How to Bypass root detection in banking apps ? Google pay, Phonepy, Bhim and more

This is basically from the Magisk Discussion channel on Telegram

extended with my own experiments, experience and observations:

If CTSProfile and basic integrity are both failing even though you are 100% sure that you didn't tweak or change anything like SELinux permissive/enforcing.. etc.. and the ROM maintainer is saying that SafetyNet should work then flash this module:
install Busybox module & MagiskHide Props Config module and fake a fingerprint of a known device , there's a special setting in MagiskHidePropsConfig that is setting the devices' props to mimic a devices that has only basic attestation so you can force the phone not to use hardware attestation.

When your CTSprofile and basic integrity are both true
but banking app isn't working u may try any of the following steps :

!!! IMPORTANT !!!
!!! Before every attempt to start the involved app !!!
!!! Always wipe it's data to get a fresh start !!!

#0 If your ROM doesn't pass without Magisk.. that means something is wrong with your ROM.. possibly you will have to hack hell a lot of things.. first of all if your ROM does not pass SafetyNet by default then report it to the developer / device maintainer.

#1 Go to the app settings of Google Play Services and disable the telephone permission there. Then clear the data and cache of the banking app. Hide root in Magisk Manager for that app and start fresh.

#2. Do #1 again and hide root in Magisk Manager for that app and repackage Magisk Manager with random package name and clear data cache for that app and start fresh (This is called Magisk Manager Hide)

#3a Install MagiskHidePropsConfig module, go to a terminal, issue su then props, in the menu choose 2 (Force basic key attestation) and use a device which is known to be "basic attestation only" and Google cannot force hardware attestation thus SafetyNet might pass easily.

#3b Install MagiskHidePropsConfig module or reset it's config or reinstall it, go to a terminal, issue su then props, in the menu choose 1 and use the same device of yours and set the same fingerprint as your phone's factory ROM. Or try a Pixel phone's fingerprint. Try to use Force Basic Attestation menu and fake a Pixel ROM or your phone's factory ROM props if you are using a custom ROM..

#4a. use the method described here - but use always the latest components!!!

Component sources:

https://github.com/RikkaApps/Riru/releases - the magisk-riru-v21.1.zip is the most recent at the moment (07.05.2020)

https://github.com/ElderDrivers/EdXposed/releases - the v0.4.6.2 is the most recent at the moment (07.05.2020)

https://github.com/ElderDrivers/EdXposedManager/releases - the v4.5.7 is the most recent at the moment (07.05.2020)

HERE ARE THE STEPS TO FIX MAGISK CTS PROFILE FALSE ERROR WITH THE NEW METHOD

First, Install Riru Manager. In case you get the Unknown Sources error, just enable ‘Allow from this source’ and Install it.

Once you install it, go to Magisk Manager, then swipe from the left side, & go to Modules section. Tap on the Plus Button.

Now, if you don’t have the ‘Show Internal Storage’ option enabled in File Manager, then tap on the three dots on the top right corner and select it. In case it is already enabled, you will see ‘Hide Internal Storage’ option in its place. So, you don’t need to do anything. 

Navigate to the folder in the internal storage where you have all the downloaded files and then select the ‘MAGISK RIRU-CORE’ ZIP file. Once installed, Reboot the phone. (Check the Modules section in the Magisk Manager if the module has been installed properly. You will see a checkmark if it is installed successfully). 

In the App Drawer, you will now see a new app called ‘Riru’. Open it and if it says ‘Everything Looks Fine’, then you’re all set to follow the next steps. If you get any error, try installing Riru Module again.

Now, once again go to the Magisk Manager > Modules and then press the Plus button. Now, we need to install the ‘EdExposed Module’ and as mentioned above there are two versions to choose from. You have to try and see which one works for your device. We will recommend starting with ‘Yahfa’ version first. Once again, once installed, reboot the phone. After reboot, once again confirm if the module installed properly.

Now, go to the File Manager and then install the ‘EdExposed Manager’ via the APK file. You will see the App in the App Drawer.

Open it to see if there are any errors or not. If there are any, then this means the ‘Yahfa’ version didn’t work. So, in that case, go to the Module section, remove the Yahfa version, reboot the phone, and then install the ‘Sandhook’ version.

Finally, install the ‘HiddenCore’ Xposed Module via its APK file. Now, go to ‘EdExposed Manager’, swipe from the left side, select the ‘Modules’ option, then enable the ‘HiddenCore’ Module. Now, reboot your phone.

After Reboot, you should check if the ‘HiddenCore’ module has been enabled successfully in the EdExposed Manager. 

Well, that’s it! Now, go to Magisk Manager, tap to start the SafetyNet Check and you will now see that the ‘ctsProfile’ shows as True! This means we successfully did the SafetyNet Bypass. 

NOTE THAT IF THIS METHOD ALSO DOESN’T WORK THEN WE WILL HAVE TO WAIT FOR THE DEVELOPERS TO FIND ANOTHER FIX FOR THIS. 

#4b. Do #1 (and probably #2 too) again and flash liboemcrypto disabler module and clear data and cache of that app and start fresh

When your app is finally working you can give back the telephone permission to Google Play Services if you want.

You can try to use some custom kernel, too,  some of them has SafetyNet bypass included (written by Sultanxda @XDA) - so check some custom kernels and their feature list / changelog, probably it is included.

And let me talk about "indirect 'root' detection": app devs are not stupid.. Lot's of apps are looking for indirect traces of ROM and phone manipulation. Like.. why do you have TWRP or OrangeFox directory on your phone if you have a locked bootloader? 'Obviously' you have those dirs because the bootloader is unlocked and you've flashed / installed nasty things.. right?.. Lot's of apps are checking the list of installed apps and looking for well-known apps that well-known to work correctly when the phone is rooted. Apps like  Lucky Patcher, CreeHack, Freedom APK, AppSara, IAP Cracker APK, Leo PlayCard, IAPFree, SB Game Hacker download, GameCIH, Cheat Engine, Titanium Backup, Swift Backup, Root Checker, Logcat apps, et cetera.. (hope you get the idea) Satisfying such aggressive banking apps are not an easy job but if you remove these apps the banking apps more than likely start to work. (Then you can reinstall them.)

Try out RootBeer Sample app from Google Play to see how your ROM is performing in terms of root hiding - banking apps are used to use the same methods the RootBeer Sample app uses.

So yeah, some developers are very smart and their apps are trying to indirectly find traces of a "modified system", like Pogemon Go and Ingress is looking for directory called TWRP in internal- and external storage, the logic behind this is: if you have a TWRP folder you already opened you bootloader or run a custom recovery at least once (from fastboot mode..) thus your ROM/system is already compromised.. and thus the app stops..