How to Run Any Bank App Safely on a Rooted Phone?

Almost all banking apps tend to block phones with root access; that is, they fail to run on phones that have privileged user access to Android. This guide will look at ways to help you run banking apps on your rooted device, albeit at your own risk.

Why Do Banking Apps Block Rooted Devices?

While the discussion of bypassing built-in security measures to run apps with sensitive financial data is still up for debate, here’s why companies restrict rooted phones from running banking apps:

• Your financial data is extremely sensitive; root access is simply a security risk.
• Companies need to protect themselves. It’s their responsibility to secure their clients’ information and funds; any breach could result in extremely dire consequences for the bank.
• A rooted device is an easy target for malicious actors; there is a small but existent chance that they could steal your money without you knowing.

How to Run Banking Apps on a Rooted Phone?

Disclaimer: The information provided in this article is for educational purposes only. Modifying your device to run banking apps on a rooted phone involves security risks and may void warranties or violate terms of service with your hardware provider and banking applications. Proceed at your own risk. We are not responsible for any damages or losses incurred as a result of following this guide.

The main idea for banking apps to run on rooted phones is to bypass device state detection by hiding privileged access from these apps. While there are other root solutions, this section will particularly touch upon the most common tool, Magisk.

1) Shamiko in Zygisk

With anything Magisk, you’ll be looking at a modular approach — using Magisk modules — to circumvent root detection and hide the device state from the app. In the past, the MagiskHide module was the go-to way to bypass SafetyNet Attestation, but in 2021, the feature was axed.

Note: After the retirement of MagiskHide, Zygisk took its place. It is essentially a module that runs Magisk directly in Zygote, a process that Android uses to start apps, and handle the forking of each application process.

↪ Make Sure Your Device Passes Play Integrity

Before proceeding to flash Shamiko, all of your Play Integrity checks must be passed. Most banking apps, if not the majority, would do just fine without STRONG_INTEGRITY, but rooting, or even unlocking the bootloader of your device unchecks the rest.

We have a detailed guide for bypassing Play Integrity API checks for all apps. They won’t be included in this guide since they are a must-install, even if you don’t need to run banking applications on your device. Without passing the checks, app support on your phone would likely be limited.

1. Update Magisk to Canary Release 27005+ since Shamiko won’t be compatible with previous releases.
2. Download the Shamiko module from LSPosed’s GitHub repository.
3. Uninstall any bank apps that you’ve installed.
4. Open Magisk and tap the settings (gear icon) on the top right-hand side.
5. Scroll down to Zygisk and turn on the feature via the toggle in front.
   • Don’t enable “Enforce DenyList” since this method uses Shamiko instead of Zygisk itself to bypass detection for apps in DenyList.
6. Go back to the home page, and tap on Modules (jigsaw puzzle-like icon) on the bottom right-hand side.
7. Tap on “Install from Storage” and select the downloaded Shamiko module.
8. Once the installation is complete, reboot your device.
9. Open Magisk again and check if Zygisk is enabled.
10. Go to settings and tap “Configure DenyList.”
11. This will open a list of all apps installed on your phone. The selected apps in the list will be used as a reference to hide root from them.
    • Tap on the three vertical dots on the top right-hand side and select “Show system apps.”
    • Select all banking apps from which you wish to hide root access.
    • Check all tick boxes under “Google Play Services” or “com.google.android.gms”
12. Reboot your phone once again.
13. Open Magisk and check to see if Zygisk is still enabled. Now, once root is hidden from selected apps, the Magisk app itself needs to be hidden.
14. Go to Magisk’s settings and tap “Hide the Magisk app.”
    • This will duplicate the app under a different name that can be used to bypass Magisk detection, as many apps look for Magisk itself to detect if a phone is rooted.
15. Rename Magisk to whatever you wish, and tap “OK.”
16. A popup will appear, asking you to add the shortcut to your home screen. Select “OK” or “Allow.”
17. Remove the Magisk icon from your home screen.
18. Reboot your device, and your banking apps should be up and running.
    • Keep in mind that some apps may still fail to work. However, in the majority of cases, apps tend to start up without any issues.

↪ Additional Step for Xiaomi Phones

If you’re on a Xiaomi device, you’ll need to check off one last step before opening up your banking apps, and that is to hide certain apps from accessing the list of installed apps. See, when an app has access to the list of all apps on your phone, it’ll likely find root tools and modules and can infer that the device is insecure.

1. Long-press the app you need to hide root from, and select “App info.”
2. Head on over to Permissions > Other Permissions.
3. Scroll down to find “Access list of installed apps,” and uncheck the permissions in front of it.

2) MagiskHide (Deprecated)

Some online threads have mentioned the procedure to bypass root detection via MagiskHide. As discussed above, this module is deprecated and won’t function on the latest versions of banking apps. Back when it was still the go-to method, it wasn’t reliable, really.

With MagiskHide, it was a constant rat race to install new updates when older ones got patched. This is why, even if you have an older version of the said module running, it may be a good time to switch to Shamiko.

What if Apps Still Don’t Run?

On the off chance that your banking apps still fail to start, there may be an issue with spoofing your phone’s hardware integrity, or the root modules may not have been configured correctly. Here’s what you can try.

1) Check if Your Device Passes Play Integrity Checks

The Play Integrity (PI) API allows developers to detect and verify the authenticity of device software and hardware. If PI checks aren’t passed, you won’t be able to use most banking services. Chiteroman’s PlayIntegrityFix (PIF) is commonly the go-to module for bypassing basic verification checks.

You can check your device’s Play Integrity status using the ‘Play Integrity API Checker‘ on the Google Play Store. If it doesn’t pass the basic tests, it is highly recommended that you flash the PIF module in Magisk manually.

2) Disable Chiteroman’s BootloaderSpoofer (If in Use)

The BootloaderSpoofer module is primarily used to hide the bootloader lock status from phone apps, which is sometimes essential when working with services with better root detection techniques. However, a few users have reported that using the spoofer with banking apps sometimes leads to a positive on the root status.

If you have the module installed, remove the app from the spoofer and clear the app cache before trying again. BootloaderSpoofer is based on the Xposed framework, which has a certain reputation for being easy to detect.

3) Try a Clean Install of Magisk

If all else fails, consider a clean install of Magisk, repeating the entire procedure above and manually flashing the Play Integrity Fix module. This will single out any issues with the module or Magisk itself. Trying a different version of Magisk can also help, but this isn’t recommended since you’ll need to install a similar version of Shamiko that is compatible with the version you’re using.

If your banking app, by some chance, requires Play Integrity to meet its “STRONG_INTEGRITY” requirements, you need to know that it is nearly impossible to have that enabled on a device with an unlocked bootloader; you’ll either need to revert back to a locked bootloader or make system-level changes that are beyond the scope of this guide.

4) Check if Your Phone Has Any Root Files in Storage

As mentioned above for Xiaomi phones, most devices and apps use access to internal storage and scour documents and files to see if any files signal that the device is modified. To be on the safe side, delete any recovery files, such as twrp.img, if you have them in your device’s storage.