Comment by ordainedclicks
4 days ago
One of the only big downsides I've noticed with GrapheneOS is that several banking apps don't work with it at all thanks to being tied to Google's verification ecosystem.
Luckily I have hardware 2FA keys from my bank so I can authenticate using that. It also slightly decreases the suck-factor from whenever the phone decides to fly off down a drain. This may not be the case for you, so do your research on what you need for daily living.
I contacted my bank, insisting that GrapheneOS is one of the most secure OS on the market and therefore should be supported if they actually care about users' security (it's actually far more secure than all the old, far less secure but Google-approved devices out there). They acknowledged and fixed their app, one of the most popular in France.
Still missing Android Pay but that's due to Android Pay being closed. I wish banks would do something and support NFC payment systems that don't require the device to be controlled by Google (how can we be okay with this?!)
German bank Comdirect / Commerzbank did this as well, whitelisting GrapheneOS signing keys for their 2FA app. https://github.com/PrivSec-dev/banking-apps-compat-report/is...
> I wish banks would do something and support NFC payment systems that don't require the device to be controlled by Google
There are countries where it's possible to pay everywhere with the banking app scanning a QR code. No need for NFC :-).
The point of NFC-on-a-phone is that you don't need the damn banking apps and internet and retailer support for all that to validate a simple transaction. My credit card has NFC, no internet and no app, and it's universal.
I use QR-based payments regularly where I live, and in my home country I use NFC payments (watch/phone/card) essentially always, when we visit.
NFC is by far more convenient and reliable.
I’m interested, which French bank is this?
Play Integrity and APIs like it aren't about security, they are about anti-fraud/anti-scam.
"Banking Applications Compatibility with GrapheneOS" https://privsec.dev/posts/android/banking-applications-compa...
Of course that is highly dependent on the bank used, but so far none of my banking apps didn't work!
If you are using a rather popular banking app, chances are high that it has been discussed in the GrapheneOS forum.
Anyway, with Google Play Services installed, mine have worked out of the box.
What about the small matter of having to purchase a Google phone in the first place?
Most anti-Google move: buy a second-hand Pixel, they receive no revenue on the device which is (assumed) already highly subsidized by Google so that they can profit off users' data, then you use their subsidized hardware without running their spyware OS. Google only loses money in this scenario, it is a great protest.
Have you seen those prices? I don't think the devices need subsidising at all. How else could competitors, who aren't selling off your data, offer it for cheaper?
I see it as a necessity, because the Google phone is the only one worth it if you care about security.
The problem is not GrapheneOS, but rather that phone manufacturers other than Google don't care. Now if there were millions of GrapheneOS users, it would start becoming interesting for other phone manufacturers to care.
My point being that I buy Pixel in order to give more weight to GrapheneOS, in the hope that other manufacturers will eventually realise that.
Google makes high quality hardware and untrustworthy software. Graphene's approach is to take the hardware and leave the software.
Besides the already mentioned point of getting one refurbished, Pixels tend to get really cheap towards the end of the yearly cycle. At that point, they were mostly going to make money from you using their ecosystem and then you are sticking it to them by installing GrapheneOS :p (probably they don't care).
E.g. a new Pixel 9a is currently 369 Euro in The Netherlands and 367 Euro in Germany. The Pixel 10a will be released soon, but the 9a will run GrapheneOS just fine (same SoC except modem as the vanilla 9).
Yup, also Google Pay doesn't work, though there are other providers which work fine (Curve Pay I think works in all of EU), but it just made me carry my wallet everywhere and I understood I don't mind that at all.
Since all of the comments are about NFC payments, this should be higher. Can confirm Curve Pay works (Pixel 9a) at least with one Greek bank and Revolut. Not affiliated in any way with them and don't know this service is actually works just Yeah I'm amazed too.
I still have my Apple Watch configured, so I'm just doing the NFC payments with that :).
Author is installing Google Play Services it seems, wouldn't that work around this?
In any case, for me this also sort of defeats the purpose: I'd rather break free from Google and Apple, not just (stock) Android and iOS.
No, because most banking apps call upon the Google Play Integrity API, which GrapheneOS doesn't (or can't?) use. There's a decent list kicking around of which ones work (Monzo, for instance).
https://privsec.dev/posts/android/banking-applications-compa...
It's more common in banking apps than in other apps to implement Play Integrity but it's certainly not "most banks" that do it. It's still only a small subset. Sucks of course if it's your bank.
> this also sort of defeats the purpose
Not really. On GrapheneOS, the Play Services/Play Store run as sandboxed apps, i.e. they are not system apps like on Android. They just run like a normal, unprivileged app. That's a lot better than on Android.
> I'd rather break free from Google and Apple, not just (stock) Android and iOS
If you want to break free, you don't have to install the Play Services / Play Store on GrapheneOS, just like you don't have to install microG on LineageOS. There is a misconception that microG is better than sandboxed Play, but I disagree. With microG, your apps still connect to the Google servers, so you're not "breaking free".
> With microG, your apps still connect to the Google servers, so you're not "breaking free".
Moreover, some OSes (e.g. /e/OS) give certain Google apps higher privileges than other apps even with microG, install Android Auto and it's still game over. GrapheneOS does not have this issue because as you say, Google apps/services get sandboxed.
Obligatory link: https://eylenburg.github.io/android_comparison.htm
Does anyone know if HSBC's UK app works on it? I've seen inconsistent reports that it does and doesn't.
Edit: ignore this - there's a list elsewhere in this thread!
yep - tried GrapheneOS for the first time today and my banking app detected that the phone was jailbroken.
Did you relock the bootloader and disable OEM unlocking as part of the GrapheneOS onboarding?