[Discussion] Magisk - The Age of Zygisk.

[zgfg]

Hi,

Don't know if this is the right place ... anyways ...

Safetynet : Pass, yet Banking apps detect root and fail · Issue #6063 · topjohnwu/Magisk

Hi, Safetynet : Pass, yet Banking apps detect root and fail Is this how its going to be our is there something I can do and have these banking apps up and working ?

github.com

Firstly I don't have a clue why my github issue got closed by a bot.

If I remember correctly, you have to fill a template when reporting. And you have to confirm there that you use the latest Debug version.
Without all those formalities, the bot will immediately close your issue

But even if you pass the bot, your 'issue' will be sooner or later closed by developers because it's not their business if some banking app detects 'root'

Who knows how does it detect. Maybe by looking for Magisk Application (configuration of DenyList has nothing to do with that)

Maybe the app guesses about 'root' by finding TWRP folder. Maybe the app recognizes that Bootloader is unlocked (like Momo app can find on some phones) and it guesses why would somebody unlock BL if not for rooting or installing a custom ROM

It's not about detecting the 'root' but detecting that you are not running the 'safe' (read the CERTIFIED) stock firmware

And TJW has clearly departed himself and his Magisk v24+ from those detections of 'root'. New DenyList is something totally different than previous MagiskHide. Even if somebody does not understand the differences in techniques, he should see a significant difference in their NAMES

I only don't understand why TJW still keeps Hide (repackage) Magisk App option. If he really wanted to be straight about differentiating from hiding the 'root', he should have removed that option - that option (putting aside that it can be circumvented by smarter 'banking' apps) has no other purpose than to hide Magisk app from the 'banking' apps who try to look for the Magisk ('service', 'mask', whatever you call) by looking instead for (an easier task) the Magisk app. Hence TJW still stands here on the 'wrong' side, but apparently his employer does not care much (meanwhile trying to impose that apps soon will no more be able to search for the installed apps, hence hiding the Magisk app would become irrelevant)

Ie, detecting and hiding root is a game. And AFAIK, Magisk GitHub does not accept reporting any 'issues' about

Edit:
Just checked, the template/instructions when reporting an Issue (Magisk GitHub) clearly say (among others):

• **DO NOT** open issues regarding root detection.

• Without following the rules above, your issue will be closed without explanation.

 

[Lossani]

I use magisk delta, work with bank apps

I noticed it was because of Zygisk that even on Magisk Delta it was detecting root. So I now installed Magisk Delta without Zygisk enabled and Hide list On and it works. Is there any significant difference for Zygisk and no Zygisk?

I fail SafetyNet now

 

[rodken]

But even if you pass the bot, your 'issue' will be sooner or later closed by developers because it's not their business if some banking app detects 'root'

detecting and hiding root is a game

+1

 

[pndwal]

maybe he's lysdexic and meant reserved?

There are gedrees of lysdexia; everyone's affected to some gedree...

... He wrote about Shamiko; closed source, developed by LSP team, 'can't' submit bug reports etc... Md

 

[zgfg]

I noticed it was because of Zygisk that even on Magisk Delta it was detecting root. So I now installed Magisk Delta without Zygisk enabled and Hide list On and it works. Is there any significant difference for Zygisk and no Zygisk?

I fail SafetyNet now

Of course there is a BIG difference. Not easy to describe in few words (specially to a newbie regarding to Zygisk).But take your time and search/read in this and Magisk general thread, you can find a lot about Zygisk, how and why it was introduced, about its still not mature status, about its name (process starting from Android Zygote!), etc

If you don't use Zygisk, and if you needed USNF (with Zygisk to pass SN), then now you need to go back to the lower version of USNF - new USNF is made for Zygisk.
Please read and find info in the USNF thread - for Delta without Zygisk, you should look for the USNF version as for the old, pre v24 Magisk

Or ask in the Delta thread - this thread here is for the official/new Magisk v24+ while Delta, with Zygisk disabled acts l(in some aspects) like Magisk v23-.
Actually, it's ba specific mix of the old and new and should not be messed with the official Magisk v24/25

 

[rodken]

There are gedrees of lysdexia; everyone's affected to some gedree...

... He wrote about Shamiko; closed source, developed by LSP team, 'can't' submit bug reports etc... Md

 

[pndwal]

so far i enabled app hiding feature in magisk, installed denylistunmount (and disabled "enforce denylist") and safetynetfix modules and put banking apps in denylist. Two banking apps seem to work, at least they don't complain. Not yet tried logging and everything... but gpay is showing a blank screen and seems to hang only. G-play says "device is not certified".

If YASNAC gives CTS profile match pass you should get Play Protect Device is certified if you clear Google Play Store and (sometimes) Google Play Services data... PW

 

[pndwal]

I noticed it was because of Zygisk that even on Magisk Delta it was detecting root. So I now installed Magisk Delta without Zygisk enabled and Hide list On and it works. Is there any significant difference for Zygisk and no Zygisk?

Zygisk is the new Riru, ie. XHook to inject into zygote in order to allow modules to run their codes in apps or the system server... One difference is that it's integrated in Magisk...

I fail SafetyNet now

You need Riru (framework module) and Universal Safety net Fix v2.1.3 (Riru) (module). PW

 

[pndwal]

I only don't understand why TJW still keeps Hide (repackage) Magisk App option. If he really wanted to be straight about differentiating from hiding the 'root', he should have removed that option - that option (putting aside that it can be circumvented by smarter 'banking' apps) has no other purpose than to hide Magisk app from the 'banking' apps who try to look for the Magisk ('service', 'mask', whatever you call) by looking instead for (an easier task) the Magisk app.

John may not be interested in the board-game (if you will) of Cat and Mouse any longer, but he has stated that he doesn't intend to stop others playing.

This means he's not resetting the board at this point... In fact he's even encouraged Devs 'still passionate about' the 'hiding' game to get more involved and 'start doing their job'...

The issue for him has clearly been the requirement (now that he's working with the big, if apparently lazy, cat) to take back moves where he's 'played dirty'...

This Take Back specifically means

Yes, MagiskHide will have to see its end of life... Magisk will not spoof/alter/manipulate any non-Magisk related signals or traces to circumvent any device state detection.

https://topjohnwu.medium.com/state-of-magisk-2021-fe29fdaee458

In other words, 'dirty' = a deliberate attempt to 'subvert Google's security model'.

However

It's worth noting that neither Google nor John seem to regard hiding (obfuscating) Magisk App as akin to attempts to "spoof/alter/manipulate any non-Magisk related signals or traces to circumvent any device state detection", now precluded in Magisk... Seems this is legitimate subterfuge as apps should not be employing such means of detection in any case... (Ie. Google has rules preventing both modder abuse, and proprietary app abuses)...

Hence TJW still stands here on the 'wrong' side,

Matter of perspective...

Yes, he may be hiding code the fat cats don't like, but the cat-who-counts hasn't given them clearance to enter and search!.... So who's playing dirty here?...

but apparently his employer does not care much (meanwhile trying to impose that apps soon will no more be able to search for the installed apps, hence hiding the Magisk app would become irrelevant)

Exactly... Google have rules for Banks and for users... Banks have been breaking the rules re obtaining applists and Google are (s l o w l y) addressing this abuse...

Some very interesting news re. apps that use the QUERY_ALL_PACKAGES permission (S PushTAN & many others) FINALLY being pulled into line by Google (from former XDA Editor in chief):

Mishaal Rahman, Apr 6
...
Apps that declare the QUERY_ALL_PACKAGES permission but haven't filled out the relevant permission declaration may be removed from Google Play starting June 1, 2022.

www.twitter.com/MishaalRahman/status/1511452117214679053

Reasons / excuses for the delay:
https://www.xda-developers.com/google-play-store-query-all-packages-rule/

What it means in practice:
My guess is that it will depend a lot on Google... Here's hoping... PW

So Google clearly view deliberate subversion of API changes that prevent apps from obtaining applists as foul ('dirty') play, not efforts to hide apps from from other apps...

Ie, detecting and hiding root is a game.

And the game continues... And boundaries (rules) are being defined more clearly... Thanks to John... And Google... PW

 

[itt533]

If YASNAC gives CTS profile match pass you should get Play Protect Device is certified if you clear Google Play Store and (sometimes) Google Play Services data... PW

YASNAC and CTS, mean?

 

[zgfg]

YASNAC and CTS, mean?

Both are really household terms in this thread (for anybody who here and there reads some posts). Please read OP posts on the first page

Screenshot from YASNAC app (Google Play) attached

 

[aiamuzz]

Use Shamiko or DenyList Unmount, disable Enforce DenyList

I did try Shamiko, but those banking apps still are failing ...

 

[m0han]

YASNAC and CTS, mean?

to add to @zgfg's reply:
CTS - Compatibility Test Suite
some more reading here: https://www.xda-developers.com/how-to-pass-safetynet-android/

 

[Ace_Cole]

But I see now that you started by asking about App Cloner

I don't see App Cloner in the MIUI Security. If that App Cloner is a third party app, then adding Security to DenyList would have no effect/not help

Then I don't know why somebody recommended you to add MIUI Security to DenyList - my previous post was exclusively about adding Security to DenyList (since I remember that with some MIUI version and/or some Magisk version, Security was not showing in DenyList or in MagiskHide and I needed to be added through CLI in Terminal)

Can there be a solution for this "App cloner" detecting root?

 

[zgfg]

Can there be a solution for this "App cloner" detecting root?

I don't use and don't know

 

[Ace_Cole]

I don't use and don't know

Okay... Anyway to check what the app use to detect root? Sound dumb thou but I still will like to ask

 

[pndwal]

Okay... Anyway to check what the app use to detect root? Sound dumb thou but I still will like to ask

Just tried... What should I do after this?:

PW

 

[Ace_Cole]

Just tried... What should I do after this?:
View attachment 5653693
PW

Just tried... What should I do after this?:
View attachment 5653693
PW

Is your device rooted? If yes
Do you see a splash screen
With warning message "Root detected"? If No
Please I'd like to know how you got it to work without detecting root. Thanks

 

[pndwal]

Is your device rooted?

Since new!

If yes
Do you see a splash screen
With warning message "Root detected"?

Nope...

If No
Please I'd like to know how you got it to work without detecting root. Thanks

App cloner 2.14.7 (1 July 2022)
Xiaomi Redmi Note 8T, stock MIUI, Android 10.
Magisk 25101, Zygisk, USNF, Shamiko.
App in denylist

CTS profile match (SafetyNet) pass.
Play Protect Device is certified.

This one was easy...
PW

 

[Ace_Cole]

Since new!

Nope...

App cloner 2.14.7 (1 July 2022)
Xiaomi Redmi Note 8T, stock MIUI, Android 10.
Magisk 25101, Zygisk, USNF, Shamiko.
App in denylist

View attachment 5653699
CTS profile match (SafetyNet) pass.
Play Protect Device is certified.

This one was easy...
PW

Nice thanks
I have Xiaomi Redmi 9 (Android 10)
Magisk delta 25.1 (magisk hide enabled)
Zygisk disable, USFN riru, CTS profile match (pass)
App added to deny list
Seems I'm doing something wrong. .. I'll check with zygisk enabled and shamiko
Thanks