Thank you. But I found no explanation of why a disabled app can avoid detection.
Still, you said
but hiding Magisk app with a random package name appears not enough for some banking apps. For some reason, they can still identify Magisk app unless it's disabled (or hidden by other methods like HMA) - well, I never understand this part.
... the need for further hiding is explained; I went to some trouble to distil the info from that GitHub issue re. pattern matching etc...
There are some apps that can show a lot of information about installed apps (enabled or not), e.g.
https://play.google.com/store/apps/details?id=com.majeur.applicationsinfo
Good share, thanks...
, without requesting any permissions.
This was possible in A10 but was supposed to be fixed in A11 in May 2021.
App Devs discovered an easy bypass however, using the QUERY_ALL_PACKAGES permission, and have since exploited this loophole (and others).
Google has been slow to patch / enforce their rules... Enforcement for compliance was pushed back to Nov ('for Covid-related reasons'), and it seems still not enforced till recently, but a new ultimatum gave June 1 2022 as the date apps would begin to be pulled for non-essential use of this permission or failure to issue a proper statement re. why use is 'essential'...
This is all in the link(s)...
But why do some banking apps only check enabled apps?
I think they do whatever they can... Fraud / scams / hacking / device security are becoming critical issues... With iOS ahead of the game and Google's SafetyNet API an abysmal failure*, banks are becoming as inventive as possible and Google compliance rules are also viewed as fair game / expendable...
* Read 'Totally unreliable', at least while fallback from Hardware to Basic evaluation for attestation to TEE is possible; this effectively bypasses / makes a joke of (A)ndroid (V)erified (B)oot and its 'Chain of Trust' ...
Sorry if I missed some key points in your links.
You did, but hopefully the summary will clarify a few things for all... PW
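
Added example, not part of the original post: a small audit of a decoded AndroidManifest.xml that reports whether an app sees the full installed-package list under the Android 11 package-visibility rules discussed above (QUERY_ALL_PACKAGES, or targeting below API 30) or only what it declares in `<queries>`. The sample manifest and its package names are constructed, and the input is assumed to be the text-form manifest (for instance as produced by a decoding tool), not the binary XML inside an APK.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
QUERY_ALL = "android.permission.QUERY_ALL_PACKAGES"

# Constructed sample manifest (decoded text form), not taken from any real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
    <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="30"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <queries>
        <package android:name="com.example.partner"/>
        <intent>
            <action android:name="android.intent.action.VIEW"/>
        </intent>
    </queries>
</manifest>
"""

def audit_package_visibility(manifest_xml):
    """Summarise how a manifest asks to see other installed packages."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID + "targetSdkVersion", "0")) if sdk is not None else 0
    perms = {p.get(ANDROID + "name")
             for tag in ("uses-permission", "uses-permission-sdk-23")
             for p in root.findall(tag)}
    packages, intents = [], []
    for q in root.findall("queries"):
        packages += [p.get(ANDROID + "name") for p in q.findall("package")]
        for intent in q.findall("intent"):
            intents += [a.get(ANDROID + "name") for a in intent.findall("action")]
    # Visibility filtering only applies to apps that target API 30 or higher.
    if target < 30:
        mode = "unfiltered (targets below API 30)"
    elif QUERY_ALL in perms:
        mode = "unfiltered (QUERY_ALL_PACKAGES)"
    elif packages or intents:
        mode = "filtered (<queries> only)"
    else:
        mode = "filtered (default)"
    return {"target_sdk": target, "query_all": QUERY_ALL in perms,
            "packages": packages, "intent_actions": intents, "mode": mode}

if __name__ == "__main__":
    for key, value in audit_package_visibility(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```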