daimo-eth / daimo

Dollars, anywhere in the world
https://daimo.com
GNU General Public License v3.0
374 stars 33 forks source link

passkeys: Passkeys don't work on Graphene OS / ethOS #482

Open nalinbhardwaj opened 11 months ago

nalinbhardwaj commented 11 months ago

the failing pattern is consistent with https://github.com/GrapheneOS/os-issue-tracker/issues/2073 and https://github.com/GrapheneOS/os-issue-tracker/issues/1986.

Since we are calling the Android system native API in-app, it should be possible to patch Graphene to circumvent the integrity check in those APIs? @markusbug is investigating

nalinbhardwaj commented 11 months ago

Pasting error log:

2023-11-12T18:25:22.918Z ERR [LOG] {"type":"ExpoPasskeysCreate","startMs":[1699813517255](tel:1699813517255),"elapsedMs":5661,"error":"androidx.credentials.exceptions.publickeycredential.CreatePublicKeyCredentialDomException: Unable to get sync account.","trace":"Error: androidx.credentials.exceptions.publickeycredential.CreatePublicKeyCredentialDomException: Unable to get sync account.\n at construct (native)\n at apply (native)\n at _construct (address at index.android.bundle:1:103866)\n at Wrapper (address at index.android.bundle:1:103496)\n at construct (native)\n at _createSuperInternal (address at index.android.bundle:1:2468985)\n at call (native)\n at CodedError (address at index.android.bundle:1:2469270)"}
2023-11-12T18:25:22.918Z log [ACTION] 5675ms: idle > error androidx.credentials.exceptions.publickeycredential.CreatePublicKeyCredentialDomException: Unable to get sync account.
markusbug commented 11 months ago

After some investigating it seems like a piece of code in Google play services "PasskeysCreationConsentFragment" fails, but sadly this is closed-source so practically impossible to debug. In this image you can see the actual stacktrace for the exception, but since the gms code is obfuscated its all gibberish. image_2023-12-01_13-36-21 Also looked into the credentials api, and there doesn't seem to be any way to enforce a lighter integrity check. The only near term solution I see atm is to remove the option of creating a passkey for graphene/ethOS users until this is fixed. I will also ask in the Graphene dev chat, if there are any plans to fix this

Drewsapple commented 7 months ago

I tried again now that vanadium in graphene can use passkeys (with proton pass, I'm not sure if Google Password Manager passkeys work). It saved my daimo passkey!

Can this be closed? Are others able to reproduce?