not have Google Play Services or are unable to pass SafetyNet (due to the ctsProfileMatch check, see #17399) which are alienated by this. Is it not possible to add a CAPTCHA like on the desktop instead of enforcing SafetyNet? I am really saddened to see that SafetyNet was even used in the first place by a project claiming to be open-source and privacy friendly.

[erroriel]

Additional thoughts and clarification: As a security-minded developer myself, I understand the need to keep the app secure, especially when finances are involved and abuses are possible. Remote attestation (e.g. SafetyNet) is powerful for making sure your client application hasn't been modified in an abusive way. What is challenging in this case is that legitimate users have no recourse if their device or software is not approved by Google, even if it is not abusive and is secure (or arguably more secure with something like GrapheneOS). Put in other words, Google has full control over the software and it is no longer an open system. Would love it if some sort of middle ground could be reached here which allows legitimate users to still use Brave without needing to rely on Google and SafetyNet while still protecting rewards & BAT from abuse. Maybe other solutions, like requiring a verified wallet, would be sufficient instead (or when SafetyNet isn't available).

Additionally, talking from a risk/security model standpoint, a lot of the potential abuses with the Brave Android app hypothetically could be easily executed on the desktop app, where automation is easy and less sandboxing and verification is employed. This makes the usage of SafetyNet on Android seem like overkill in context. I'd argue it is hurting more than it is helping.

Finally, while not the solution I'd advocate for as a first choice, if attestation must be used, it is possible to support legitimate custom ROM users. See https://grapheneos.org/articles/attestation-compatibility-guide. If there were apps (such as Brave) using the open Android APIs rather than SafetyNet, I suspect other custom ROMs supporting verified boot, such as CalyxOS, would be willing to add documentation or support. There is still a challenge here when compiling your own ROM, but it would be better than nothing.

[ultr41337h4xor]

Seconding waltercool, blumberg and especially xariel's well thought out and reasonable statements. Really don't understand the relying on Google.

[waltercool]

I suspect other custom ROMs supporting verified boot, such as CalyxOS, would be willing to add documentation or support. There is still a challenge here when compiling your own ROM, but it would be better than nothing.

That's not really something useful at Open Source world, Brave works at Linux, which can be modified in any way possible too. I don't see Brave on Linux requiring an active Google service validating if my Ubuntu Linux or Arch Linux is modified or not.

Whatever they do on desktop, should be done at Android. A reCaptcha may work to avoid abuse.

If we discuss about attestation by signature, it's kinda evil. For GrapheneOS it's easy because they only support Google phones, for LineageOS/AOKP/CalyxOS/other there are several devices not officially supported, most of them use userdebug build type due bugs or problems with SELinux.

• Some applications at Google Play restrict features if Developer Mode is enabled, so you can avoid people debugging the app https://developer.android.com/reference/android/provider/Settings.Global#DEVELOPMENT_SETTINGS_ENABLED. Mostly bank apps.
• Some others validate if the Android build is user https://source.android.com/setup/develop/new-device#build-variants
• You could even validate if the Application Signature is correct, to make sure no one modified the application for own benefit.

But said that, anyone can just modify your Android source code and create a workaround for this, this is OpenSource, anyone can modify anything and build it. Most LineageOS users already fake attestation with Magisk. https://www.xda-developers.com/bypass-safetynet-hardware-attestation-unlocked-bootloader-magisk-module/

In other words, making rewards system only available for Google Play Services users, does not only creates a false guarantee, but adds the requirement of some unnecessary and privacy risk dependency to people who don't want Google on their phones.

As mentioned before, I'm fully OK if Brave wants to follow the "We need Google installed at your phones in order to use Rewards", but they must change their "Google-free" motto and modify their specifications at their website https://brave.com/privacy/browser/

Otherwise, it's lying to users. I'm not really a privacy intolerant person, but let's be clear and honest to users. Right now, depending of SafelyNet haven't been transparent enough to users.

[lxwulf]

Despite the whole situation, which is not good, I have a workaround for the problem that we can't reward the BAT's. The workaround works for android, and I tested it on android 11. The issue is, at least on my device, that SafetyNet doesn't get confirmed or verified. I have my phone (ASUS Zenfone 6) rooted with magisk. And for sure this disturbs the SafetyNet check.

So my workaround works only when you have rooted your stock ROM or custom ROM, keep that in mind.

1. Root your phone with Magisk
2. Go to modules and install that ZIP/Module
3. Reboot and your rewards works again.

Yes, this doesn't solve the situation, but it is a bridge until brave have updated their dependency.

Greets LxWulf 🐧 🐺

[jruizvisp]

@bsclifton any update on this? for rooted phone which has installed module for safetynet. Still can't claim rewards.

[waltercool]

@bsclifton any update on this? for rooted phone which has installed module for safetynet. Still can't claim rewards.

I guess they don't. I had to move into Bromite due privacy concerns with Brave. I don't think being Google Play Services as direct dependency is OK.

Also, this is not yet fixed: https://github.com/brave/brave-browser/issues/18667#issuecomment-1049134475

I have no real problem with using Google Play Services, the problem is crashing because lack of it.