Magisk: com.starfinanz.mobile.android.pushtan detects root with enabled Magisk Hide

1 - you've either not added the app to the Hide list, or not enabled the feature to hide the Magisk Manager with a random package name (or both). In other words, MagiskHide works perfectly for that app. I've tested...

2 - you can close this since there is no actual issue.

How does this random name thing works ?

Am 15. Februar 2019 16:41:33 schrieb Didgeridoohan notifications@github.com:

1 - you've either not added the app to the Hide list, or not enabled the
feature to hide the Magisk Manager with a random package name (or both). In
other words, MagiskHide works perfectly for that app. I've tested...

2 - you can close this since there is no actual issue.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.

Magisk Manager - Settings - Hide Manager.

I have uninstalled everything again, pushtan, magisk manager and magisk. I installed pushtan, activated it and installed magisk again. After a reboot i installed magisk manager, changed package name, disabled and reenabled magisk hide, choosed all apps to hide and tried again to open the app, it crashed :/

I am using Oneplus 6T with OxygenOS 9.0.12
Magisk 18.1
MagiskManager 7.0.0

In that case it's detecting something else on your device, or it's possible that your device is affected by the intermittent MagiskHide issues with v18.0 and v18.1 (see issue #907). I have confirmed that MagiskHide works for that app, so there's nothing to do about that.

And, MagiskHide is being completely rewritten at the moment, which hopefully will take care of the above mentioned bug.

As I said before, the issue you've raised is actually not an issue. You can close this now...

I can confirm (on my device) that PushTAN 1.3.1 no longer starts with Magisk Hide / Magisk Props configurations which work correctly after a downgrade to PushTAN 1.3.0

Tested v1.3.1 of the app, with Magisk Canary (build 18108). The app on the Hide list and with the Manager hidden. The app starts without issue...

Hm, that's frustrating. Updated to Canary Release (18108). PushTAN 1.3.0 continues working flawlessly, 1.3.1 exits immediately. Magisk app hidden, PushTAN in the hide list, etc. Using 1.3.0 is a fine workaround for now, but it would be nice to understand why it fails on some devices. Happy to collect/provide logs if anyone is interested.

Could be that v1.3.1 looks for root apps on your device, some specific setup/prop value/etc. A logcat (or probably better with strace) when he app triggers might show something. Or you could decompile the apk and see if you find something there.

Unfortunately the workaround using PushTAN 1.3.0 does not work for me. I tried versions down to 1.0.13. No luck. I'm on an Honor 8 with EMUI/Android 8.0.0 (Magisk app hidden, PushTAN in the hide list).
Any ideas?

Looks like they found a way to detect Magisk again. Please reopen this ticket @topjohnwu

Some logs 8499 is pushTAN:

07-18 15:00:49.439  8499  8499 W         : type=1400 audit(0.0:26286): avc: denied { read } for name="/" dev="rootfs" ino=1 scontext=u:r:untrusted_app:s0:c151,c256,c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
07-18 15:00:49.443  8499  8499 W         : type=1400 audit(0.0:26287): avc: denied { getattr } for path="/system/bin/atrace" dev="sde21" ino=961 scontext=u:r:untrusted_app:s0:c151,c256,c512,c768 tcontext=u:object_r:atrace_exec:s0 tclass=file permissive=0
07-18 15:00:49.486  8499  8528 W ziparchive: Unable to open '/system/app/YouTube/Youtube.apk': No such file or directory
07-18 15:00:49.487  8499  8528 E android.pushta: Failed to open APK '/system/app/YouTube/Youtube.apk' I/O error
07-18 15:00:49.487  8499  8528 E ResourcesManager: failed to add asset path /system/app/YouTube/Youtube.apk
07-18 15:00:49.487  8499  8528 W PackageManager: Failure retrieving resources for com.google.android.youtube
07-18 15:00:49.489  8499  8527 I FA      : Collection disabled with firebase_analytics_collection_deactivated=1
07-18 15:00:49.493  8499  8527 I FA      : App measurement is starting up, version: 16250
07-18 15:00:49.493  8499  8527 I FA      : To enable debug logging run: adb shell setprop log.tag.FA VERBOSE
07-18 15:00:49.493  8499  8527 I FA      : To enable faster debug mode event logging run:
07-18 15:00:49.493  8499  8527 I FA      :   adb shell setprop debug.firebase.analytics.app com.starfinanz.mobile.android.pushtan
07-18 15:00:49.509  8499  8528 W android.pushta: resources.arsc in APK '/data/app/com.alibaba.aliexpresshd-09cIi09ym_Xo6k-KgXxqAA==/base.apk' is compressed.
[...]
07-18 15:00:50.417  8499  8528 E Report  : Exiting: 
07-18 15:00:50.417  8499  8528 E Report  : xjggvndx.djZQst2V: 00
07-18 15:00:50.417  8499  8528 E Report  :      at xjggvndx.AQgWkUqO.XCiA4gTU(Unknown Source:62)
07-18 15:00:50.417  8499  8528 E Report  :      at xjggvndx.AQgWkUqO.uwhUfFSD(Unknown Source:0)
07-18 15:00:50.417  8499  8528 E AndroidRuntime: FATAL EXCEPTION: 
07-18 15:00:50.417  8499  8528 E AndroidRuntime: Process: com.starfinanz.mobile.android.pushtan, PID: 8499
07-18 15:00:50.417  8499  8528 E AndroidRuntime: xjggvndx.djZQst2V: 00
07-18 15:00:50.417  8499  8528 E AndroidRuntime:        at xjggvndx.AQgWkUqO.XCiA4gTU(Unknown Source:62)
07-18 15:00:50.417  8499  8528 E AndroidRuntime:        at xjggvndx.AQgWkUqO.uwhUfFSD(Unknown Source:0)

As far as I can tell it looks at the apk files of apps. I guess as he can't find YouTube.apk (I use YouTube Vanced through Magisk) he blocks access? Don't know.

Okay I disabled YouTube Vanced and it still does not work. Investigating

I have created a log file with comments of the entire process. I hope someone can do something with this. I did as much as I could (explain a few things, name Apps it is scanning for). Just look out for comments I made there (Search for #)

pushTAN.log

Looks like latest Magisk canary works. No need to do anything. Thanks for the awesome work @topjohnwu

Can confirm that with Magisk Canary Build, pushtan App works again after update from 15.7.2019

With the app update from today and Magisk 19.3 its detecting root again and force close. Damn. The devs of this app are doing a good job.

The latest pushtan was detected again on stable and on beta.

Changed to the canary channel and it's working fine again.

Edit. Thanks to topjohnwu and the others for their continued efforts.

And the devs of Magisk are doing a damn good job also btw.

Confirm. Also not working for me.
Magisk 19.3
S-pushTAN 1.3.2

Bzw.: how can I downgrade the app?

Edit: I was able to downgrade to version 1.3.1 from a backup. Now pushTAN is working fine.

@odoooooo Use Magisk Canary Channel and Upgrade.

The current canary version fixed the problem. I had the same issue.

Just remove Magisk fully, and install the canary!

Date: 2019-07-26
Magisk Manager hidden: yes
Magisk Hide activated for apps: yes
Works when Magisk is removed: yes
Modules installed: none
SafetyNet Status: true/true
Starfinanz App Version: 1.3.2
Magisk Version: 19.4-736729f5(19307)
Magisk Manager Version: 7.3.3-f1112fdf (228)
What happend: On start the app crashes and opens an website that explains, that it detected root

just for docu:

Date: 2019-08-04
Magisk Manager hidden: yes
Magisk Hide activated for apps: yes
Works when Magisk is removed: yes
Modules installed: none
SafetyNet Status: true/true
Starfinanz App Version: 1.3.2
Magisk Version: 19.4-736729f5(19307)
Magisk Manager Version: 7.3.3-f1112fdf (228)

works , had to uninstall xposed leftovers, rootswitch and toggle hide on ->off-> on

can confirm latest canary version works. i hope this will get merged into stable branch.

Version 1.4.0 of pushtan just came out. Does anyone have a problem using it with Magisk v20.0 installed? (+Hide, +obfuscated packet name)

for me v1.4.0 works fine with 20.1-59fd38bb on Android 10

Works fine for me on latest xiaomi.eu, Magisk 20.0, Magisk Hide and obfuscation of package name.

1.5.0 failes again. Pixel 2, Android 10, Dec security patch, Magisk v20.2-11b7076a
Manager hidden, name obfuscated, hide root ticked.

Opens browser to webpage with "warning":

pushTAN Safety notice
We have determined that necessary security mechanisms on your device are not fully effective.
This can have the following causes:

The device has already been shipped with Android system settings that reduce system security.

The device has been "rooted". This means that you have system authorizations that no longer guarantee the protection of your data against access by third parties.

Logs:
I/ActivityTaskManager( 1418): START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.starfinanz.mobile.android.pushtan/com.starfinanz.mobile.android.spushtan.SPushTan bnds=[439,1592][641,1845]} from uid 10034
D/android.hardware.[email protected]( 885): LAUNCH: 1
E/system_server( 1418): Invalid ID 0x00000000.
D/Zygote ( 823): Forked child process 17413
I/ActivityManager( 1418): Start proc 17413:com.starfinanz.mobile.android.pushtan/u0a337 for activity {com.starfinanz.mobile.android.pushtan/com.starfinanz.mobile.android.spushtan.SPushTan}
E/android.pushta(17413): Not starting debugger since process cannot load the jdwp agent.
W/droid.deskclock(17413): type=1400 audit(0.0:1155): avc: denied { read } for name="tcp" dev="proc" ino=4026532113 scontext=u:r:untrusted_app:s0:c81,c257,c512,c768 tcontext=u:object_r:proc_net_tcp_udp:s0 tclass=file permissive=0
W/droid.deskclock(17413): type=1400 audit(0.0:1156): avc: denied { read } for name="/" dev="tmpfs" ino=17370 scontext=u:r:untrusted_app:s0:c81,c257,c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
I/ActivityTaskManager( 1418): START u0 {act=android.intent.action.VIEW dat=https://www.sparkasse.de/... flg=0x10004000 cmp=com.android.chrome/com.google.android.apps.chrome.IntentDispatcher} from uid 10337
D/android.hardware.[email protected]( 885): LAUNCH: 1
I/ActivityManager( 1418): Process com.starfinanz.mobile.android.pushtan (pid 17413) has died: fore TOP
I/Zygote ( 823): Process 17413 exited cleanly (255)
I/libprocessgroup( 1418): Successfully killed

fails with still 1.4 now also, think playservices got updated
updated latest canary, works with 1.4

fails with still 1.4 now also, think playservices got updated

I don't think so. I'm using Sony Xperia 1 (J9110) with Magisk-Hide and random package name v20.1 and s-pushtan 1.4.0 and it works fine.

Just downloaded 1.5.0 and it is also working without issues.

just for docu:

works ,[...] toggle hide on ->off-> on

This just did the trick for me.

v1.5.1 does again fail to start...

Tried: different package name + different Manager-Appname + rechecking Hide pushtan, but does not start.

In the Changelog they say -> Stepped up safet policies.. And since SafetyNet is failing on my Xiaomi MIX 3 5G, I think there's no way to get it back working.

@Henrocker It isn't detecting Magisk at least (if added to the Hide list and with the Manager hidden), I just tested and can start v1.5.1 without issue.

If you're failing SafetyNet, that might be it of course. But it could also be other root apps on your device or files and folders that hint at a modified device (the TWRP directory has been a favourite lately).
https://didgeridoohan.com/magisk/MagiskHide#hn_Hiding_root_from_apps

@Didgeridoohan I got the same issue as @Henrocker with my Galaxy Note 8.
I tried the same things like him, but my SafetyNet Check is still succeeding.

In this XDA-thread they are also talking about the problem regarding the mentioned pushTAN-Apps.

@viertel97 As mentioned in there, there are a few ways to get the app to work. Like using a work profile app... That indicates that the app isn't detecting Magisk (which I've already confirmed by being able to start the app without issue), but other stuff like I've mentioned above. Also see the link I posted for more tips and tricks.

I just rolled back to the previous version. deleted app data and then set it up again - seems to be working for now.

I just rolled back to the previous version

would be really happy if you could upload 1.5.0!

Magisk: 20.4
Manager: 7.5.1
Pushtan: 1.5.1

Magisk Manager is hidden under Manager

using Titanium backup -> locate the Manager -> long press on it -> freeze

Pushtan should work now when finished unfreeze and refreeze whenever needed.

So they now invoke Manager to check for root? sneaky...

apparently, @pijiman from xda was the one to report the fix not me :).

If the Manager is still detected after having repackaged it, that usually means that it's not using the Manager stub, which in turn usually (but not always) means an Android version before 9 (full obfuscation is only possible on 9+)... That the case for you guys?

Can confirm freezing the manager also works for DKB tan2go. OnePlus 3T with Android 9, manager repacked.

@Didgeridoohan I'm running HadesRom on Samsung s10, android v.10

Like I said, it's not necessarily caused by a too old Android version.

But, the important question is if your repackaged Manager is using the stub or not. You'll know by the Manager version string. For example, the current stable Manager is v7.5.1 (267) (7). That means it's build 267 and stub version 7. Current Canary is build 283 and stub version 9. If you have the 7 (or 9) showing in your installed Manager version string it's using the stub.

Here's the thing, I've tested the app (v1.5.1) and can start it just fine by just having it on the Hide list and with the Manager repackaged (with the stub). That's on my OnePlus 3T, Android 9, using Canary debug build 20407 with Manager 283/9 (not frozen). Of course, there might be other variables as well (I don't have a TWRP directory, as an example, but that wouldn't have anything to do with the Manager). Unless of course there further points where the app detects root after starting it and logging in, but I can't test that.

Edit: got the version numbers for S-pushTAN and DKB-TAN2go mixed up (too similar). But both apps behave just the same...

v7.5.1 (267) (7) is what I'm currently running. Maybe the Canary build fixes the problem? I will test this out, but for now I do have a TWRP directory and no there is no difference if logged in or not.

I switched to the Canary build (283)(9), repacked Magisk (as Manager) and set up Magisk hide and tan2go is working without freezing the Manager app. Thanks so far!

Look it up on xda, you can't select canary in the stable app.

@tcmaps https://aapks.com/apk/pushtan/version/50762883/ 1.5.0

Just in case you can't find the canary build, you can download it directly from https://github.com/topjohnwu/magisk_files/raw/canary/app-release.apk

That the case for you guys?

6.0 ZX551ML

I have
S-pushTAN 1.5.0 fresh installed
Magisk 7.5.1 (267) (7) repacked and Hidden
Oneplus 5T with Android 9
and still get flagged as rooted by S-pushTAN

Same Issue!
Repacked Magisk 7.5.1 (267) (7) with most Apps hidden. Using Stock OS on OP7 Pro. (Android 10)

Suddenly stopped working today, without any App updating. Clearing cache / storage of S-TAN doesn't help after re-packing Magisk.

Same goes for me since about 2 days ago it's telling me it detected root

Updated to Android 10 on my OnePlus 5, got redirected when opening until downloading the newest Magisk Manager Canary (284) + hide and repack, now it works again.

Can confirm on my OnePlus 3 with lineage_oneplus3-userdebug 9 PQ3A.190801.002 deef1172a1 and Magisk Manager Canary 284 + Magisk Hide. App starts and i receive PushTANs.

Just installed magisk on a completely fresh phone (twrp and magisk) I have no modules and root apps installed but push tan still detects it! (Jackpotlte)

Fails again with latest canary and version 1.5.2, any legit 1.5.0 apk available?

@simonbuehler https://github.com/topjohnwu/Magisk/issues/1084#issuecomment-622401401

Still not working though

@simonbuehler it is working with version 1.5.0 for me. 1.5.2 brakes it

Specs

Phone: Mi9
Rom: Xiaomi EU MIUI 12.3 Stable
Magisk (Binary): 97b72a59 (20419)
Magisk Manager: Canary Branch 07f712a1 (291) (9)
Magisk Modules: Systemless Host
SafetyNet: basicIntegrity, checked
ctsProfile, checked
evalType, BASIC
_SafetyNet is working out of the box, without any Mods to it_
Xposed: Not installed

Steps:

1. Check if latest Magisk bin is installed (These are the root files, wich root your phone)
2. Check if latest Magisk Canary Manager is installed
3. If somethings missing, install it!
4. Repack Magisk Package with a custom name (i just added a "g" at the end of "Manager")
5. (Optional Info) Sometimes Magisk will not let you enough time to rename your package properly, happens to me, so you need to be fast.
6. If you use TWRP, delete the "TWRP" folder from your internal storage
7. Activate Magisk Hide --> go to the Magisk Hide Settings and hide it for "Google Play Services"
8. Disable any active Magisk Modules
9. (Optional) you can try to disable "Play Protect" from your "Google Playstore"
10. (Optional) disable Developer Settings in Settings
11. Reboot to Recovery, clear Cache and boot back into your System
12. Install "Sparkasse Banking" from the Playstore, but don't open it yet!
13. Hide it in Magisk
14. Install "pushTAN" from the Link #1084 (version 1.5.0)
15. Hide "pushTAN" in Magisk
16. (Optional) Reboot back into Recovery , Wipe Cache and you're done ))

Info:

I would skip all the "Optional" Steps except for Step 12 on your first run through.
If it still won't work after this, try it with all the "Optional" Steps .

@C0nvert thanks for the writeup, not all play services components were hidden, works now!

@simonbuehler
You got it working for 1.5.0 or 1.5.2 ?
Cause as stated above 1.5.2 brakes it for me :/

OnePlus 8 pro with Android 10 here:
I fully removed canary and magisk and freshly installed v20.4 which works great with 1.5.2,
canary version doesn't work atm

Tried it with v1.5.0 and didn't dare to touch it once it worked.... Will test when some needed transactions are done

I tested it this time on LOS 17.1 on my cepheus.
Only 1.5.0 works , if anyone wo got it working can post a tutorial it'll be nice

@C0nvert This method is still working for me on 1.5.2

@HaniAlshikh ty ))
Working Perfectly

@HaniAlshikh just tried your solution and I can confirm it works for me too

FYI, v3.0.2 s-pushtan was released moments ago and it works with v21.0 Magisk and v8.0.2 Manager like a charm. :-)

v3.1.0 breaks it again with Magisk 20.4; tried both hiding and repacking to no avail and without Magisk installed, it works indeed on the same device.… I'm not skilled enough to investigate their detection mechanism, maybe someone could help looking into this?

With Magisk v21.0, it works just fine.

Oh, I totally missed that, thank you very much!