Comment by Anonyneko
20 hours ago
I've resigned to the fact that I'll need to use two phones, one with locked down Android/iOS for banking applications and government services (those require strong bank ID around these parts), another with some kind of a Linux or unlocked Android for literally everything else. Oh well, such is life, most people don't care enough about this to pressure Google/Apple/banks/governments into yielding.
A big reason why a non-locked-down OS is absolutely vital to me is that sometimes I (reluctantly) have to travel to places where I need to install obscure VPN/proxy services to be able to access international internet. Most services present in app stores have been banned for years now, and the government sometimes even succeeds in making Apple/Google remove the more effective ones from the stores.
What we need to push back on is making a phone a requirement to do routine banking and conducting other necessary business. There is no reason I should be required to have a phone in order to query my balance or transfer money to someone, when I have a perfectly good computer sitting here.
The physical keys, like Yubico, help with that. However, I have not been convinced that a password manager with unique, strong passwords on all my accounts shouldn't suffice. I don't know why I have to be penalized because other users don't use best practices.
Bank apps in India don't run on rooted phones, need developer mode and adb disabled. At the same time, their website works fine on Firefox on Linux where I can literally go through all their front-end source, attach and run debuggers.
What even is going on? Why are banks doing this security theatre when all their apps are doing is calling some backend apis?
I think most bank apps in the western world also refuse to run on rooted phones. To my pleasant surprise my banking app worked on GrapheneOS though.
Is Linux for phones a thing? Or are you referring to GrapheneOS or LineageOS?
GNU/Linux phones exist: https://en.wikipedia.org/wiki/Librem_5 and https://en.wikipedia.org/wiki/Pinephone
In my informed opinion, anybody who does banking on their phone is taking a big and unnecessary risk. I wish I could say more.
> anybody who does banking on their phone is taking a big and unnecessary risk
It is not necessarily a matter of choice. Besides what the other commenter notes about 2FA, in some countries banks have been removing functionality from their online-banking website, and you can only do certain things in the phone app.
> in some countries banks have been removing functionality from their online-banking website, and you can only do certain things in the phone app.
The most infuriating I've seen, is a bank which removed the anual tax report (which you need to do the anual income tax) from the online-banking website, requiring you to use the phone app... to download a PDF file, which you then have to transfer to the computer anyway so you can print it!
2 replies →
This annoys me to no end. I have an old phone that I boot up occasionally because it holds all the apps that I only need once per year for a niche feature that is only accessible in their app. I don't need 200 apps on my main that I would otherwise never open.
See, the thing is, here you can't use banking on your computer without having a bespoke authentication app on your phone. There used to be a system of one-time codes sent via paper mail, but even that has been scrapped by now, so using bank ID apps is literally the only option across all of the local banks. In my bank the ID app and the bank app are even different apps, and it's the ID app that's the truly important one to have (and that, of course, hates rooted/modified phones with a passion).
The government services also go through these ID apps, although there is a poorly supported alternative that uses USB smart card readers. I have not seen a single person actually use it, probably for a reason, though I'm planning to get one just to have a backup...
At least in Finland's Nordea bank you can order a physical code calculator, they used to be small enough to keep on your wallet but the new one is the size of an old small phone. It even has a QR scanner. So I just keep it at home.
I see you suggest you can't say more, but I'll still ask the questions:
Is it a privacy or financial risk to have banking on your phone?
How is banking on a phone app more dangerous than banking via mobile or desktop websites?
It is a privacy risk, a financial risk, and a security risk.
The issue is the platform. Obviously there are issues with desktop platforms too, but those are easier to mitigate.
Not a choice if you live in a "developed" country
I live in a "developed" country and don't have a banking app on my phone. It's a choice. Sometimes it's a choice of which bank you bank with. Sometimes it's a choice to stick with more traditional means of interacting with that bank and not even checking your account using a website, but it's absolutely a choice.
I think this is the only long term solution, even if cumbersome.
I’m curious what secondary devices people are using. I have a second hand Surface Go running Fedora 43 with Gnome, it’s a bit big but it’s doing its job well.