• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

Comdirect photoTAN app detecting root

Search This thread

ChillDuder

Member
Nov 23, 2015
37
10
to my surprise:
comdirect phototan works on with latest canary magisk on a android 12 (in my case: pixel experience 12 beta on an old pixel 2). zygisk activated with forced denylist (phototan ofc activated there). no modules stuff installed.
i even enrolled the app to my account. it works.
now i dont know if that is only canary magisk or also android 12. or it works also on android 11.
 

Sorath_84

Member
Jul 24, 2019
5
0
to my surprise:
comdirect phototan works on with latest canary magisk on a android 12 (in my case: pixel experience 12 beta on an old pixel 2). zygisk activated with forced denylist (phototan ofc activated there). no modules stuff installed.
i even enrolled the app to my account. it works.
now i dont know if that is only canary magisk or also android 12. or it works also on android 11.
Unfortunately not working for my Galaxy S8 with Android 10, Magisk Canary and Zygisk activated.

Any other ideas, what to try?
 

tko

Senior Member
Oct 23, 2005
102
15
well... now the app doest not work anymore... it wants you to update....

does anyone has a new "working" solution yet?
 
  • Like
Reactions: RtGh43

Lars789852

New member
Dec 13, 2021
1
1
does anyone has a new "working" solution yet?

Hi,

Using the app in airplane mode is still possible, but the push messages won't work of course. And it wouldn't work with comdirect App, I guess...

I could get the photoTAN 8.4.2 to work and managed to scan the photoTAN-graphics. Might be a workaround for the time being.

1. Clear data and cache of the photoTAN-App
2. Switch on airplane mode
3. Open the photoTAN-App, it won't check for updates, since it can't
4. Go through the setup process until the setup process asks for access number and PIN
5. Disable airplane mode
6. Enter access number and PIN, scan the activation image
7. The setup will now ask, whether to enable push messages. Before denying them, enable Airplane Mode
8. Deny the push messages

The app should then be usable to scan photoTAN-graphics, when the phone is offline.

After using the app, I'd force stop the app in the app settings, before disabling airplane mode.

Once the app is opened, while the phone has an internet connection, the app will store the information, that an update is available, in its storage. Thus once the app knows about the update, it won't work on airplane mode either and the setup has to be repeated.
 
  • Like
Reactions: pixel-smee

AndDiSa

Senior Member
Dec 2, 2009
3,606
4,816
Heidelberg
Are they really forcing you to install an update of the application while you are doing (trying to do) a transaction?
I could understand if you get an information that you should do an update. Probably also that you get a certain time in future until you have to do the update ... but what if (for whatever reason, e.g. out of memory, limited internet connection, ...) you are not able to update?
Stupid and not really customer friendly workflow 🤔
 

RtGh43

Member
Jan 26, 2014
30
4
Greets,

They force an update; after the update it detects root again.
Any workarounds so far?
 

pixel-smee

Member
Dec 14, 2021
5
9
I was still using 8.2.0 and I faced the message that the app requires an update (yes, in the middle of a transaction) few minutes ago 🤮

I hope the airplane hack with the photoTAN-graphics will work (3 posts above by Lars789852) for a little while.

For me it was possible to get the app back starting by this hack:

1. Force stop the app
2. Open a root shell (I use Termux)
3. Edit the text file /data/data/com.comdirect.phototan/files/setup-phototan.json (I use vi)
and modify the value for "minAndroidAppVersion":"8.5.0"
I set this back to 8.2.0
4. Turn on Airplane mode and start the app

I also tried to block Internet access in TrackerControl but this seems not to be sufficient.
Only with no data switched on, the app informed me about missing connection ...

Wondering, how the app will behave if this file is set to "read-only" ... might try this out when there is more time ...
 
Last edited:

AndDiSa

Senior Member
Dec 2, 2009
3,606
4,816
Heidelberg
I set it to read-only but unfortunately the app tried to force me to update to the newer version ... :-(
So I killed the app and switched on airplane mode and startet the app again. This time I was told "no internet connection" but I was able to switch to phototan mode which then worked flawlessly.
 

CR4NKK

Member
Apr 27, 2021
9
1
I was still using 8.2.0 and I faced the message that the app requires an update (yes, in the middle of a transaction) few minutes ago 🤮

I hope the airplane hack with the photoTAN-graphics will work (3 posts above by Lars789852) for a little while.

For me it was possible to get the app back starting by this hack:

1. Force stop the app
2. Open a root shell (I use Termux)
3. Edit the text file /data/data/com.comdirect.phototan/files/setup-phototan.json (I use vi)
and modify the value for "minAndroidAppVersion":"8.5.0"
I set this back to 8.2.0
4. Turn on Airplane mode and start the app

I also tried to block Internet access in TrackerControl but this seems not to be sufficient.
Only with no data switched on, the app informed me about missing connection ...

Wondering, how the app will behave if this file is set to "read-only" ... might try this out when there is more time ...
can you help me on how to edit the file with vi?
I have the package installed in Termux, but no idea how to edit the file.
 

pixel-smee

Member
Dec 14, 2021
5
9
For those not familiar with vi, I recommend sed:

1. cd /data/data/com.comdirect.phototan/files/
2a. sed -i 's/8.5.0/8.2.0/' setup-phototan.json

or (this does the same)

2b. sed -i 's:8.5.0:8.2.0:' setup-phototan.json
 
  • Like
Reactions: CR4NKK and tko

tko

Senior Member
Oct 23, 2005
102
15
For those not familiar with vi, I recommend sed:

1. cd /data/data/com.comdirect.phototan/files/
2a. sed -i 's/8.5.0/8.2.0/' setup-phototan.json

or (this does the same)

2b. sed -i 's:8.5.0:8.2.0:' setup-phototan.json
thx, that worked for me.

i did the same, airplane mode on ... app starts again.
i guess for now we can only start the app in airplane mode...

is there a way to create a "shortcut" with the sed cmd?
 
Last edited:
to my surprise:
comdirect phototan works on with latest canary magisk on a android 12 (in my case: pixel experience 12 beta on an old pixel 2). zygisk activated with forced denylist (phototan ofc activated there). no modules stuff installed.
i even enrolled the app to my account. it works.
now i dont know if that is only canary magisk or also android 12. or it works also on android 11.
I can confirm that on Pixel 6 with latest Canary 23016 Android 12.
No other Modules loaded, just Zygisk enabled, force denylist, thats all.
I deleted the cache and storage of the App and Setup freshly, its working fine so far
 
  • Like
Reactions: AndDiSa

CR4NKK

Member
Apr 27, 2021
9
1
For those not familiar with vi, I recommend sed:

1. cd /data/data/com.comdirect.phototan/files/
2a. sed -i 's/8.5.0/8.2.0/' setup-phototan.json

or (this does the same)

2b. sed -i 's:8.5.0:8.2.0:' setup-phototan.json
unfortunately I have no permission with Termux accessing this folder. Is there something I am missing?
 

Top Liked Posts

  • 1
    May this manual helps with magisk 24 on A10
    https://telegra.ph/How-to-Hide-Root-In-Magisk-Canary-01-07
    For me in A12 no problem with 24.1 zygisk
    1
    May this manual helps with magisk 24 on A10
    https://telegra.ph/How-to-Hide-Root-In-Magisk-Canary-01-07
    For me in A12 no problem with 24.1 zygisk
    Works! Thank you :)
  • 8
    1. deinstall old magisk-app
    2. install canary.apk
    https://raw.githubusercontent.com/topjohnwu/magisk-files/canary/app-debug.apk
    2.1 install safenet-fix modul
    https://github.com/kdrag0n/safetynet-fix/releases/download/v2.2.1/safetynet-fix-v2.2.1.zip
    (will not be active until you finished step 3.)
    3. repatch boot.rom with "install" & "direct" (installieren & direkte installation)
    4. after that reboot, etc... it should look sth like this
    1.jpg

    5. go to settings (red arrow)
    6. hide app (2.), enable zygisk (if not allready running) 3, enable deny-list (4), config deny-list (5)
    2.jpg

    7. enable all 3 processes
    3.jpg

    8. add other apps you may need in deny-list... like google pay & google play services

    during the hole process you may have to reboot your phone
    2
    Another solution is using Version 6 or 7 of the photoTAN app. They do not use this PushTAN stuff and do not even need internet. (I use 6.0.6 but I read that 7 should also work)

    If you cannot access your comdirect account anymore (because a TAN is needed) go to "TAN-Verfahren wiederherstellen" (TAN recovery) and then select, that you have a "Lesegerät" instead of a "Smartphone".

    Now scan with your old version of the app scan the image on the Aktivierungsbrief (activation letter) and then the code on the website.

    The old app gives you a TAN. Enter the TAN on the website and you are in.

    Guess this will work until comdirct decides to get rid of these dedicated photoTAN devices which hopefully will not happen soon.

    Only disadvantage is that "Push PhotoTAN" does not work anymore, you must always scan the photoTAN codes now.

    -----------

    When this workaround does not work anymore I will consider changing my Bank.

    I also an account with ING Diba and they do not appear to do any serious root detection at all.

    Even without MagiskHide the ING Banking app does not complain about root.
    2
    Somebody checked out this app for all?
    finanzblick Online-Banking
    I'm using Finanzblick to manage several accounts and services, however they are just accessing each banks data endpoints to request for account statement or bank transfer, which will prompt your banks method of tan authentication... So in case for Comdirect it will also send a pushtan which you would have to enable in your regular tan app ... So it's not an replacement for us here...
    1
    Usually it is not an issue to uninstall und reinstall the manager app. Very likely you need the Canary version then
    1
    May this manual helps with magisk 24 on A10
    https://telegra.ph/How-to-Hide-Root-In-Magisk-Canary-01-07
    For me in A12 no problem with 24.1 zygisk
  • 13
    Since version 8.3.0 additional measures to detect root have been added, do not update as MagiskHide won't be able to prevent detection. Until a solution is found I would recommend staying on the previous version for as long as possible.

    Finding out what exactly is causing the root detection is beyond my technical abilities but I would provide as much information needed to those willing to help.

    ---

    Update: December 14th 2021 - Method no longer sufficient

    ---

    The solution found by @pxrave appears to be working:


    Hey fellas I got it working and others apps detect magisk before.

    Update to latest v23
    Install modules riru and riru unshare
    Remove data from tan app
    Go to magisk hide and tick all process to hide included the isolated
    Start the tan app and do the activation again.

    Problem you need wait 2 days to activate because comdirect use new activation process for photo tan app.

    Working fine all version 8.3


    Link to the Riru Unshare module:
    9
    Hey fellas I got it working and others apps detect magisk before.

    Update to latest v23
    Install modules riru and riru unshare
    Remove data from tan app
    Go to magisk hide and tick all process to hide included the isolated
    Start the tan app and do the activation again.

    Problem you need wait 2 days to activate because comdirect use new activation process for photo tan app.

    Working fine all version 8.3
    8
    1. deinstall old magisk-app
    2. install canary.apk
    https://raw.githubusercontent.com/topjohnwu/magisk-files/canary/app-debug.apk
    2.1 install safenet-fix modul
    https://github.com/kdrag0n/safetynet-fix/releases/download/v2.2.1/safetynet-fix-v2.2.1.zip
    (will not be active until you finished step 3.)
    3. repatch boot.rom with "install" & "direct" (installieren & direkte installation)
    4. after that reboot, etc... it should look sth like this
    1.jpg

    5. go to settings (red arrow)
    6. hide app (2.), enable zygisk (if not allready running) 3, enable deny-list (4), config deny-list (5)
    2.jpg

    7. enable all 3 processes
    3.jpg

    8. add other apps you may need in deny-list... like google pay & google play services

    during the hole process you may have to reboot your phone
    6
    To get rid of the Airplane mode (or toggling data off/on) I figured how to block the connection to the upgrade service right on the phone. The requests go to 'api.comdirect.de'.

    Use blacklist in TrackerControl
    -> Settings / Advanced options / Import hosts file (append)

    Create a file on the phone with this content:
    0.0.0.0 api.comdirect.de

    This way I can leave the connection to the internet on when starting/using the app.
    No version check can be performed, so the app should work forever ...

    One cannot use the TAN push service anymore but only the „photoTAN Grafik“.
    6
    So guys
    My favorite solution:
    Magisk canary
    Riru
    Riru unshare
    Riru lsposed
    Xprivacilua 1.30

    Safety net is ok
    Phototan working