Using Software with V-key Components

[Xanth0k1d]

UPDATE!​

NO MORE COMPLICATED SCRIPTS, JUST USE MAGISK 24.1 WITH DENY LIST!
1. Enable Zygisk, add the apps to the deny list
2. Hide Magisk App
3. Install SafetyNet Fix by kdrag0n (Might still need Magisk Hide Props if your device is a little older)
Working on: Poco X3 Pro + Lineage 18.1 (Android 11)

Aurora Store | F-Droid - Free and Open Source Android App Repository

An unofficial FOSS client to Google Play with an elegant design and privacy

f-droid.org

^Use aurora store to get the older version of Singapass that's likely to work, I'm using build 100.

V-Key Pte Ltd is basically a IT security technology based in Singapore I suppose.
Some softwares in Singapore, i.e. OCBC Banking, SingPass and maybe some other SEA banking softwares have v-key components which detects magisk.

This is a guide on how to use such softwares with Magisk, because I firmly believe that I get to choose what features I wish to have for my phone, and it is not fair for these banking companies to deny their services just because my device is rooted, I mean, if my banking stuff gets compromised because my phone is rooted and exploited, I'm willing to take the risk.

This guide aims to help mostly Singaporean users or anyone using such softwares with v-key components.

To make things work, the following things must be done:

1. Make sure Magisk manager is hidden

2. Make sure device fingerprint is certified by google (Check out the MagiskHide Props Config module) Please contribute fingerprints to this module for the benefit of everyone, checkout the GitHub page for more details.

3. Add the apps to Magisk Hide list.

4. Use package manager (pm) to disable the following v-key components in terminal (Using POSB Banking App as an example:

pm disable com.dbs.sg.posbmbanking/vkey.android.vos.MgService
pm disable com.dbs.sg.posbmbanking/com.vkey.android.support.permission.VGuardPermissionActivity
pm disable com.dbs.sg.posbmbanking/com.vkey.android.vguard.VGDialogActivity
pm disable com.dbs.sg.posbmbanking/com.vkey.android.internal.vguard.cache.ProcessHttpRequestIntentService

*Some apps may not have one or two v-key components listed above (i.e. SingPass), so getting an error on one or two components being not found should not be a big issue. If things works out you should see out puts on new states being disabled

*Attached a script that deals with OCBC, POSB and SingPass, if you have some weird errors make sure the encoding or format (Not sure of the jargon for it) is Unix or sth and not Windows

Credits:
Reddit User u/Inscythe for giving me a vague idea on the existence of v-key components

Muntashir Akon for his App Manager, allowed me to search for v-key components of apps(tried the disabling features of this app but didn't work, hence the script with pm command)

@Didgeridoohan for MagiskHide Props Config

@vurtomatic for giving me the idea of creating a guide on this.

 

[erOzeOz]

Hi @Xanth0k1d , thanks for the guide.

I have a rooted LOS 18.1 (OnePlus 3), with magisk 22.1, magisk hide on and magisk manager hidden. All my bank apps work correctly excepts K-PLUS app, the retail bank app from Kasikorn Bank in Thailand.
I can see in the logs of magisk that some vkey components are linked to the app. I followed you guide and was able to disable 2/4 components you listed (2 didn't exist).
Unfortunately this didn't fix the issue.

Do you know how I can search in my phone if other vkey components exist that I might need to disable?

Thanks

 

[KrishvY]

Hey @Xanth0k1d, does this still work for you? I noticed that VGuard services are visible with App Manager for DBS but not Government apps. I could disable those services via ADB Root without the use of Magisk just fine.

Seems like GovTech has caught up to this trick :/

 

[Xanth0k1d]

Hi @Xanth0k1d , thanks for the guide.

I have a rooted LOS 18.1 (OnePlus 3), with magisk 22.1, magisk hide on and magisk manager hidden. All my bank apps work correctly excepts K-PLUS app, the retail bank app from Kasikorn Bank in Thailand.
I can see in the logs of magisk that some vkey components are linked to the app. I followed you guide and was able to disable 2/4 components you listed (2 didn't exist).
Unfortunately this didn't fix the issue.

Do you know how I can search in my phone if other vkey components exist that I might need to disable?

Thanks

Disabling the existing vkey components should be enough.
Did you spoof the device signature with the magisk hideprops module?

 

[Xanth0k1d]

Hey @Xanth0k1d, does this still work for you? I noticed that VGuard services are visible with App Manager for DBS but not Government apps. I could disable those services via ADB Root without the use of Magisk just fine.

Seems like GovTech has caught up to this trick :/

All my apps are working fine, could you please be clear of your problem? i.e. what's working, what's not etc

 

[KrishvY]

All my apps are working fine, could you please be clear of your problem? i.e. what's working, what's not etc

I'm using a OP6, LineageOS 17.1, latest nightly build. I can't use SingPass and Standard Chartered but I can use DBS just fine. I did not root my phone and I don't have Magisk installed either.

I just can't find V-key components in SingPass with App Manager.

 

[Xanth0k1d]

I'm using a OP6, LineageOS 17.1, latest nightly build. I can't use SingPass and Standard Chartered but I can use DBS just fine. I did not root my phone and I don't have Magisk installed either.

I just can't find V-key components in SingPass with App Manager.

The App Mananger by Muntashir Akon?
I think I need to explain this properly, SIngapass and some apps may not work in the following situations:

• You installed a custom rom without a Google approved device ID
• You rooted your phone
• You have Magisk
• etc​

For your case, Singpass does not work because you installed Lineage - a custom rom, which should not have a Google approved device prop by default. It doesn't matter if you are rooted or you have install Magisk at this point.
My suggestion to you is to install Magisk and follow my guide-hide magisk and spoof you device fingerprint so it looks like you are running a stock rom.

 

[dearestk]

hi @Xanth0k1d. Have been using your method to hide singpass in the past. But the app just recently was able to detect root. As someone mentioned above, the updated app has no v-key components listed in the service. Any idea how to circumvent the situation and what services to disable?

 

[Xanth0k1d]

Holy ****, I just saw the update.
Probably some dude saw this post...
I have yet updated so I can't test, if anyone's finding any solutions to this pls update as well.

 

[inscythe]

V-Key Pte Ltd is basically a IT security technology based in Singapore I suppose.
Some softwares in Singapore, i.e. OCBC Banking, SingPass and maybe some other SEA banking softwares have v-key components which detects magisk.

This is a guide on how to use such softwares with Magisk, because I firmly believe that I get to choose what features I wish to have for my phone, and it is not fair for these banking companies to deny their services just because my device is rooted, I mean, if my banking stuff gets compromised because my phone is rooted and exploited, I'm willing to take the risk.

This guide aims to help mostly Singaporean users or anyone using such softwares with v-key components.

To make things work, the following things must be done:

1. Make sure Magisk manager is hidden

2. Make sure device fingerprint is certified by google (Check out the MagiskHide Props Config module) Please contribute fingerprints to this module for the benefit of everyone, checkout the GitHub page for more details.

3. Add the apps to Magisk Hide list.

4. Use package manager (pm) to disable the following v-key components in terminal (Using POSB Banking App as an example:

pm disable com.dbs.sg.posbmbanking/vkey.android.vos.MgService
pm disable com.dbs.sg.posbmbanking/com.vkey.android.support.permission.VGuardPermissionActivity
pm disable com.dbs.sg.posbmbanking/com.vkey.android.vguard.VGDialogActivity
pm disable com.dbs.sg.posbmbanking/com.vkey.android.internal.vguard.cache.ProcessHttpRequestIntentService

*Some apps may not have one or two v-key components listed above (i.e. SingPass), so getting an error on one or two components being not found should not be a big issue. If things works out you should see out puts on new states being disabled

*Attached a script that deals with OCBC, POSB and SingPass, if you have some weird errors make sure the encoding or format (Not sure of the jargon for it) is Unix or sth and not Windows

Credits:
Reddit User u/Inscythe for giving me a vague idea on the existence of v-key components

Muntashir Akon for his App Manager, allowed me to search for v-key components of apps(tried the disabling features of this app but didn't work, hence the script with pm command)

@Didgeridoohan for MagiskHide Props Config

@vurtomatic for giving me the idea of creating a guide on this.

heya, I'm the reddit user... I had updated the app, but so far has no luck finding where the detection is hiding now... I might just try turning off services one-by-one with servicely, but I'll keep you all updated if I get any success.

 

[inscythe]

@Xanth0k1d since you haven't updated your singpass, can you check what are the available services and listeners currently your version is using? I want to compare the difference with the latest version.

 

[KrishvY]

I managed to get Singapore's GPay app to work by blocking this `com.google.android.gms.gmscompliance.ui.UncertifiedDeviceActivity`. Do your devices pass SafetyNet?

 

[stevenkyk]

The recent Singpass update requires disabling o.InvalidRegistrarException for root detection to be circumvented.

 

[inscythe]

The recent Singpass update requires disabling o.InvalidRegistrarException for root detection to be circumvented.

Thanks! Can confirm that this works!

 

[Lu5ck]

Singpass is a really weird app.

Recently google nuke the api so magisk stopped working, can't pass the safetynet. Magisk released a canary release that fix that.

Yet, singpass continue to stop working so I thought maybe I need do more? Then I coincidently force stop the app to run it again, it magically working again! That is after I reboot twice before that. So now I learn the rebooting and force stop do different things.

I didn't apply anything from this thread, it is really a weird app.

 

[stevenkyk]

Singpass is a really weird app.

Recently google nuke the api so magisk stopped working, can't pass the safetynet. Magisk released a canary release that fix that.

Yet, singpass continue to stop working so I thought maybe I need do more? Then I coincidently force stop the app to run it again, it magically working again! That is after I reboot twice before that. So now I learn the rebooting and force stop do different things.

I didn't apply anything from this thread, it is really a weird app.

The safetynet api did not get nuked, the api changed so code that use the old api won't work, even on the latest stable build safetynet will still pass when using another checker app. While I won't go into the technical details, singpass spawns a new isolated process to check for root, exploiting the fact that isolated processes are treated differently and is difficult for magisk to hide itself. So the solution is to disable the offending process and not let it spawn. There are several other requirements necessary for singpass to run, which are largely beyond the scope of discussion in this thread.

 

[auggie246]

Any idea how to bypass Citibank sg root detection? I am able to use vkey method for posb and ocbc but Citibank doesn't have a vkey service

 

[stevenkyk]

Any idea how to bypass Citibank sg root detection? I am able to use vkey method for posb and ocbc but Citibank doesn't have a vkey service

The trick here is to decompile the APK using apktool and inspect the Androidmanifest.xml manually. Search for "ISOLATED" and in the same line you should be able to find the name of the service to be disabled. Of course this assumes that citibank's app used a similar tactic as the other apps.

Edit: I tried the citibank sg app, magisk hide + rename package is sufficient for me to launch the app, don't have an account so I can't test any further.

 

[inscythe]

The recent Singpass update requires disabling o.InvalidRegistrarException for root detection to be circumvented.

I guess there's another update to Singpass that circumvent this circumvention as well lol

 

[inscythe]

Apparently it's now using a service called o.ImmutableSetMultimap for checking root (confirmed by magiskhide entry) and it works for a few seconds after loading Singpass before failing again with different error message. I think it checks for both whether the service is active and found a root (gives error T0), or whether the service is running at all (gives error T-1). I think we need something else to block this.