Paylib: blocked application

[djolitsu]

Hi,
I've just bought a Samsung S9 and installed LineageOS with microG 15.1.
I wanted to install "Paylib" (French e-wallet that contains cards) via "Aurora Store" but when I launch the app I have this error message : "Blocked Application: Your device is not compatible with the service" ( translated from French ).
I saw in French Forums that this message appears if the Phone is rooted OR has SuperSU installed.
But my phone is not rooted neither has SuperSU installed.

[Nanolx]

Does your device pass SafetyNet attestation? If not, that's likely the cause.

I suppose SafetyNet is properly enabled from microG Settings and set to use official servers in the advanced SafetyNet settings in microG?

[djolitsu]

SafetyNet was not enabled. I enabled it and installed DroidGuard Helper to use official servers.
But Paylib still prints the error message.
I can't test to pass the SafetyNet attestation because this option is greyed (I have Samsung S9).

[djolitsu]

I've just installed "SafetyNet Helper Sample" app.
Result:
"- SafetyNet request: success

• Response validation: fail
  Error Msg:
  ApiException[14] 14:"

[Nanolx]

Ah yes, @mar-v-in has not yet merged the changes @ThibG made to microG DroidGuard Helper, so the upstream version currently only works on 32 bit arm (and your device is 64 bit arm).

Uninstall DroidGuard Helper and use my build instead, which is based on upstream + ThibG's changes

• custom microG DroidGuard Helper
• ThibG's changes in source form

[djolitsu]

Now I have new result:

• CTS profile match: false
• Basic Integrity: false

[Nanolx]

OK. So something on your device triggers SafetyNet

• is your ROM rooted (either explicit or with built-in su)?
• is your device KNOX-tripped?
• is the bootloader unlocked? (I guess so)
• are developer settings enabled?

all this and several other things may trigger SafetyNet. The easiest work-around is to use Magisk, it's Magisk Hide functionality eliminates any SafetyNet triggers in 99 % percent of all cases.

Once you pass SafetyNet you may re-setup the Play Store (clear data and all), after that in the Play Store settings you should see device certified instead of the current device not certified.

[djolitsu]

• is your ROM rooted (either explicit or with built-in su)? I have the option in parameters but but default it's disabled
• is your device KNOX-tripped? I don't know well KNOX. I just bought S9 and installed Lineage for microG. Nothing else.
• is the bootloader unlocked? I don't change the bootloader
• are developer settings enabled? No
  I don't have any GApps installed. I installed"Paylib" via "Aurora Store".
  I will try Magisk.
  Thanks

[pgera]

@Nanolx , with the droidguard helper from the microg fdroid-repo, both the tests fail. With your version, basicintegrity is true, but ctsprofile is false. This is on AOSP build of Android P on pixel with magisk.

Edit: I didn't build droidguard helper in the ROM as a priv-app. Is that a requirement ? If so, I'm less enthusiastic about it.

[Nanolx]

@pgera depends, on some ROMs it works as user-app, some ROMs need it as priv-app. If attestation works, it's fine (regardless of result). If ctsProfile is false, there's still something that SafetyNet doesn't like about the ROM.

Did you use the Magisk 17.2 beta release? It contains additional improvements. Else there's a Magisk module that aids in passing SafetyNet, but that's obviously out-of-scope here.

Just check the Magisk section of XDA.

[pgera]

@Nanolx , thanks for the hints. priv-app is required. Also had to change the build fingerprint based on the module that you mentioned. Works after that. I don't have a real use for it, but good to know that it works.

[ale5000-git]

This should be already fixed, if there are other problems please open a new ticket.