Revolut mobile finance - not supported on devices with custom firmware problem

If anybody's in the Netherlands, this is what I got when complaining to the consumer agency here in the Netherlands about Revolut pulling the same shit:

Translated

Thank you for your message. In it, you write that with an Android phone, you can only use Revolut through Google. You want to know if this is allowed. Your question unfortunately falls outside our area of expertise. As a result, we do not have the right knowledge to help you further. We expect you to contact the Dutch Central Bank or the Netherlands Authority for the Financial Markets.

About De Nederlandsche Bank (DNB)
DNB is the central bank of the Netherlands. It oversees a safe and reliable payment system. And is the only bank responsible for issuing banknotes. Go to DNB's website for more information and contact.

About the Netherlands Authority for the Financial Markets (AFM)
The AFM supervises the behaviour of financial institutions on behalf of the government. And on the products they offer. The AFM makes sure they give you clear and honest information about their products and services. If companies do not comply with the law, the AFM can fine companies. Go to the AFM's website for more information and contact.

Translated with DeepL.com (free version)

Original

Dank voor uw bericht. Hierin schrijft u dat u met een Android telefoon alleen gebruik kan maken van Revolut via Google. U wilt weten of dit mag. Uw vraag valt helaas buiten ons werkgebied. Wij hebben daardoor niet de juiste kennis in huis om u verder te helpen. Wij verwachten dat u bij de Nederlandsche Bank of de Autoriteit Financiële Markten terechtkunt.

Over De Nederlandsche Bank (DNB)
DNB is de centrale bank van Nederland. Zij ziet toe op een veilig en betrouwbaar betalingsverkeer. En is als enige bank verantwoordelijk voor het uitgeven van bankbiljetten. Ga naar de website van DNB voor meer informatie en contact.

Over de Autoriteit Financiële Markten (AFM)
De AFM houdt voor de overheid toezicht op het gedrag van financiële instellingen. En op de producten die zij aanbieden. De AFM let er op dat zij u duidelijke en eerlijke informatie geven over hun producten en diensten. Als bedrijven zich niet houden aan de wet, dan kan de AFM bedrijven een boete geven. Ga naar de website van de AFM voor meer informatie en contact.

I will be writing to those agencies linked there and if you're in the Netherlands, please do too. If you're in the EU, you can contact your European Consumer Center and they can help you find the right person/organisation to contact.

Let's not get steam-rolled by this.

GrapheneOS Is there any chance to push that temporary fix to Pixel 5a. At least I got the impression this is something I can't simply set by myself. The reason for this request is that I just don't wanna deal with their support in order to transfer out the money I still have on my account.

Strappazzon thank you but that's exactly the feature I was referring too (sorry that I didn't make it explicit). the app already worked except such feature.

Also the new OS release is not yet available so it's early to test

traveller

From Mastodon:

https://docs.seon.io/ is one of them. We don't know all of them or which one is directly responsible for specifically banning GrapheneOS but it's a high chance it's that one.

https://grapheneos.social/@GrapheneOS/113869616034352093

Also

It appears to be used to ban using any aftermarket OS in a very poorly done way but we think it's https://www.appsflyer.com/ that's specifically banning GrapheneOS since it's what's getting passed ro.build.user which they seem to check for it being grapheneos. We've worked around all of it for now but Revolut is likely going to adopt more of this nonsense including the Play Integrity API. [...]

https://grapheneos.social/@GrapheneOS/113874889796086832

Revolut doesn't run these checks in a userdebug build of the OS. That's potentially why people found it works on certain other operating systems.

GrapheneOS Revolut doesn't run these checks in a userdebug build of the OS.

That is definitely a novel security approach! 🤔🙃

MasterOne
You can use Wise for fx and international transactions, Trading 212 for stocks, tastytrade if you need options and other derivatives, and Kraken for crypto. Each better than Revolut's mediocre offering.

I was considering becoming client of Revolut, but I've discarded it after reading this info.

Our next release successfully works around their ban on using GrapheneOS.

We've changed ro.build.host and ro.build.user (the build hostname and username) from grapheneos to other values. Nearly any other values work for those fields. Likely the only ones that are banned are ones consistently used by other aftermarket operating systems at least if they set them to a constant value as we do for reproducible builds. We chose to set them to android-user and r-0123456789abcdef-0123 to match the format currently used for the stock Pixel OS builds, which is specific to Google's build syste, and has changed multiple times over the years. Other devices do it differently. We don't expect any more issues from those.

Revolt also bans having ro.boot.verifiedbootstate set to yellow indicating using an aftermarket OS with the device locked and verified boot enabled. For some reason, they do permit ro.boot.verifiedbootstate being orange which means an unlocked device likely running a modified or aftermarket OS without security intact since at the very least verified boot and attestation are disabled, but likely much more security is lost too. They also don't use their checks on a userdebug build. To handle this, we're using standard infrastructure for setting compatibility values for properties for apps, which we've limited to user installed apps. In the future, we can also use this to match the stock OS build number, build hostname and other values if it ever proves necessary. We could do that proactively before we find apps banning GrapheneOS based on it in case some exist, but they probably don't so we probably won't do it without a known app requiring it.

It's incredibly strange that Revolut does this kind of nonsense. It's not clear what they're trying to achieve beyond harming GrapheneOS users. They haven't banned having a highly insecure device with no patches for 10 years and haven't even banned having the device unlocked with any aftermarket OS on it. They specifically banned having the device locked with an aftermarket OS or specifically having GrapheneOS. They also specifically banned several other aftermarket operating systems including LineageOS but those don't preserve the standard security model or set an honest security patch level so at least that could be weakly justified. Even that doesn't hold up to scrutiny when they permit a stock OS with no patches for 10 years and clearly unlocked devices. It's a complete joke.

cdflasdkesalkjfkdfkjsdajfd Revolut doesn't have an understanding of what they're doing. It's the closed source third party libraries they use which are banning GrapheneOS. It's possible Revolut will start using the Play Integrity API device or strong integrity level which will end compatibility with GrapheneOS unless they implement https://grapheneos.org/articles/attestation-compatibility-guide. Don't stop leaving 1 star reviews and making support requests just because we ship a workaround. Keep doing it because their intention is still to ban GrapheneOS until this is removed.

You are wrong. In particular, I made a formal written complaint, which is a mandatory requirement for filing a complaint with the regulator, and the response was (explicitly) that GrapheneOS did not meet their security standards and that they had no intention of supporting it in the future ("no hay planes para introducir soporte para GrapheneOS, tanto como el hecho de que las decisiones sobre los sistemas operativos compatibles está relacionado con la seguridad.")

GrapheneOS If I have a Pixel 5, could I implement this part of the update on my own without affecting the security of my device?

cdflasdkesalkjfkdfkjsdajfd It doesn't make any sense and is a generic response they're giving about aftermarket operating systems to pretend they care about security. In reality, they permit devices with no security patches for 10 years. Forbidding GrapheneOS is forbidding using an OS far more secure than anything they permit. Their device checks this are done in an incredibly ridiculous way and we've solved the problem for our next release. They permit an unlocked device running a malicious OS as long as it doesn't have the build username set to grapheneos. It's a complete joke.

Franco They do not know what they're doing. Their response is a generic one they came up with about aftermarket operating systems. They do not really understand what GrapheneOS is and it's only being banned via closed source libraries they didn't write but just bundled into their app. They're super low quality libraries doing things in an incredibly insecure and ridiculous way. Revolut is not a secure or well written app.

AlphaElwedritsch If it was obvious people would understand at first glance and nobody would make any question...

thanks a lot for all the work here !
i've got revolut, now for 10 years and it's always a pain in the a**
and NO it's not the security they care about....proof here..because grapheneos is the most secure OS i know.
That's the problem for revolut (and other)..they want to track every movement and the way of life ...and with grapheneos, they can't...and less secure is the OS, better it is..(super for them, the10 years android without security patches :-))
sorry for my poor english..