DKB-TAN2go app on rooted device


seltenheit

Member
Thank you, alecxs.

You are lucky they didn't kick off your bank account immediately, because you are stupid enough to use TAN2Go on a rooted device and more stupid you told them! Sure they won't accept any recourse claims in case of fraudulent account activity...

I wouldn't accept / and never will use TAN2Go as long as Magisk is able to hide. a chipTAN generator is safe, if lost you can get a new everywhere for 15 bucks, and works with (or without) any (stolen/lost) cell phone.

Besides the pro/contra discussion of TAN2Go it is your decision to use it, but it's the bank's liability not to support rooted devices! and i believe there are more than x-Thousands customers they would lose, if they decide to violate the android security rules.

However, according to this thread, the reason why it works for some people while it doesn't for others may be related to Xposed:

Hi Alecxs,

I agree, on one hand, it might have been "stupid" to give many clients the chance to stay with their open devices by the DKB-Bank.
I agree that they might exclude warranty items if there should occur a fraud problem - I did not think about that before...
I assumed, that they perhaps did not realize what problems their policy made to their customers, and wanted to spread a workaround, just to solve the problem, as easily as possible.

As I see NOW / LEARNED NOW by your Message, there have to exist good reasons for their safety rules within their app...:
I am not a programmer, nor a code specialist; just a user that wanted to help.

I do not want to STAY "stupid".
So, please tell / explain to us all now.
1. Why is ROOT a problem on Android-Phones, while with LINUX I am - of course! - ROOT on my PC and this is absolutely normal and necessary, also for banking programs / websites?
2. Would it be enough to remove Magisk to unroot my device and keep the necessary safety-standards?
3. Would I also kill the open boot-loader to be safe?
4. Why is an open bootloader also a danger?
5. Do I have to re-migrate to the hated MIUI 10 - System on my Redmi Note 6 Pro, or is there a working safe solution with Android, too?

Thank you,
Regards,

Achim
 

aIecxs

Senior Member
I assumed, that they perhaps did not realize what problems their policy made to their customers, and wanted to spread a workaround, just to solve the problem, as easily as possible.
nothing to say against. but this is what we should do here, help others and share knowledge

i am no developer too, just a stupid (paranoid) consumer trying to find solution for technical problems like everyone else, but let me try to answer the questions anyway (as you explicitly prompted me)

1. the following is just simplified and i willfully excluded permissions from android manifest, NSA selinux stuff and sql database protection: the security concept of android differs from linux. the user/role which for PC is usually one root account for maintenance, and one (or more) user account(s) assigned to the person who uses it, is "misused" in android for the app permissions. each app gets assigned to its own user id (each app is a "user") and has basically its own "safe place" where the files are stored. while in linux programs installed from normal user all files can be accessed free, basically every app developer is against manipulating their stuff (saved in a "secret" folder on "/data" partition where nobody is allowed to read). A good example is WhatsApp: the encryption key is stored in /data - with this key "everyone" can decrypt your WhatsApp Backup files (regularly stored on sdcard). Of course, it is technically possible to change the whole concept and it's more for traditional reasons, but developers have to follow google rules. Besides i really don't know anything about banking websites but assume the whole security is handled server side, while banking apps will generate/provide TANs on the device itself (sure they have additional encryption, but nothing is bullet proof). For me, it's more safe to do this on a "closed" device (TAN generator) with no internet connection where i have to put in my cash card, like on terminal. I bet today's Windows PCs banking are less secure than android, at least we should not align safety requirements at the WORST

2. The risk of fraud on rooted devices is basically low, but higher than stock device. Magisk fulfils the security needs in any case, they have pin protection for root requests, selinux enforcing, isolated namespace separation, screen overlay protection - all this stuff technically works fine. The security risk is just the user itself, because he has the freedom to install any module, any app, permit every request from every app. If the malicious app is designed clever enough, i may allow something i expected, but the app is silently doing different things in background... this is only possible on rooted devices. But to answer the question, it would be enough to hide Magisk to make the app work

3. Many devices shipped with open bootloader at stock, i assume this is not necessary but i can understand the risk of an open bootloader:

4. Regardless encryption, with open bootloader it is more easy to get a dump of /data. For example on many devices it is possible even for noobs like us, to boot a custom recovery twrp which comes with encryption support. if the /data partition is force encrypted from stock rom, you don't even need to bruteforce a pin because TWRP is able to silently decrypt it with default_password passphrase. on the other hand, a locked bootloader is (or should be) a guarantee that you are not allowed to dump /data (even if it is not encrypted at all), because unlocking will erase all user data for security reasons. Of course, this is simplified again and i am aware of most older MediaTek devices not following the rules.

5. Afaik Xiaomi devices (like many other chinese brands) have AnalyticsCore.apk or com.adups.fota which is a backdoor for gathering data, but EVERY device has google play services (who knows what google is collecting) so i would not recommend any special ROM (except a non-rooted LineageOS maybe, this seems a good solution) because every android ROM is basically the same. for Samsung devices it's best to stay at Knox just for warranty reasons, but with limited flexibility of course

be aware this is just opinion based

However, my original attempt was to explain to the OP @scarline (and others) the reason why it does not work is he installed Xposed framework
 

seltenheit

Member
thanks for your great efforts of explanation.

Hi Alecxs,
I promise to read it several times and I am sure, that many users are glad for the explicit explanations.

Thank you,
Achim
---------------
Would you recommend me:
a) to re-migrate to MIUI 10.3 and delete - if possible - the two backdoors-apk-s ? And will my bootloader then automatically be re-locked again?
b) to stay at my rooted Redmi Note 6 Pro with CrDroid, similar to Lineage OS?
c) to delete Magisk and hopefully un-root it that way? (I tried already; the TAN2Go didn't work...)
d) to stay at CrDroid and delete Magisk and lock my bootloader (although I don't know, how to do.)
?

Regards, Achim
 

aIecxs

Senior Member
sorry i didn't see the edit...

re-locking the bootloader will brick your device
to clarify: chinese backdoors i mentioned are NOT related to banking crimes! sorry for this confusion. they just collect calls and messages to identify junk texts and junk calls and check it against your contacts and location. basically the same thing google does on every phone (i guess). besides this you can't disable it because it is part of the firmware updater (you won't receive updates any longer). from this point of view it seems better to use custom rom.
read more
https://www.xda-developers.com/report-android-phones-transmit-data-to-adups-a-chinese-firm
here is a non-exhaustive list of some chinese brands (i have com.adups.fota.sysoper on my CUBOT phone, however CUBOT is not listed)
https://www.digitaltrends.com/mobile/kryptowire-adups-news
i recommend you b) because you shared a solution that works! besides this you are not a noob which is accidentally granting root permissions to unknown apps... "never touch a running system" ;)
 

Kalimohan

Senior Member
I upgraded to LineageOS 9.0 Pie these days and tried again to start DKB Tan2Go. Unfortunately to no avail. I was going to hide Magisk (the most recent one, of course) and some apps. Now I wasted enough time for DKB. I have 3 other banking apps + 1 broker app. They have different systems for TAN generating, but every other banking app works fine.
 

exaveal

Senior Member
LineageOS 9.0? You're talking about LineageOS 16.0 with Android Version 9.0.
After a lot of testing I can answer with 100% assurance: Magisk does not work fine with Android 9.0. Some things work, but the most Apps do not if we're talking about recognizing root-access. In most communities/boards they tell Magisk would work with Android 9.0 but it's not true. Magisk does not crash and is possible to install - that's right - but it does not work correctly.

I downgraded everything again :D If I set up a smartphone, first thing I do: Install Magisk and try out if DKB Tan2Go app is recognizing root access. Another very good app for testing: VR-secureGo :)
 

Kalimohan

Senior Member
With Magisk to the roots

Yes, of course I am talking about LineageOS 16.0 with Android Version 9.0.

For me Magisk works - I need root access and Magisk provides it. I tried the LineageOS Root Package too, but Magisk has more features. There is a security advice for my cellphone using Magisk: "Don't flash ROMs or Magisk modules which set SELinux to permissive or you welcome malware on your device!"
However, I do not use Magisk modules.

DKB Tan2go does not work with any root package and on most smartphones Tan2go refuses to open with unrooted stock firmware. Just to know I was also going back to unrooted stock on my cellphone, but to no avail.

I was thinking to downgrade to Oreo due to other reasons, but remained on LineageOS 16.0 with Android Version 9.0 (Pie) because of security issues. I want the recent and stable firmware and updates. I don't want to spend much time in a few months to test the next upgrade, probably downgrade again and so on.

Actually, I have 4 banking and TAN apps from other banks on my smartphone. I guess all European banks are required by law to change the TAN system to two-factor-authentication. Everything works fine. I renounce DKB, because the TAN Generator (which is the ONLY alternative to Tan2go) is uncomfortable. There are alternatives to DKB.




---------- Post added at 01:00 PM ---------- Previous post was at 12:46 PM ----------

Do you mean DKB Visa?
Because only DKB Visa requires the DKB banking app or DKB Tan2go.
With all other credit cards (MasterCard, Visa) of other banks I do not have issues.


Has anyone found a solution to activate "Verified by VISA" with Magisk?? Banking app is working but "Verified by VISA" still detects root.
 
Apr 2, 2014
21
2
I have a rooted Honor View 10 with AICP 14 (based on LineageOS, Android Pie) and no gapps installed. None of the suggestions work. Does anyone have an idea?
 

Kalimohan

Senior Member
The problem lies with the DKB only. Unfortunately there is no workaround. They have so many customers that they simply do not care if some customers leave the DKB. :rolleyes:

The only advantage of the DKB was always the DKB Visa Card. However, the Santander Consumer Bank offers a better alternative for account and credit card. In fact Santander Bank is the only bank in Europe to reimburse ATM foreign fees. :cool:

 

edan13

Member
hi

i did all the steps mentioned in the most recent posts

- hide magisk under diff name
- hide google play services (<- not enough?)
- hide tan2go app
- hide com.android.traceur

however it still doesn't work :(
could somebody please run me through ALL the necessary steps to get this working ? I am somewhat desperate bc. the "old" TAN authentication won't work anymore come september

cheers
 

Kalimohan

Senior Member
I assume you did not read before writing a comment.

There is no workaround and DKB Tan2go is broken until DKB will provide a bugfree working version. But, they won't do that.

 

Dr.Nop

Member
On my phone the app works.
Did you disable the developer options? I can't tell for sure if this is also a criterion for the app to not start, but at least here it did the trick.
What is the status of SafetyNet and the PlayProtect certification?
 

pragmatick

Member
I followed all the usual steps and it didn't work. Then I even uninstalled Magisk and manager and deleted all files I could find related to them. Safety net check passes, root check fails. The app still doesn't open on an (now unrooted) OnePlus 5t running crDroid.

Update: Even after uninstalling Magisk (passing safety check and failing root check) the app doesn't start. It seems to detect something else that prevents it from starting but it doesn't tell me what :(
 

Walhalla

Senior Member
do custom roms even pass SafetyNet?

post can be deleted. Sorry, missed that part.
 

exaveal

Senior Member
Hello together,

I confirm again, that DKB TAN2Go App works on my Samsung S7 Edge with:
- LineageOS 14.1-20190108-NIGHTLY-hero2lte
- Magisk v19.3
- DKB TAN2Go App v2.4.0 (Build 30019)

But I don't get it to work with LineageOS 16.0 with exactly the same installation method (as described in my first post).
Any idea? Currently it seems that LineageOS 16.0 doesn't work with that setting. I haven't tried yet LineageOS 15.1.
 

Top Liked Posts

  • 9
    Here is a recipe that worked for me to get TAN2Go App running and receiving TANs + activating Visa secure on a Huawei P8 Lite with LineageOS 14.1 using Island.

    It will only work if your mobile number is already registered in DKB, because you have to receive an SMS.

    At some point you need to open an http link from the SMS via TAN2Go app on island. Since the SMS app did not work on island for me, I used a workaround using the contacts app.

    Some steps in the beginning, especially the factory reset might not be necessary, but this is what I did.

    0. Lineageos Factory reset (TWRP wipe)
    1. Install latest Magisk / Magisk Manager
    2. In Magisk Manager Settings, enable Magisk Hide, repackage the Magisk Manager Application
    3. Install DKB Banking App / Tan2Go / Island using Google Play Store
    4. Open repackaged Magisk Manager, hide DKB Banking App / Tan2Go / Island / Google Play Store
    5. Restart the Phone
    6. Open and configure Island
    7. Install / Clone Tan2Go app and DKB banking app from mainland to island
    8. Install / Clone the contacts app from mainland to island. You may now open it in island to check if it works and that you can create a contact.
    9. Deinstall the Tan2Go and DKB banking app from your phone (the "mainland" versions!)
    10. Open Tan2Go "island" version, set new Password for the App.

    If this step does not work, using Island to bypass the protection may not work on your phone.
    You could try the Magisk Canary build, wait for a new Magisk version, or try a factory reset like I did.

    11. Tap on "Tan2Go erneut verknüpfen" (NOT the QR code, which worked for me only once), proceed to online banking. This will open DKB Banking App.

    The next steps are time-critical, because your session may expire. So read the steps first.

    12. Login with your banking credentials
    13. In the FAQ section open drop-down menu "Sie können derzeit keine TANs mit der DKB-TAN2go-App generieren?" and click the Link inside the text: "TAN2Go-Verwaltung"
    14. In the connected devices section, choose the device that you are currently holding in your hands and click "Password vergessen"

    The next steps are especially time-critical, but unfortunately may take some time to execute ;)
    Once you request the SMS, you got a time window that the SMS code is valid.

    15. On the next page click button "Neu verknüpfen per SMS" and then "SMS anfordern", receive the SMS, copy the link (or the full text if not possible)
    16. Open contacts inside Island, add a new contact, choose contact name, paste the link from SMS to "Website" section of the contact, save contact
    17. On the generated contact, click the website link, choose open with Tan2Go app
    18. (I had to re-set the Tan2Go password here for some reason)
    19. Copy the code "Freischaltcode"
    20. Go back to the DKB Banking App in mainland and enter the code. If you were too slow, repeat from step 10.
    21. You may now enable Visa secure in DKB Banking App.
    6
    I'm Not able to hide canary Manager. Always failed to hide it.
    Any Idea?

    Edit: Stop Play Protect in Google Playstore fixed it ;)

    Thanks, that helped.

    So for me the steps were:
    - uninstall old magisk
    - install latest canary (raw.githubusercontent.com/topjohnwu/magisk_files/canary/app-debug.apk)
    - disable play protect
    - hide magisk by repackage the name to Manager2
    - enable MagiskHide in the settings
    - hide tan2go in MagiskHide
    - re enable Play Protect

    I did not need to use "MagiskHide Props Config" to have fingerprint working.
    6
    >>> SUCCESS <<<

    Magisk Stable v23.0 + Riru v.25.4.4.r426 + LSPosed v1.3.5 + XPrivacyLua v1.30 + TAN2go v2.7.2 works!

    1. Install/activate each component.
    2. Apply MagiskHide to TAN2go.
    3. Tick TAN2go in the app level list of XPrivacyLua.
    4. Then tick the restrictions "Get applications", "Use analytics" and "Use tracking" in the permissions level list of XPrivacyLua.
    5. And TAN2go v2.7.2 works as expected!
    So far so good, only that damned Digitales Amt app still can not be made to work on my POCO X3 NFC with ArrowOS 11 + microG even with that kind of trickery (+ Riru-MomoHider with all 4 configs activated + flawless check with Magisk Detector). :unsure:
    6
    I can confirm that Magisk Canary works, both with the DKB Banking App as well as Tan2Go (latest, 2.6.0) including fingerprint support (and of course no Island/Shelter). The steps are described in this previous thread:

    Current link is: raw.githubusercontent.com/topjohnwu/magisk_files/canary/app-debug.apk
    (You can find this via github.com/topjohnwu/Magisk#downloads and select magisk manager Canary.)

    Steps I followed:
    1. Install Magisk Manager Canary
    2. Make sure Magisk Manager Update Channel is set to Canary
    3. Hide Magisk Manager
    4. Make sure Magisk Manager version is still canary (for me it reverted to normal version after hiding the first time, possibly because update channel was not set to canary)
    5. Install tan2go and DKB app
    6. Use Magisk Hide on tan2go and DKB app
    7. restart device
    8. Should work now

    Just a few caveats:
    1. I uninstalled Magisk and Magisk Manager (Stable) from my device, then reinstalled Canary
    2. I didn't know whether you also need to update Magisk itself (not the Manager). As I uninstalled it in the previous step I had to, but an update might be fine as well
    3. I am not sure whether you need those two steps, but might help if it doesn't work for you
    4. Be sure to enable MagiskHide in the settings
    5. You have to repackage Magisk under a different name, otherwise Tan2Go will detect it. I chose "Manager2", but seems like anything will be fine here
    6. Hide both DKB Banking as well as Tan2Go inside the MagiskHide settings (There is a small bar with 4 icons on the bottom, the second one should be a shield)
    7. Lastly go to the Modules section (puzzle icon, last on the bar), and install MagiskHide Props Config. I needed that one to enable fingerprint support
    8. Launch Tan2Go and be happy. For now at least, we'll see how long it lasts :)
    6
    SOLVED: DKB Tan2Go 2.4.0 works with Open Bootloader & Root

    DKB TAN2go works with Magisk:
    1. Install the TAN2go app (but don't open it)
    2. Add the TAN2go app in Magisk Manager in the menu "Magisk Hide"
    3. Reboot the phone (I don't know if this is necessary)
    4. Open TAN2go, works fine.

    **** DKB and this stupid security features which bring absolutely no security.

    SOLVED: (on my Redmi Note 6 Pro with CrDroid Pie, GApps installed:)
    You are (nearly) right; the solution is described in the German Forum Android-hilfe.de for a similar Tan2Go-App from VR.... Original Text:
    - Uninstall VR SecureGO
    - Uninstall Magisk Manager
    - Uninstall Magisk with the Magisk Uninstaller via TWRP -> reboot
    - Install Magisk 19 via TWRP
    - Install MagiskManager (also the latest beta, don't activate any modules etc., leave everything as it is)
    - Hide MagiskManager (repacking blah blah), restart
    - Install VR SecureGo but don't open it
    - Enable Magisk Hide for VR SecureGo, reboot
    unfortunately the app still crashed on start here - so everything again from the beginning (#33)
    ... and then #59
    in the Magisk Hide section, apps (with ALL sub-items of VR SecureGo and Google Play services) deselected and reselected

    How-to:
    (Please, reboot sometimes while doing it:)

    - Remove your (DKB)Tan2Go-App.
    - Install NEWEST 19.1 Magisk via TWRP.
    - Install NEWEST Magisk Manager-App (via apk or Store.)
    - Reboot & Open Magisk Manager-App-Menu in the left corner above (The Hamburger)
    - Choose "Magisk Hide": >> Hide ALL the Google-Play-Services
    - Return to the Magisk-Hamburger-Menu: Settings/ Einstellungen >> Hide Magisk Manager (it changes to a similar name automatically)
    - Reboot & Install NOW your (DKB) Tan2Go-App 2.4.0, but DO NOT OPEN IT!!
    - Open Magisk Manager again >> Magisk Hide >> Hide the new downloaded DKB- TAN2GO-App. 2.4.0
    - (Reboot ?? &) Now you can open it; it should work now.


    Summary:
    So, the Trick is to hide via Magisk Manager All Google Services + your DKB-Tan2Go-App + the Magisk Manager itself.
    Yes, the Hiding-Program must be hidden, too. :)

    Enjoy & have Fun!