Banking app (Starling) detecting Magisk

[pndwal]

As it happens I think I've found a way around the root check - whether it's permanent or not, only time can tell...

1. Open Magisk (Canary 26.1.02)
2. Configure the Denylist
3. Install/enable the (Displax) USNF and (HuskyDG) MagiskHide modules
4. Disable Zygisk and the Denylist (and reboot)
5. Open Starling - this should start without failing
(I had cleared the Starling data, so needed this)
7. Go through the device registration process
(I also needed Google Wallet to work, so)
8. Enable Zygisk but NOT the Denylist (and reboot)
(Both Starling and Wallet now work)

MagiskHide (proper root hiding) will be better than Denylist anyway, but Shamiko is usually better still... You'll need MagiskHide for step 5 of course...

I'm still confused by step 6 though.

What ROM and Device?
I thought everyone who turned zygisk on would see starling root message unless you kept magisk hide and leave zygisk off but then loose wallet

... Might be in 1 or 2 week grace period after detection?... PW

 

[makeyourself]

As it happens I think I've found a way around the root check - whether it's permanent or not, only time can tell...

1. Open Magisk (Canary 26.1.02)
2. Configure the Denylist
3. Install/enable the (Displax) USNF and (HuskyDG) MagiskHide modules
4. Disable Zygisk and the Denylist (and reboot)
5. Open Starling - this should start without failing
(I had cleared the Starling data, so needed this)
7. Go through the device registration process
(I also needed Google Wallet to work, so)
8. Enable Zygisk but NOT the Denylist (and reboot)
(Both Starling and Wallet now work)

Don't think you need USNF for Starling to work, the Starling app doesn't care about SafetyNet. Though it's needed for Google Pay obviously. As for DenyList, don't think that matters for Starling either once you've logged in and turned on Zygisk. Unless you have indeed found a way around it

MagiskHide (proper root hiding) will be better than Denylist anyway, but Shamiko is usually better still...

Shamiko doesn't seem to help for Starling right now unfortunately. And the fact it's closed source makes it quite difficult to tell exactly why it's not working.

I'm still confused by step 6 though.

InstructionHide possibly ??

... Might be in 1 or 2 week grace period after detection?... PW

I suspect so. Once I'm logged in the 14 day countdown only shows up for me if I keep tapping back when the Starling app is on screen. Either way the countdown starts as soon as I turn on Zygisk, even if I don't see the countdown notice straight away.

 

[Nekromantik]

yeah I think @giociampa will see root message soon as they turned zygsik back on
ideally we need way to hide root without zygisk and saftynet fix for wallet both at same time so not using zygisk breaks wallet.

 

[Lord Sithek]

yeah I think @giociampa will see root message soon as they turned zygsik back on
ideally we need way to hide root without zygisk and saftynet fix for wallet both at same time so not using zygisk breaks wallet.

Does HuskyDG's USNF fork for Riru help with passing Play Integrity currently?

Releases · HuskyDG/safetynet-fix

Google SafetyNet attestation workarounds for Magisk - HuskyDG/safetynet-fix

github.com

 

[Nekromantik]

Does HuskyDG's USNF fork for Riru help with passing Play Integrity currently?

Releases · HuskyDG/safetynet-fix

Google SafetyNet attestation workarounds for Magisk - HuskyDG/safetynet-fix

github.com

no idea dont have time at the moment so just got zygisk disabled for now

 

[pndwal]

Don't think you need USNF for Starling to work, the Starling app doesn't care about SafetyNet. Though it's needed for Google Pay obviously. As for DenyList, don't think that matters for Starling either once you've logged in and turned on Zygisk. Unless you have indeed found a way around it

Shamiko doesn't seem to help for Starling right now unfortunately. And the fact it's closed source makes it quite difficult to tell exactly why it's not working.

Quite... I just left Shamiko and USNF installed but both are simply disabled when Zygisk is disengaged and deviceIntegrity is failing of course, but MagiskHide can be enabled instead of DenyList/Shamiko in Alpha Magisk to allow Starling to open without detection of root...

Once logged in, disabling MagiskHide and enabling Zygisk restores both Shamiko (which may be needed for other bank apps) and USNF (for other banks and G Pay/Wallet)... Of course Shamiko can't help for Starling while Zygisk is detected.

InstructionHide possibly ??

I suspect so. Once I'm logged in the 14 day countdown only shows up for me if I keep tapping back when the Starling app is on screen. Either way the countdown starts as soon as I turn on Zygisk, even if I don't see the countdown notice straight away.

PW

 

[pndwal]

Does HuskyDG's USNF fork for Riru help with passing Play Integrity currently?

I believe It would (possibly in combination with his sensitive props fix module) and manually adding gms attestation/droidguard + gms main processes in hidelist as I mentioned here:
https://forum.xda-developers.com/t/banking-app-starling-detecting-magisk.4576421/post-88577473

The problem is:

Despite allowing deviceIntegrity pass, this may well cause Starling Bank to fail as it can detect native bridge loaded Zygisk injection into zygote... It may well be be able to detect Riru (also NB loaded) injection/hooking too.

Someone could test to see if Riru hooking is detected also, but I suspect NB Zygisk hooking/injection hiding will be fixed soon in any case and it is expected to roll out with 27.0 official Magisk... The LSP devs are aware or native bridge hiding issues in latest Alpha anyhow.

PW

 

[makeyourself]

Someone could test to see if Riru hooking is detected also

Unfortunately yes the Starling app does detect Riru, I just tried it.

 

[Will197]

Open link

I got the same error so I assume you are "browsing" to the site directly. instead you must click on the link.

also make sure starling is able to "open link by default

Did you wipe app data first? I can send a video if it if you need help

Thanks Bro. It worked by enabling link app by default as you both mentioned

 

[giociampa]

yeah I think @giociampa will see root message soon as they turned zygsik back on
ideally we need way to hide root without zygisk and saftynet fix for wallet both at same time so not using zygisk breaks wallet.

Nothing yet - maybe I've got something else in the denylist that is relevant (the following list is probably overkill admittedly, but you never know)

Android Services Library
Device Policy
Google Carrier Services
Google Connectivity Services
Google Play Games
Google Play Services for ARCore
Google Play Store
Google Support Services
Google Wallet

(Plus of course Starling and a number of other apps that complain about root)

Note that I've ticked every checkbox for all of these, not just those that the app ticks by default.

 

[Nekromantik]

Nothing yet - maybe I've got something else in the denylist that is relevant (the following list is probably overkill admittedly, but you never know)

Android Services Library
Device Policy
Google Carrier Services
Google Connectivity Services
Google Play Games
Google Play Services for ARCore
Google Play Store
Google Support Services
Google Wallet

(Plus of course Starling and a number of other apps that complain about root)

Note that I've ticked every checkbox for all of these, not just those that the app ticks by default.

View attachment 5922529View attachment 5922531

Interesting. However your using zygisk so the Magisk hide module doesn't do anything as it requires Magisk off I think

 

[giociampa]

Interesting. However your using zygisk so the Magisk hide module doesn't do anything as it requires Magisk off I think

I'm confused now - just tried turning Zygisk off again, and Starling/Wallet still works...

 

[Nekromantik]

I'm confused now - just tried turning Zygisk off again, and Starling/Wallet still works...

Look like yours is only phone that works with zygisk lol
With zygisk on your using the standard denylist in Magisk without zygisk u can use Magisk hide module. Both do same thing hide root.

 

[makeyourself]

@giociampa could you please try the following:
* Force stop the Starling app
* Launch the Starling app and authenticate/login
* Keep pressing the "back" button until the app exits

Do you now see the warning about your device not passing security checks?

 

[giociampa]

@giociampa could you please try the following:
* Force stop the Starling app
* Launch the Starling app and authenticate/login
* Keep pressing the "back" button until the app exits

Do you now see the warning about your device not passing security checks?

I do see the message now, yes.

That seems like an odd way to show it, on the way out rather than on the way in - I assume that it has been present the whole time and I just didn't know it was there?

What happens after the 14 days? Do I have to wipe the app, then reinitialise it (with Zygisk turned off, given that I can update the Denylist from the command line)?

 

[makeyourself]

I do see the message now, yes.

That seems like an odd way to show it, on the way out rather than on the way in - I assume that it has been present the whole time and I just didn't know it was there?

What happens after the 14 days? Do I have to wipe the app, then reinitialise it (with Zygisk turned off, given that I can update the Denylist from the command line)?

It is a bit odd the way it shows up like that yes. If you clear the app's data and turn off Zygisk then the warning will go away. Until you turn on Zygisk again, upon which the 14 day countdown will begin again. If you've already been using it for a few days with Zygisk turned on then presumably you have less than 14 days left at the moment.

 

[michalrobeck]

Has anyone managed to get it working with KernelSU?
I got a fresh version of Evo X on a K20 Pro and it's still detected

 

[makeyourself]

Has anyone managed to get it working with KernelSU?
I got a fresh version of Evo X on a K20 Pro and it's still detected

I did try it with KernelSU a few days ago on LineageOS (with a custom kernel) and Starling was working fine, root not detected IIRC. But still, SafetyNet does not pass with KernelSU, it needs Zygisk and USNF. Which means it's no better solution than Magisk. If KernelSU doesn't work for you just try Magisk + HuskyDG MagiskHide.

 

[Azzlan]

What happens after the 14 days? Do I have to wipe the app, then reinitialise it (with Zygisk turned off, given that I can update the Denylist from the command line)?

Or you can just use my method and click the link I posted to allow initial log in. No wipe or turning zygisk off required!

 

[michalrobeck]

Or you can just use my method and click the link I posted to allow initial log in. No wipe or turning zygisk off required!

Just wanted to say that can confirm that this definitely works.
I had to leave the app open on the "takes 30 minutes to approve" on my second try. First try I closed it and looks like the app got closed by Android.

However got the 14 day countdown now. When I open the app and continue going back it shows it. I guess I'll try magisk delta (which is magisk by huskydg)

Do wonder how long it'll take them to patch out the browser workaround