Navigasi

09 July 2020


Tutorial: How to use banking apps on rooted Android phones

This is the official English translation of a post. The original post in bahasa Indonesia can be found here: Tutorial menggunakan aplikasi perbankan (BCA, Mandiri, Mega) pada ponsel Android root.
Note: You can always translate any article using Google Translate tool on the upper right corner (or lower part for mobile view) of this blog.

Hi! As I once told in the previous post, this time I'm back with a tutorial post. A how-to guide for using banking apps on rooted phones.

But first, to be able to follow this tutorial, make sure that you already have a rooted phone. Since I won't discuss how to root in this post. Anyway, for those who don't, maybe because you are still in doubt, you can read the post about "My rooted Android phone and how it came" first.

Before we begin,



Types of
menu
As it is well known by many, some apps intentionally prohibit their usage on phones that have been rooted. Of course, due to security reasons. Yes, they are usually banking and financial apps. Besides this restriction, there are also others which use more lax approaches. For example, one chatting and one ride sharing apps that are quite popular in Indonesia did this. They won't block, but will send "a bit of" additional information to their service instead if our phone is rooted.

The focus of this post is the first one, where the apps are completely unusable. Before we begin, let me tell you the specifications that are being used here. There may be different steps or terms for other devices and operating systems, but they should be adjusted as needed. Please note, I only discussed root with Magisk in this tutorial.
  • Device: Xiaomi Redmi Note 3
  • Operating system: MIUI Global 10.2.1.0
  • Recovery boot: TWRP 3.2.1.0 Kenzo
  • Root: Magisk 20.4
  • Root manager: Magisk Manager 7.5.1

Basic trick: Magisk Hide


Most apps can be used again on rooted phones after following these steps. Try these steps first, but if they don't work, please continue to the steps in the next trick.

Example of app that currently can be fooled with this trick is Mega Mobile. Mega Mobile will display message: "Info: Untuk keamanan transaksi perbankan Anda, aplikasi Mega Mobile tidak dapat digunakan pada perangkat yang sudah di Root / Jailbreak. Silakan menggunakan SMS banking" when launched on rooted phone.


Illustration of Mega Mobile apps on rooted phone before and after the trick

Other banking apps such as Sakuku and Mandiri Online were originally can be fooled with this basic trick. On the earlier BCA Expoversary in 2019 for example, Sakuku app can still be launched with this trick. But on the last BCA Expoversary, this trick no longer works. I don't know exactly when this hole was patched. Likewise with Mandiri Online, in early 2020, this trick can still be used, but not anymore now.

Another example is Payfazz. Payfazz will display message: "BAHAYA! Handphone Anda Terdeteksi di-ROOT / Untuk melindungi keamanan Anda, PAYFAZZ tidak lagi mendukung handphone yang di ROOT. Silahkan gunakan aplikasi PAYFAZZ pada handphone yang tidak di ROOT"[sic] when launched on rooted phone.


Illustration of Payfazz apps on rooted phone before and after the trick

Here are the steps:
  1. Open Magisk Manager app
  2. Touch the hamburger menu in the upper left corner
  3. Touch Settings
  4. On the Magisk section, enable the Magisk Hide toggle on the right
  5. Close and reopen Magisk Manager app
  6. Touch the hamburger menu in the upper left corner
  7. Touch Magisk Hide
  8. Beside the name of the app that cannot be opened, check the circle on the right
For more details, see the screenshot below. Click to enlarge.


Intermediate trick: Repackage Magisk Manager


To determine root, some apps are not only just checking flags on the operating system or just trying to write files on the root partition. They will even read what are the apps that are installed by the user on their phone, send the list to their server, then match them to the block list they have. If an app that meets the criteria was found (in this case Magisk Manager), then the app usage cannot be resumed.

With this trick, we will change the APK name and the App name of this Magisk Manager. So, when they are being matched, their servers will not find banned applications on the phones. FYI, Magisk Manager has "com.topjohnwu.magisk" as the APK name and "Magisk Manager" as the App name by default.

Example of app that currently can be fooled with this trick is Sakuku. Sakuku will display message: "Maaf, ponsel tidak dapat melakukan registrasi Sakuku. Hubungi Halo BCA di 1500888" when launched on rooted phone. But, you still want to use the app on a rooted phone, right? I know, since sometimes there are special discounts when we pay using this app, especially during BCA Expoversary.

Other banking apps such as Mandiri Online can sometimes also be fooled with this intermediate trick, depending on the version of Magisk and Magisk Manager used. But if it doesn't work, you can try the steps in the next trick.


Illustration of Sakuku apps on rooted phone before and after the trick

Here are the steps:
  1. Open Magisk Manager app
  2. Touch the hamburger menu on the upper left corner
  3. Touch Settings
  4. On the General section, touch Hide Magisk Manager
  5. Type the desired App name by avoiding the word Magisk
    Here, I'm using "Magısk Manager" with the i without dot above them (ı) on the word Magisk.
  6. Touch OK
  7. Wait until the hiding process is complete and the app closes
  8. Open Magisk Manager app
  9. Make sure there is a random APK name that appears in the Magisk Manager information
For more details, see the screenshot below. Click to enlarge.


Advanced trick: Dual Apps


This is the most extreme checking. If after the two tricks mentioned above are done, but the app still can not be run, then they might recognize the signature, hash, or icon of the apps that is included in their block list. Because this checking technique is quite complex - they will try to extract and analyze every single app on our phone, usually the loading page of their app will be relatively longer.

With this trick, we will isolate that problematic app. By logging in with a new user account to the system, installing and running them on this new account, of course when they check, they cannot find other apps running by the user. This means that other applications that have been installed in the main user account, including Magisk Manager, cannot be analyzed by them.

Example of app that currently can be fooled with this trick is Mandiri Online. Mandiri Online will display message: "ER-R4 : Aplikasi Mandiri Online tidak dapat dijalankan pada device yang di telah root"[sic] when launched on rooted phone. But, you still want to use the app on a rooted phone, right? I know, since even if you use the Internet Banking from a browser, you still have to authenticate with this app. Moreover, it seems that Mandiri also no longer issues physical tokens. I myself have gone to the Mandiri branch office several times (even to two different branches), but they always said that they don't have it now.


Illustration of Mandiri Online apps on rooted phone before and after the trick

Here are the steps:
  1. Open Security app
  2. Touch Dual apps at the bottom
  3. Beside the name of the app that cannot be opened, enable the toggle on the right
  4. Wait until the process is complete
  5. Touch the icon of the problematic app in launcher
  6. Touch the icon that has the Dual apps mark again
For more details, see the screenshot below. Click to enlarge.


Before we end,


For those who have a rooted phone, do you feel helped by this tutorial? I hope you can always support this blog. And don't forget to also share your impressions and messages in the comments column below.

As for those who haven't, I hope that with this tutorial you won't hesitate when you want to root your phone, because as I said before, actually there are many benefits from it.

Please also read other tutorials from Isamu no Heya. Finally, see you in the next posts!

See also

Kirimkan komentar

Silakan masukan komentar pada kotak teks yang tersedia, lalu klik tombol biru. Periksa kembali secara berkala untuk menemukan balasan terbaru. Anda mungkin tidak menerima notifikasi saat seseorang membalas komentar.