New Natwest app (June 2018) Refuses to work when Xposed Running - Xposed General

Just as the title says, the new natwest app update (2018 June) refuses to work when Xposed Framework is enabled, but runs fine when the framework is disabled. I am interested to know how it detects when the framework is operational, and how can I fool the app into running while Xposed framework is running.
Here is my system:
Samsung Galaxy S5
running Lineage OS 14.1, rooted
Xposed framework version 89
I have tried a number of methods to hide the running framework with no success
Tried DotMod to hide xposed --> not working
Tried XprivacyLua, denying all sorts of permissions such as view activity and running apps --> not working
Only works when I disable the framework and restart the phone. But that is of course tiresome, cos no one wants to restart their entire phone just to check their bank app.
Current solution is to revert to previous versions of natwest bank app, but again that is trivial, as sooner or later they will refuse to work on outdated apps and force update.
Talking to the dev team, the only clue they mention is their new app checks the memory for running malicious apps, and if it detects anything it refuses to run. So it is not safetynet (in fact safetynet fails, but the app runs)
Fair enough, but I've tried denying it literally all permissions, both from Privacy guard of lineage os 14.1 and XprivacyLua, and nothing works. Either the app is using some clever method to bypass these, or they don't do their work properly.
I miss old xprivacy, where you had a billion more options within permissions, with info of when and what did each app accessed.
I need xposed in order to disable my proximity sensor which is broken, and constantly thinks the value is zero, hence blacking out my screen during calls
Any help or advice will be much appreciated.

I believe it was with the 2016 November security update that Google changed something that forced an update to Xposed that made it practically impossible to hide. Xposed is easily detectable in the running zygote (something you can't hide), and the only solution is the one you've already found; disable and reboot.
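
The reply above says Xposed is visible in the running zygote; app processes are forked from zygote, so framework files mapped there also appear in the app's own `/proc/self/maps`. An added example in C of that kind of app-side check (not part of the original thread or of any bank app's actual code); the marker file names and the sample maps lines are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed marker list: file names installed by the classic Xposed framework.
 * Illustrative only; a real app would maintain its own list. */
static const char *const MARKERS[] = { "XposedBridge.jar", "libxposed_art.so" };

/* Constructed samples in /proc/<pid>/maps format (not captured from a device). */
static const char SAMPLE_HOOKED[] =
    "70a1e000-70c3f000 r--p 00000000 fd:00 1189  /system/framework/arm/boot.oat\n"
    "7131c000-71320000 r--s 00000000 fd:00 1302  /system/framework/XposedBridge.jar\n"
    "a9d00000-a9d40000 r-xp 00000000 fd:00 1644  /system/lib/libxposed_art.so\n"
    "aa100000-aa121000 rw-p 00000000 00:00 0 \n"
    "ab200000-ab2f0000 r-xp 00000000 fd:00 1701  /system/lib/libc.so\n";
static const char SAMPLE_CLEAN[] =
    "70a1e000-70c3f000 r--p 00000000 fd:00 1189  /system/framework/arm/boot.oat\n"
    "aa100000-aa121000 rw-p 00000000 00:00 0 \n"
    "ab200000-ab2f0000 r-xp 00000000 fd:00 1701  /system/lib/libc.so\n";

/* Columns are: address perms offset dev inode [pathname].
 * Returns the pathname column, or NULL for an anonymous mapping. */
static const char *maps_pathname(const char *line)
{
    int field;
    for (field = 0; *line && field < 5; field++) {
        while (*line && *line != ' ' && *line != '\t') line++;  /* skip column */
        while (*line == ' ' || *line == '\t') line++;           /* skip padding */
    }
    return *line ? line : NULL;
}

/* Returns the mapped path if it contains a marker name, otherwise NULL. */
static const char *match_line(const char *line)
{
    const char *path = maps_pathname(line);
    size_t i;
    if (!path) return NULL;
    for (i = 0; i < sizeof MARKERS / sizeof MARKERS[0]; i++)
        if (strstr(path, MARKERS[i])) return path;
    return NULL;
}

/* Counts a hit and remembers the first matching path for reporting. */
static void note_hit(const char *path, int *hits, char *first_hit, size_t cap)
{
    if (!path) return;
    if (*hits == 0 && first_hit && cap) snprintf(first_hit, cap, "%s", path);
    (*hits)++;
}

/* Scans maps-format text held in memory; returns the number of marker mappings. */
int scan_maps_text(const char *text, char *first_hit, size_t cap)
{
    char line[512];
    int hits = 0;
    if (first_hit && cap) first_hit[0] = '\0';
    while (*text) {
        size_t n = strcspn(text, "\n");
        size_t copy = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, text, copy);          /* over-long lines are truncated */
        line[copy] = '\0';
        text += n;
        if (*text == '\n') text++;
        note_hit(match_line(line), &hits, first_hit, cap);
    }
    return hits;
}

/* Same scan over a file such as /proc/self/maps; returns -1 if unreadable. */
int scan_maps_file(const char *file, char *first_hit, size_t cap)
{
    char line[512];
    int hits = 0;
    FILE *f = fopen(file, "r");
    if (first_hit && cap) first_hit[0] = '\0';
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        line[strcspn(line, "\n")] = '\0';
        note_hit(match_line(line), &hits, first_hit, cap);
    }
    fclose(f);
    return hits;
}

int main(void)
{
    char hit[256];
    printf("hooked sample: %d hit(s), first: %s\n",
           scan_maps_text(SAMPLE_HOOKED, hit, sizeof hit), hit);
    printf("clean sample:  %d hit(s)\n", scan_maps_text(SAMPLE_CLEAN, hit, sizeof hit));
    printf("this process:  %d hit(s)\n", scan_maps_file("/proc/self/maps", hit, sizeof hit));
    return 0;
}
```

Because the check only reads the process's own memory map, it needs no Android permission, which is consistent with permission-denying tools having no effect on it.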

I keep reading many times now "the only solution is reboot" - that is not a solution, we need to find a way to better hide xposed. Perhaps I need to research a bit more on zygote and find out how it works exactly, and see if there is a way to mask it. Honestly all these android updates are pissing me off, it's getting harder and harder to mod your phone, and I don't get why they struggle so hard to make it difficult for us modders.
I will attempt to flash back to kitkat and try, I would not be surprised if it ends up working.
In the windows environment you can always do wtv ur heart desires, and if that means destroying your PC so be it. But in android environment is so damn hard, and no devs want to share how they implement things in fear of someone hacking them or wtv. But all this is doing is hurting modders, making us hate some apps with harsh rules and moving away, doesn't do any good for anyone!!

It's perfectly possible to hide Xposed if you downgrade to a security patch prior to November -16. You're likely gonna have to dig around a bit for the proper files and versions though.
And believe me, there have been some pretty brilliant minds that have tried to find a way to hide Xposed and found it not to be possible. Of course, "nothing's impossible" and maybe someone with a brilliant idea finds a miraculous way. You never know...

Related

Xposed for Xposed. Hacking Xposed. [new module request]

Thanks to @rovo89, we got an amazing framework. Although intended for security, the need for restart to activate a new module can be pretty inconvenient at times. It'll be nice if somebody can make a xposed module to tweak this, so that we could activate the module with the single tap of a button (an option to add an activate/deactivate button near the module will be nice). Since the framework is open source, I believe it would be easy for you guys to figure out a way to do it.
If such a module already exist, please share the link. If there is no such module, maybe this will motivate you to create one. If it's impossible (duh... nothing's impossible for you guys)
Thanks.
It's impossible. The reboots are not simply done for security reasons. Xposed makes changes to core system files when you install (and sometimes configure) modules, and those files (and all the files dependent on them; basically the entire system) must be reloaded (using a reboot) before those changes become effective.
Trust me, just about every developer knows that the reboots are obnoxious, and do everything they can to make their modules work without a reboot. If they can avoid a reboot they will, but a lot of the time they can't.

SU binary cloaking?

In doing my taxes, I noticed that the H&R Block app tries to execute su (which I promptly deny) and then nags about my device being compromised (app still works anyways.) It's obviously not, but it got me thinking: Since we're operating in the kernel now, I figure that we should be able to prevent apps from seeing the su binary at all unless we as the device owners explicitly want the app to be able to see it. Maybe even do something like allow creation of an app whitelist and/or blacklist.
If it's tricky to pull off, make it a pro feature (I paid for pro.)
I imagine this would fix Android pay as well (though I don't use it so I don't care) but it might be a motivating reason for others to want such a feature.
Other benefits to this include enhanced security against questionable apps that might, for example, try to take advantage of possible zero day in SuperSU itself.
I could be wrong, but isn't systemless SuperSU installed to ramdisk?
Also since the mount points are still on top of /system (without actually modifying system), doesn't that mean it would be visible anyway?
Sent from my Nexus 6 using Tapatalk
Not if you only exposed the mount point to specific users, and only set the $PATH variable to specific users (which is another possible way to detect root.)
There are a lot of things that can be done, that can be done in theory, that can be done if somebody puts the work in, etc.
Outside of just a time investment, these things are very complicated to do and have them work on a large number of devices.
That's not even considering the legal repercussions.
There are a lot of apps that check for just the existence of 'su' and then you're done. Or if an installed app has a name like 'supersu'.
One that's been a constant thorn in my side has been 'Good for Enterprise'. Only way I've seen where a rooted phone worked past root detection was when it was a Cyanogenmod type that had a custom root (non supersu) built into the development settings and you installed/ran the app with those root settings off.
So agreed with Chainfire that all apps check for root differently.
Use "rootcloak" or simply disable supersu if you are system-less. The only caveat with using rootcloak is that it requires xposed and it is dreadful at hiding xposed meaning any security app looking for xposed will more than likely find it

Does not function on phones with Toybox - BLU STUDIO XL 2

Thank you for all your hard work, I have been a user for many releases prior and love that your software has always been "there and working well". So why only speak up when I have a problem, so for that I apologize.
I have managed to obtain a version of Xposed (Systemless) ported for Magisk installed on my phone (SDK 23) and while Magisk lists Xposed in its installed module list with a check box saying it is active, the Xposed menu shows the green notification area that says it is working, when I install XprivacyLua, and while after the installation of XprivacyLUa, in the Modules section of Xposed there is a check box showing that XprivacyLua is installed and active, the problem is that the Xprivacy app thinks it is not loaded. I sent trace logs captured via adb to the Xprivacy developer and he says that Xposed believes the XprivacyLua app is not installed (even though all indications are that it is active).
Someone who knows more about this than me stated my problem was likely with Toybox being on the phone and something about symlinks where he gave another suggestion about loading Busybox and then following with loading a BusyBox binary zip package via TWRP. All this does is render me not able to access MagiskManager any longer.
Do you know anything about such an issue and how I might get around it? I am saddened that using this valuable tool is being made so difficult from all the new hardware changes. I normally stick with age old phones, but accidents happen, the old one's cracked and my new one won't seem to work with Xposed.
Thanks!
BLU STUDIO XL 2 16/2G
MT6737
ARMv7 Processor rev4 (V71)
armv71
Is there anyone who can help me with my issue? I have poor eyesight and need a larger phone like the BLU, plus as often as I drop phones I cannot afford to buy the fancy, expensive and popular gaming models that everyone seems to purchase.
I am willing to do what ever it takes to resolve the issue, including running traces, submitting file structure maps or anything the developer needs to address the issue with Toybox or whatever the problem that is causing XprivacyLua not to be enabled by Xposed.
Thank you again.
What about making system run in permissive mode?
have you tried?
I have not "jumped" from superSU to Magisk so my method is to use superSU.
I have a recovery install package that sets file in place to make permissive and force superSU to install systemless.
you can give a try.
the updater-script prints out a message it was made for "blu tank xtreme pro" but it is fine for other phones too. I made it for/ with other dev who wanted to have one step to make root and permissive.
I do not know how it will respond to Magisk, so better off to try to uninstall that first, and start fresh.

[Q] Why aren't there any cool modules for Magisk? (compared to modules for Xposed)

Extremely sorry if I am spamming the forum with this thread, but thought of starting this discussion to see if the geeks can help with sharing the knowledge.
I don't think I have to emphasize on why Magisk over Xposed (The Magisk Forum has a lot of articles on why.), but I am surprised to realize that Magisk is still the so called "new guy" even after these many years of launch..
All I get for a sample search "best modules Magisk" is a bunch of tweaking modules which say they can alter your ART mechanism or save your battery, I mean, who cares for the performance in 2019!!! we have got beastly phones and just want magik to happen on them. Magisk is still the same serious experimental mod that lets you root and hide it from banking/work apps but not yet cool.
For example, every time I installed Xposed on a new phone, I would go look for the famous "Gravity Box" just to enable the status bar brightness control gesture.
And the "X-insta" that lets me download media from Instagram . (Of course this module seems to be dead for a few months).
And a bunch of adblockers.
And a hell lot mods that I don't remember from the top of my head, but it was really magic.. And it is slowing down (I feel so..)
Well, someone might say that we can install Xposed itself as a module, but that just crashes the "SafetyNet" which is very annoying, it makes the phone useless without being able to open GooglePay and other banking apps.
I know I might be wrong but I am posting just to see if people use any equivalent "cool" modules in Magisk that are not easily seen in the Magisk Modules repo or if someone has found a way to pass the "SafetyNet" with Xposed+Magisk to make Android awesome again!!
Magisk doesn't work the same way as Xposed, one mounts and modifies files and the other hooks and modifies app code at runtime, and yes there is a way to use Xposed and pass safetynet if you are either on Oreo or Pie, it's called Edxposed
Edxposed is an open source Xposed alternative released early this year that uses a different method to hook into the system which allows it to pass safetynet and it allows you to blacklist apps in which you don't want to load Xposed into, and if you are on Pie there is already a beta of gravitybox that fully supports Pie (it's not yet in the Xposed repo because it's not fully stable yet)
Here are some pictures showing edxposed passing safetynet and me using the event lock module on Android pie, in case you are interested here are the links to edxposed https://forum.xda-developers.com/xposed/android-9-0-xposed-solutions-t3889513 it works on both Oreo and Pie (ignore the last step and just use edxposed installer) it's the last link and the first post, if you have any doubts feel free to ask there
A Hope!!
Thank you very much for the info, will try and post an update..
Even after these many years of launch people seem to not understand Magisk's purpose, features and way of working. Same for Xposed.
Does Magisk have "modules"? Yes! Does Xposed have "modules"? Yes! But that's it. The name. The only thing in common between Magisk and Xposed is _the name, the word, "module"_ for their respective plug-ins, addons. Nothing more. Period.
Magisk attaches to Android, works completely differently from the way Xposed does. What they do and what they can do are different. They are not even close to being an alternative of one to another.
Having said that, do not expect that modules of one can deliver similar features of a module of another. If this somehow someday happens for a specific pair of modules, be sure they are accomplishing that but doing it in completely different ways behind the scenes.
About Xposed not breaking SafetyNet, we have now for Android O+ the alternatives EdXposed (open source) and Tai Chi (closed source). They do not break it because the way they're implemented is different from original Xposed by Rovo. They are different approaches, new code with new ways of working, but they deliver the same entrance points, same nomenclature, as original Xposed itself. Thus being (generally speaking) compatible with modules originally built for original Xposed.
Both EdXposed and Tai Chi are still experimental, although working fine at least on Android P. If they show themselves as solid solutions then probably we will see new Xposed-like modules appearing out there. I do hope so.
Couldn't have said it better (my previous texts were written at 3am so pardon for any mistake I did XD)

com.adobe.ims.accountaccess (Adobe Account Access) seems to detect Magisk, even while hidden.

Hi! So I am actually unsure where to post this..
Here's hoping you can figure something out and not be mad at me if this is the wrong place to post this.
Initially, i was going to post this as a Bug report on Github. However, I figured this was not correct.
Technically speaking this also isn't really an issue with magisk itself, more that adobe might have found a way to circumvent magisk anti detection methods.
In short: The App "Adobe Account Access" (com.adobe.ims.accountaccess on the play store: https://play.google.com/store/apps/details?id=com.adobe.ims.accountaccess) seems to have found a way to detect magisk and/or root, even though root detection is hidden in magisk.
The App just displays a prompt, saying "Device not supported. Sorry, your phone is not supported for Adobe Account Access.", even though the device used should be supported.
I checked with adobe community support on whether my Phone is supported or not and according to them, it should indeed be supported: https://community.adobe.com/t5/acco...-access-app-device-not-supported/m-p/11696613
I suspect they have found a way to get around all magisk anti detection methods and i would be grateful if someone would be kind enough to check if there is a workaround or if magisk's detection prevention needs an update.
Unfortunately, i don't have much more to say other than that..
There aren't any magisk log entries that would indicate something went wrong (only entries mentioning the app are "i" loglevel, one coming from hide_list_add and one coming from proc_monitor).
I could not find anything out of the ordinary in the logcat, although i suppose i could be more thorough with my search.
My technical/general info would be:
Magisk Version used: 22.0 (22000) (18)
SafetyNet integrity: Both basicIntegrity AND ctsProfile = pass; evalType = BASIC
ROM used: OxygenOS 10.0.11.GM21BA
Android version: 10
Device name: OnePlus 7 Pro
"Adobe Account Access" App version: 1.6
+++ Please feel free to ask for any additional info in case I missed it +++
Thanks in advance for any productive suggestion!
When does it display this "device not supported" message? I tested just now and could log in and set everything up without even adding the app to the Hide list, and with the Magisk app unhidden.
Oh? That is peculiar.. Damn, that implies an issue somewhere else i reckon ://
It displays it immediately after launching the app. The very first screen..
What phone and which OS (/ROM) are you using? Might just be that my phone is genuinely not supported and the folks over at the adobe community forum lied when saying my phone should be compatible..
Also, which android version are you on if you don't mind me asking?
You don't have any modules installed? No edxposed or lsposed, or magisk modules?
Have you tried root detection apps like Root Beer Fresh to see if indeed the app is unable to detect root? If you try any such app, remember to add it to the Magisk Hide list beforehand, otherwise the app will clearly detect root.
It's a OnePlus 3T with Android 9 ArrowOS. As stated above, it could very well be a module, like EdXposed. Or a root app, or a file or folder on your device, or something completely different.
It's not detecting Magisk at least, that's for sure...
General root hiding tips:
https://www.didgeridoohan.com/magisk/MagiskHide#hn_Hiding_root_from_apps
@Barrel Titor
Samsung Galaxy S7 Custom 9.0 Pie, Magisk 22 root with random name, application without hiding works fine.
Hi all!
First of all: Apologies! I meant to respond sooner to this, but work has kept me occupied and the one time I actually was available, XDA Forums went down into maintenance mode..
Secondly: Sorry for maybe jumping the gun here a bit!
It does look like I should have tested this issue a bit more! I am definitely going to keep on trying to fix this on my own using the resources and methods you have suggested!
I have tested com.adobe.ims.accountaccess on my sister's unrooted OnePlus Nord.. It works fine there, which is really confusing. None of the other apps I am using show this sort of issue :c Not even my banking app!
@mario0318 Thanks for your suggestion! I know it is good practice to remove/disable all your modules. However, none of the modules I have currently installed are particularly large and they certainly do not modify much compared to what is possible. I am going to attach a list to this response, however I am also going to try disabling them one by one and see if I can find the culprit! Unfortunately, I will not be able to disable the "Google Dialer Framework" module, since it causes the device to bootloop if the google dialer app is still present.
Here is a list of all the modules I have installed and enabled at the moment:
App Systemizer (Terminal Emulator)
Busybox for Android NDK
Google Dialer Framework
Looki75 Product Sans font
Systemless Hosts
ViPER4ANDROID FX
Honourable mentions (these modules are completely DISABLED):
Riru
Riru - EdXposed
However, please note again that SafetyNet seems to be INTACT, with "basicIntegrity" and "ctsProfile" still passing and "evalType" being "BASIC".
In any case. Thanks to everyone for their contribution! I really appreciate any suggestion!
Edit: @mario0318 right after I posted this message, I went ahead and gave "RootbeerFresh" a shot. It does not detect root when it is hidden from it. This makes my leading theory to be that the app truly does not support OnePlus 7 Pro devices. Wouldn't know why it doesn't support this model in particular though. Until I either unroot or find someone with the same device, willing to install Adobe Account Access, i can't say for sure though.
So upon Google searching "oneplus 7 pro adobe account access" it appears to be a common problem.
I cannot find any results using this search term on google other than my own post on the adobe community forums.. This one: https://community.adobe.com/t5/acco...access-app-device-not-supported/td-p/11695914
@mario0318 do you happen to know a way to somehow "pretend" to the app that i am in fact using a different phone? Something that would allow me to make the app believe it is running on a different device?
Well, the well known magisk module MHPC or Magisk Hide Props Config comes to mind. You can change device fingerprints and maybe also give the Device Simulation feature a go, or custom edit any range of configurable props.
You could do so without the module editing the build.props yourself. Or if you stick with edxposed and deal with not having magisk manager's hide enabled, perhaps any of the device spoofers on the xposed repo could fool the app. Or Sudohide if you set Adobe app to hide from any and all apps that are root relevant. May also consider removing directories in your internal and removable storage for things like TWRP or PBRP, Titanium Backup, xposes, etc, you know, things that a simple media scan looking for any sign of root apps might pick up.
But for now, I'd give MHPC a try and change device fingerprint and maybe enable device simulation if simple fingerprint change doesn't work.
I'm having the same issue on a rooted OnePlus 8T
Same for me on op7 pro. Hiding with somiko but Adobe still not working. Nor could I bypass square, it notes root when it pairs Bluetooth
