The full writeup behind Banking apps on stock LineageOS + microG in 2026. Internal specifics are scrubbed; this is generic enough to run on your own gear.

Complete guide: from a freshly-flashed phone to a stock LineageOS device with working microG where every app you install just works - including banking apps with Play Integrity DEVICE-grade requirements, Play-Store-DRM apps that check installer source, and apps requiring Play Services. No GApps. No manual workarounds per app.

Requires root (APatch / KernelSU / Magisk) - root is what lets you install microG as a system priv-app with the privapp permissions XML that grants signature spoofing. Without root, this guide doesn't apply.

Tested on Galaxy S10+ (stock LineageOS 23.2 / Android 16, APatch 11142) 2026-05-19. KernelSU / Magisk users follow the same procedure with their manager's UI in place of APatch's.

Table of Contents#

  1. What this guide produces
  2. Prerequisites
  3. Phase 1 - Install LineageOS
  4. Phase 2 - Root with APatch
  5. Phase 3 - Install the spoof + hiding stack
  6. Phase 4 - Install microG
  7. Phase 5 - the load-bearing microG toggle
  8. Phase 6 - PIF: enable all spoof flags
  9. Phase 7 - TEESimulator config (via WebUI)
  10. Phase 8 - Vector + HMA
  11. Phase 9 - Aurora Store: the installer that just works
  12. Phase 10 - Shelter (work profile)
  13. Phase 11 - George (Erste) special case
  14. What works and what does NOT
  15. Configuration files reference
  16. Troubleshooting
  17. Maintenance schedule

What this guide produces#

  • Revolut, McDonald's, s Identity, Erste George, Aurora-Store-installed apps - all work.
  • Play Integrity DEVICE - achievable through microG's DroidGuard path with a live community hardware keybox.
  • Installer-source checks ("must be installed from Google Play") - handled automatically by Aurora Store's Root installer.
  • No GApps anywhere on the device.

Prerequisites#

  • An unlocked-bootloader device with LineageOS Recovery (preferred) or TWRP. LineageOS Recovery handles file-based encryption (FBE) correctly; TWRP on many modern devices either can't decrypt /data or breaks encryption when wiping. LineageOS Recovery ships in the LineageOS ZIP itself (the boot.img IS the recovery on devices with no separate recovery partition; otherwise there's a separate recovery.img).
  • A computer with adb and fastboot (for ROM install and APatch boot.img patching).
  • Full backup of any data you can't lose.
# Install adb / fastboot
sudo pacman -S android-tools          # Arch
sudo apt install android-tools-adb android-tools-fastboot   # Debian/Ubuntu

For Samsung devices, unlocking the bootloader trips Knox permanently.

Phase 1 - Install LineageOS#

Why not just install microG from F-Droid as a user app? Signature spoofing (which makes microG able to pretend to be Google) requires GmsCore to have FAKE_PACKAGE_SIGNATURE permission. Stock LineageOS doesn't auto-grant this; you have to install microG as a system priv-app with a privapp-permissions-org.microG.xml alongside it. Phase 4 walks through this.

Download#

  • ROM: https://download.lineageos.org/devices/ - select your device codename. Download both the lineage-*.zip (ROM) and the recovery.img if your device page lists one separately.
  • The LineageOS install page for your device has the exact fastboot flash sequence - follow that. Don't use TWRP unless LineageOS Recovery isn't available for your device, because TWRP often breaks file-based encryption (/data won't decrypt after wipe).

Flash#

The exact procedure varies by device. Generic shape (check your device's LineageOS install instructions for specifics; note that Samsung devices, including the S10+ this was tested on, flash with Odin or heimdall rather than fastboot):

  1. adb reboot bootloader.
  2. Flash LineageOS Recovery: fastboot flash recovery recovery.img (or fastboot flash boot boot.img on A/B devices with no separate recovery partition, where the recovery lives inside boot.img).
  3. Boot into recovery: fastboot reboot recovery (or device-specific button combo).
  4. In LineageOS Recovery: Factory reset -> Format data. Wipes user data, preserves encryption setup.
  5. Apply update -> Apply from ADB -> on your computer: adb sideload lineage-*.zip.
  6. Reboot to System.

Post-install: install an F-Droid client + Aurora Store#

F-Droid client: pick one (they connect to the same F-Droid repositories, different UIs):

  • Droidify (com.looker.droidify) - modern, faster, cleaner UI. Recommended. Get from https://github.com/Droid-ify/client/releases/latest.
  • F-Droid (org.fdroid.fdroid) - the official one, slower UI. Install via APK if you prefer it.

Either works for installing FOSS apps from the F-Droid repo (and the IzzyOnDroid repo if you add it).

Aurora Store: install from your chosen F-Droid client or from https://gitlab.com/AuroraOSS/AuroraStore/-/releases. This is the Play Store anonymous-access client - your main installer for proprietary apps.

Phase 2 - Root with APatch#

Why APatch#

APatch patches the kernel via boot.img injection - works on devices where Magisk's userspace approach has issues, and gives a kernel-level SU primitive that integrates cleanly with the integrity-hiding modules below.

Install#

Download:

  • APatch app: https://github.com/bmax121/APatch/releases/latest - install the APK normally.
  • Your device's stock boot.img: extract from the LineageOS ZIP you flashed (payload.bin inside, use payload_dumper or similar) OR from a recovery dump.

Procedure:

  1. Open APatch app -> Settings -> SuperKey -> set a long random string. Write it down / store in your password manager. This SuperKey gets embedded into the patched boot.img and is the key APatch uses to verify root requests. Lose this key = lose root (would require reflashing).
  2. Back in APatch app -> tap "Patch boot.img" -> select your stock boot.img -> APatch produces boot_patched.img.
  3. Pull to PC: adb pull /storage/emulated/0/Download/boot_patched.img.
  4. adb reboot bootloader.
  5. fastboot flash boot boot_patched.img.
  6. fastboot reboot.

After reboot, open APatch app. It should show "Working" with the KernelPatch version. If it shows "Not installed", the boot.img flash didn't take - re-verify the patch step.

APatch's permission model is opt-in - apps do NOT auto-prompt#

Important difference from Magisk/KernelSU: APatch does NOT show a permission dialog when an app calls su. Apps trying to get root just get permission denied silently.

You grant root manually, per app, ahead of time:

  1. APatch app -> SuperUser tab.
  2. Find the app in the list (system + user apps shown together).
  3. Toggle Allow root ON.
  4. Optionally also toggle Umount modules ON (for apps you want to hide root modules from - banking apps etc.).

For most apps in this guide:

  • Aurora Store -> grant root (it needs root to use Root installer in Phase 9).
  • Banking apps (Revolut, George, McDonald's, etc.) -> enable Umount modules, leave Allow root OFF.
  • Apps that need root (Termux, MMRL, Iconify, WireGuard tunnel, etc.) -> grant root, leave Umount OFF.

The "ahead of time" model means: if a new app needs root and you didn't pre-grant it, the app fails silently. Watch app behavior the first time you use it and check APatch SuperUser if it acts weird. The same applies to adb: if the adb shell 'su -c "..."' commands later in this guide come back with permission denied, grant root to the shell entry (com.android.shell) in the same SuperUser list.

Phase 3 - Install the spoof + hiding stack#

Install MMRL (Magisk Modules Repository Loader) from your F-Droid client (Droidify or F-Droid). MMRL handles module installs from URL across Magisk / KernelSU / APatch.

For each module below, in MMRL: tap Install from URL and paste the GitHub release ZIP URL. Install order matters for some - install NeoZygisk first so dependent modules detect a zygisk implementation at install time.

#  Module                                   Source URL
1  NeoZygisk v2.3                           github.com/JingMatrix/NeoZygisk/releases/download/v2.3/NeoZygisk-v2.3-275-release.zip
2  Vector v2.0 (renamed LSPosed)            github.com/JingMatrix/LSPosed/releases/download/v2.0/Vector-v2.0-3021-Release.zip
3  TEESimulator v3.2                        github.com/JingMatrix/TEESimulator/releases/download/v3.2/TEESimulator-v3.2-67-Release.zip
4  Tricky Addon - Update Target List v4.3   github.com/KOWX712/Tricky-Addon-Update-Target-List/releases/download/v4.3/TrickyAddonModule-v4.3.zip
5  Play Integrity Fix [INJECT]              github.com/KOWX712/PlayIntegrityFix/releases/latest (use the inject_s branch zip)
6  microG Installer Reborn                  see Phase 4 - it needs microG 0.3.6 installed as a user app first, so hold off on this one until then
7  zygisk-detach                            github.com/j-hc/zygisk-detach/releases/latest
8  Busybox NDK                              search MMRL repos or osm0sis XDA thread

Install HMA (HideMyApplist) separately - it's a regular Android APK, not a module:

  • github.com/Dr-TSNG/Hide-My-Applist/releases/latest
  • Or via Droidify (it's in the F-Droid repo).

Reboot when all modules are installed.

Modules NOT to install#

  • Tricky Store - dormant since Nov 2025. TEESimulator replaces it (same module ID, in-place).
  • Zygisk Next - works but NeoZygisk is the JingMatrix-ecosystem coherent pick.
  • Zygisk-LSPosed v1.x - renamed to Vector on 2026-03-22; install Vector v2.0 from the table above instead.
  • playcurlNEXT - obsolete since PIF inject-s v4.4 self-fetches.
  • Network proxy modules (xray4magisk etc.) - banking apps detect proxy via /proc/net/route. Add back later if you need them and test each affected app.

Optional, works with or without: Zygisk Assistant. Some guides claim it's required for DEVICE integrity; testing here shows it's neither required nor harmful.

Phase 4 - Install microG#

Stock LineageOS has no microG. The procedure has a chicken-and-egg quirk: the microG Installer Reborn module (which sets up signature spoofing properly) only works with microG 0.3.6 already installed as a user app. So you install old microG first, then the module promotes it to system priv-app, then you update to current via Droidify.

  1. Install old microG 0.3.6 as user apps. Download both APKs via browser, then tap to install:

    • GmsCore: https://github.com/microg/GmsCore/releases/download/v0.3.6.244735/com.google.android.gms-244735012.apk
    • Companion / Vending: https://github.com/microg/GmsCore/releases/download/v0.3.6.244735/com.android.vending-84022612.apk

    (Use the standard .apk files, NOT the -hw.apk Huawei variants.)

  2. Install microG Installer Reborn module via MMRL: Install from URL -> https://github.com/Bakoubak/microg_installer_reborn/releases/download/v1.0.0-0/microG_Installer_Reborn.zip. The module's install script reads your user-installed microG APKs, copies them to /system/priv-app/, and drops the privapp-permissions-org.microG.xml that grants signature spoofing.

  3. Reboot.

  4. Open Droidify -> Settings -> Repositories -> tap + -> add:

    • URL: https://microg.org/fdroid/repo
    • Fingerprint: 9BD06727E62796C0130EB6DAB39B73157451582CBD138E86C468ACC395D14165
  5. Wait for Droidify to sync the new repo, then update microG Services Core and microG Companion to current via Droidify. In-place upgrade works because the signing key matches.

  6. Open microG Settings -> Self-Check -> all items green except SafetyNet (Google killed that endpoint, ignore).

  7. Enable in microG Settings: Cloud Messaging + Google device registration.

Done. Future microG updates arrive in Droidify automatically.

Note: don't try to install current microG directly first - the microG Installer Reborn module aborts if it sees anything newer than 0.3.6 already installed. The trick is start with 0.3.6, run the module, then upgrade.

Phase 5 - the load-bearing microG toggle#

This single setting is what makes DEVICE-grade Play Integrity work through microG. Default is ON (blocking); you turn it OFF.

Path: microG Settings -> Device Attestation -> Advanced -> Block hardware attestation -> uncheck.

Reboot for the toggle to take effect (microG reads the setting at DroidGuard service start, not live).

Verify (optional):

adb shell 'su -c "grep hw_attestation /data/data/com.google.android.gms/shared_prefs/com.google.android.gms_preferences.xml"'
# Expect: <boolean name="droidguard_block_hw_attestation" value="false" />

Phase 6 - PIF: enable all spoof flags#

Open APatch -> Modules -> Play Integrity Fix [INJECT] -> Action / Open WebUI. Enable ALL six toggles:

  • Spoof Build
  • Spoof Build (Play Store)
  • Spoof Signature
  • Spoof Props
  • Spoof Provider
  • Spoof SDK (Play Store)

PIF auto-fetches a Pixel Canary fingerprint with its security patch date. The date matters for Phase 7.

Phase 7 - TEESimulator config (via WebUI)#

Open APatch -> Modules -> TEESimulator -> Action / Open WebUI.

(The WebUI files are provided by Tricky Addon and surfaced via TEESimulator's webroot symlink. Both modules need to be installed; you reach the UI through TEESimulator's Action button.)

Target list#

Tap Target list in the WebUI. Add each app you care about. Mode suffix:

  • ? = leaf-patching mode. Use for apps that call Play Integrity API. Standard choice.
  • ! = generate mode. Use when stuck on a software-only keybox (no hardware chain).
  • bare name (no suffix) = monitor-only. Use for apps with their own internal hardware-bound keys (rare; George works either bare or ?).

Example minimum target list:

at.erstebank.george?
at.erstebank.securityapp
com.android.vending?
com.aurora.store?
com.google.android.gms?
com.google.android.gsf?
com.mcdonalds.mobileapp?
com.revolut.revolut?

Add any other banking app or PI-checking app with ?.

Security patch#

Tap Security patch in the WebUI. Two options:

  • Auto-roll (recommended): pick the template that matches PIF's current rotation. Tricky Addon will update monthly to stay aligned.
  • Manual: enter the date that matches PIF's SECURITY_PATCH value exactly.

Mismatch between PIF's SECURITY_PATCH and Tricky Addon's security_patch.txt will cause Google's verifier to reject the chain. This is the most common cause of "I had DEVICE last week and now it's BASIC" regressions.
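To make that alignment check mechanical, here is an added example (written for this guide; it is not part of PIF, Tricky Addon or TEESimulator) that compares the SECURITY_PATCH line of pif.prop with the system/boot/vendor fields of security_patch.txt and also reports how old the spoofed patch level is, since the STRONG verdict needs it within 365 days. It assumes exactly the file formats this guide shows (SECURITY_PATCH=YYYY-MM-DD; system=YYYYMM, boot=YYYY-MM-DD, vendor=YYYY-MM-DD); the sample inputs are constructed, not pulled from a device.

```python
import re
from datetime import date

# pif.prop line the guide greps for: SECURITY_PATCH=YYYY-MM-DD
PIF_RE = re.compile(r"^\s*SECURITY_PATCH=(\d{4}-\d{2}-\d{2})\s*$", re.M)


def parse_pif_patch(pif_prop_text):
    """Return the SECURITY_PATCH date from pif.prop text, or None if PIF has not set one."""
    m = PIF_RE.search(pif_prop_text)
    return m.group(1) if m else None


def parse_security_patch_txt(text):
    """Parse Tricky Store's security_patch.txt (key=value per line) into a dict."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def expected_fields(pif_date):
    """The three values security_patch.txt must carry to match a PIF date."""
    return {
        "system": pif_date.replace("-", "")[:6],  # YYYYMM
        "boot": pif_date,                         # YYYY-MM-DD
        "vendor": pif_date,                       # YYYY-MM-DD
    }


def patch_mismatches(pif_prop_text, security_patch_text):
    """Return a list of problems; an empty list means the two files are aligned."""
    pif_date = parse_pif_patch(pif_prop_text)
    if pif_date is None:
        return ["pif.prop has no SECURITY_PATCH line - PIF has not fetched a fingerprint yet"]
    have = parse_security_patch_txt(security_patch_text)
    problems = []
    for key, want in expected_fields(pif_date).items():
        if key not in have:
            problems.append(f"{key}: missing from security_patch.txt (PIF needs {want})")
        elif have[key] != want:
            problems.append(f"{key}: security_patch.txt has {have[key]}, PIF has {want}")
    return problems


def patch_age_days(pif_date, today_iso):
    """Days between the spoofed patch level and today_iso (YYYY-MM-DD); STRONG needs <= 365."""
    return (date.fromisoformat(today_iso) - date.fromisoformat(pif_date)).days


# Constructed sample inputs (not captured from a device): PIF rolled to May, Tricky Store's
# boot/vendor dates are still April -> the chain validates but the verdict gets rejected.
SAMPLE_PIF_PROP = "MODEL=Pixel 9\nSECURITY_PATCH=2026-05-05\n"
SAMPLE_SECURITY_PATCH_TXT = "system=202605\nboot=2026-04-05\nvendor=2026-04-05\n"

if __name__ == "__main__":
    import sys
    # Usage: python3 patch_align.py pif.prop security_patch.txt (both pulled with adb)
    if len(sys.argv) == 3:
        pif_text, ts_text = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        pif_text, ts_text = SAMPLE_PIF_PROP, SAMPLE_SECURITY_PATCH_TXT
    for line in patch_mismatches(pif_text, ts_text) or ["aligned"]:
        print(line)
    pif_date = parse_pif_patch(pif_text)
    if pif_date:
        age = patch_age_days(pif_date, date.today().isoformat())
        print(f"spoofed patch level is {age} days old (STRONG needs <= 365)")
```

Pull both files with the adb commands from the keybox recovery procedure and pass them as the two arguments; "aligned" plus an age under 365 days is the state you want before testing an app.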

Keybox initial setup#

The keybox is a file at /data/adb/tricky_store/keybox.xml, not a separate module. TEESimulator reads it to build the attestation chain. There's no "keybox module" - the file just needs the right content.

In the TEESimulator WebUI, tap Keybox. You'll see four options: AOSP, Valid, Unknown, Custom.

  • AOSP = the built-in software AOSP example keybox (DeviceID="sw"). Default after fresh install. Useless for DEVICE-grade integrity.
  • Valid = "fetch a CRL-validated keybox from community feeds". Requires the WebUI's internal HTTP client to reach GitHub. In practice this often fails with "Please check your internet connection" even when device internet works fine - a known issue with the WebUI's WebView network access.
  • Unknown = use a keybox even if its CRL status can't be verified.
  • Custom = point to a keybox file path on the device.

Since Valid typically fails, the working procedure is: manually download the keybox file and use Custom (or copy via adb):

  1. On your PC, download and decode the latest community keybox:
    curl -sL https://raw.githubusercontent.com/KOWX712/Tricky-Addon-Update-Target-List/keybox/.extra \
      | xxd -r -p | base64 -d > keybox.xml
  2. Sanity check - the file should have 6 BEGIN CERTIFICATE blocks (ECDSA + RSA chains, 3 certs each):
    grep -c BEGIN.CERTIFICATE keybox.xml
    # expect: 6
  3. (Optional, recommended) Verify that none of the certificate serials are on Google's CRL - see the CRL check in the recovery procedure below.
  4. Either method to get it on the device:
    • Via WebUI: adb push keybox.xml /sdcard/Download/keybox.xml, then TEESimulator WebUI -> Keybox -> Custom -> point to /sdcard/Download/keybox.xml. Apply.
    • Via adb direct (faster):
      adb push keybox.xml /sdcard/Download/keybox.xml
      adb shell 'su -c "cp /sdcard/Download/keybox.xml /data/adb/tricky_store/keybox.xml"'
      adb reboot

Either way the final state is /data/adb/tricky_store/keybox.xml containing the live hardware keybox. TEESimulator's daemon reads it at boot.

Community keyboxes survive 6-31 days before Google adds the leaf to the CRL. Because the Valid auto-fetch is broken, there's no real auto-rotation - you have to manually refresh weekly. See the recovery procedure below.

When keybox expires - recovery procedure#

Community keyboxes get added to Google's CRL on Google's schedule (days to weeks after distribution). You'll know it happened because:

  • Apps that worked yesterday now show integrity errors (Revolut "device tampered with after login", George 1007).
  • TEESimulator WebUI Keybox tab shows status revoked or sw.
  • Enginex0/tricky-addon-enhanced (if installed) flips its keybox badge red.

Recovery (5 minutes):

  1. On your PC, fetch the latest community keybox (the WebUI's Valid button typically fails with internet-connection error, so do it on PC):

    curl -sL https://raw.githubusercontent.com/KOWX712/Tricky-Addon-Update-Target-List/keybox/.extra \
      | xxd -r -p | base64 -d > keybox.xml
    grep -c BEGIN.CERTIFICATE keybox.xml   # expect: 6
  2. Check the leaf serial against Google's CRL before installing - revoked keybox is worse than no keybox here:

    # Check every cert serial in the file (ECDSA + RSA chains), not just the first leaf.
    # CRL keys are lowercase hex without leading zeros; openssl pads serials to even digits.
    CRL=$(curl -sf https://android.googleapis.com/attestation/status) || { echo "CRL fetch failed"; exit 1; }
    rm -f cert*.pem; awk '/BEGIN CERT/{n++} n{print > ("cert" n ".pem")}' keybox.xml
    for c in cert*.pem; do
      s=$(openssl x509 -in "$c" -noout -serial | cut -d= -f2 | tr A-Z a-z | sed 's/^0*//')
      [ -n "$s" ] || { echo "$c: could not parse certificate"; continue; }
      printf '%s %s: ' "$c" "$s"; echo "$CRL" | grep -q "\"$s\"" && echo REVOKED || echo live
    done
    # All live = install. Any REVOKED = skip - try Yurikey fallback URL or wait a day.
  3. Yurikey fallback if KOWX712 returns revoked:

    curl -sL https://raw.githubusercontent.com/Yurii0307/yurikey/main/key | base64 -d > keybox.xml
    # Same sanity + CRL check as above.
  4. Push and install (if leaf is live):

    adb push keybox.xml /sdcard/Download/keybox.xml
    adb shell 'su -c "cp /data/adb/tricky_store/keybox.xml /data/adb/tricky_store/keybox.xml.bak.$(date +%s) && \
      cp /sdcard/Download/keybox.xml /data/adb/tricky_store/keybox.xml"'
  5. Once keybox status shows green/valid, verify the security patch alignment is still correct (next step). PIF's fingerprint rotates independently of the keybox; both need to be aligned for Google's verifier to accept the chain.

  6. Check security patch alignment:

    # PIF's current SECURITY_PATCH:
    adb shell 'su -c "grep SECURITY_PATCH /data/adb/modules/playintegrityfix/pif.prop"'
    
    # Tricky Addon's current security_patch.txt:
    adb shell 'su -c "cat /data/adb/tricky_store/security_patch.txt"'

    The PIF SECURITY_PATCH=YYYY-MM-DD value must match TS system=YYYYMM, boot=YYYY-MM-DD, vendor=YYYY-MM-DD exactly. If they drift, the chain validates but the verifier rejects the verdict.

  7. If patches drifted: open TEESimulator WebUI -> Security Patch -> re-pick the auto-roll template OR manually enter PIF's current date. Save.

  8. Reboot so TEESimulator daemon reloads keybox + patch state.

  9. Test with the actual target app (Revolut, George, etc.). Don't use Play Integrity API Checker - returns -100 on microG regardless of integrity state, see the troubleshooting section.

If the app works -> done. If the app still fails -> see the troubleshooting section for symptom-specific debugging.
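The shell check in step 2 relies on openssl and on substring grepping. As an added example, written for this guide and not part of Tricky Addon, TEESimulator or any keybox feed, here is a standalone checker that parses keybox.xml, walks each certificate's DER prefix to read the serial number and notAfter, normalizes the serial the way the CRL keys it (lowercase hex, no leading zeros - an assumption based on observed entries), and reports per certificate, also flagging TEESimulator's built-in DeviceID="sw" software keybox. It assumes the usual keybox layout (AndroidAttestation/Keybox/Key/CertificateChain/Certificate) and the {"entries": {serial: {"status": ...}}} shape of https://android.googleapis.com/attestation/status. The embedded certificates are constructed unsigned skeletons for offline testing; never install them.

```python
import base64
import json
import re
import xml.etree.ElementTree as ET

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def cert_fields(der):
    """Read serialNumber and validity.notAfter from a DER X.509 cert by walking the
    TBSCertificate prefix: [0] version (optional), serialNumber, signature, issuer, validity."""
    _, cert, _ = der_tlv(der)                # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert)                # tbsCertificate ::= SEQUENCE
    tag, val, pos = der_tlv(tbs)
    if tag == 0xA0:                          # [0] EXPLICIT Version, present in v3 certs
        tag, val, pos = der_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    # Assumption: the CRL keys serials as lowercase hex without leading zeros. DER pads a
    # high-bit serial with a 0x00 octet, so strip leading zero nibbles from the hex form.
    serial = val.hex().lstrip("0") or "0"
    _, _, pos = der_tlv(tbs, pos)            # signature AlgorithmIdentifier
    _, _, pos = der_tlv(tbs, pos)            # issuer Name
    _, validity, _ = der_tlv(tbs, pos)       # validity ::= SEQUENCE { notBefore, notAfter }
    _, _, p = der_tlv(validity)
    _, not_after, _ = der_tlv(validity, p)
    return serial, not_after.decode("ascii")


def keybox_certs(xml_text):
    """Yield (DeviceID, algorithm, DER cert) for every certificate in a keybox.xml.
    Assumed layout: AndroidAttestation/Keybox[@DeviceID]/Key[@algorithm]/CertificateChain/Certificate."""
    for kb in ET.fromstring(xml_text).iter("Keybox"):
        for key in kb.iter("Key"):
            blob = "".join(c.text or "" for c in key.iter("Certificate"))
            for m in PEM_RE.finditer(blob):
                yield kb.get("DeviceID", ""), key.get("algorithm", "?"), base64.b64decode(m.group(1))


def check_keybox(xml_text, crl_json, expected_certs=6):
    """Check every cert against a CRL document shaped like the attestation/status feed:
    {"entries": {"<serial>": {"status": "REVOKED", ...}}}. Returns a report dict."""
    entries = json.loads(crl_json).get("entries", {})
    certs, revoked, software = [], [], False
    for device_id, algo, der in keybox_certs(xml_text):
        software |= device_id == "sw"        # TEESimulator's built-in AOSP software keybox
        serial, not_after = cert_fields(der)
        status = entries.get(serial, {}).get("status", "LIVE")
        certs.append({"algorithm": algo, "serial": serial, "not_after": not_after, "status": status})
        if status != "LIVE":
            revoked.append(serial)
    return {"cert_count": len(certs), "certs": certs, "revoked": revoked,
            "software_keybox": software,
            "ok": len(certs) == expected_certs and not revoked and not software}


# --- constructed fixtures: unsigned X.509 skeletons, never install these ------------------

def _tlv(tag, body):
    """Encode one DER TLV (short or long length form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_cert_pem(serial_bytes, not_after=b"270101000000Z"):
    """Minimal certificate skeleton carrying only the fields cert_fields() walks."""
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, serial_bytes)
               + _tlv(0x30, _tlv(0x06, bytes.fromhex("2a8648ce3d040302")))   # ecdsa-with-SHA256
               + _tlv(0x30, b"") + _tlv(0x30, _tlv(0x17, b"250101000000Z") + _tlv(0x17, not_after)))
    der = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----"


ECDSA_PEM = fake_cert_pem(bytes.fromhex("1234"))
RSA_PEM = fake_cert_pem(bytes.fromhex("00c0ffee"))    # high bit set -> DER pad octet
SAMPLE_KEYBOX = f"""<?xml version="1.0"?>
<AndroidAttestation><NumberOfKeyboxes>1</NumberOfKeyboxes><Keybox DeviceID="constructed">
<Key algorithm="ecdsa"><CertificateChain><NumberOfCertificates>1</NumberOfCertificates>
<Certificate format="pem">{ECDSA_PEM}</Certificate></CertificateChain></Key>
<Key algorithm="rsa"><CertificateChain><NumberOfCertificates>1</NumberOfCertificates>
<Certificate format="pem">{RSA_PEM}</Certificate></CertificateChain></Key>
</Keybox></AndroidAttestation>"""
SAMPLE_CRL = json.dumps({"entries": {"c0ffee": {"status": "REVOKED", "reason": "KEY_COMPROMISE"}}})

if __name__ == "__main__":
    import sys
    # Usage: python3 keybox_check.py keybox.xml crl.json  (curl the CRL to crl.json first)
    if len(sys.argv) == 3:
        report = check_keybox(open(sys.argv[1]).read(), open(sys.argv[2]).read())
    else:
        report = check_keybox(SAMPLE_KEYBOX, SAMPLE_CRL, expected_certs=2)
    print(json.dumps(report, indent=2))
```

Run it against the decoded keybox.xml and a freshly curled copy of the CRL before the adb push; "ok": true means six certificates, none revoked, and not the AOSP software keybox. The DER walk only reads the start of TBSCertificate, so it works on real certificates of any size without pulling in a crypto library, but it does not verify signatures or the chain order; that part stays with TEESimulator and Google's verifier.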

For more aggressive, dependable automation, swap Tricky Addon v4.3 for Enginex0/tricky-addon-enhanced v5.53.1 (released 2026-05-01). What it adds over the standard Tricky Addon:

  • Rust daemon with continuous keybox rotation across multiple sources with automatic failover (Yurikey -> KOWX712 -> custom).
  • Live CRL check against android.googleapis.com/attestation/status before installing any keybox.
  • Per-key validation report exposed in WebUI (chain_valid, revocation_reason, root_type, revocation_source).
  • 6-hour default polling cadence (configurable down to 5 min, but GitHub rate-limits below 6h).

Hard prerequisite: APatch 11159+. You are likely on 11142. Update APatch first via github.com/bmax121/APatch/releases/latest (download the new APK, re-patch boot.img if there's a KernelPatch update, reflash). The Enginex0 module refuses to install on older APatch.

Setup (after APatch update):

  1. MMRL -> Install from URL: https://github.com/Enginex0/tricky-addon-enhanced/releases/latest.
  2. During install you have ~10 seconds to press Vol+ to opt into full automation. Vol- = manual-only mode (gives up most of the value, don't use).
  3. Hot install - no reboot needed. Daemon starts immediately, captures vbmeta.digest, populates target.txt, fetches keybox, validates, installs if live.
  4. Open the WebUI (via APatch module Action) -> Keybox section:
    • Source: yurikey (more reliable in 2026 than the KOW upstream)
    • Interval: 21600 seconds (6h)
    • Keep CRL check enabled

Verify via the WebUI badge or CLI:

adb shell 'su -c "ta-enhanced keybox validate"'

Output is a JSON ValidationReport. If revocation_source shows embedded, the device couldn't reach Google's CRL endpoint - check network / firewall. If revocation_source is online with revocation_reason=null and chain_valid=true, you're green.

Source comparison (May 2026)#

  • Yurikey (github.com/Yurii0307/yurikey) - cadence: every 4-10 days; CRL-validated by Enginex0: yes. Most reliably fresh in 2026. Knox-rooted keyboxes tend to outlast Google-rooted ones. Primary recommendation.
  • KOWX712 upstream (KOWX712/Tricky-Addon-Update-Target-List, keybox branch) - cadence: irregular, slower in 2026; CRL-validated by Enginex0: yes. Was primary in 2025, slowed since the v5.0-beta rewrite. Keep as failover.
  • Custom URL - cadence: manual; CRL-validated by Enginex0: yes. Set if you have a private Telegram-sourced feed mirrored to a GitHub gist.

Do NOT bother with: MeowDump/Integrity-Box (no auto rotation, no CRL), Mark-Joy keybox-yurikey (pure mirror of Yurikey).

Proactive notifications (optional but worth it)#

The CRL is reactive - Google adds a revoked serial after the decision, not before. Two ways to shorten the "key burned -> you notice" window:

  • https://tryigit.dev/keybox/status/ - browser push notifications when keyboxes get added to the public CRL. Open in a daily browser, allow notifications.
  • Telegram t.me/CitraIntegrityTrick - mirrors revocation events within hours.

Neither prevents revocation; they make you aware faster so you can manually trigger a fetch before the next scheduled poll.

What still requires manual intervention#

Even with full automation:

  • Both upstream feeds simultaneously stale or down for >24h -> switch to custom URL temporarily.
  • Banking apps that do server-side CRL lookup independently (some Revolut / George flows do this) -> grab a fresh keybox from a paid Telegram source, install via ta-enhanced keybox set-custom /sdcard/keybox.xml.
  • APatch version drift -> Enginex0 daemon's module.prop parser can break on new APatch builds. Watch the addon release notes after APatch updates.

Realistic expectation: with this setup you intervene maybe once a month, triggered by a notification or a failing app - not on a calendar.

Phase 8 - Vector + HMA#

Vector v2.0 framework loads automatically via NeoZygisk at boot. It's reachable via its persistent notification in the status bar - tap or expand to access the scope UI. The standalone Vector manager APK is optional and not needed.

In Vector notification -> Modules tab:

  1. Find HMA -> toggle ON.
  2. Tap HMA -> scope -> tick:
    • System Framework (mandatory - without this no hooks load)
    • Each banking app you want HMA to hide root packages from

Reboot (Vector scope changes need a full reboot).

After reboot, open HMA app. For each scoped app:

  1. Tap it -> enable HMA for the app.
  2. Apps to hide -> tick me.bmax.apatch (APatch manager), org.lsposed.manager (Vector manager if installed), any visibly root-related app.
  3. Save.

Note: HMA refuses to launch from work profile (user 10) by design. Install in user 0 only.

Phase 9 - Aurora Store: the installer that just works#

Aurora Store 4.7.5+ has a Root installer mode that automatically tags every install with installerPackageName=com.android.vending. Apps that check the installer source (McDonald's, large retail apps, some games) accept this and don't show "must be installed from Google Play" warnings.

Setup:

  1. APatch app -> SuperUser tab -> find Aurora Store -> grant root permission (toggle on).
  2. Open Aurora Store -> Settings -> Installer. The Root installer option only appears after root is granted.
  3. Select Root installer.

Every subsequent Aurora install gets the right installer source automatically. You can stop doing per-app manual workarounds.

Caveat: Aurora always installs to user 0#

whyorean/AuroraStore RootInstaller.kt hardcodes the target user as user 0:

Shell.cmd("pm install-create -i $PLAY_PACKAGE_NAME --user 0 -r -S $totalSize")

Meaning: Aurora running in a work profile (user 10) will still install apps into user 0 (primary). For the cleanest workflow, install Aurora in user 0 and use it from there. Running it from a work profile doesn't isolate the installs - they still land in user 0.

Phase 10 - Shelter (work profile)#

Shelter creates an Android Managed Profile - a separate user namespace (user 10) that's isolated from primary (user 0). Useful for:

  • Apps that require work profile (George specifically; see Phase 11).
  • Apps you want isolated from your main data / contacts.
  • Apps you want to "freeze" individually without uninstalling.

Install Shelter from Droidify / F-Droid (net.typeblog.shelter).

Setup#

  1. Open Shelter -> tap Set up profile.
  2. Android prompts: "Set up work profile?" -> tap Set up.
  3. Android creates user 10. Shelter installs itself in the work profile too. You now have two Shelter app instances (one per profile).
  4. The work profile shows up in your launcher as a separate "Work" tab or section (launcher-dependent).
  5. Notifications from work profile apps are tagged with a small briefcase icon.

Day-to-day use#

Open Shelter (primary profile):

  • Main profile apps tab: apps in user 0. Long-press any -> Clone to work profile copies it into user 10.
  • Work profile apps tab: apps in user 10. Long-press -> Freeze to disable without uninstalling, Uninstall to remove from work profile.

To launch a work-profile app, use the launcher's Work tab OR Shelter -> Work profile apps tab -> tap.

Work-profile quirks#

  • HMA refuses to launch from work profile (see Phase 8 note). Install HMA in user 0 only.
  • Aurora Store's Root installer always installs to user 0 (hardcoded - see Phase 9). Apps you want in work profile must be cloned via Shelter OR installed via pm install --user 10 from adb.
  • Each user profile has its own UID per app (e.g. George in user 0 = uid 10515, in user 10 = uid 1010515). APatch SuperUser shows per-profile entries; you toggle umount/root per profile.

Phase 11 - George (Erste) special case#

George (Austrian Erste Bank, package at.erstebank.george) uses Promon Shield commercial RASP and requires the work profile to run on this stack:

  • In user 0: George crashes on launch. Promon's TEETESTSUPPORT keystore probe gets an unexpected response from TEESimulator and Promon calls abort() (htchom.z: 16 SIGABRT).
  • In user 10: same install runs cleanly. Reason for the user-context difference is empirical only - likely SELinux context differences for untrusted_app between primary and work profile.

So you need Shelter (Phase 10) installed first to have a work profile.

Install George into work profile#

Option A - via Shelter (no adb needed):

  1. Install George in user 0 first - via Aurora Store with Root installer enabled (Phase 9).
  2. Open Shelter (primary profile) -> Main profile apps tab -> find George -> long-press -> Clone to work profile.
  3. Open Shelter (or launcher Work tab) -> find George in work profile -> launch to verify.
  4. Once you confirm the work-profile copy works, uninstall the user-0 copy: Settings -> Apps -> George (in user 0) -> Uninstall.

Option B - via adb (one-time):

  1. Download or grab the George APK (Aurora keeps downloaded APKs under /data/data/com.aurora.store/files/Downloads/; copy it to /sdcard/Download/George.apk, which is the path the next command reads).
  2. Install into user 10:
    adb shell 'su -c "pm install --user 10 -i com.android.vending /sdcard/Download/George.apk"'
  3. If George is in user 0 too: adb shell 'su -c "pm uninstall --user 0 at.erstebank.george"'

Configure umount in APatch#

APatch app -> SuperUser tab -> switch context to work profile (or find the user-10 entry for George in the unified list) -> enable Umount modules ON, root permission OFF.

First launch#

Launch George from the launcher's Work tab. First launch takes 10-20 seconds while Promon initializes. Should reach the login screen, accept credentials, work normally.

If it still hits the 1007 device does not meet safety requirements error: walk through the George troubleshooting checklist below.

What works and what does NOT (verified 2026-05-19)#

App                         Where                    Status
Revolut                     user 0                   works
McDonald's                  user 0                   works (Aurora Root installer handles installer-source check)
s Identity (Erste 2FA)      user 0                   works
George (Erste, -google)     user 10 (work profile)   works
George in user 0            n/a                      crashes - don't try
McDonald's in user 10       n/a                      refuses non-primary - don't try

Integrity verdicts you should see (test with a real app, NOT Play Integrity API Checker which is broken on microG):

  • MEETS_BASIC_INTEGRITY (pass)
  • MEETS_DEVICE_INTEGRITY (pass, with live keybox + microG hardware-attestation toggle disabled + matching security patches)
  • MEETS_STRONG_INTEGRITY (pass, same conditions + ro.build.version.security_patch <= 365 days)

Configuration files reference#

For sanity checks or restoring from a backup. All under /data/adb/, require root to read.

Path                                        Content
/data/adb/tricky_store/target.txt           package list with ?/!/bare suffixes
/data/adb/tricky_store/security_patch.txt   system=YYYYMM, boot=YYYY-MM-DD, vendor=YYYY-MM-DD
/data/adb/tricky_store/keybox.xml           hardware keybox (rotated automatically only with tricky-addon-enhanced; otherwise refreshed by hand per Phase 7)
/data/adb/zygisksu/denylist_enforce         must contain 1
/data/adb/ap/package_config                 APatch per-app umount/root state, CSV

Banking app entry in package_config:

<pkg>,1,0,<uid>,0,u:r:untrusted_app:s0

Where 1,0 = umount modules ON, grant root OFF.

Aurora Store (needs root):

com.aurora.store,0,1,<uid>,0,u:r:magisk:s0

Where 0,1 = umount OFF, grant root ON.

You don't need to umount Google Play Services packages (GMS / Vending / GSF) - the hiding stack (NeoZygisk denylist + microG hardware-attestation toggle + TEESimulator) handles those.
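An added consistency check (this guide's own example, not an APatch or Tricky Store tool) that reads target.txt and package_config together and flags the mismatches the sections above warn about: an integrity-checked app with root granted, one whose modules are not unmounted, or a target.txt entry with no package_config row at all (APatch then never umounts modules for it, and the app sees them). It assumes the CSV column order shown above (pkg, umount, grant-root, uid, a fifth column this example calls to_uid, SELinux context) and derives the profile from the uid the way Phase 10 describes; the sample state is constructed, with made-up uids.

```python
# Column layout as the guide shows it: pkg,umount,grant-root,uid,0,sctx. Calling the fifth
# column "to_uid" is this example's assumption; nothing below relies on it.
PACKAGE_CONFIG_COLUMNS = ("pkg", "umount", "allow_root", "uid", "to_uid", "sctx")
PER_USER_RANGE = 100000      # Android: uid = user_id * 100000 + app_id (Phase 10 quirk)


def parse_target_txt(text):
    """Map package -> mode: '?' leaf-patching, '!' generate, '' monitor-only (bare name)."""
    targets = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        mode = line[-1] if line[-1] in "?!" else ""
        targets[line.rstrip("?!")] = mode
    return targets


def parse_package_config(text):
    """Parse package_config rows into dicts keyed by (pkg, user_id); skips malformed lines."""
    rows = {}
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) != len(PACKAGE_CONFIG_COLUMNS) or not parts[3].isdigit():
            continue
        row = dict(zip(PACKAGE_CONFIG_COLUMNS, parts))
        row["uid"] = int(row["uid"])
        row["user_id"] = row["uid"] // PER_USER_RANGE
        rows[(row["pkg"], row["user_id"])] = row
    return rows


def lint(target_txt, package_config, root_apps=()):
    """Return findings as (severity, package, user_id, message). root_apps lists packages
    that legitimately hold root (Aurora Store, Termux...) and are exempt from the umount rules."""
    targets = parse_target_txt(target_txt)
    rows = parse_package_config(package_config)
    findings = []
    for (pkg, user), row in rows.items():
        checked = pkg in targets and pkg not in root_apps
        if checked and row["allow_root"] == "1":
            findings.append(("ERROR", pkg, user, "root granted to an integrity-checked app"))
        if checked and row["umount"] == "0":
            findings.append(("ERROR", pkg, user, "modules not unmounted for an integrity-checked app"))
        if row["allow_root"] == "1" and row["umount"] == "1":
            findings.append(("WARN", pkg, user, "root and umount both set; root callers rarely want modules hidden"))
    configured = {pkg for pkg, _ in rows}
    for pkg, mode in targets.items():
        if pkg not in configured and pkg not in root_apps:
            findings.append(("WARN", pkg, None,
                             f"in target.txt ({mode or 'monitor'} mode) but has no package_config row, so APatch never umounts modules for it"))
    return findings


# Constructed sample state (uids made up, not dumped from a device): George in the work
# profile is correct, Revolut was accidentally granted root, s Identity was never configured.
SAMPLE_TARGET_TXT = "at.erstebank.george?\nat.erstebank.securityapp\ncom.revolut.revolut?\ncom.aurora.store?\n"
SAMPLE_PACKAGE_CONFIG = "\n".join([
    "at.erstebank.george,1,0,1010515,0,u:r:untrusted_app:s0",
    "com.revolut.revolut,1,1,10420,0,u:r:magisk:s0",
    "com.aurora.store,0,1,10380,0,u:r:magisk:s0",
])

if __name__ == "__main__":
    import sys
    # Usage: python3 ap_lint.py target.txt package_config [root-app ...]
    if len(sys.argv) >= 3:
        result = lint(open(sys.argv[1]).read(), open(sys.argv[2]).read(), tuple(sys.argv[3:]))
    else:
        result = lint(SAMPLE_TARGET_TXT, SAMPLE_PACKAGE_CONFIG, root_apps=("com.aurora.store",))
    for severity, pkg, user, msg in result:
        print(f"{severity:5} {pkg} (user {'-' if user is None else user}): {msg}")
```

Pull both files with adb shell 'su -c "cat ..."' and pass the packages you deliberately rooted (Aurora Store, Termux, MMRL...) as the trailing arguments; anything reported as ERROR is an app that will see modules or get root it should not, which is exactly the state that produces "device tampered with" and 1007 errors.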

Troubleshooting#

Revolut shows "device tampered with" before login#

  • NeoZygisk denylist_enforce=1 (Vector notification confirms via "DE" badge).
  • Revolut in target.txt with ? mode.
  • No network proxy module active.

Revolut fails after login UI#

Play Integrity verdict failing. TEESimulator WebUI -> Keybox tab -> status should be green/valid. If not, tap Fetch keybox; when the WebUI fetch fails with the internet-connection error, refresh the keybox from your PC with the recovery procedure in Phase 7.

George 1007 "device does not meet safety requirements"#

In order:

  1. George installed in user 10 (work profile)? If user 0, reinstall to user 10.
  2. microG hardware-attestation toggle OFF (Phase 5)?
  3. Tricky Addon security_patch.txt exactly matches PIF SECURITY_PATCH?
  4. Keybox status green in TEESimulator WebUI?

George crashes immediately on launch#

Installed in user 0 - move to user 10.

McDonald's "must be installed from Google Play"#

Aurora Store wasn't using Root installer when McDonald's was installed. Uninstall, then reinstall via Aurora with Root installer enabled.

McDonald's "can only run from primary workspace"#

You installed it in work profile. Reinstall via Aurora (which installs to user 0).

microG SafetyNet self-check fails#

Google killed the legacy endpoint. Expected, ignore. Apps that matter use Play Integrity API.

Play Integrity API Checker returns -100#

microG quirk with the checker's hardcoded cloudProjectNumber. Not a useful test on microG. Use the actual target app.

Push notifications not working#

microG Settings -> enable Cloud Messaging. If still broken, ensure microG GmsCore is up to date (Phase 4).

Apps crash asking for Google Play Services#

microG Self-Check should pass all items (except SafetyNet). Re-verify Phase 4 microG update.

Maintenance schedule#

  • Weekly: glance at Tricky Addon (or tricky-addon-enhanced) WebUI Keybox tab. If not green, tap Fetch, or refresh from your PC via the Phase 7 recovery procedure when the WebUI fetch fails. With the Enginex0 upgrade, intervention drops to ~once a month.
  • Monthly: let Droidify pull microG updates from the microg.org repo added in Phase 4; fall back to https://github.com/microg/GmsCore/releases (standard .apk variants, not -hw) only if the repo lags.
  • Per-module: MMRL handles update checks for installed modules. Update via MMRL when prompted.
  • Per-app: nothing. Aurora Root installer handles installer-source spoofing automatically for new installs.