• General (Solved)
  • [admin: misinformation about SafetyNet Attestation API deprecation]

5rlyn You are assuming every single application is going to stop working, or at least a lot of them

Banking may become an issue, but you can still login through the website, Ticketmaster has its website as well.

"Work and my graduate program expect me to have certain apps on my phone", some people don't have a cellphone (or have a dumbphone); I would recommend asking what to do in a situation like that

Discord/WhatsApp also works, I don't think they use any integrity checks anyways

The main issue is going to be apps that want a controlled env, like banking and DRM content (Netflix)

    Hmm...is that the way? GrapheneOS becomes a phone and hot spot, which an iPhone SE connects to for non-FOSS apps?

    raccoondad Banking may become an issue, but you can still login through the website

    In the EU and UK this is increasingly becoming impossible. Specific types of 2FA are legally mandated (look up PSD2) for logging in and making transactions. Some banks still offer SMS-TANs or physical TAN generators, but many others require an Android/iOS app. I have (or had recently) accounts with 10 banks and my experience was:

    • 2 give you a choice of SMS, physical card reader, and app
    • 5 give you a choice of physical card reader and app
    • 3 require the app with no opt-out
      Note that the majority of the banks require you to pay for the physical TAN generator.

    So if you're unlucky you have to either change your bank or revert back to stock Android or get a second phone just for banking.

      Elk9877 It's possible the application for the TAN generator won't use integrity checks, it's hard to know for certain.

      Regardless, many, many people simply don't own a cellphone. I imagine there is a workaround of some kind for those people.

        Elk9877 similar in the US...it wasn't impossible for me to log in to my old bank's website, but I had to go through a lot of security checks because my bank felt it was "suspicious" that I was logging in on my browser using a VPN. I actually got locked out once, which was why I ultimately switched to an app that, for now, works on GOS.

        Elk9877 Specific types of 2FA are legally mandated (look up PSD2) for logging in and making transactions.

        I'm seeing that 2FA is mandated by PSD2, but in my very quick surface level overview, it doesn't seem to specify any particular implementation. As far as I can tell, TOTP, SMS, and email verification should be permissible.

        I've seen tons of services pushing the use of a "custom authenticator" application that is just run of the mill TOTP under the hood, easily replaced with something like andOTP.

          5rlyn you are assuming that apple stuff is better than Android.

          I am not sure, this is comparing apples to bananas. On Android you can still use ADB to disable apps. I don't know, but maybe you could have a separate profile where you disable the Play stuff as well.

          You have the entire FOSS ecosystem, it's just way better than iOS.

          raccoondad

          For me I have one really shitty TAN generator that wants native code debugging and doesn't accept a VPN. I can imagine they would also use Play Integrity but never be too sure.

          I would just switch banks if they suck. Not easy, but mail account switching is also not easy.

            bookreader it doesn't seem to specify any particular implementation

            I think (from memory) that for approving transactions you cannot have a generic 2FA code but you need to somehow reference the transfer amount and recipient.

            So for example if you want to use online banking in the browser to send €125.00 to someone with an account no. ending in xxxx9876, you'd go to your app, go to "generate transaction code", enter something like 987612500, enter your password or fingerprint, then you get a 2FA code back that you enter in the online banking (and if you made a mistake when entering 987612500 your code from the app won't work). This is how it works for HSBC for example.

            Some banks have made it a bit simpler and you basically just need to open your app where you get a pop-up saying: "Please approve online payment of £125.00 to xxxx9876, enter password/fingerprint".

            But just normal TOTP is not enough, unfortunately.
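The transaction-bound code described in this post (recipient suffix plus amount typed into the generator, a code that only validates for exactly that transfer) can be modelled with a challenge-response MAC. The following is an added example, not code from the post or from any bank; it assumes an HMAC-SHA256 challenge-response with HOTP-style truncation, a per-device secret (constructed here), and a counter, none of which the post specifies for HSBC or anyone else. The `bank_verify` side recomputes the code from the transaction the bank actually sees, which is what makes a mistyped challenge, or a code reused for another recipient or amount, fail.

```python
import hmac
import hashlib
import struct

# Constructed demo secret. In a real TAN app this is provisioned to the device
# at enrolment and only unlocked after the user enters a PIN or biometric
# (the knowledge/inherence factor); the device itself is the possession factor.
DEVICE_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)

DIGITS = 8


def transaction_challenge(recipient_account: str, amount_cents: int) -> str:
    """Build the challenge the user types into the generator.

    Mirrors the scheme in the post: last four digits of the recipient
    account followed by the amount in minor units
    (xxxx9876 + EUR 125.00 -> "987612500").
    """
    suffix = recipient_account[-4:]
    if not suffix.isdigit() or amount_cents < 0:
        raise ValueError("malformed challenge input")
    return f"{suffix}{amount_cents}"


def transaction_code(secret: bytes, challenge: str, counter: int) -> str:
    """Derive a short code bound to the challenge (the transaction) and a counter.

    Assumption: HMAC-SHA256 over challenge||counter with HOTP-style dynamic
    truncation. The post does not say which algorithm the banks use.
    """
    msg = challenge.encode("ascii") + struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{truncated % 10 ** DIGITS:0{DIGITS}d}"


def bank_verify(secret: bytes, recipient_account: str, amount_cents: int,
                counter: int, submitted_code: str, window: int = 2) -> bool:
    """Server side: recompute the code from the transaction the bank sees.

    A code generated for a different amount or recipient therefore fails.
    A small counter window tolerates codes that were generated but never used.
    """
    challenge = transaction_challenge(recipient_account, amount_cents)
    for c in range(counter, counter + window + 1):
        expected = transaction_code(secret, challenge, c)
        if hmac.compare_digest(expected, submitted_code):
            return True
    return False


def demo() -> dict:
    """Walk through the flow from the post: a genuine transfer, a mistyped
    challenge, and the same code replayed against a different transaction."""
    counter = 7
    recipient, amount = "xxxx9876", 12500  # EUR 125.00 to ...9876 (constructed)
    genuine = transaction_code(
        DEVICE_SECRET, transaction_challenge(recipient, amount), counter)
    # The user mistypes the challenge in the app (987612501 instead of 987612500).
    mistyped = transaction_code(DEVICE_SECRET, "987612501", counter)
    return {
        "genuine_accepted": bank_verify(
            DEVICE_SECRET, recipient, amount, counter, genuine),
        "mistyped_rejected": not bank_verify(
            DEVICE_SECRET, recipient, amount, counter, mistyped),
        "other_recipient_rejected": not bank_verify(
            DEVICE_SECRET, "xxxx1234", amount, counter, genuine),
        "other_amount_rejected": not bank_verify(
            DEVICE_SECRET, recipient, 99900, counter, genuine),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The point the post makes, and that the example shows, is that this is not interchangeable with a generic TOTP app: the bank's verifier needs the transaction details as input, so a code from an authenticator that knows nothing about the transfer can never validate.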

            missing-root I don't know either...what I'm understanding from this though is that some apps that I need to utilize may stop working on my phone unless it runs The Real Deal Android...if that's the case, and Apple may be better from a data protection standpoint, it has to be an option on the table it feels like.
            Again, I'd prefer all FOSS...but it may not be feasible

            Elk9877 That's interesting about the EU and requirement for an Android/iOS app. I know quite a few people that use a flip phone, either because they tried a smartphone and said nope or never wanted a smartphone. Some are older, but some are in their 30s and 40s, too. Do you or anyone else know if the EU has any plans to allow people without a smartphone to bank, and if GrapheneOS users could get into that group if so?

            I'm in the States, but to me, the app requirement may be worth changing banks over, but I know that's not the case, reality, or possibility for everyone.

              andrewteg Do you or anyone else know if the EU has any plans to allow people without a smartphone to bank, and if GrapheneOS users could get into that group if so?

              I mean, it's not a legal requirement to use Android/iOS. There's no law saying banking apps can't run on Windows or GNU/Linux, I guess. And you still have the option of a physical TAN generator, just that this is something not all banks offer and often you have to pay for. If you bank with any of the new mobile-first banks like Starling, Revolut, Monzo or N26, I don't think there's a way to use them without a smartphone.

                You are considering a worst-case scenario: your bank app is still compatible with GrapheneOS. So let's wait and see. When many banking apps are no longer compatible, then the time comes to consider other options.

                Elk9877 The problem is that the PSD2 requires

                two or more of the following elements: (i) knowledge (something only the user knows, e.g. a password or a PIN); (ii) possession (something only the user possesses, e.g. the card or an authentication code generating device) and (iii) inherence (something the user is, e.g. the use of a fingerprint or voice recognition). These elements are independent (the breach of one element does not compromise the reliability of the others) and designed in such a way as to protect the confidentiality of the authentication data.

                The phone is very convenient as a proof of possession.

                Fortunately in Germany all banking apps work fine. I would never ever even think about giving up GrapheneOS because of wrong behaviour of developers. In the EU at least, integrity checks might get obsolete anyway.

                  gustl In the EU at least integrity checks might get obsolete anyway.

                  What makes you so confident? Are you sure that your banking apps don't use SafetyNet?

                  Because the EU will shut down anti-competitive behaviour step by step, especially from the gatekeepers. Just watch what will happen to Apple if they do not really comply; app store rules will be next. Fines of up to 10% of global turnover will even hurt the big guys.

                  In the worst case I will use the browser and hardware for TANs. Never will I give up GrapheneOS because of a few unnecessary apps and stupid so-called convenience. People should rewire their hardwired, brainwashed brains. Sorry, only my opinion, I do not want to offend anyone.

                  They should, but how's it going convincing others to think that way? I've been pleasantly surprised by how easy it is to get by without Google, and I'm thankful to Lineage, /e/, and Graphene for showing me I can. Doesn't change the fact that if I'm the only one in my friend circle using Signal, it's futile. Doesn't change the fact that banks will not make massive changes to their app for the minority.
                  I agree with you that FOSS is better, but you do get to a point where your phone is a brick when you make no compromises.

                  I think you cannot convince people, especially not by forcing anything on them. If someone is ready to wake up and change, it will happen. We all know ourselves that real change in life in many situations happens suddenly, due to a certain level of pain or enlightenment.

                    gustl I agree with you on the principles of the EU fighting the Californian monopolistic behaviours. Anyway, I have been quite disappointed noticing that such a major public French digital ID app as L'Identité numérique de La Poste relies on Play Integrity checks.
                    On the other hand, the French tax authority, which also relied on Play Integrity, switched to another GrapheneOS-compatible protocol, which I am grateful for!