
Comment by 3abiton

1 day ago

Not to mention, Play Integrity is being used as some sort of "anti-cheat" by bank apps and other essential services. Even some government apps in the EU, essentially forcing you to be spied on by Google.

The worst part is that you can do all of that functionality with a browser on Linux (or Android), yet using them as Android apps on a device without GApps (even if it's not rooted and has a locked bootloader) is not allowed. Make this make sense.

> Even some government apps in the EU, essentially forcing you to be spied on by google.

The same in India. I can't even use the government weather app and the disaster alerts app without signing in to Google Play.

Seeing that this malpractice (of forcing the users into Google's surveillance net) is widespread among seemingly unrelated agencies like banks and government agencies of several nations, I would really like to know who is peddling this draconian scheme among them.

I want to send some angry rants to the app owners/developers and ask for those malicious peddlers to be permanently banned from further interference in cyber security matters of these institutions.

  • I would not be surprised if Google is sponsoring a lot of this effort targeting young devs, and "teaching about security". They are basically positioning their services as "authenticators" of truth, despite it still being 100% a cat-and-mouse game.

    • That really makes sense though if you think about it. When a company has an annual revenue that would put them around the 43rd largest country by GDP, they could very well begin acting more like a state. States spy and states claim to be the arbiters of truth.

  • Play Integrity and Play Services are two different things.

    Play Integrity is a remote attestation scheme by which apps can ask the OS to prove to a remote server that it is unmodified. It allows apps to refuse to run on devices with root or third-party ROMs.

    Play Services is a set of libraries and APIs for things like network-based location, push notifications, and advertising. Nearly all Android phones include it, and users of third-party ROMs can add it at install time (but not later) with packages like MindTheGapps. There's an open source substitute called MicroG that allows most apps to run without it.

    • > Play Integrity and Play Services are two different things.

      You're right in your elaboration, but I didn't mention which one it is. My primary concern is that it forces me to log in to my play services account, which I haven't agreed to so far.

      > There's an open source substitute called MicroG that allows most apps to run without it.

      It's not for lack of trying, and I probably wouldn't even be complaining if it had worked. Phones are getting harder to root these days, much less install a custom ROM on. Every day feels like the ecosystem is tightening around us.

  • Moto G15 in hand, de-Googled as much as possible right out of the box, no Google accounts or big tech apps, bank through a browser, but there is definitely a lot of outright fraud as to being able to turn off Google apps. It is an arcane procedure to turn off notifications, insisting that nothing will work without "Play Store" installed, though it is clear that going to a Linux phone will become the only way to avoid adversurveillance security and tracking from taking over my device completely. Keep in mind that our techno-fascist elite did provide the "intel" that led to ICE being sent to a particular area code in Minneapolis, where they executed a mild-mannered, cheerful poet, whose last words, somehow knowing, were, "I don't hate you". "Tech" is central to whatever comes next.

    https://calebhearth.com/dont-get-distracted

    • Get a phone that runs GrapheneOS (second-hand Pixel 7 or 8 will do fine). Run apps that do not require it without Google Play Services and run apps that do require Google Play Services with the sandboxed Google Play Services. That will constrain the data that can be collected a lot.

      (Yes, there will still be issues if you use apps that require Google's remote attestation, but at least in Europe, many banks etc. do not require it.)

  • Yeah, India, because a lot of people are having their lives ruined by scammers every day. Get off your fucking high horse; it literally protects users. Before you start judging, do a simple search. It's not one-off cases.

    • The scamming problem is a fault of the government. It's trivial for a national government to make rules forcing banks to become able to reverse wrongful transactions. That'd stop scammers cold. If your government doesn't do this, and instead transfers the responsibility to the client, it's because the government doesn't care for the people.

    • Oh Please! Can't protect the users without forcing them to log on to Google and subject themselves to surveillance? That too even for the weather and the emergency alerts? Give me a break! And stop ruining the discussion with your misguided condescension and nationalist rhetoric.

> The worse part is that, you can do all of those functionality with a browser on linux

This isn't true, actually. Banks and gov entities use those mobile apps as authenticators. They do have a distinct purpose.

  • I do not have a smartphone and have had no problem being a customer of multiple top banks. They strongly _encourage_ you to use apps, but if smartphones are against your unspecified religion, alternative paths always appear.

    • In the EU? For internet banking you need a mobile phone or a dedicated hardware token (something you own), as part of the Strong Customer Authentication (SCA) requirement under the PSD2 regulation: https://ec.europa.eu/newsroom/fisma/items/658958

      I know in some countries (UK, Germany, Switzerland, Austria) they're used to hardware tokens already since they were in use long before PSD2. But I seriously, seriously doubt banks in e.g. Poland specifically implement support for hardware tokens issued to very few annoying customers who refuse to use an app but otherwise want internet banking.


The reason this happens is because big companies get their software pen tested. Part of the pen test report will include something like “accessible from jailbroken devices.”

The pen test results get put into the ticket system as immovable entries. Engineers will question them, only to be shot down by the cyber security department who organized the pen test. The engineers will eventually accept that they cannot convince cyber to drop the issue, and implement the jail break detection.

Why does cyber mandate it? Because no one in a large company wants to accept the risk, even imaginary risk. They want to be able to say, when security is breached, "we did our due diligence. Look at the report, we implemented everything in it."

Why do firms offering penetration testing keep putting junk like this into their reports? Because their automated tools list them out and they’re getting paid to find issues. The more the better.

It’s insane and entirely about passing off risk.

> Even some government apps in the EU

The Dutch ID app got rid of all trackers and such requirements last year, but they didn't go the full length and make an F-Droid repo (or a government store or something).

Google is actively guiding developers to APIs like the Play Integrity API (which requires not only that you register the phone with Google on a Google account, but also an untampered device, outdated or not).

I don't even root my devices; just using something like Lineage already gets you basic integrity at most. Not enough for many banking apps.
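To make concrete what the "remote attestation scheme" described earlier in the thread and the "basic integrity at most" point just above look like from the app owner's side, here is an added example (not code from any commenter, nor from Google) of the server-side policy that sits behind a Play Integrity check once the token has been decoded. The verdict dictionaries are hand-constructed to mirror the shape of a decoded token (`requestDetails` / `appIntegrity` / `deviceIntegrity`); the field names and verdict strings follow the documented format as I remember it and are an assumption to confirm against the current API reference. `com.example.bank` and the certificate digest are placeholders. In production the JSON comes from Google's decode endpoint; nothing here contacts Google.

```python
"""Server-side policy over a decoded Play Integrity verdict (added example).

Assumptions: field names and verdict strings mirror the documented decoded
token format as I recall it; the sample verdicts below are constructed,
not captured from a real device.
"""
import secrets
import time

# Device verdict levels, weakest to strongest. A policy that demands
# MEETS_DEVICE_INTEGRITY rejects a device that only reports
# MEETS_BASIC_INTEGRITY, which is the LineageOS situation the thread describes.
INTEGRITY_RANK = {
    "MEETS_BASIC_INTEGRITY": 1,
    "MEETS_DEVICE_INTEGRITY": 2,
    "MEETS_STRONG_INTEGRITY": 3,
}

PACKAGE = "com.example.bank"  # hypothetical package name
CERT = "placeholder-signing-cert-sha256"  # hypothetical signing-cert digest


def issue_nonce(issued, ttl_s=600, now=None):
    """Mint a per-session nonce; `issued` is the server-side store of nonce -> expiry."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(24)
    issued[nonce] = now + ttl_s
    return nonce


def consume_nonce(issued, nonce, now=None):
    """Single use: a nonce never issued, already used, or expired fails."""
    now = time.time() if now is None else now
    expiry = issued.pop(nonce, None)
    return expiry is not None and now <= expiry


def evaluate(verdict, *, package_name, cert_digests, required_level,
             expected_nonce, issued, now=None):
    """Return (accepted, reason) for one decoded verdict."""
    now = time.time() if now is None else now
    req = verdict.get("requestDetails", {})
    if req.get("requestPackageName") != package_name:
        return False, "package name mismatch"
    # Bind the token to this session: reject replays and tokens minted elsewhere.
    if req.get("nonce") != expected_nonce or not consume_nonce(issued, expected_nonce, now):
        return False, "nonce not bound to a live session (replay or foreign token)"
    ts_ms = int(req.get("timestampMillis", 0))
    if not (now * 1000 - 600_000) <= ts_ms <= (now * 1000 + 60_000):
        return False, "token timestamp outside acceptance window"
    app = verdict.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return False, f"app verdict {app.get('appRecognitionVerdict')!r}"
    if app.get("packageName") != package_name or \
            not set(app.get("certificateSha256Digest", [])) & set(cert_digests):
        return False, "app package/signing certificate mismatch"
    found = verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    level = max((INTEGRITY_RANK.get(v, 0) for v in found), default=0)
    if level < INTEGRITY_RANK[required_level]:
        return False, f"device verdict {found or ['(none)']} below required {required_level}"
    return True, "ok"


def sample_verdict(nonce, device_verdicts, now):
    """Constructed verdict mimicking a decoded token for PACKAGE."""
    return {
        "requestDetails": {"requestPackageName": PACKAGE, "nonce": nonce,
                           "timestampMillis": str(int(now * 1000))},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": PACKAGE,
                         "certificateSha256Digest": [CERT], "versionCode": "42"},
        "deviceIntegrity": {"deviceRecognitionVerdict": device_verdicts},
        "accountDetails": {"appLicensingVerdict": "LICENSED"},
    }


def demo(required_level="MEETS_DEVICE_INTEGRITY"):
    """Run the policy over three constructed devices plus a replay; returns {name: (ok, reason)}."""
    now = 1_700_000_000.0
    issued = {}
    devices = {
        "stock_pixel": ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"],
        "lineage": ["MEETS_BASIC_INTEGRITY"],   # what the comment above reports
        "rooted": [],                            # no verdict at all
    }
    common = dict(package_name=PACKAGE, cert_digests=[CERT],
                  required_level=required_level, issued=issued, now=now)
    results = {}
    for name, dv in devices.items():
        nonce = issue_nonce(issued, now=now)
        results[name] = evaluate(sample_verdict(nonce, dv, now), expected_nonce=nonce, **common)
    # Replay: the same stock-device token presented a second time with its nonce.
    nonce = issue_nonce(issued, now=now)
    token = sample_verdict(nonce, devices["stock_pixel"], now)
    evaluate(token, expected_nonce=nonce, **common)
    results["replayed_stock"] = evaluate(token, expected_nonce=nonce, **common)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16s} {'ACCEPT' if ok else 'REJECT':6s} {reason}")
```

The point for the thread: the device verdict is a list, and the bank chooses the threshold. Calling `demo("MEETS_BASIC_INTEGRITY")` admits the Lineage device; the default `MEETS_DEVICE_INTEGRITY` threshold, which is what most banking apps pick, does not. The nonce and timestamp checks are the part that makes it attestation rather than a client-side flag; without them a captured verdict from any stock phone could be replayed from a rooted one.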