Comment by arcanemachiner

My bank sends me an alert when my card is used to make a transaction - handy for spotting fraud.

I get an alert when a payment comes it - handy for knowing if a client has paid.

I can quickly check my balance - handy for knowing if I can afford another round of drinks.

I can repay a friend in two taps - handy if they've paid for dinner.

Is anything essential? No. Is it something people use multiple times per day? Yes!

You're definitely not alone. I just checked the list of installed apps on my phone and found three different banking apps that I completely forgot about because I never use them. I installed them because I thought it would be convenient for checking things on the go, but I actually just end up using the computer whenever I need to do real banking business. The only finance-related app I use with any regularity is Venmo for e.g. paying back a friend for covering dinner.

Another commenter mentioned needing to get alerts for fraud, but none of the financial institutions i'm currently doing business with have any trouble sending me text messages. In fact I have the opposite problem, I can't get them to stop using text for 2FA codes...

2FA is a requirement in Europe. I can't log into my bank account without my phone being able to run the app.

I haven't had issues with the mobile apps of 3 of the most major US brokerages. They run fine on rooted phone. They do everything I'd want a bank to do anyway.

Ditch your bank if they have issues. If their retention department asks why you're leaving, tell them their app doesn't work.

"I'm am just an outlier here?"

No. The "banking app doesn't work" argument against non-corporate mobile OS, raised incessantly is HN comments, is bogus

I want a "phone", i.e., small form factor computer, that can run something like NetBSD, or Linux. But I have no intention of using it for commercial transactions. Mobile banking is not why I want to run a non-corporate OS

I want to use it for recreation, research and experimentation

NB. I have more than one "phone". The choice is not corporate mobile OS versus non-corporate mobile OS, i.e., "either-or". I can use both, each for specific purposes

> I know banking apps are the typical example, but I've always wondered why

My bank uses the app for 2FA, and that became a sort of a standard in Brazil, AFAIK. Mine at least gave me the option of using an RSA SecurID or sth alike when I asked, but I don't know how much it would cost me.

My stock broker on the other hand does 2FA exclusively on mobile (and only Android and iOS). The same for the health insurer.

My car insurer didn't force me to so far, which I find strange, given their interest in tracking my location and speed.

These were some of the major factors leading me to give up on using a feature phone when I tried, a few years ago. It was a good experience, especially at those times of pandemics and political instability, but the inconveniences were many.

Banks often use their app for a second factor auth. here.

My main bank is Commonwealth aka CBA (one of the "big 4" banks here in Australia). For a long time, I held out against installing their mobile app (on Android), and managed fine with their web UI (and with 2FA codes via SMS). Then, 2 or 3 years ago, I needed to start using PayID (sort-of Australia's version of Venmo, ie free instant transfers, except it's supported directly by all the major banks here). And I discovered that CBA had (deliberately?) only added PayID support to their mobile app, you absolutely can't use it in their web UI (last I checked). So I had to finally relent and install the mobile app. I started out only opening it on the rare occasions when I needed to send money to someone via PayID.

Then, a while later, CBA pretty much phased out SMS-based 2FA (or they said that if you had the mobile app installed then you can no longer use it?). Only other supported option is in-app 2FA (no support for third-party TOTP apps). So I had to start opening the mobile app every time I needed a 2FA code. Then, within the last year or so, they made a new rule, that in order to log in to the web UI at all (just initial login, I'm not talking about sending money or any other high-risk action), you had to receive a push notification via the mobile app and tap "allow". So now I literally can't log in to the web UI without also logging in to the mobile app!

So, unfortunately, "just keep using the bank's website on desktop" is increasingly and deliberately becoming not an option. I assume there are many similar stories with other banks around the world.

Country dependent of course, but recently i observe steady push from banks to adopt mobile app. Some have webui neglected and glitchy, some openly announce sunsetting, some already killed web access only allowing app.

And this tendency will prevail as bank can collect way more data this way. Just a month ago one of banks that is often praised here sent me a letter saying “your IP activity doesn’t match your residence” (and i am not even installed their app, they pulled data from web ui usage. Imagine what happens when they get access to data mobile app can supply

> I know banking apps are the typical example, but I've always wondered why.

It's because Google created this thing during backroom conversations with bank associations from a handful of countries.

Sounds like you’re using Venmo to fill the same role as a banking app (sending and receiving bank transfers).

Many other countries simply rely on banking apps for these things, and don’t have a separate service for this kind of transaction.

Here in NL many banks (not all) require their iOS or Google app to log into their home banking on a PC/browser.

Fair point - but then take national eID apps instead.

Take Denmark, for example: most banking apps use eID for login, so that problem translates 1:1. But other apps who do the same include the national school communications platform (which is pretty much mandatory for a huge chunk of the adult population, who need to look at it almost daily). Also: social security card (including health portal/doctor booking/comms), driver's license, bus pass, parking app, used-stuff-marketplace, ... eID is _everywhere_ because it's a good idea.

Sure, all of this can be done on a computer. If you're near one. Or you can have separate and physical cards, like we used to have. That still works, mostly: more and more services (eg. bus pass) are going digital-only.

Really, what we need is a top-down embrace of open-source-based platforms as being _as_ (or more) secure than the established tech giants. From governments down, organisations _should_ move away from locked-down (foreign) commercial interests.

I'm not holding my breath though.

Some banks' only interface is the mobile app. And in Europe people typically use their banking app for P2P payments (no need for an app like Venmo)

Have you not had a company block you from doing something on the web and force you to use an app for it?

I can't deposit checks over the website, and I use a bank with no physical locations near me.

Yes. However, I already carry a tethered hand-me-down quarantine phone where I install my work apps and undesirable apps like Whatsapp (for those loved friends and family that can't or won't install Signal). Carrying a third phone for "Play Integrity" starts being a bit much.

Anything movement that requires people to routinely acquire a second phone is doomed to failure (in the “this will never become a mass movement” sense)

And if your bank only does 2FA via app?

Wait till you see how hostile Reddit is when you try and access via a browser on a phone

GrapheneOS supports remote attestation, but banks have to add the fingerprint of the official GrapheneOS verified boot keys:

https://grapheneos.org/articles/attestation-compatibility-gu...

Some banks even do.

They will say: hey, now you're free from Visa and Mastercard for your payments! (only to be forced into the Google/Apple duopoly, which is far worse).

In EU/UK, some are sadly app only. I avoid those. Many others are pushing apps as a 2FA, even if you use their website. You need to insist to get another authentication system, like TAN. Some governments are also pushing mobile IDs.

The best Linux for phones, SailfishOS, has a fairly good Android compatibility layer that runs many bank apps well. But despite that, it's an uphill battle. The network effect of the duopoly is gigantic.

It only has to be something I need to be able to do but can't once a month to be a dealbreaker.

> Some banks have added their verified boot keys.

Seriously?? That was very unexpected... Here's to hoping this becomes standard practice!!

They will.

The /e/OS installer is terrible though and often fails, even on their officially supported phones (like Fairphone). The standard recommendation in their forums is nah, just install /e/OS through the command-line.

Also, /e/OS has pretty bad security practices (shipping very old kernels, very old vendor firmware, and missing most AOSP security patches).

Also, be careful to follow the instructions really carefully. For some devices it's really easy to get the phone in a boot loop, where the only resort is to get your vendor to repair it. E.g. Fairphone 6 has downgrade protection and will become a brick if you relocked the phone when the old system's Android SPL is newer than the new system's.

It's also high risk. I've bricked two phones doing it.

That describes relatively easy for you, but not for the average person who can’t even be bothered to change the default ringtone.

> Even EU is lusting for draconian control features

Even the EU??? Huh? Did you misspell 'especially' there? Because when your governments want to spy on your own citizens more than the big tech companies want to collect data for advertising, you probably have a problem.

In the 90s, you would have said the exact same thing about linux on the PC.

Free software ultimately has time on its side. As long as a project has enough mindshare to keep its momentum, it really is unstoppable in the long run.

I don't care about specs, I care about functionality and price. The camera on the pinephone doesn't practically work because it is too slow and the quality sucks. You basicially cannot record videos whatsoever. I can't use the device for GPS navigation. I can run whatsapp within waydroid, but it isn't practical due to the battery life and startup limitations that imposes. The GPU on the pinephone sucks, is underpowered, doesn't support OpenGL ES 3 or vulkan, and the user interface is always slow as hell to navigate.

So practically I cannot use it as a daily driver.

Librem 5 does have enough GPU horsepower, a functioning camera, and good pmOS support. But $800 is a lot to ask to test out switching to linux with no guarantee that my workflow will work or I will have enough battery life. It looks like the librem 5 can't record videos or do GPS navigation yet.

I am looking at the librem 5 specs again. The EG25-G is probably a better starting point for the modem now that it has been better documented and reverse engineered as a result of the pinephone project. It is interesting that the L5 has a generic smartcard reader though.

If it's got a sim card, it's still phoning home and providing location data. You can't escape the panopticon. A faraday bag gets you mostly there, though, but the point isn't that you can maneuver against it, it's that the device and its operation is fundamentally compromised by design.

There's a whole lot of shady crap underlying the infrastructure and the hardware that consumers cannot touch, pinephone / librephone or otherwise. It's not designed for consent. At best you can gain ephemeral relief, but even that is illusory, because by simple process of elimination, differential analysis allows fine grained ID and tracking of people even if they don't have accounts, phones, interact with websites, etc.

It's not a shady cabal of lizard people, it's just the grubby natural alignment of interests by a wide ranging set of companies and regulators and groups who allow it to happen without imposing any accountability, and ensuring that the system remains structured such that no effective accountability can be imposed.

Extorting constant streams of data for adtech is too valuable and the entire thing is too complex for silly things like ethics to interfere.