tacobearman8 magic earth
[admin: misinformation about SafetyNet Attestation API deprecation]
I am trying Magic Earth now. So far, it is terrible and I hate it. I cannot even figure out how to start using it. I'm sure it is ok but I definitely see why people love Google or Apple when their stuff just works. I hate spending time learning something that should be intuitive, but all the Open Street Maps software I have tried so far has an equally confusing user interface.
Thanks to Overture Maps, high quality map data is being developed outside Google.
It doesn't mean that we will have great Maps/Waze alternatives soon, but it is at least a huge step towards this goal.
Resurr no, this doesn't work like that.
@matchboxbananasynergy @Carlos-Anso thanks for the clarification.
Google sucks, I hope the EU acts quickly. For that we need to get loud!
This is just ridiculous, controlling what devices and OSes the app can run on. For now, call banks or maybe use the website.
soupslurpr It makes sense for bank apps NGL, they are held responsible if something happens. Even if it's user error
They shouldn't be using an anti-competitive technology and it doesn't really result in a security benefit
soupslurpr The attestation is a form of insurance I imagine, similar to why a lot of DRM won't work on certain operating systems.
Is this a good system? No, but I understand why a bank specifically would do it. Otherwise they are risking themselves to a lot of issues
This isn't to say GOS isn't secure, but rather banks want to verify what operating system the application is running on and sadly GOS isn't on their list of acceptable OSes. Mostly because of play store integrity
Same reason google pay won't work in the states, Google wants a controlled env. or else they might be held responsible if something goes wrong
Again, I'm kind of guessing here
Are there plans (if technically possible) to spoof any software-based Play Integrity checks? Otherwise, banking apps might stop working soon, now that SafetyNet is finally dead.
Elk9877 I'd suggest reading this comment by the project account: https://discuss.grapheneos.org/d/10650-drm-provisioning-and-internet-access-pinning-why-choose-gos-servers/14
It's not possible to spoof the strong checks for a Google certified OS. The non-strong checks can be spoofed by pretending to be an obsolete device without hardware attestation, but they're cracking down on this spoofing in different ways and it's eventually going to be entirely ruled out by requiring hardware attestation across the board. It's pointless for a production OS to mess around with this. GrapheneOS needs to be something people can depend on rather than knowingly hacking around something we know is guaranteed to stop working.
In the words of Michael Scott, explain this to me like I'm five: what becomes the next best way to have a secure phone if massive amounts of apps stop working in the future?
I know I can get by just on FOSS apps. Banking would be a pain and I'd likely end up having to return to actually making physical deposits, but there's nothing I NEED that can't be replicated on F-Droid or GitHub. The problem is other people. Ticketmaster will not issue tickets that aren't tied to Google Wallet or Apple Pay. People look at me like I have 3 heads when I suggest Signal/Wire/etc instead of WhatsApp/Discord etc. Work and my graduate program expect me to have certain apps on my phone and they don't care that I have objections to certain software.
I'm starting to wonder if iPhone is the best bad option
5rlyn I'm starting to wonder if iPhone is the best bad option
Yeah, when the bankocalypse comes, I'm seriously considering buying the cheapest used iPhone with a cracked screen I can find just to use it for that. Basically treat the iPhone like one of those physical TAN generators (that you put your debit card into) that most banks used to give you, though nowadays most banks here have replaced them with mandatory apps.
5rlyn You are assuming every single application is going to stop working, or at least a lot of them
Banking may become an issue, but you can still login through the website, Ticketmaster has its website as well.
"Work and my graduate program expect me to have certain apps on my phone", some people don't have a cellphone (or a dumbphone), I would recommend asking what to do in a situation like that
Discord/WhatsApp also work, I don't think they use any integrity checks anyway
The main issue is going to be apps that want a controlled env, like banking and DRM content (Netflix)
Hmm...is that the way? GrapheneOS becomes a phone and hotspot, which an iPhone SE connects to for non-FOSS apps?
raccoondad Banking may become an issue, but you can still login through the website
In the EU and UK this is increasingly becoming impossible. Specific types of 2FA are legally mandated (look up PSD2) for logging in and making transactions. Some banks still offer SMS-TANs or physical TAN generators, but many others require an Android/iOS app. I have (or had recently) accounts with 10 banks and my experience was:
- 2 give you a choice of SMS, physical card reader, and app
- 5 give you a choice of physical card reader and app
- 3 require the app with no opt-out
Note that the majority of the banks require you to pay for the physical TAN generator.
So if you're unlucky you have to either change your bank or revert back to stock Android or get a second phone just for banking.
Elk9877 It's possible the application for the TAN generator won't use integrity checks, it's hard to know for certain.
Regardless, many, many people simply don't own a cellphone. I imagine there is a work around of some kind for those people.
Elk9877 similar in the US...it wasn't impossible for me to log in to my old bank's website, but I had to go through a lot of security checks because my bank felt it was "suspicious" that I was logging in on my browser using a VPN. I actually got locked out once, which was why I ultimately switched to an app that, for now, works on GOS.
Elk9877 Specific types of 2FA are legally mandated (look up PSD2) for logging in and making transactions.
I'm seeing that 2FA is mandated by PSD2, but in my very quick surface level overview, it doesn't seem to specify any particular implementation. As far as I can tell, TOTP, SMS, and email verification should be permissible.
I've seen tons of services pushing the use of a "custom authenticator" application that is just run of the mill TOTP under the hood, easily replaced with something like andOTP.
5rlyn you are assuming that Apple stuff is better than Android.
I am not sure, this is comparing apples to bananas. On Android you can still use ADB to disable apps. I don't know, but maybe you could have a separate profile where you disable the Play stuff as well.
You have the entire FOSS ecosystem, it's just way better than iOS.
For me I have one really shitty TAN generator that wants native code debugging and doesn't accept a VPN. I can imagine they would also use Play Integrity, but never be too sure.
I would just switch banks if they suck. Not easy, but mail account switching is also not easy.
bookreader it doesn't seem to specify any particular implementation
I think (from memory) that for approving transactions you cannot have a generic 2FA code but you need to somehow reference the transfer amount and recipient.
So for example if you want to use online banking in the browser to send €125.00 to someone with an account no. ending in xxxx9876, you'd go to your app, go to "generate transaction code", enter something like 987612500, enter your password or fingerprint, then you get a 2FA code back that you enter in the online banking (and if you made a mistake when entering 987612500 your code from the app won't work). This is how it works for HSBC for example.
Some banks have made it a bit simpler and you basically just need to open your app where you get a pop-up saying: "Please approve online payment of £125.00 to xxxx9876, enter password/fingerprint".
But just normal TOTP is not enough, unfortunately.
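As an added illustration of the transaction-bound code this post describes (example code, not the thread's own or any bank's actual algorithm): the app's response is an HMAC over a challenge built from the recipient suffix and amount, so the bank can only verify it against the exact transaction it is about to execute. The secret, challenge format, and 30-second window are assumptions.

```python
import hashlib
import hmac
import struct
import time

# Constructed shared secret, standing in for the key a bank provisions into its app at enrolment.
SHARED_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def build_challenge(recipient_last4: str, amount_cents: int) -> str:
    # Mirrors the post's example: account ending 9876 and EUR 125.00 become "987612500".
    return f"{recipient_last4}{amount_cents}"


def transaction_code(secret: bytes, challenge: str, window: int, digits: int = 8) -> str:
    # Assumed scheme: HMAC-SHA256 over the challenge plus a 30-second window counter,
    # truncated HOTP-style to a short decimal code the user can type into the website.
    msg = challenge.encode() + struct.pack(">Q", window)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def bank_verify(secret: bytes, recipient_last4: str, amount_cents: int,
                code: str, window: int, slack: int = 1) -> bool:
    # The bank recomputes the challenge from the transaction it actually received,
    # not from anything the client claims, and tolerates a little clock drift.
    challenge = build_challenge(recipient_last4, amount_cents)
    for w in range(window - slack, window + slack + 1):
        if hmac.compare_digest(transaction_code(secret, challenge, w), code):
            return True
    return False


def demo() -> tuple:
    window = int(time.time()) // 30
    # User enters 987612500 into the app and gets a code for EUR 125.00 to ...9876.
    code = transaction_code(SHARED_SECRET, build_challenge("9876", 12500), window)
    ok = bank_verify(SHARED_SECRET, "9876", 12500, code, window)
    # The same code presented for a tampered amount (EUR 1250.00) must fail.
    tampered = bank_verify(SHARED_SECRET, "9876", 125000, code, window)
    return ok, tampered
```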