Mobile banking apps failing security checks

Speaking only for myself:

  • /e/ version: 1.21-t-20240323388918-stable-FP3
  • Device model(s): Fairphone 3
  • Developer mode: initially, then disabled
  • Device rooted: no (and re-enabling Verified Boot has no effect either)

Summary

Multiple mobile banking apps have just started to reject phones running /e/OS as having 'failed security checks'.

So far this affects:

The problem

Steps to reproduce

  1. Update banking app to latest version
  2. Open app

What is the current behavior?

A warning is displayed saying that the device has failed some security checks. At least in the case of Starling, the app remains functional for 14 days at which point the user is locked out. The warning tells the user to factory reset their phone.

What is the expected correct behavior?

Not that.

Other Information

From talking to Starling support:

…please can I double check what operating system you are using at the moment as some people have been having an issue using GrapheneOS and we have raised it to our tech team to look into.

Followed by:

You're seeing this screen in your app because your device hasn't passed our security checks. When using an Android device our app is only compatible with the Original Equipment Manufacturer (OEM) and is incompatible with any custom operating systems.

This is also evidently an issue that recurs fairly regularly:

Solutions

Workaround

  1. Clear app storage
  2. Uninstall app
  3. Install previous version of the app

[No longer works, see here]

Per GrapheneOS:

If you receive a warning from your banking app indicating that your device may be insecure, jailbroken, or rooted, this is usually due to the SafetyNet/Play Integrity API. Specifically, your device fails to pass MEETS_DEVICE_INTEGRITY or MEETS_STRONG_INTEGRITY. As of now, there are no direct solutions available to users. However, you can help by contacting your bank. Inform them of this issue and suggest they refer to the GrapheneOS Attestation Compatibility Guide for their developers, available here: Attestation Compatibility Guide.

Starling works again as of v3.55 (see here).

Possible fixes

  1. App Lounge should stop offering the latest versions of these apps
  2. As the issue is affecting multiple apps as well as GrapheneOS users, I would guess that there was a change to an upstream (Google?) library that all of these apps are using and that's what's caused the issues. So perhaps this is a microG issue? Are /e/OS verified boot keys available anywhere (per the GrapheneOS attestation compatibility guide)? [see here]
Edited by A B
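
Added example, not part of the original report and not code from GrapheneOS, Google or any bank: a sketch of the server-side decision behind the warning, showing why a verdict without `MEETS_DEVICE_INTEGRITY` is rejected and how an allowlist of verified boot key fingerprints (the approach the attestation compatibility guide is cited for above) could admit a locked alternate OS. It assumes the integrity token and the attestation certificate chain were already verified and decoded upstream; the function names, sample data and the fingerprint placeholder are constructed.

```python
# Hypothetical allowlist of verified boot key fingerprints the app operator
# chooses to trust. Placeholder only: the page does not list any real key.
TRUSTED_BOOT_KEYS = {"<PLACEHOLDER_BOOT_KEY_SHA256>"}

# Constructed samples in the shape of a decoded Play Integrity payload.
STOCK_VERDICT = {"deviceIntegrity": {"deviceRecognitionVerdict": [
    "MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"]}}
CUSTOM_OS_VERDICT = {"deviceIntegrity": {"deviceRecognitionVerdict": [
    "MEETS_BASIC_INTEGRITY"]}}

# Constructed RootOfTrust fields as found in an Android key attestation
# certificate for a locked device booting a user-installed OS.
LOCKED_CUSTOM_ROT = {"deviceLocked": True, "verifiedBootState": "SelfSigned",
                     "verifiedBootKey": "<PLACEHOLDER_BOOT_KEY_SHA256>"}


def play_integrity_ok(verdict, required="MEETS_DEVICE_INTEGRITY"):
    """True if the decoded verdict carries the required device label."""
    labels = verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    return required in labels


def hardware_attestation_ok(root_of_trust):
    """Accept a locked device whose boot key is stock or explicitly allowlisted."""
    if not root_of_trust.get("deviceLocked"):
        return False  # unlocked bootloader: boot chain is not enforced
    state = root_of_trust.get("verifiedBootState")
    if state == "Verified":
        return True  # OEM-signed OS
    if state == "SelfSigned":
        return root_of_trust.get("verifiedBootKey") in TRUSTED_BOOT_KEYS
    return False  # "Unverified" or "Failed"


def decide(verdict, root_of_trust=None):
    """Return the outcome the app would act on."""
    if play_integrity_ok(verdict):
        return "allow"
    if root_of_trust is not None and hardware_attestation_ok(root_of_trust):
        return "allow_hardware_attested"
    return "warn_failed_security_checks"


if __name__ == "__main__":
    for name, v, rot in [("stock", STOCK_VERDICT, None),
                         ("custom, Play Integrity only", CUSTOM_OS_VERDICT, None),
                         ("custom, with attestation", CUSTOM_OS_VERDICT, LOCKED_CUSTOM_ROT)]:
        print(name, "->", decide(v, rot))
```

An app that only implements the first check produces the warning described in this report for any OS not certified by Google, regardless of whether its bootloader is locked.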