My bank thinks GrapheneOS is rooted
DBS locked me out today. Not for a suspicious login, not for a dodgy transfer. For “root”.
Here’s the thing: my phone isn’t rooted. It runs GrapheneOS with a locked bootloader and verified boot, and there is no root anywhere on it. Verified boot means it cryptographically checks its own OS on every start and won’t boot if it’s been tampered with. A locked bootloader means you can’t flash whatever you like onto it. No root means no app, me included, gets god-mode over the system. That is a more locked-down phone than the stock one in most people’s pockets, and it’s the one getting flagged as “jailbroken”.
Now the honest part. My first instinct was to blame Play Integrity, Google’s attestation service, and write a rant about how DBS was really just detecting the absence of Google. I was wrong, and I want to own that.
What actually tripped the alarm was GrapheneOS’s exploit protection. Its hardened memory allocator makes some apps’ native code misbehave, and DBS’s root-detection library read that misbehaviour as a tampered device. GrapheneOS has a per-app “Exploit protection compatibility mode” toggle for exactly this situation. I flipped it on for DBS, and the app works. So the real message wasn’t “you removed Google”. It was “your phone is too hardened for our anti-tamper code to run cleanly”.
The irony survives the correction, though. A blunt heuristic still looked at a phone that’s harder to compromise than the norm and decided it was the dangerous one. Root detection is a crude proxy for safety, and a hardened setup is exactly the false positive it can’t tell apart from a real threat.
But here’s what actually worries me, and why I jumped to Play Integrity in the first place: the version I feared is coming, and it won’t have a toggle.
Play Integrity doesn’t ask “is this device secure?”. It asks “is this a Google-certified Android running Google’s services?”. GrapheneOS answers no on purpose. Today a compatibility switch got me back into my bank. If a bank moves its checks onto Play Integrity’s stricter tiers, no switch will help, because the check was never about my phone’s security. It’s a vendor allowlist wearing a security costume. And if an app genuinely wants to prove a device hasn’t been tampered with, there’s a proper way to do it: the standard Android hardware attestation API, which a hardened phone passes cleanly. GrapheneOS even publishes a guide for developers on how to support it.
And I don’t think it’s far off. It would take just one Singapore bank to swap its root check for Play Integrity, and my hardened phone stops being able to bank at all. Not a toggle away, not a workaround away. Just out. Once one bank does it, the rest tend to follow, because “align with whatever Google blesses” is the easy answer for a compliance team, and the people it shuts out are too few to count.
It won’t stop at banks, either. What really keeps me up is SingPass, the app almost everyone here is forced to use. It just rolled out a round of security hardening, and I have no proof Play Integrity is next, but it feels like the obvious step. If the government’s identity app goes that way, de-Googling your phone slowly locks you out of ordinary life: your bank, then the login for government services, then everything downstream. You wouldn’t be less safe. You’d just have made a choice Google didn’t sell.
So this time a toggle fixed it, and I keep both my bank app and my hardened phone. But I wrote most of this worried I hadn’t, because the day that’s actually true is closer than I’d like. And the alert warning me couldn’t even spell “disabled”. For my security, apparently.