Banking app (Starling) detecting Magisk

[makeyourself]

A banking app I've been using for years has always worked after putting it on the Deny List. I updated it recently and it now won't work with Magisk installed regardless of what I do.

As soon as I patch the boot image with Magisk it complains that the device is rooted and locks me out. That's without even installing the Magisk app, also without Zygisk etc.

I can pass SafetyNet and Play Protect certification with Universal Safety Net Fix and Magisk Hide Props Config modules. However that doesn't make the banking app work.

So far I've also tried:
* Magisk Delta, Zygisk off, with sulist on whitelist mode (also tried Delta's Magisk Hide)
* Shamiko
* Hide My Applist (various configs)
* Disabling root from Magisk app
* Renaming the Magisk app
* Downgrading the banking app (it no longer detects root but locks me out until I upgrade)
* Cloning the banking app to Work Profile with Shelter (this is the only thing that gets rid of the message about being rooted. But then it bizarrely claims it can't connect to the server to login!?)

I'm now at a loss as to what else to try. Any ideas please?

 

[surajpai524]

What's the banking app name?

 

[surajpai524]

Also install Ruru and see what might be the problem. Make the same steps you use to hide your banking apps. Also clear data of Ruru before each test.

Releases · byxiaorun/Ruru

An android sample app of detecting suspicious apps like magisk manager - byxiaorun/Ruru

github.com

 

[spida_singh]

A banking app I've been using for years has always worked after putting it on the Deny List. I updated it recently and it now won't work with Magisk installed regardless of what I do.

As soon as I patch the boot image with Magisk it complains that the device is rooted and locks me out. That's without even installing the Magisk app, also without Zygisk etc.

I can pass SafetyNet and Play Protect certification with Universal Safety Net Fix and Magisk Hide Props Config modules. However that doesn't make the banking app work.

So far I've also tried:
* Magisk Delta, Zygisk off, with sulist on whitelist mode (also tried Delta's Magisk Hide)
* Shamiko
* Hide My Applist (various configs)
* Disabling root from Magisk app
* Renaming the Magisk app
* Downgrading the banking app (it no longer detects root but locks me out until I upgrade)
* Cloning the banking app to Work Profile with Shelter (this is the only thing that gets rid of the message about being rooted. But then it bizarrely claims it can't connect to the server to login!?)

I'm now at a loss as to what else to try. Any ideas please?

I have found some banking apps are calling an external site and somehow they are detecting reporting back root. I had an issue with Halifax and Starling before.

Starling for me tripped over the last few days, and I used pcap droid to trace what hosts it was calling during app start up.

I found that when i blocked the following address:-

firebaseremoteconfig.googleapis.com

it all worked OK.

Try it if you use Adaway or a DNS provider and add this to your blacklist

 

[giociampa]

I have found some banking apps are calling an external site and somehow they are detecting reportign back root. I had an issue with Haliafx and Starling before.

Starlign for me tripped over the last few days, and i used pcap droid to trace what hosts it was calling during app start up.

I found that when i blocked the following address:-

firebaseremoteconfig.googleapis.com

it all worked OK.

Try it if you use Adaway or a DNS provider and add this to your blacklist

I was wondering why Starling suddenly started failing - thanks!

 

[tiennhu89]

Try hide root with some google apps on deny list. (u can search "html", "webview", "feedback" then enable hide them all apps which include these words.

 

[fkofilee]

I was wondering why Starling suddenly started failing - thanks!

Ta

For ref - Process for Noobies is here;

MAGISK MODULE ❯ Universal SafetyNet Fix 2.4.0

Universal SafetyNet Fix Magisk module Magisk module to work around Google's SafetyNet attestation. This module works around hardware attestation and recent updates to SafetyNet CTS profile checks. You must already be able to pass basic CTS...

forum.xda-developers.com

Files and all

 

[Prof. Yaffle]

I have found some banking apps are calling an external site and somehow they are detecting reportign back root. I had an issue with Haliafx and Starling before.

Starlign for me tripped over the last few days, and i used pcap droid to trace what hosts it was calling during app start up.

I found that when i blocked the following address:-

firebaseremoteconfig.googleapis.com

it all worked OK.

Try it if you use Adaway or a DNS provider and add this to your blacklist

Thanks. Worked for me on my 6t using LOS20 and Starling

 

[makeyourself]

What's the banking app name?

Starling

Also install Ruru and see what might be the problem. Make the same steps you use to hide your banking apps. Also clear data of Ruru before each test.

Releases · byxiaorun/Ruru

An android sample app of detecting suspicious apps like magisk manager - byxiaorun/Ruru

github.com

If I rename/repackage the Magisk app and use Deny List then the only things Ruru detects is the Magisk app itself (even though it's renamed) and TWRP. TWRP doesn't seem to be the problem because the banking app doesn't seem to care if I've got that installed so long as Magisk isn't installed to ramdisk. And the banking app is clearly detecting something other than just the Magisk app because it trips after flashing Magisk from recovery, even if the Magisk app isn't installed.

I think @spida_singh may have a solution though!

 

[makeyourself]

I have found some banking apps are calling an external site and somehow they are detecting reporting back root. I had an issue with Halifax and Starling before.

Starling for me tripped over the last few days, and I used pcap droid to trace what hosts it was calling during app start up.

I found that when i blocked the following address:-

firebaseremoteconfig.googleapis.com

it all worked OK.

Try it if you use Adaway or a DNS provider and add this to your blacklist

Thanks very much, yes it's Starling I'm having the problem with! Have not tried your solution yet but will do when I have time. Edit: Just tried and it works !!

I did have a look at the DNS requests from the Starling app and I think I may have even noticed the domain name you mention. But wouldn't have guessed it was that causing it! I'd be interested to know how that works... Are Google apps (I have minimal amount installed) spying on my applist and reporting it to my bank!? Kind of creepy! Also quite weird seeing as Google Pay/Wallet doesn't complain!

 

[spida_singh]

Thanks very much, yes it's Starling I'm having the problem with! Have not tried your solution yet but will do when I have time.

I did have a look at the DNS requests from the Starling app and I think I may have even noticed the domain name you mention. But wouldn't have guessed it was that causing it! I'd be interested to know how that works... Are Google apps (I have minimal amount installed) spying on my applist and reporting it to my bank!? Kind of creepy! Also quite weird seeing as Google Pay/Wallet doesn't complain!

Starling will manage the API in how it works for their app, only they will know, i honesltly have no idea, i know Halifax have done this in the past, and now Starling, and simply blocking it allows the app to work, but, as you, im intrigued to know what the app is 'reading' and sending back to report the device is rooted.

PCAP droid can check the payload and dump it to see what was happening with that request, and whats being sent back.

 

[fkofilee]

Starling will manage the API in how it works for their app, only they will know, i honesltly have no idea, i know Halifax have done this in the past, and now Starling, and simply blocking it allows the app to work, but, as you, im intrigued to know what the app is 'reading' and sending back to report the device is rooted.

PCAP droid can check the payload and dump it to see what was happening with that request, and whats being sent back.

Id like to know too - But use my file from post #7 and it should work

 

[Prof. Yaffle]

I think I spoke to soon. It's still showing up for me when I quit the Starling app.

 

[surajpai524]

I tried Starling app and at first it detected root but once I added to Deny list in Magisk. It didn't detect and went to login page.


My root detection bypass configs:-
Magisk (Not hidden/ Name unchanged / Not Frozen)
Magisk Deny List
Shamiko 0.7
Hide My AppList (LSPosed Module)
Universal SafetyNet Fix mod by Displex


I don't know other behaviour like after login and stuff, since I don't have an account.

Ruru screenshot: even with xposed modules and Magisk app not hidden

 

[makeyourself]

I think I spoke to soon. It's still showing up for me when I quit the Starling app.

Do you have the the domain mentioned above blacklisted in Adaway and the app on Magisk Deny List with Deny List enforcing? All working fine here now.

I also have USNF (kdrag0n) and Magisk Hide Props Config installed. Magisk 26.1

Also you have to clear the app's data before that message will go away.

 

[Prof. Yaffle]

Yes, I've tried it added manually and also with the file. Same result both ways. I have the Magisk app hidden, Starling in the Deny list but Enforce disabled as I'm using Shamiko.

Edit

I've just cleared the Starling app data and it seems okay at the moment

 

[fkofilee]

FYI - Latest May update for Pixel and Starling latest update now break the method in this thread - Searching for workaround

 

[spida_singh]

FYI - Latest May update for Pixel and Starling latest update now break the method in this thread - Searching for workaround

I'm running the latest starling absolutely fine on my Pixel 6. Same set-up (latest linesgeos nightly)

Magisk Delta
USNF by displax
PCAP block list still contains this host

What is your setup?

 

[fkofilee]

Official Magisk, UNSF from Displax, Fingerprint Props.
Adaway still contains the host file I made.

 

[Prof. Yaffle]

My OnePlus 6t on the latest Lineageos 20 nightly seems fine with Shamiko, USNF Mod and the blocked host in Adaway