Revolut mobile finance - not supported on devices with custom firmware problem

jem

I was considering becoming client of Revolut, but I've discarded it after reading this info.

GrapheneOS

Our next release successfully works around their ban on using GrapheneOS.

We've changed ro.build.host and ro.build.user (the build hostname and username) from grapheneos to other values. Nearly any other values work for those fields. Likely the only ones that are banned are ones consistently used by other aftermarket operating systems at least if they set them to a constant value as we do for reproducible builds. We chose to set them to android-user and r-0123456789abcdef-0123 to match the format currently used for the stock Pixel OS builds, which is specific to Google's build syste, and has changed multiple times over the years. Other devices do it differently. We don't expect any more issues from those.

Revolt also bans having ro.boot.verifiedbootstate set to yellow indicating using an aftermarket OS with the device locked and verified boot enabled. For some reason, they do permit ro.boot.verifiedbootstate being orange which means an unlocked device likely running a modified or aftermarket OS without security intact since at the very least verified boot and attestation are disabled, but likely much more security is lost too. They also don't use their checks on a userdebug build. To handle this, we're using standard infrastructure for setting compatibility values for properties for apps, which we've limited to user installed apps. In the future, we can also use this to match the stock OS build number, build hostname and other values if it ever proves necessary. We could do that proactively before we find apps banning GrapheneOS based on it in case some exist, but they probably don't so we probably won't do it without a known app requiring it.

It's incredibly strange that Revolut does this kind of nonsense. It's not clear what they're trying to achieve beyond harming GrapheneOS users. They haven't banned having a highly insecure device with no patches for 10 years and haven't even banned having the device unlocked with any aftermarket OS on it. They specifically banned having the device locked with an aftermarket OS or specifically having GrapheneOS. They also specifically banned several other aftermarket operating systems including LineageOS but those don't preserve the standard security model or set an honest security patch level so at least that could be weakly justified. Even that doesn't hold up to scrutiny when they permit a stock OS with no patches for 10 years and clearly unlocked devices. It's a complete joke.

cdflasdkesalkjfkdfkjsdajfd

GrapheneOS Do you think this will be a solution in the medium term or will it be a cat and dog game from now with Revolut?

Magic

GrapheneOS If I have a Pixel 5, could I implement this part of the update on my own without affecting the security of my device?

Alessandro876

GrapheneOS hi, can this solution also apply to other roms other than grapheneos?

Satrustegui

GrapheneOS

What are the chances of getting this workaround releases to older devices? I got a Pixel 4a screwed by the whole battery fiasco they organized.

Thank you!

GrapheneOS

cdflasdkesalkjfkdfkjsdajfd Revolut doesn't have an understanding of what they're doing. It's the closed source third party libraries they use which are banning GrapheneOS. It's possible Revolut will start using the Play Integrity API device or strong integrity level which will end compatibility with GrapheneOS unless they implement https://grapheneos.org/articles/attestation-compatibility-guide. Don't stop leaving 1 star reviews and making support requests just because we ship a workaround. Keep doing it because their intention is still to ban GrapheneOS until this is removed.

Franco

Just assumptions, but I suspect that Revolut isn't purposely ignoring the complaints from GrapheneOS users; rather, they seem to be deferring these issues to avoid addressing them. They likely need someone within the company to take a broader look at the situation and grasp what’s really going on, but they may be reluctant to invest the time needed for that, so they just push back the easy way by ignoring or saying that they don't support GrapheneOS.

cdflasdkesalkjfkdfkjsdajfd

You are wrong. In particular, I made a formal written complaint, which is a mandatory requirement for filing a complaint with the regulator, and the response was (explicitly) that GrapheneOS did not meet their security standards and that they had no intention of supporting it in the future ("no hay planes para introducir soporte para GrapheneOS, tanto como el hecho de que las decisiones sobre los sistemas operativos compatibles está relacionado con la seguridad.")

Franco

cdflasdkesalkjfkdfkjsdajfd
In that case, indeed that's even worst.
I was having this assumption because I had the impression that they don't really know what they are doing

GrapheneOS

cdflasdkesalkjfkdfkjsdajfd It doesn't make any sense and is a generic response they're giving about aftermarket operating systems to pretend they care about security. In reality, they permit devices with no security patches for 10 years. Forbidding GrapheneOS is forbidding using an OS far more secure than anything they permit. Their device checks this are done in an incredibly ridiculous way and we've solved the problem for our next release. They permit an unlocked device running a malicious OS as long as it doesn't have the build username set to grapheneos. It's a complete joke.

GrapheneOS

Franco They do not know what they're doing. Their response is a generic one they came up with about aftermarket operating systems. They do not really understand what GrapheneOS is and it's only being banned via closed source libraries they didn't write but just bundled into their app. They're super low quality libraries doing things in an incredibly insecure and ridiculous way. Revolut is not a secure or well written app.

grapheneos-enthusiast

AlphaElwedritsch If it was obvious people would understand at first glance and nobody would make any question...

pommede

thanks a lot for all the work here !
i've got revolut, now for 10 years and it's always a pain in the a**
and NO it's not the security they care about....proof here..because grapheneos is the most secure OS i know.
That's the problem for revolut (and other)..they want to track every movement and the way of life ...and with grapheneos, they can't...and less secure is the OS, better it is..(super for them, the10 years android without security patches :-))
sorry for my poor english..

fid02

AlphaElwedritsch How many times do you want to go around in circles with the same old statements? It doesn't get better just because you keep repeating it...,😂🤣

Not all users read every post, tweet, toot, etc. of the GrapheneOS project. That's clear from reading recent posts on this thread. (Completely understandable that not many people want to read through 350 posts).
Makes sense to clarify the subject in case users are not up to date.

golbinex

@GrapheneOS Did you consider organizing a campaign to stop discriminating custom OS users similar to https://www.stopkillinggames.com/ ?
In EU it could get attention and in case of it getting successfully implemented in EU law it would force banks and other app developers to tolerate GrapheneOS.

GrapheneOS

golbinex It's not the same situation as operating systems which do greatly roll back security and don't offer a way to verify through hardware attestation. They still shouldn't be banning people using an aftermarket OS rolling back security compared to AOSP if they're going to be allowing an OS with no security patches for 10 years. They wrongly believe licensing Google Play at some point in the past somehow makes it secure even without security patches. It doesn't make sense.

Magic

Alessandro876 I think so, I saw the same fix in lineageOS and other one that I don't remember. so I suppose that will work for most of them.

Alessandro876

Magic ok thanks, im on risingos

GrapheneOS

AlphaElwedritsch Why are you being nasty towards us?

Magic

I have a Pixel 5, so my phone no longer receives updates. But I’m wondering if I can do it myself. I’ve been researching, and it seems I need to unlock the bootloader and get root access. My question is: Can I unlock and relock the bootloader without losing my phone’s data safely? And can I root and unroot my phone without compromising security?

Thank you very much!

AlphaElwedritsch

Magic Can I unlock and relock the bootloader without losing my phone’s data

Definitely not

fid02

Magic I’ve been researching, and it seems I need to unlock the bootloader and get root access.

Which research? This sounds strange. Doesn't sound like the research knows what it's talking about.

If the fix isn't released for the Pixel 5, you will need to modify the GrapheneOS code and build it yourself.

Magic Can I unlock and relock the bootloader without losing my phone’s data safely?

https://discuss.grapheneos.org/d/19396-need-to-root-temporarily-for-data-recovery/11

« Previous Page Next Page »