Been using this for about a year on a p9 pro. It works very well. I hear the google tap to pay does not work, but I've never tried it. However Vipps with their tap to pay works fine. BankID works but not with biometric login, which some things require IIRC. And for some reason DnB private works fine, but you are not allowed in on the corp app.
It's mind boggingly stupid that they lock down apps like this, when you can just open the thing in a website anyway. I can use my bank on some linux distro, crazy that they trust me since it is not Windows - the truly secure OS!
Knew about those things before I started, so all in all I'm pretty happy. I'd recommend NOT using different users for different things (I started with banking etc in one profile, that ended up being a huge PITA and according to their docs it is mostly security theater anyway). Happy tinkering!
A collegue of mine was tech lead at a large online bank. For the mobile app, the first and foremost threat that security auditors would find was "The app runs on a rooted phone!!!". Security theater at its finest, checkboxes gotta be checked. The irony is that the devs were using rooted phones for QA and debugging.
Meanwhile, it's probably A-OK for the app to run on a phone that hasn't received security updates for 5 years.
I don't get it. If they're worried about liability, why not check the security patch level and refuse to run on phones that aren't up to date?
I'm guessing it's because there are a lot of phones floating around that aren't updated (probably far more than are rooted), and they're willing to pretend to be secure when it impacts a small number of users but not willing to pretend to be secure when it impacts many users.
> If they're worried about liability, why not check the security patch level and refuse to run on phones that aren't up to date?
Google doesn't provide an API or data set to figure out what the current security patch level is for any particular device. Officially, OEMs can now be 4 months out-of-date, and user updates lag behind that.
Your guess is good, but misses the point. Banks are worried about a couple things with mobile clients: credential stealing and application spoofing. As a consequence, the banks want to ensure that the thing connecting to their client API is an unmodified first-party application. The only way to accomplish this with any sort of confidence is to use hardware attestation, which requires a secure chain-of-trust from the hardware TEE/TPM, to the bootloader, to the system OS, and finally to your application.
So you need a way for security people working for banks to feel confident that it's the bank's code which is operating on the user's behalf to do things like transfer money. They care less about exploits for unsupported devices, and it's inconvenient to users if they can't make payments from their five-year-old device.
And this is why Web Environment Integrity and friends should never be allowed to exist, because Android is the perfect cautionary tale of what banks will do with trusted-computing features: which is, the laziest possible thing that technically works, and keeps their support phone lines open.
There's definitely some way of telling, Enterprises can block sign in with no recent updates in Microsoft authenticator or whatever app they use.
All good points. Thanks for that!
I'm not an Android developer, but I was thinking they could use something like the android.os.Build.VERSION.SECURITY_PATCH call to get the security patch level. Maybe that's not sufficient for that purpose, though.
Sure, there is enough information available to the app to determine what OS version and patch level it is running under. The issue is, the app would need to communicate this to the bank via an API, and the bank wants to trust the app in the first place in order to rely on this information.
Even then, two things turn out to be true:
- Banks don't actually want to put in the effort and deal with angry customers with slightly-out-of-date devices.
- All the credential-stealing malware on Android works perfectly fine on stock, unmodified, non-rooted OS images anyway. They just need to socially-engineer the user to grant accessibility permissions to the malicious app.
ive seen: -"but ios can be jailbroken and it doesnt have an AV!" while the MDM does not allow jailbroken devices, and they also allowed sudo on linux.
auditors are clueless parasites as far as im concerned. the whole thing is always a charade where the compliance team, who barely knows any better tries to lie to yhe auditor, and the auditor pick random items they dont understand anyway. waste of time, money and humans.
at best it's "cover your ass security" so when you do get pwned you can say you went through an "accrediting auditor" - blah blah blah.
Agreed on everything you said. Just wish there was a more efficient way to do things :/
As long as copying some numbers, printed on a piece of plastic, into an online order form is all the authentication that is needed for a transaction, anything more than that is inherently security theater.
That’s why for most transactions I do with a credit card in my country, you need an extra validation with the mobile app. It is mostly American websites that do not enable this functionality.
Yes, because we don't want these stupid locked down apps. Credit cards give buyers many protections, it's very easy to dispute an illegitimate transaction.
However, you pay 2.7% for that convenience
Yeah that's the first thing a pentest will complain about, had the same problem too. I pushed back enough so that it's trivial to bypass but the bank and pentesters also agreed with me that it's security theater or else I would never had the chance.
I always ask them if they have root/admin on their computer. Then follow up playing dumb with "shouldn't we lock out PCs too?". Watching them stammer is worth the 30 second aside.
> Then follow up playing dumb with "shouldn't we lock out PCs too?".
Unfortunately, some banks do, for various functionality; there are many things you can do via bank apps and not typically via their website.
Locking down PCs is easy: just set a random password.
Just blow the right hardware fuses and secure boot will be forced with a key that doesn't (or can't) exist.
[dead]
Who do we lobby to get this removed from the auditors checklists? This is a solvable problem but it’s political. And if we don’t solve it personal computing is at risk.
Start by calling (or visiting the area office of) your senator and congressman. If you are reasonably articulate, they engage and listen. Doesn't matter if the listener is not a techie; they will ask questions around policy and why it affects constituents.
This is 1000x more useful than online petitions or other passive stuff. Politicians know that one person to have taken the effort to do this, means 1000 others are feeling the same thing but are quiet.
This is nothing to do with politicians.
But grapheneos doesn't need to be rooted!
Unfortunately, root detection is greatly flawed, most of the time.
Oh how I fucking wish "security" wasn't a stupid cargo cult checkbox list 3/4 of the times.
Unfortunately, the rot runs too deep.
Your password must be between 8 and 12 characters, and must have lowercase, uppercase, numbers, and punctuation.
Pick up the can!
My favorite is when it must have punctuation, but certain punctuation is silently banned, so I have to keep refreshing my password generator until it gives me an acceptable combination.
I came across a "special character" requirement while creating an account. The client validation was not the same as the server validation. The client proceeded as if my account was created, but it never was. The client functioned without an account until it was closed. I asked the creator what their app's problem was, why did I need to keep resetting my password, then be told that I don't have an account, and have to create it anew.
They would not believe I was creating an account and using the device, because their own logging was so terrible.
I had to send them a screen recording from me using this abomination, and only then was I told "you're using the wrong special characters". They helpfully gave me some examples of allowed special characters, which then would pass the server validation.
I wish they would have gotten rid of the account requirement, as the device and client software seemed to work fine without them.
Somewhat unrelated, is there any technical reason certain punctuation might be banned? I can understand maybe not allowing letters with diacritics or other NON-ASCII chars but why would a system reject an @ sign or bracket > for example?
Depending on the protocol they can be url encoded or even helpfully html encoded; the same password can be used over different protocols. It's the best to not use punctuation by default (length supplies more entropy than charset), I add -0 at the end to make dumb password policies happy.
Often, the same ones with limited punctuation also have length limits, so maximizing the character options is the only way to maximize entropy.
A lot of the restricted stuff is cargo-cult fear of symbols that could be used in SQL-injection or XSS attacks.
A properly-coded system wouldn't care, but the people who write the rules have read old OWASP documents and in there they saw these symbols were somehow involved in big scary hacks that they didn't understand. So it's easier to ban them.
Having more than just alphanumeric characters widens the domain of the password hash function, and this directly increases the difficulty of brute-force cracking. But having a such a small maximum password length is... puzzling, to say the least. I would accept passwords of up to 1 KiB in length.
With rainbow tables, even 11-character simple passwords like 'password123' can be trivially cracked, and as the number of password leaks show, not everyone is great at managing secrets and credentials.
It's easier for me to remember really long passphrases than even short alphanumeric strings - small maximum password lengths set my teeth on edge. The passwords should be getting hashed anyway right?
The problem is that you never really know what a website operator does with your credentials. Ideally, you have both a unique email and a unique password for each site, because sadly credential stuffing [1] is a thing.
Should being the operative word...
I bet the rationale would be "anything over 12 characters will be too hard to remember and people will just write down the password."
But it's a maximum. It prevents people that want to use passphrases from doing so.
I think we (whoever we is) should start normalizing the concept of passphrases; on sign-up screens they should show the benefits of a passphrase. I'm surprised that Googles PW generator does not use passphrases, and I don't know about ios because I haven't tried theirs yet.
I started using passphrases after I saw this xkcd https://xkcd.com/936/
When I'm trying to log into something on a device that has a terrible keyboard, like a TV or giant touchscreen, it's a lot easier to type words I know than gibberish.
correct horse battery staple; knew it before I clicked the link.
Until the late 2010s, the AD account password at my financial institution employer was capped at 12 characters because, for a subset of workers, AD creds were sync'ed to a mainframe application that could only support that many characters.
I recommend all my friends and family to use a password manager like Bitwarden, and if they can't do that for some reason, at least use a 3-word passphrase separated by a hyphen.
The amount of times people have complained to me that this doesn't work because of low max-chars on passwords is insane.
One time I had to reset my password with the power company - they had such a system, and the lady had to read me something like:
Uh4zB4DP55WD!
Apparently I was a bit salty with the system when I set it.
The fact that she shouldn't have even been able to look up the password in the first place due to hashing was lost on her.
That's pretty funny on a few levels, not in the least that they required a "secure" password like that but stored them in plain text.
I regularly conduct transactions at the branch of my local bank wherein they ask me for no credentials whatsoever. I also once forgot to bring my account number with me and the teller said "no worries, I'll look it up for you." Kind of horrifying.
It helps that it’s a jailable offense to make fraudulent transactions
Oh! But that’s safe! Secret question time: What’s your mother’s maiden name.
Yeah I was a bit shocked... like... you're not supposed to know that!
My bank’s password field is case insensitive. Of course they could have lowercased it before hashing but I doubt it.
Haha having such a low range of max chars just makes it that much easier to brute force doesn't it?
On password length, I once had an account on Aetna that let me put whatever I want for my password, so I used a three-word passphrase that bitwarden generated for me. It ended up being like 20 chars.
Then I tried to log in with that password. Whooosies, the password input only allowed max 16 chars!
Ended up using a much less secure password because of this.
Maximum lengths like this are like a big neon sign that says:
"Hey idiot, I'm storing your password in plaintext, don't know anything about password security, and I'm also going to make you pick something you can't remember for 'security'."
> Pick up the can!
Gotta admit, this triggered me. I don’t think those are the same thing. If no one had a good password we wouldn’t affect each other negatively. If no one picked up trash, we would.
Edit: Sorry folks, didn’t get the reference.
I'm pretty sure it's referencing Half-Life 2, where an agent of an oppressive regime tells you to pick up a can that they just dropped on the floor as a sadistic display of authority (and to provide world-building and teach the grab mechanics to the player).
The GP is equating policies for strong passwords that aren't trivially cracked with authoritarianism.
If no one had a good password, we actually would affect each other negatively. If your personal banker can be easily compromised, that means that you could be easily parted with your money.
I do agree that they are not the same thing.
> The GP is equating policies for strong passwords that aren't trivially cracked with authoritarianism.
Incorrect - the requirements I mentioned make passwords less memorable and less secure (maximum length 12???). Obviously that's not as bad as authoritarianism, but I was trying to capture the arbitrary act being forced on us for no real justifiable reason.
It's a Half-Life 2 reference: https://www.youtube.com/watch?v=nJshjMyg6no
> the first and foremost threat that security auditors would find was "The app runs on a rooted phone!!!".
GrapheneOS is not rooted, or is not required to be.
> It's mind boggingly stupid that they lock down apps like this, when you can just open the thing in a website anyway. I can use my bank on some linux distro...
Not in Spain. I can access my bank's website but I can't do anything without their bank app. Even sometimes they require to confirm my identity using their app in order to access their website.
I have several linux phones but I can only do banking with their app downloaded from Aurora Store in my Vollaphone.
This should be illegal that the government forces people into apps controlled by private, commercial entities. I call such a government corrupt.
Here in central Europe I can still access the bank website fine without smartphone. I need a physical device to yield a TAN though, but I can access and do online transactions fine. So I think something is wrong with the spanish government. People need to protest.
Or how about schools requiring parents to use WhatsApp to receive updates and information? Luckily my ex forwards to me the important stuff, but not everyone is as lucky to have an ex like mine ))> This should be illegal that the government forces people into apps controlled by private, commercial entities. I call such a government corrupt.If the government (or school) is going to require us to have a smartphone in order to access critical government information, then we should demand that the government provide us with a compatible smartphone.
Forget exes—-how about current partners! I predict with high confidence that my wife’s response to such a request would be “grow up and install WhatsApp already.”
I switched bank in the UK due to enforced app use, from Starling to Nationwide. They use a card reader to issue codes, so I can still use the web. I see this as a much of a must-have as physical bank branches with real cashier services.
But Starling has always been app only?
Especially in Europe! They shouldn't be forcing you to run an OS from an American company.
Even the EU initiative Wero requires Google or Apple. You can't even use it on a desktop pc and you're not even allowed to have developer options on. Ridiculous. I've never seen any app that is so strict.
That's not exactly right, Wero the app is not Wero the payment system. Banks and payment processors are expected to integrate Wero the same way they do with iDeal and similar systems. So ultimately if your bank's app doesn't require attestation you will be able to use Wero through it.
Weird, because Wero is an internationalization of the dutch iDeal and that worked fine without any apps. You clicked ‘continue to bank’, select your bank, and then login on the bank web portal.
American here who values individual liberties greatly. I know things are politically tense at the moment, but I’m not sure I understand this popular contemporary sentiment.
I’ve always believed governments and companies should be regarded with fairly low trust, and the behavior of big tech companies and some recent government actions are great examples why.
But what disappoints me a bit about this moment is (the perhaps inevitable?) response to nationalism with more nationalism.
Just as I didn’t seek to punish the EU over authoritarianism in Hungary and Poland, I feel the current moment has many responding to the symptoms instead of the sources of the problems. This is not a defense of policies I believe concern you, it’s a question of priorities.
I think the author of the article got it right. Because in addition to privacy, I believe one should be able to navigate the internet freely without a mandate to do business with monopolistic dominant companies, which includes rights like ownership of your data.
I don't think this is about the current situation in the US.
Big US tech companies are infamous for not following the EU's data protection rules, and they wouldn't even able to, because some US regulations (I think PRISM, FISA and others) are incompatible with the requirements of EU GDPR. This dates back at lest to Snowden leaks and the invalidation of EU-US data protection agreements by Schrems judgments.
https://en.wikipedia.org/wiki/Max_Schrems#Complaints_with_th...
> But what disappoints me a bit about this moment is (the perhaps inevitable?) response to nationalism with more nationalism.
Unfortunately it is now a question of sovereignty and basic risk management, not nationalism ([0] and multiple other sources).
[0]: https://mspoweruser.com/europe-calls-out-us-tech-after-micro...
As long as it includes websites made by commercial entities. Only standardized API endpoints!
My bank still supports TAN codes with a device too. Unfortunately, once it breaks or the battery goes dead you cannot get a new one and have to use their app. Fortunately, their app works on GrapheneOS without issues.
The DSA European digital wallet spec currently requires Google or Apple attestation, so not for much longer.
And that is mandated by the EU.
Sigh.
Reputational awareness is what keeps people safe!
[flagged]
> Not in Spain. I can access my bank's website but I can't do anything without their bank app.
I don't know about Spain specifically, but as far as I understand it no bank in the European Economic Area + UK should allow banking via just the website alone anymore, because of the "Revised Payment Services Directive" (PSD2) regulation.
Essentially, banks are required to implement "strong customer authentication", which in essence is just multi-factor authentication with a password + either biometrics or a security device of some sort.
And in practise that means a banking app, because most people do not want a separate token they have to buy and can lose. Though a lot of banks do offer those as well.
In Estonia you can easily do banking via the website on all the banks (LHV, Swedbank, SEB). That said, we do have it all integrated with our digital-ID (which every ID card has private keys encoded into with a PIN you know) so it's not like you can access it with a simple password (our online voting works the same way).
Can the PIN change? How to issue new key if needed? How does it integrate with the voting?
Voting, much like all other things in Estonia such as getting married/divorced, doing taxes, signing documents, starting/closing companies, notary dealings, bank dealings, selling/buying vehicles, and many more things I can't even think of right now are entirely done via the digital ID that every citizen has. This means that you authorize/sign actions with it, including voting, because only you have your private keys (either in your personal ID card, in your phone's sim card, etc) that you yourself know the PIN for, which then authenticates you as being you. I think we're now at a point where there isn't a single government or business dealing you can not do entirely online (https://e-estonia.com/solutions/).
> Can the PIN change?
You can change it in the app, yes.
> How to issue new key if needed?
I think you’ll have to reissue your ID.
There’s also digi-ID (similar e-signature certificate on a card, but without any ID features), Mobiil-ID (e-signature on a SIM-card, no idea how it works), Smart-ID (in app, tied to secure storage in Android/iOS, cross-signed by the server which is supposed to check the device somehow) and probably something else I don’t remember. All of these are independent options, so you can, for example, revoke your Mobiil-ID if you lose your phone, and still use the your main ID card to sign things.
> You can change it in the app, yes.
Is the app tied to Google or Apple?
Nope, there’s a desktop version, too. And it’s all free/open source: https://github.com/open-eid
(Though Smart-ID is its own thing and is a fair bit more locked down, but I’ve managed to get it running on a phone without Google services IIRC.)
Wow, that is nice!
How much the certificate costs and lasts?
It costs as much as your ID card costs by the government, and lasts as long as well. They are one and the same. Applying for a new ID card / national ID document in Estonia costs 35€ and the document is valid for 5 years. If you forget your PIN code, you can reset it with your PUK codes, but if you also lose your PUK codes you need to apply for a new ID card. The process for getting a new ID card from the moment you applied for it takes no more than 30 days. You can also have it fast tracked for 250€ and get it in 2 days.
But, like the parent said, you have many other options other than the physical ID-card as well. Most people these days use Mobiil-ID or SmartID, which works on your phone and even smart watch. SmartID is completely free and Mobiil-ID is tied to your phones carrier, so the cost varies, but it's a one-time set-up fee of around 5€. Mobiil-ID certificate also lasts 5 years.
TOTP not accepted?
(When will people learn that biometrics are not another factor: they're entirely public and irrevocable. It's not just security theater, but Apple & Google know that this forces you into their ecosystem, which should be illegal. Of course, Brussels is full of rubes anyway.)
The question is what generated that TOTP code. The banks must ensure that they "are independent, in that the breach of one does not compromise the reliability of the others," as article 4(30) states. That text is vague as hell, but published opinion of the European Banking Authority on the matter[0] is:
"a device could be used as evidence of possession, provided that there is a ‘reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device’"
So in essence the TOTP has to be bound to the device in a way that prevents users from just extracting the secret and putting in in their password manager. Hypothetically that would still allow Yubikeys and other security keys that provide attestation from the factory, but in practise banks probably don't want to deal with the support headache and just provide their own, like the TAN generator mentioned by other commentors.
Two other highlights from the interpretation of the EBA:
"App installed on the device" -> not sufficient/compliant
"In the case of an SMS, and as highlighted in Q&A 4039, the possession element ‘would not be the SMS itself, but rather, typically, the SIM-card associated with the respective mobile number’."
"SIM-card associated with the mobile number" - is that even technically possible? Do mobile carriers provide a API for banks to verify that a number still corresponds to the same SIM card? If so I've never heard of it.
[0] https://web.archive.org/web/20191207213213/https://eba.europ...
But they do use apps, and since everything happens on a smartphone - a single point of failure - they aren't independent.
Like most security regimes, it's both overly prescriptive and woefully insufficient. In short, dumb. :(
TOTP not accepted, because the confirmation for payment must include the amount to be paid, which cannot be done under TOTP as far as I know.
Some UK banks (Nationwide and Barclays I know for certain) have had mini card-reader PIN devices since around 2010 that they've given customers, that basically generate on an LCD screen an 8-digit code for authentication.
When confirming a large transfer, you also need to enter the payment amount in the device, and I assume this gets hashed into the number as well.
More recently (last 3/4 years), you can also use their mobile app to do this instead / as well as.
Moved from the UK to Germany. My German card reader is even better, no manually entering the transaction details, I just scan a QR code from my laptop, and the card reader display shows the IBAN and amounts, before I confirm to get the code.
> And in practise that means a banking app, because most people do not want a separate token they have to buy and can lose.
It can be SMS. As said in another comment, the main banks in Spain offer this authentication method while being PSD2 compliant. Some also offer a card with coordinates. So it's not mandatory in any way to use a banking app.
Probably not for much longer though. Several countries, including mine, have already banned SMS 2FA for banking, and it's likely that that will be implemented for all of Europe in the near future, possibly with PSD3. Not that SMS 2FA was ever a good idea in the first place.
But yes banking apps are not mandatory, and likely won't be in the near future either, though the alternatives are treated a bit like second class citizens.
My bank offered that option but not anymore. The use of their app is mandatory now.
Edit to add this anecdote. My bank told me I need to use their app because SMS is not secure, but you need to activate their app using an SMS code!
I don't know which banks you are using but in my case I work with five Spanish banks and I can do everything from their websites, no app required. Yes, they try to push you to use their app, some tried to activate mobile 2fa for me when this psd2 thing became mandatory but I always told them their app doesn't work on my phone (which is true) and they offered me alternate methods like sms.
In my country we have a large religious population who eschew the smartphone. This means that no government, banking, or other services require a smartphone.
Can you access their websites without the need to confirm 'who you are' with their app? In my case, not anymore.
My bank used to have other options but it has made mandatory the use of their app.
> Can you access their websites without the need to confirm 'who you are' with their app?
Yes, none of them required me to use the app a single time. In fact, for all the banks I work with, I always identified myself at a local office when opening the account for the first time, the last one less than a year ago. And all of them allow me to operate in the website without the need of an app (actually I could never use any banking app as my telephone lacks Google Play).
> Not in Spain. I can access my bank's website but I can't do anything without their bank app. Even sometimes they require to confirm my identity using their app in order to access their website.
https://triodos.es has 2FA via SMS, for what is worth.
My bank used to have it as well but not anymore. I wonder for how long Triodos will be able to keep that option.
I have been using GrapheneOS for a few months in Spain with and out of three banking apps only one gave me trouble, I had to enable "Exploit Protection Compatibility Mode" on "app information". Personally I refuse to pay with the phone so I am okay not having that option.
If someone wants to try Graphene os maybe that option will work on their banks too.
Not in Spain. I can access my bank's website but I can't do anything without their bank app. Even sometimes they require to confirm my identity using their app in order to access their website.
I've seen this elsewhere, and it's absolutely ridiculous.
Why?
Because in almost all cases, the apps may only be installed with Google Play, and require the framework to work correctly. And that means?
If you are not in good standing with Google, you cannot bank!!
I cannot stress how inane it is, to have Google or Apple as the gatekeeping to identify verification. How not having an active, in good standing account with one of these two, means you cannot bank.
And it's happening more and more.
Meanwhile, banks -- which tend to make billions in profits quarterly, do this to save on infrastructure costs. They do it so they don't have to stand up their own push servers, or have an app which doesn't require firebase.
Well cry me a river, boo-hoo Mr Banker, I'm not even remotely interested in you saving on infra-structure costs at the loss of autonomy. And on top of this, many banks are reducing hours, closing branches, claiming that they don't need them.
Leaving absolutely no other choice.
This sort of thing should be illegal. Being in Spain, but requiring a US megacorp to tell your own bank, that you're you.
> They do it so they don't have to stand up their own push servers
I don't agree with this dependency on being in good standing with Google either.
But there is a technical reason that isn't wanting to avoid using their push servers. It is about battery usage and radio bandwidth.
Keeping open an idle connection over WebSocket, long-poll HTTP or TCP/IP needs regular pings (typically 30 seconds are used), one ping per connection. Otherwise your app can't be sure to receive messages from the server in real time, as the connection can disappear into CGNAT or similar hole where it doesn't receive messages sent by the server. To an app not using pings to check, such a blackholed connection is indisinguishable from an idle connection with no pending messages.
Waking the radio every 30 seconds, times 2 (back and forth), times the number of registered applications, would be quite battery draining. It drains battery both for background CPU usage and radio processing. Those pings in aggregate can even amount to a significant amount of data usage for users on smaller plans.
So there is a battery and radio advantage in using a shared push service, which only need a single idle connection to be kept live with 30 second pings.
There's another level to this, not available to regular developers using TCP/IP, HTTP or WebSockets.
The mobile network itself has to maintain handset connection liveness to the nearest tower, at a lower level than IP pings, and this is obviously optimised for battery and radio performance, and always running.
With arrangements in place with the mobile networks (which Google and Apple have), the mobile OS can leverage that for more reliable, lower power push notifications, by either guaranteeing the network will send something technically similar to a low-level SMS when there's an outstanding message, or by guaranteeing their special push IP connection will stay live by itself (no CGNAT blackhole) or be notified if something happens to it.
This allows the mobile OS to offer a shared push service that's fairly reliable at real-time notifications, with zero continuous CPU and radio power overhead for the idle connection.
Why does a banking app that I'm not currently using need to ping a server occasionally?
When I want to do banking I'll open the app, do my business, then close the app. A banking application does not need push notifications.
My comment was about push service sharing generally, not banks, from a technical point of view that many people aren't aware of but may find interesting.
Clearly, real-time notifications are useful with many apps, notably real-time messaging, even if you don't think they have a place with bank apps.
For bank and credit card apps, I find their push notifications to be very useful. They are among the most useful notifications I get, because they tell me about things I find important, which I wouldn't notice otherwise.
They tell me things about transactions that have gone through, sometimes after a long delay, transactions that need confirmation right now or they will be blocked, balance being too low, or too high (credit cards), payments that are required today, refunds that came through after a product was returned, transfers that completed on the receiving said, payment received from a client, direct debits that are going out tomorrow so I will need to make sure there's enough in the account, customer service messages that require a response from me or they will eventually close the account, and so forth.
"Just open the app" doesn't work: All of those, except transaction confirmations, are things where I wouldn't know to open the app if I didn't get a message of some kind to tell me.
These days, in some juristictions it's also required to send real-time notification to confirm some purchases, because the phone's security is considered better than card details alone. Depending on how the purchase is made (e.g. in-person vs online, different payment terminals), you might not know the reason a transaction is blocked or held is because it's waiting for you to confirm in the app, so the notification is useful for this.
All these used to be done by SMS, and that was useful too. But SMSs are just push notificatons with a worse UI and worse visual cues.
... and no dependence on Google or Apple.> But SMSs are just push notificatons with a worse UI and worse visual cues.
Unfortunately it needs push notifications to authorize online payments.
So open the app when performing an online payment.
I thought this was what Larry meant when he said surveillance will keep citizens on their best behavior. If one’s reputation score is low, sorry no money. Also, if anyone in one’s network has bad behavior, no money and no friends. Maybe the kids will learn to accept it, but being of the last analog generation, to me it seems like a painful future.
As far as I remember, last time I needed to use Google play on a shared phone I could just create a random Google address (I mean, completely invented name, etc.) and it allowed me to do anything, just as my normal Android.
I am too lazy to test, but did this change? Can't you just make a "fake" account and continue with your life? The phone company knows where you are, the bank knows what you purchase. Compared to that Google will know far less (ofc, if you don't activate everything)
I find it much more insane that it was possible for so long to do banking WITHOUT strong authentication (however implemented) by just providing those 3 numbers on the back of the card (strong security!)
No, they will either immediately or shortly thereafter require you to link a phone number, etc
The original comment was saying:
> If you are not in good standing with Google, you cannot bank!!
> I cannot stress how inane it is, to have Google or Apple as the gatekeeping to identify verification. How not having an active, in good standing account with one of these two, means you cannot bank.
Having to register some phone number (does not need to be your main number, a sim card is quite cheap) to a "fake/unused" email address (even if as you say you are required yo) does not require you to "be in good standing with Google" and they are not gatekeepers of identity.
At this point in time I feel the banks and the mobile phone operators are much worse managers of identity, because, for example they even accept stolen identifiers to make an account in "your name" - for me that's more ridiculous, not that they require some multiple factor of authentication.
In Germany for some banks you can buy a TAN generator and then you do not need a smartphone app anymore. Is this an option in your area as well?
It seems like the right time to advocate for open standards in things like banking.
Why? Technofeudalism is not going to impose itself
Especially with how things are currently, I whole heartedly agree - you cannot operate as a human being in Europe without having a good standing with either Alphabet or Apple.
Absolute madness.
Absolute madness or complete nonsense - I have neither an Apple account or device, nor a Google account or mandated device (e/os on Fairphone 3+) and operate perfectly successfully in the UK with (almost [1.]) zero friction.
1. Revolut app stopped working so I emptied my account and opened a Wise account which is fully administer-able from their website. Revolut has subsequently started working again after a couple of app/OS updates.
> Revolut app stopped working so I emptied my account and opened a Wise account
Same, though I’ve never returned to Revolut.
Wise does have some quirks (e.g. they’ve blocked me from unfreezing or reissuing my cards recently for no apparent reason), but still they’re way way closer to zero-bullshit than any other neobanks I’ve tried.
Similar in Canada.
- RBC 2FA is that if I try to login through my browser, the phone app will ask if I authorize the login. I think I can disable this and use sms/call, but that's even more insecure, so I don't.
- TD lets me login fine and do everything in the browser. But any online transaction that is moderately large or presumably fishy, will force me to authorize the transaction via the app.
These are among the largest banks in Canada.
I'd also recommend to slowly migrate to GrapheneOS, getting to know where the boundaries are for specific apps. Once you've got your 'dailies' all up and running predictably, then you're good to go, but it could take a few days depending on how much spare time you have to find said boundaries. Having said that, I turn on most of the higher level security protections, which quite a few apps need exceptions from.
But, yes, you can't tap to pay and it's unlikely you ever will. Banking apps will be hit and miss depending on their (generally hypocritical) paranoia levels.
I pay with a tap-to-pay card, and I have never needed to do banking related things immediately, I've always done it via the bank's website.
I also still have a not-very-old 'normal' android phone for some edge cases - which are few and far between (actually, I think it's usually to cast youtube to the TV since I only have the revanced youtube app on the GrapheneOS device).
P.S. On the use of profiles, I use them to separate work apps and notifications from personal, from sporting club, from X, Y, and Z. Yes, they're a pain in the arse to switch between, but I'd argue it's more of a pain in the arse to have them all jumbled together causing even more notifications, frustrations, and distractions from whatever one should actually be concentrating on in the present moment.
I recommend dividing per persona rather than per app category.
> I can use my bank on some linux distro,
Yes, I've been doing that since 2009 on Ubuntu and Debian but there are several caveats.
One of those banks has its own TOTP device and they won't replace it when the battery dies. It's almost 20 years old now. Then it's the fingerprint sensor on my phone.
The other banks authenticate accesses and many operations with either their app + fingerprint (all of them) or SMS (some of them). So basically I would still need a phone with a blessed OS. I could buy the cheapest one and store it in a drawer, but it's still a dependency on Google or Apple.
GrapheneOS requirement of Pixel devices is a dependency on Google too.
GrapheneOS requirement of Pixel devices is a dependency on Google too.
They are currently working with an OEM to release a non-Pixel GrapheneOS phone in the future.
I hope and pray that is a Samsung S Ultra device. The built-in stylus transforms the whole user experience, I would not go back to a device that I must swipe my dirty fingers across.
I’m just imagining myself pulling out the stylus on the train/plane, dropping it, and watching it roll away forever.
They thought of that! The cutaway of the stylus is a rounded rectangle, comfortable in the fingers but does not roll.
In any case, replacement stylii are very cheap online. Less than a screen protector.
The Palm Pilot experience. But that stylus was required for operation. Fortunately, just a plastic stick, so 3-pack replacement were cheap.
Millions of owners of Samsung devices somehow manage to not do that every day.
as long as it is not fairphone. I am out. I don't want to have to choose between privacy and sustainability.
About BankID: There was a regression in the app back in june that broke the app entirely. Back then I emailed the developers complaining about it, and their response indicated that there was no deliberate attempt at breaking BankID on GrapheneOS, and the specific developer who replied to me said he was a fan of the OS.
Biometric login was also confirmed to work around the same time. I can however confirm that it doesn't work on the latest app version. It complains that the webview isn't Google Chrome.
This is probably just an oversight. I will email them again; good chance they'll push a fix to recognise Vanadium webview.
> when you can just open the thing in a website anyway. I can use my bank on some linux distro
Unfortunately not.
I'm in the UK. Two of my personal banks, all four business banks that I need to use, and several credit cards, require authentication using their phone app to confirm login on their website.
None of those I've seen are using TOTP or SMS, for which I could use a general security service. All use their own phone or tablet app. One does something interesting where the website shows a unique QR code on each login, the phone app reads it with the phone camera, and then website login proceeds instantly without clicking anything.
Oh, and some of them also require phone app confirmation for card purchase transactions.
When my last phone's screen stopped working, I called one bank's "phone banking" line (using another phone of course) to make an urgent transaction, and they told me they can't do that, as only service they offer by phone is registering a new phone or tablet. They told me explicitly that it's not possible to login to their web-based banking service without using their app for authentication, and on a registered device.
It's the reason I have my current phone. I had to buy a cheap-ish Android in a hurry from a local shop, in order to proceed with my bank transaction.
Back to the main topic: I love the idea of a properly open source phone, I used to own not one but two Nokia N900s, and I once toyed with the idea of building my own Linux phone from scratch, big project though that is.
But the security ecosystem around logins has changed, and so have the services I depend on. These days I use many bank and other financial-service related apps, and I'm not, in practice, free to switch providers. So I couldn't use a Nokia N900 or modern equivalent any more as my only mobile device. I'd have to carry a second phone as well.
(Banking and other service authentications are also the only reason I have my current passport. I resented having to pay to renew my expired passport, given I had no plans to travel (small children) and the expired passport used to be accepted, but I found some banks, credit cards and even government services increasingly requiring to see a non-expired passport from time to time. When I asked one of them what do they do for the large number of people who don't have one, they simply told me they close those people's accounts and that's ok, they don't need to serve everyone. But that's another story.)
> require authentication using their phone app
And banks often have their apps region locked, so if you live abroad or have accounts in more than one country, you’re fucked.
Cough cough, Nationwide UK. I emailed them, they said they had no plans to make the Nationwide UK app available globally on the iOS App Store.
I was the one that submitted the DNB Bedrift app report to the sec dev repo! I contacted DNB but they never responded to my email. I wonder if we can find a dev? I believe that's how the private app got fixed.
Want to use Vipps tæpp so much but I have Nordea for private and they don't allow it on their cards, for whatever godforsaken reason.
Ah. Where did you send this in?
I wouldn't mind sending in a complaint to both BankID (allow biometric login) and of course DnB corpo edition.
Oh! Sorry, you described the current state of things so well I assumed you were close to the project.
Here is the github repo where banking app compatibilities are tracked: https://github.com/PrivSec-dev/banking-apps-compat-report
And it's rendered to a page here: https://privsec.dev/posts/android/banking-applications-compa...
Hah - both were in my browser history, yes I know them :) I misunderstood and thought you had sent direct emails to relevant parties arguing for why they should be allowed on grapheneos.
Thanks anyway!
Oh I also misunderstood! I did send an email to DNB Bedrift customer service about Graphene support, citing the private app fix. They technically gave me a response that it would be looked into, but it felt very handwavy, and that was 3 months ago. It was via the bedrift portal, there is a "Send E-Post" button.
I don't know how to contact the engineering team. IIRC that is how the private app got fixed, someone got word to someone on the inside.
Does the Nordea app work on Graphene? I am curious because I have been itching to switch my main phone to an alternate OS.
Yep! Perfectly, I use it daily. (The private customer one, not sure about business.)
Thanks for the Norwegian perspective.
I agree that the locking down is truly stupid. For what it’s worth, the reasoning for locking down mobile apps is allegedly that mobile users are a less technologically competent demographic than desktop users. I do not think so myself, given the difficulty in trying Graphene vs. Desktop Linux.
Those people who root their phone and install alternate OSes sure are less technologically competent than someone with a browser and a laptop
“Installing alternate OSs” is juicy bait for “tech enthusiasts” who know just enough to be effectively worse off than someone with a browser, yes, and at its core is this holier than thou attitude.
I agree that the locking down is truly stupid.
I don't agree that it is stupid. Both banking on a Windows PC or on an unlocked + rooted phone is potentially catastrophic. Windows because of the prevalence of malware, unlocked phones with custom AOSP forks because people download 'ROMs' (as they call them) from the most shady sites.
Once 10,000s of Euros are siphoned from a bank account, it's usually the bank that has to deal with the mess. Especially if they cannot prove the transactions were done in on an insecure platform.
Phones are generally safer (though there is a huge variance between the safety of different Android phones) because they use verified boot and strong application sandboxing.
I think it is possible to believe the following two things a the same time:
- Banking apps should only run on locked phones with secure boot.
- Banking apps should not be limited to the Apple/Google duopoly.
The solution is that there is some validation of alternative OS vendors, e.g. in the form of an audit, and that banks are required to approve apps on their platforms after the audit. This would be fairly straightforward tech-wise, because e.g. GrapheneOS supports remote attestation, but banking apps need to add/allow the hashes of the official boot keys: https://grapheneos.org/articles/attestation-compatibility-gu...
Needing to use a verified boot chain with keys that the bank trusts is essentially the same as using the authenticator device from said bank, except this one costs 100€ or more, has a microphone and camera built in, and you use it for private messages as well. That's not a future I want to live in
We have secure hardware already, it's called a smartcard and is what you find in all bank cards, SIM cards, authenticator devices... my phone is my phone, not a second factor, or at least I (as a hacker/tinkerer) don't want it to be that way, just like with my desktop which is also not the bank's to mandate whatever from
Somehow they got the memo for devices where it is normal to have admin permissions, but for mobile devices the two big tech companies successfully scaremongered non-techies
Needing to use a verified boot chain with keys that the bank trusts is essentially the same as using the authenticator device from said bank,
It's not, because even though the authenticator is secure, you are entering the auth codes in a browser in general purpose desktop OS with (if you use Windows or desktop Linux) little to no sandboxing outside the browser. You are one malware app (or NodeJS package for tech users who claim they'll never download malware) for your session getting hijacked.
The sad reality is that phones (and some tablets) are the only relatively secure computing environments that we have. Thanks to Windows with it decades of piled up legacy and Linux with large sandbox and secure boot-hating parts of its community, we cannot have nice things.
(The part about the Linux community, which I'm also part of is a generalization, but the hostility against Flatpak, secure boot, etc. is pretty big.)
That seems wrong. If malware can fake what the authenticator shows me, the authenticator is broken!
It doesn't matter what device relays the code I typed over or otherwise transmits the approval through untrusted networks to the server
> The sad reality is that phones (and some tablets) are the only relatively secure computing environments that we have
My bank('s authenticator hardware) begs to differ
That seems wrong. If malware can fake what the authenticator shows me, the authenticator is broken!
That's not what I am saying. The authenticator is irrelavant to this attack. If your machine is compromised by malware, the malware could take over the browser session, regardless of how you log in.
Phones are better protected against persistent malware because every application is sandboxed (harder to escalate) and much more of the boot chain/OS is validated (harder to persist).
> It's mind boggingly stupid that they lock down apps like this, when you can just open the thing in a website anyway. I can use my bank on some linux distro, crazy that they trust me since it is not Windows - the truly secure OS!
I'm worried the day will come when some sites will require, even on a computer, a full-chain verification from the bootloader to the OS, all the way down to the browser. By requiring that each of these elements be digitally signed so that if you're not on a "secure" platform, from the bootloader to the browser, sites such as home banking could restrict access. Imagine not being able to login to your home banking because your linux box is rooted.
Btw, the good old days of modding are gone...
> I can use my bank on some linux distro, crazy that they trust me
enjoy it while it lasts. hardware attestation requirement for (at least) banking apps is a question of 'when', not 'if'.
I hope this isn't going to be the case universally. If my bank cuts off my access from my browser-on-linux setup, then I'm finding an alternative bank (hopefully some will always exist), which I don't say lightly since I've been with my current bank since I was old enough to have a bank account.
You'll quickly find out - as people are finding out in EU nowadays - that *no* bank will go through the trouble of fighting checklist security auditors to keep your linuxes working.
Wait till you find out that your prefered Linux bank won't have the same mortgage terms as you'd like and you'll be running to buy a Google/Apple phone to get those % down.
My bank has always had hardware attestation, but it was their hardware that was being attested. Customers get it loaned when signing up
I have no problem with a device that they trust being used for transaction approval, but that device shouldn't also be the device I use for my daily life and do all sorts of private things on. We should want to be able to inspect that one
I agree completely, except looking at my 2fa app I'd need 20 physical tokens, so we actually need a super-duper-yubikey
Yeah, I should have pursued the idea ten years ago of making a usable 2fa hardware device (that confirms what you're authenticating and an attacker can't simply pull auth codes for whatever they want)
Still, I'm plenty okay with my phone as a second factor for my laptop and vice versa for nearly all services. The rest is about tying things to a government identity (bank cares only if it's me who's authorising the transaction; government cares only if it's me who's requesting a student loan) and can be done with the chip that's already in my identity document and a single 20€ nfc chip reader or by using a phone as nfc reader
- [deleted]
It sorely needs to break free from the lackluster Pixel hardware. The OEM announcement can't come soon enough (and I hope it's Motorola).
Same with Lineage OS, may daughter has an old Samsung with Lineage on it and the Wallet app doesn't work because the phone's been rooted.
You're doomed to this issue with old phones in general.
Even un-modified you'll then be stuck with an old version of Android that doesn't support the latest versions of apps and the old versions of apps won't work properly.
It's really a shame because a lot of old phones work perfectly fine otherwise.
Generally Lineage is the latest. Unfortunately, there are other issues (such as the blobs that Lineage needs drifting out of date, and it's usually suggested that you'll should backup and then wipe to upgrade to the next major release, etc.)
Wallet app is still impossible to get working, but there’s been some development recently: https://github.com/microg/GmsCore/issues/361
Some other apps are often willing to accept my current setup (Lineage for microG [0], plus Magisk, if you don’t need root – Magisk Hide does some magic I don’t really understand, but even without Play Integrity passing, apps just start working).
With more tweaks, you might be able to get Play Integrity to work to some extent, but it’s hit or miss. I’ve just stopped using apps that demand it.
> BankID works but not with biometric login
Do you use any authenticator apps such as Okta? My org requires biometrics when using Okta on my phone.
I use microsoft authenticator, in its own work profile for work. I also use fingerprint login for Nordea, the Proton Suite, my personal 2fa program. Biometric works great on the Pixel 9A, at least, and it was fine on the 8 Pro when I had it.
The BankID thing is a SW quirk on their end, but generic fingerprint seems works great across the ecosystem.
I have a few features that I need that I'm not sure if Graphene supports. If you could check that would help!
Can you record phone calls? Do third party voice recorders continue recording even when the screen is locked? Thank you!
Yes to both.
Thank you!
[flagged]