Comment by bergheim

Because a phone running an unknown OS is significantly more dangerous than a phone that hasn't received security updates for years. For example, a malicious OS maker could add their own certificate to the root store, essentially allowing them to MitM all the traffic you send to the bank.

Liability works on the principle that "if it's good enough for Google, it's good enough for me." A bank cannot realistically vet every vendor, so they rely on the OS maker to do the heavy lifting.

Even if they wanted to trust a third-party OS, they would need to review them on a case-by-case basis. A hobbyist OS compiled by a random volunteer would almost certainly be rejected.

> If they're worried about liability, why not check the security patch level and refuse to run on phones that aren't up to date?

Google doesn't provide an API or data set to figure out what the current security patch level is for any particular device. Officially, OEMs can now be 4 months out-of-date, and user updates lag behind that.

Your guess is good, but misses the point. Banks are worried about a couple things with mobile clients: credential stealing and application spoofing. As a consequence, the banks want to ensure that the thing connecting to their client API is an unmodified first-party application. The only way to accomplish this with any sort of confidence is to use hardware attestation, which requires a secure chain-of-trust from the hardware TEE/TPM, to the bootloader, to the system OS, and finally to your application.

So you need a way for security people working for banks to feel confident that it's the bank's code which is operating on the user's behalf to do things like transfer money. They care less about exploits for unsupported devices, and it's inconvenient to users if they can't make payments from their five-year-old device.

And this is why Web Environment Integrity and friends should never be allowed to exist, because Android is the perfect cautionary tale of what banks will do with trusted-computing features: which is, the laziest possible thing that technically works, and keeps their support phone lines open.

It's more frustrating because my partner's pixel 4A cannot use google pay or the bank apps because it is an invalid os - I am guessing due to lack of updates? So, perfectly fine hardware, but crippled in functionality due to the lack of software updates.

at best it's "cover your ass security" so when you do get pwned you can say you went through an "accrediting auditor" - blah blah blah.

Agreed on everything you said. Just wish there was a more efficient way to do things :/

[dead]

That’s why for most transactions I do with a credit card in my country, you need an extra validation with the mobile app. It is mostly American websites that do not enable this functionality.

I always ask them if they have root/admin on their computer. Then follow up playing dumb with "shouldn't we lock out PCs too?". Watching them stammer is worth the 30 second aside.

Start by calling (or visiting the area office of) your senator and congressman. If you are reasonably articulate, they engage and listen. Doesn't matter if the listener is not a techie; they will ask questions around policy and why it affects constituents.

This is 1000x more useful than online petitions or other passive stuff. Politicians know that one person to have taken the effort to do this, means 1000 others are feeling the same thing but are quiet.

Moreso, the project advises against rooting your phone and tells you that if you install GrapheneOS and root it that you aren't running GrapheneOS anymore.

No it's not, but it's bundled in the same basket. "Didn't pass DEVICE_INTEGRITY -> rooted"

Unfortunately, root detection is greatly flawed, most of the time.

Your password must be between 8 and 12 characters, and must have lowercase, uppercase, numbers, and punctuation.

Pick up the can!

  > This should be illegal that the government forces people into apps controlled by private, commercial entities. I call such a government corrupt.

Or how about schools requiring parents to use WhatsApp to receive updates and information? Luckily my ex forwards to me the important stuff, but not everyone is as lucky to have an ex like mine ))

Especially in Europe! They shouldn't be forcing you to run an OS from an American company.

I switched bank in the UK due to enforced app use, from Starling to Nationwide. They use a card reader to issue codes, so I can still use the web. I see this as a much of a must-have as physical bank branches with real cashier services.

The DSA European digital wallet spec currently requires Google or Apple attestation, so not for much longer.

And that is mandated by the EU.

My bank still supports TAN codes with a device too. Unfortunately, once it breaks or the battery goes dead you cannot get a new one and have to use their app. Fortunately, their app works on GrapheneOS without issues.

As long as it includes websites made by commercial entities. Only standardized API endpoints!

Where is the government forcing you here? Does Spain have regulation that obliges the use of apps for banking for certain functionality and disallows websites? Or what are you talking about?

[flagged]

In Estonia you can easily do banking via the website on all the banks (LHV, Swedbank, SEB). That said, we do have it all integrated with our digital-ID (which every ID card has private keys encoded into with a PIN you know) so it's not like you can access it with a simple password (our online voting works the same way).

TOTP not accepted?

(When will people learn that biometrics are not another factor: they're entirely public and irrevocable. It's not just security theater, but Apple & Google know that this forces you into their ecosystem, which should be illegal. Of course, Brussels is full of rubes anyway.)

> And in practise that means a banking app, because most people do not want a separate token they have to buy and can lose.

It can be SMS. As said in another comment, the main banks in Spain offer this authentication method while being PSD2 compliant. Some also offer a card with coordinates. So it's not mandatory in any way to use a banking app.

In my country we have a large religious population who eschew the smartphone. This means that no government, banking, or other services require a smartphone.

Can you access their websites without the need to confirm 'who you are' with their app? In my case, not anymore.

My bank used to have other options but it has made mandatory the use of their app.

My bank used to have it as well but not anymore. I wonder for how long Triodos will be able to keep that option.

> They do it so they don't have to stand up their own push servers

I don't agree with this dependency on being in good standing with Google either.

But there is a technical reason that isn't wanting to avoid using their push servers. It is about battery usage and radio bandwidth.

Keeping open an idle connection over WebSocket, long-poll HTTP or TCP/IP needs regular pings (typically 30 seconds are used), one ping per connection. Otherwise your app can't be sure to receive messages from the server in real time, as the connection can disappear into CGNAT or similar hole where it doesn't receive messages sent by the server. To an app not using pings to check, such a blackholed connection is indisinguishable from an idle connection with no pending messages.

Waking the radio every 30 seconds, times 2 (back and forth), times the number of registered applications, would be quite battery draining. It drains battery both for background CPU usage and radio processing. Those pings in aggregate can even amount to a significant amount of data usage for users on smaller plans.

So there is a battery and radio advantage in using a shared push service, which only need a single idle connection to be kept live with 30 second pings.

There's another level to this, not available to regular developers using TCP/IP, HTTP or WebSockets.

The mobile network itself has to maintain handset connection liveness to the nearest tower, at a lower level than IP pings, and this is obviously optimised for battery and radio performance, and always running.

With arrangements in place with the mobile networks (which Google and Apple have), the mobile OS can leverage that for more reliable, lower power push notifications, by either guaranteeing the network will send something technically similar to a low-level SMS when there's an outstanding message, or by guaranteeing their special push IP connection will stay live by itself (no CGNAT blackhole) or be notified if something happens to it.

This allows the mobile OS to offer a shared push service that's fairly reliable at real-time notifications, with zero continuous CPU and radio power overhead for the idle connection.

I thought this was what Larry meant when he said surveillance will keep citizens on their best behavior. If one’s reputation score is low, sorry no money. Also, if anyone in one’s network has bad behavior, no money and no friends. Maybe the kids will learn to accept it, but being of the last analog generation, to me it seems like a painful future.

As far as I remember, last time I needed to use Google play on a shared phone I could just create a random Google address (I mean, completely invented name, etc.) and it allowed me to do anything, just as my normal Android.

I am too lazy to test, but did this change? Can't you just make a "fake" account and continue with your life? The phone company knows where you are, the bank knows what you purchase. Compared to that Google will know far less (ofc, if you don't activate everything)

I find it much more insane that it was possible for so long to do banking WITHOUT strong authentication (however implemented) by just providing those 3 numbers on the back of the card (strong security!)

In Germany for some banks you can buy a TAN generator and then you do not need a smartphone app anymore. Is this an option in your area as well?

It seems like the right time to advocate for open standards in things like banking.

Why? Technofeudalism is not going to impose itself

Especially with how things are currently, I whole heartedly agree - you cannot operate as a human being in Europe without having a good standing with either Alphabet or Apple.

Absolute madness.

Yes, the way I explained it was misleading, mainly because the different persona's tend to use different sets of apps. The personas, in general, are:

- Personal

- Work

- Sporting Club Committee

- Testing (kinda persona, for things I'm not sure of yet and don't want jumbled together with one of the other personas)

This is where it may become a pain, but for some people it may be worth it: sub-personas or topic-specific like streaming or finance or torrenting or porn or any other category you can think of if you want to keep certain things behind a boundary in case you need to share your phone (main profile) with friends or family members for whatever reason.

I hope and pray that is a Samsung S Ultra device. The built-in stylus transforms the whole user experience, I would not go back to a device that I must swipe my dirty fingers across.

as long as it is not fairphone. I am out. I don't want to have to choose between privacy and sustainability.

Cough cough, Nationwide UK. I emailed them, they said they had no plans to make the Nationwide UK app available globally on the iOS App Store.

Oh! Sorry, you described the current state of things so well I assumed you were close to the project.

Here is the github repo where banking app compatibilities are tracked: https://github.com/PrivSec-dev/banking-apps-compat-report

And it's rendered to a page here: https://privsec.dev/posts/android/banking-applications-compa...

Yep! Perfectly, I use it daily. (The private customer one, not sure about business.)

“Installing alternate OSs” is juicy bait for “tech enthusiasts” who know just enough to be effectively worse off than someone with a browser, yes, and at its core is this holier than thou attitude.

Needing to use a verified boot chain with keys that the bank trusts is essentially the same as using the authenticator device from said bank, except this one costs 100€ or more, has a microphone and camera built in, and you use it for private messages as well. That's not a future I want to live in

We have secure hardware already, it's called a smartcard and is what you find in all bank cards, SIM cards, authenticator devices... my phone is my phone, not a second factor, or at least I (as a hacker/tinkerer) don't want it to be that way, just like with my desktop which is also not the bank's to mandate whatever from

Somehow they got the memo for devices where it is normal to have admin permissions, but for mobile devices the two big tech companies successfully scaremongered non-techies

You'll quickly find out - as people are finding out in EU nowadays - that *no* bank will go through the trouble of fighting checklist security auditors to keep your linuxes working.

Wait till you find out that your prefered Linux bank won't have the same mortgage terms as you'd like and you'll be running to buy a Google/Apple phone to get those % down.

I agree completely, except looking at my 2fa app I'd need 20 physical tokens, so we actually need a super-duper-yubikey

Generally Lineage is the latest. Unfortunately, there are other issues (such as the blobs that Lineage needs drifting out of date, and it's usually suggested that you'll should backup and then wipe to upgrade to the next major release, etc.)

Well, I’ve jinxed it. My current “neobank” of choice, TNG eWallet, is onto me now :(

(Not because of my comment, probably – I’ve upgraded LineageOS and had to reinstall everything. But just in case you guys read this – please, just let me bypass it, I’m aware of the risks :)

Thank you!