Comment by bigstrat2003
4 months ago
Ultimately, I don't think the most important challenge is in binary firmware blobs, but the software which people depend upon to run their lives. What does it matter if you can run a completely free software stack on your phone, if your bank software (or your required government ID, as is looking depressingly likely) requires you to run a Big Tech approved phone OS? Perhaps the FSF can't do much about that, but that is where I feel they could truly make the biggest difference for freedom for the average user.
I think this is the right place to start.
A free OS will empower developers to implement technical workarounds that could trick these apps into working there. If the OS is tightly controlled, we have no recourse.
Even in the worst case scenario, we could use a cheap big-tech-approved phone for these applications (a glorified digital token) and use the free phone for everything else. When there's enough adoption and trust in the new phone, non-technical avenues are available to influence these organizations to accept the alternative.
I've kinda migrated to the worst-case scenario already and it's really not that bad - for my use case.
I have an old phone (actually running LineageOS rather than stock) that works as you perfectly describe as a glorified digital token. This device doesn't come with me. There's no banking I need to do, on a day-to-day basis, requiring said token, that has to be done right now or the world will end. It can wait until I get home (and I usually use the bank's web interface from a desktop). This device has minimal other apps installed, which limits bank app accessibility of other app data, and other app accessibility of bank data.
Then my GrapheneOS daily driver serves my day-to-day needs with minimal data leakage, tracking, ads, other general paranoia-inducing modern-life shit.
I pay for things on a day-to-day basis with a physical debit card due to an existing habit of not wanting to depending on a single device for "all the things", so GrapeheneOS wasn't a downgrade, but it should be noted to others that whilst Google Wallet can run on GrapheneOS, NFC payments through the Google Wallet will not work due to Full SafetyNet requirements that GrapheneOS can not pass. Non-NFC items such as tickets and boarding passes have been reported to work (and I'm pretty sure I've used it for that, although Google Wallet is no longer installed on my device).
I see a trend of banks pushing people off of their websites onto the mobile app.
1 reply →
It sounds utopian except you still have to pay for a cell plan on said device, no? How else to obtain a phone number for MFA?
4 replies →
To me that sounds like sacrificing living for a principle and missing the point.
2 replies →
Having a separate phone as a "glorified digital token" is probably within the top 3 things you want to do anyway if you are serious about digital security.
See the recent discussion about pixnapping: https://en.wikipedia.org/wiki/SIM_swap_scam) from breaking your SMS verification.
> A free OS will empower developers to implement technical workarounds that could trick these apps into working there.
Not if they require something like hardware-backed remote attestation, and only accept such attestation from Google or Apple.
I'd love a practical Linux phone, and being able to run a deblobbed close-to-mainline kernel on a new-ish phone would help with that, but that doesn't really solve the most user-facing problem of mobile phones, the ecosystem lockdown.
And FSF has a history of creating important OS level software.
Like they have been doing for Desktop Linux?
And I feel like it undermines any effort to make free, featureful applications if the hardware itself can't be trusted.
You can trust hardware and software that's easy to inspect.
If you can't be sure what's going on and unable to inspect or debug the hardware and software, how can you trust it's doing what you want?
Proprietary hardware and software is already known to work against the interests of the user. Not knowing exactly what's going on is being taken advantage of at large scale.
Let's put it this way: if you can choose between making your own lasagna with a good recipe vs ready-made microwave lasagna. What would you choose? How about your suit? And would you trust an open known to work well pacemaker vs the latest Motorola or Samsung pacemaker? Would you rather verify the device independently or pay up for an SLA?
13 replies →
Trusted to do what? Work against user's interests? Prevent user from even expressing their interests?
Should the app builder’s ability to “trust” that the hardware will protect them from the user supersede the user’s ability to be able to trust that the hardware will protect them from the app?
In other words, should the device be responsible to enforcing DRM (and more) against its owner?
There is one solution to this problem that many people reading this message can contribute to:
Make sure your app has a progressive web app version that has feature parity with the store apps. That way, the app will work on phones like the librephone, and, if Apple or Google decide to kick you off the store, you and your users have some recourse. As a bonus, it’s compatible with open source — users can modify the app and install it without jailbreaks, root or (for now) sideloading.
React Native supports this (and can mostly be bundled with electron for mac/win/linux support).
Are there other stacks people can recommend?
You are mixed up 3 different tech stacks: 1. React Native has nothing in common with web apps except JS runtime. It uses "native" widgets for Android and iOS. You need to add a new "native" runtime for your free OS. There are some third-party attempts to add mac/win/linux support, but they are not feature complete as officially supported platforms. Again, your free OS will be step behind. 2. Yes, you can write PWA with React (Web), but PWA still have many missing features which offered by platform APIs of Android and iOS. Your app will not be in "feature parity" with "native" app. Especially banking app. 3. Electron apps are integrated with desktop platform APIs, you cannot easily port Electron app to mobile. Every time big company with big investments wins.
What does a banking app need that a PWA can not provide?
2 replies →
I have a react native app, and can compile it to pwa mode. It runs well in a browser.
99% of the code runs fine in electron to. Index.tsx is the main exception.
I’m not saying you can automatically run software for one of these targets across all three. I’m saying it’s straightforward to write portable software that works on all of them.
Also, I can’t think of any apps I use that require any platform-specific APIs at this point. Even if they did, the phone I want would be able to surface those APIs to pwas.
This won't help if Google/Apple/Microsoft roll out integrity checks for browsers, something which they have already suggested they want to do.
It won't just be them. I foresee Cloudflare and other CDNs offering a free checkbox: [] Require age of majority verified user
And it will in turn depend on Secure Attestation, Web Credentials, and other recent W3C work to provide proof that you're the registered owner, age of majority and verified by thumbprint or other biometrics, running an unmodified device. Your ID might be escrowed with your OS vendor, email provider, bank, ISP, or even Twitter/X, who knows. Either way, as an end user you'll be mollified that you don't have to provide your ID to the adult site, and the adult site will be happy that they don't have to implement any of this themselves.
And, of course, this will mean that an intelligence service could have ironclad proof of exactly what person visits what website, effectively killing a lot of online anonymity.
4 replies →
It's something they've already done, they just aren't being public about it yet. Look up the X-Browser-Validation header.
...and packaging my app as a PWA is going to help with cantankerous bank/ditigal-id apps, how, exactly?
Momentum.
It becomes much harder to force attestation on people if there's a significant user base that runs alternative operating systems.
I agree, but unfortunately I think the chances of that are just about zero. The reality is that the vast, vast majority of people don't care about software freedom. They care about the flashy marketing features in the newest iPhone (and competitors). I wish it were otherwise, but alas. Heck, you can't even get people to care about their physical freedom most of the time, let alone their digital life. It's hard to see this effort taking off as a result.
Do you really NEED to be forced to attest if you can make your phone look like any damn PC using a browser?
These days browsers are becoming increasingly distrusted. My bank logs my browser out after 30 minutes inactivity and then to log back in I have to confirm the login on my phone.
13 replies →
I can’t tap my PC to buy a burrito at Chipotle.
15 replies →
My bank doesn't let me do anything in the browser without 2FA, and the only 2FA they offer is their smartphone app.
My other bank offers 2FA via chip reader as an alternative. I guess that's somewhat viable for an alternative phone OS, if you want to carry the reader around with you
That might just be European banks though
1 reply →
My bank is migrating online banking to an app-only platform. I could see attestation following very shortly afterwards.
Some banks require app confirmation for PC-initiated transactions, using play integrity requiring apps. Cause security, you know.
26 replies →
Websites are starting to make use of passkeys and TPM stuff on the device for workflows where money is involved.
Indeed, binary blobs are not much of a problem; it's anti-user "security" that has to be attacked. Otherwise we'll end up with user-hostile systems that we can see the source code of but can't modify, in contrast to systems that we can't see the source code of but can modify. The Windows modding scene of the late 90s/early 2000s is a good example of the latter (and I've joked that every power user was a novice reverse-engineer), while Android is turning out to be a good example of the former.
Stallman had a good idea for free (as in freedom) software, but then "missed the forest for the trees" by focusing on the source code.
>Stallman had a good idea for free (as in freedom) software, but then "missed the forest for the trees" by focusing on the source code.
RMS is afraid of trees!
https://news.ycombinator.com/item?id=28419139
> What does it matter if you can run a completely free software stack on your phone, if your bank software (or your required government ID, as is looking depressingly likely) requires you to run a Big Tech approved phone OS?
What does it matter if you can use any OS you want if your phone is filled with SoCs which are bugged and backdoored by the state and/or who knows who else? The reality is that we need both free hardware and free software. I can always tell my bank to fuck off and move my accounts to one that gives me freedom to use the mobile OS of my choosing, and if there isn't a single bank on earth willing to do that I can always simply refuse to use my cell phone for banking.
I'd much rather keep the phone I control and trust while limiting myself to only having the options of a desktop PC, a laptop, an ATM, a phone call, a drive thru, and walking into my bank's closest branch when interacting with my bank. Not being able to also stab my finger at a cell phone screen to check my balance isn't really that big of a deal.
Safe hardware is super difficult
The only project I know of that really actively addressing the end to end problem is Bunnie Huang's precursor.
Work seems to be going on low-key: https://github.com/betrusted-io/xous-core
> What does it matter if you can use any OS you want if your phone is filled with SoCs which are bugged and backdoored by the state and/or who knows who else?
Perhaps. But how does this effort from the FSF do anything to solve that? They are (as far as I can tell) producing firmware, not hardware. If the hardware manufacturers are working with the government or whomever to spy on you, they will just not use the FSF firmware in that case.
Well you're partially right. After all, the "big tech approved phone OS" is actually Linux, so just having a free OS isn't enough to prevent it from being co-opted and turned into a locked-down platform.
But the partially wrong part is, we can make our own platform. PCs let you install and run any software you want, because it's an open platform. If we make an open platform smartphone that can compete on features with the closed behemoths, and that then becomes popular enough, then banks may offer apps on that.
But this is tricky too. Linux already has issues getting official support from corporations. We'd need our open platform to be compatible with the closed ones, so that it's easy for banks to run their apps on our open platform. There are already ways around this, like virtual machines to run Android, or other methods. But the closed behemoths may try and end-run around this, like DRM. So we'll still need to advocate for our rights and compatibility.
> so just having a free OS isn't enough to prevent it
They have a free kernel not a free OS. Them not having a free OS is precisely what is the issue here.
Get a big tech second phone. Cheapest available. Just perform the needed tasks and use your Libre phone for everything else.
Does anyone remember having a copy of internet explorer that the bank required (or chrome these days) but using firefox for everything else? Apply that concept to a phone.
For people without a viable alternative such as transferring their funds to a bank that does not require Google/Apple certified devices, this seems to be the way. The second phone does not even need to have a SIM card in it, except perhaps during set up. That phone does not leave home and is ideally be powered off with its battery removed when not in use. Everything else can be done on a free device, ideally using FOSS apps. Ideally again, this means no Facebook, no Whatsapp, no IoT crapware.
Luckily, here in the U.S. this is still possible. I run Graphene on a Pixel without Play Store compatibility layer and everything just works. Most of my apps come from F-Droid, with the notable exception of Whatsapp, for which a standalone APK is available. Unfortunately, it is proving difficult to get rid of Whatsapp entirely because of friends and family.
Yup. Right now that's something running graphene for me. I'd prefer full linux but the other options don't seem viable yet to me. When I tried the pine phone a few years ago its battery life was in the 3-5 hours range if I used the phone which is not sufficient.
Some banking apps require relatively new OS, so if you have an old phone with e.g. Android 8 and you can't upgrade (Android 9 removes certain important features), you are out of luck.
But then I would need to constantly charge two phones and keep two phones in my pocket all the time because I never know when I would need to do those things on the go.
I recently added a second phone for secure comms (Graphene). The biggest hassle turned out to be moving data between them. For that I settled on running my own Matrix server.
You check your banking apps multiple times each day with the frequency and unpredictability expected from messaging apps?
If not that frequently or unpredictably then you could just plan to use your laptop for banking some time during the day.
1 reply →
I hope all the things you mention never become mandatory some day because I currently use my phone for voice and text only. Sooner than later I plan to get rid of my phone all together. I'm gonna surprise the phone company and get a land line. That means any online service that uses SMS/text to verify me will fail.
If you're being serious, you're in for a rude awakening. POTS lines are dead and being replaced with VOIP and VoIP to pots modems on the premise. lots of cities have already started to grub the copper out and replaced it a long time ago with fiber.
I get what you are saying but POTS in my location is still copper. I know because I dug it up when putting in a cattle guard. I will have to splice it back together and run it somewhere other than under my driveway which I had paved. 811 marked it as disco/not-in-use. The telco accidentally leaked their plans to run fiber everywhere so I might wait for them to do that. If it ends up being VoIP then maybe I would still have SMS capability for poor mans 2FA? Maybe the competition will drive the cost of my existing fiber down. To userbinator's point the end result will be no more options to install applications. It would just be a phone. I would be back to good old fashioned NSA voice monitoring.
Changing the implementation but not the interface is exactly the point. It doesn't matter how it's delivered; it's just a phone line for voice calls.
Most importantly is to continue supporting web browser access and open web protocols. Then anyone with a web browser and device can use all the apps.
Exactly. A simple phone that runs a browser I can trust that's also capable of running web-based apps is all I need. I already avoid running apps on my iphone whenever possible.
The phone I really want is as uncomplicated and open as possible and beholden to no corporate economic interests or privacy invasions.
Now that I'm retired I'm looking for a project to immerse myself in. This sounds like just the ticket.
It depends on what definition of "uncomplicated" you'll assume, but that's pretty much how I perceive my Librem 5. It's fairly inspectable and relatively easy to understand as a computing device - no weird stuff like hundreds of disk partitions that you can't touch without risking bricking the phone like on Qualcomm devices, but a fairly regular GNU/Linux installation with well-defined boundaries on what's open and what's not - and it runs web apps pretty well. I have things like my bank, public transit planner, ride-hailing, webmail, RSS reader, Matrix client, package delivery status, even Facebook & Messenger for the handful of people that can still be only reached there - all "installed" as web apps using Epiphany (aka GNOME Web). Some of them required a bit of fiddling to discover which user-agent leads to a usable experience, but the results have been pretty good so far. In case I really need to run some Android app for some reason, I can boot Waydroid up and launch it there, though I use it very rarely. No corporate economic interests, no privacy invasions, no invasive notifications or ads, it simply works the way I want it to work. I just have to be careful with battery usage, but it's manageable :)
Actually "open" is a misnomer, maybe it was a decade ago but it's clear that Big G has an effective monopoly over browser(s), the web "standards", and is gradually making them more user-hostile.
It's still significantly more open than any other platform. Believe it or not, Mozilla is not asleep at the wheel, and neither is Apple.
6 replies →
Yeah... Corporations and governments are starting to push remote attestation. There'll be little point to a free computer if it gets us denied service everywhere. At this point we're gonna end up marginalized, like second class citizens of society.
> There'll be little point to a free computer if it gets us denied service everywhere. At this point we're gonna end up marginalized, like second class citizens of society.
Given the apparent trajectory of the corporate/government model of organizing society, it seems like they're going to be the ones that will be second-class citizens.
The mere fact such phone exist could be enough argument for pushing back, for ex. hurtful legislations.
People tend to see current world as carved in stone, like it is not going to change. It is, still not easy but, much easier to ask government not to mandate Windows/MacOS only program for essential task, because of couple of users of other systems, rather than asking to imagine that in future there might be other systems.
Funny that bank software needs approved phone, but runs absolutely fine in the browser. That to me sounds like collusion - something that regulators should look at. There is absolutely no need for banking app to require "legitimate" Android or other operating system.
Increasingly, browser-based online banking requires authentication with a proprietary smartphone app, where it used to accept other forms of 2FA
As terrible as proprietary app 2fa is, it still beats the tar out of SMS or email 2fa, security-wise. I don't get why my bank, who used to be pretty cutting edge, never implemented TOTP or passkeys...
Use the website. I’ve never seen a bank where a mobile app is the only option for remote access. If my bank did that, I’d switch banks.
UBS bank mandates their "Secure Access" app as second factor even when logging in from a desktop. They used to allow the smart card reader for existing customers that had it as a work around for a few years but they disabled that.
Also many websites are making it remarkably hard to not use the app if they even remotely sense you're not on an actual PC. FB and LinkedIn aren't banks but prime examples.
Then don't be a sheep and don't use Facebook or LinkedIn. They are notorious mass surveillance networks.
Good reason to stop using that bank.
I like my credit union.
Oh, and of course the stock app will refuse to run on rooted (or sometimes even just not widely used) phones.
To be clear I'm not saying that alternatives don't exist now. But it's a worrying trend that big businesses, and even governments in some cases, are moving away from such alternatives being available. Look for example at the proposed age verification scheme in the EU, where they don't plan to make a version you can use on a desktop (and even for mobile devices require you use a vendor-attested device). Sure, right now it's just for looking at porn. But it seems to me that once that settles, it won't be long (a decade or two) before you start to see government IDs require a similar mobile app. That's the kind of thing I fear happening soon.
Monzo bank in the UK doesn't have a web access (apart from very basic page where you can block your card and do nothing else, not even see your balance). They also retired support for older Android phones, so if you happen to use it on an old phone, you are out of banking. I, for security, refuse to install bank apps on my phone that I carry, but I have them on a separate phone that I have in safe place.
They more and more force you into 2FA through banking app
Every bank i’ve used (2, so ymmv) allowed 2fa using a totp app, they just don’t make that choice obvious you have to dig around in the settings
1 reply →
I'm starting to see banks retire their web sites and push the app. It's likely that in 5 years most banks will only offer apps.
In SE Asia, most banks I've used no longer offer any services other than through their app.
What about WhatsApp?
2 replies →
This was a problem during the early 2000s when Windows and Internet Explorer were utterly dominant. Some banks, government services, and other essential websites used ActiveX controls, preventing access by non-Windows users. I remember during my senior year of high school being unable to fill out a college financial aid application circa late 2004 or early 2005 on my PC running FreeBSD and Firefox; I needed to use Windows and Internet Explorer.
I remember the stagnation of Internet Explorer combined with increased awareness of security exploits in Windows and Internet Explorer led to the rise of Mozilla Firefox and (to a lesser extent) increased marketshare for the Mac. This, combined with the arrival of smartphones around 2007, put pressure on organizations to make their Web sites accessible to a wider range of browsers instead of just IE.
Perhaps if we had a critical mass of people using phones with FOSS software, this would be enough for banks and other organizations to consider people who don’t use Apple/Google products.
The challenge, though, is getting that critical mass. Firefox benefitted from Microsoft’s fumbles in the 2000s. It’s going to be hard for a FOSS project to compete head-on against Apple and Google.
I agree that FSF and similar groups should be focusing efforts on influencing government policy at least as much as on software. The problem is that in practice, you’ll get a bunch of people who are erstwhile free software supporters, shouting back that the FSF should “stay n their lane” and stay out of politics (missing the point that in life, everything is politics).
Why would the FSF be working on a problem that has absolutely no technical element? What exactly do you want them to tell your bank and your government? Why exactly can't you tell your bank and your government that?
> that is where I feel they could truly make the biggest difference for freedom for the average user.
By doing what exactly? Telling your government to change their ID policies? You seem to be complaining at your health food store about the nutrition of McDonald's food, because most people eat at McDonald's and that's where they would make the most difference.
you have to start somewhere, and with Goggle closing Android to non-approved apps this seems like the right move.
Historically we have seen bumps in Linux usage because of cross-platform support. Either officially or unofficially. So I agree that focusing on making that transition more seamless will be of more benefit than telling people they need to use something different or suck it up. There is a reason rooting and making banking and other high security apps functional has been pretty popular.
i think the best solution to this would be some sort of docker-project for people to remotely access a device hooked up to a raspberry pi or something at home via adb via https://github.com/Genymobile/scrcpy as "natively" as possible.
I agree, and I've done similar to this for mobile banking successfully. This is the way :)
However, I expect at some point they'll insist on biometric authentication.
That'd exclude people who can't use the biometrics. But one bank (Revolut) told me that they're dropping customers who don't have a passport or driving license in the UK, for KYC reasons that they said they were required to follow, despite there being a large number of people without either.
So I expect banks to have no problem excluding <x% of people in a discriminatory way, if they can find an excuse, eventually.
In an emergency, can't you call your bank over the phone? Do you depend on it still if you have a Computer?
No, with some banks you can't.
I tried calling Starling Bank in the UK when my phone screen stopped working. I assumed they would have basic phone banking service.
They told me no. The only service they could provide over the phone was registering a new device to resume access to bank services via their mobile app.
Although they have a web banking service, which can he used on a desktop, that requires authentication via the mobile app too. It's not TOTP, it's their own thing.
As I needed to make a transaction, I had no choice but to buy a new phone in a hurry.to do it.
Several people suggest switching banks and credit card services, but I've found that not so easy. I have accounts with several banks (some for business), and 3 of them require use of their mobile app. Most credit card services I use also require use of their app. Some have websites that hand you over to the app at some point in the flow.
> What does it matter if you can run a completely free software stack on your phone, if your bank software (or your required government ID, as is looking depressingly likely) requires you to run a Big Tech approved phone OS?
Log in to your bank over the internet, the normal way.
You can replace the banking system. Replacing the banking system does nothing if a single tech company can brick the phones of people using the replacement, or block it from launching.
If the government needs me to get a side phone for ID, I'll cross that bridge. For everyday use, I'm fine with having a "rogue" phone as my primary.
The next step will be for them to prevent you connecting to the cellular network.
Just tether through your shit phone
seconding this. more compatible with day-to-day life/apps means more adoption which I believe is a snowball effect.,
In that case, I will own a surveillance phone JUST for the government ID app, and put that into airplane mode almost all the time, except for the few times per month where I need that shitty app.
The rest of the time, I will use a free phone.
All the apps that I will not be able to use any more? Doesn't matter. I am now old and grumpy enough to realise that phones are utterly evil and actually useless. Give me a camera, Google Maps (or better a non-Google alternative), Signal and a browser, and I don't need anything else.
Banking might be the wrong example to choose from here since we discovered with cryptos how to handle money without governments
Banks and national id apps already work on GrapheneOS. Sometimes you just need to msg devs and ask them to use a different OS attestation method - see link 1. This battle is won already.
1.: https://grapheneos.org/articles/attestation-compatibility-gu...
Sorry, but no. Device attestation is another mechanism to track and ultimately exercise control over the user. It fundamentally goes against the freedom of choice. You want me to authenticate with multiple factors? Cool.. let me tell you which method I'm already using on all my other accounts and then tell me how to register that with your service. You want to "measure" my device? Okay, I'll take my business elsewhere..