This is where the magic of Magisk truly shines. In the past, simply having a "Root Granter" installed on your system (like a SuperSU APK in /system/app) would trip Google's SafetyNet. Why? Because it was an obvious modification.
The Magisk Root Granter operates on the principle of DenyList and Zygisk.
Here is the critical nuance: The DenyList is not a "hide root" feature. It is a "do not grant root to these apps" feature. To truly hide the existence of the Root Granter from banking apps, you need to enable Enforce DenyList and add the banking app to the list. The Granter will then automatically revoke any suspicion and conceal the fact that the su binary even exists for that specific app.
Strictly speaking, the "Magisk Root Granter" isn't a separate application you download. It is the core permission management system built directly into the Magisk application (usually just called the Magisk app or "Magisk Manager").
In older rooting methods (like SuperSU or ClockworkMod), the root granter was a standalone APK that would pop up a dialog box asking "Allow?" whenever an app requested root. Magisk integrates this function natively into its own interface. magisk root granter
Here is the technical breakdown: When a rooted app (like Titanium Backup, AdAway, or a build.prop editor) requests superuser access, the Linux kernel sends a request up the chain. Magisk’s daemon (magiskd) intercepts this request. The "Granter" is the UI component that asks you for a decision and then records that decision for future use.
Magisk does not modify the actual /system partition. Instead, it creates a mirror or overlay. It adds files to the boot partition and creates a virtual folder (/sbin/.magisk/mirror/system) that looks like a modified system to apps, but the real system remains untouched.
This is a semi-automated state. Every time the app launches and requests root, the dialog box will reappear. This is excellent for debugging or for scripts that run infrequently.
Pro Tip: Check the "Auto-allow" box only if you are 100% certain of the app's source. Once granted, the Magisk Root Granter will create a persistent rule. This is where the magic of Magisk truly shines
This is the most critical step. You need the boot.img file that matches your phone's current software build.
Method A: If you have the Stock Firmware file (ZIP or IMG)
Method B: If you have a Custom Recovery (TWRP)
(Method A is recommended for modern devices running Android 10+ as it supports "Systemless Root" more reliably). Here is the critical nuance: The DenyList is
Superuser (Middle Tab):
Modules (Right Tab):
Settings (Gear Icon):