Are security concerns with banking apps and GrapheneOS unjustified?

CAD

Dear community,

I am new to the forum and the GrapheneOS world, and I am definitely NOT a technical expert (software/hardware)—so I apologize in advance for what may seem like a stupid question :)

I want to gradually move away from Google Android and other operating systems from big tech companies, and I place a lot of importance on privacy, security, and data protection.

This is where I'm at: I've already installed GrapheneOS on an old Pixel 6a and have been looking into the conditions a bit over the last few days.

There is one point I am still a little unsure about, and that is the banking apps on GrapheneOS, which have already been discussed at length. In my opinion, banking applications and access data are extremely sensitive – especially when you generate TANs and do your banking on one device. I assume that the major app stores, such as the Apple Store and Google Play Store, check the apps of banks as publishers before users can download them. This ensures that no malware is contained in the applications.

Now I understand that GrapheneOS can also integrate the Google Play Store (mirror) & Services.
But how is the authenticity (integrity) of the apps from the mirrored PlayStore technically ensured? Or is it the real/authentic Google PlayStore? (Explain it to me like I'm 5 :) )
Does it make more sense to obtain sensitive apps via a sandboxed Play Store or via store alternatives such as AuroraStore?
Side question: How useful is TAN generation and banking on separate sandboxes within Graphene? Does this result in a security-related advantage or is it just more cumbersome?

ryrona

CAD Or is it the real/authentic Google PlayStore? (Explain it to me like I'm 5 :) )

Yes, it is. If you install Google Play Store from the App Store app preinstalled on GrapheneOS, it is the official version of Google Play as released by Google, signed by Google.

So, if you install a banking app from it, you have the same assurances as if you installed the same banking app from Google Play on any other phone.

CAD Does it make more sense to obtain sensitive apps via a sandboxed Play Store or via store alternatives such as AuroraStore?

Definitely from Google Play. That is the authoritative source for these apps.

If you download them from somewhere else, you are on your own.

Delaney

CAD I assume that the major app stores, such as the Apple Store and Google Play Store, check the apps of banks as publishers before users can download them.

There are checks in place to ensure the app is genuine. This is true for any app hosted on the Play Store.

CAD But how is the authenticity (integrity) of the apps from the mirrored PlayStore technically ensured? Or is it the real/authentic Google PlayStore?

It's the real/authentic Play Store.

CAD Does it make more sense to obtain sensitive apps via a sandboxed Play Store or via store alternatives such as AuroraStore?

If security is your top concern, you should use Sandboxed Google Play and avoid using the Aurora store.

CAD Side question: How useful is TAN generation and banking on separate sandboxes within Graphene?

There's only one sandbox. You seem to be confusing the purpose of profiles with sandboxing. They achieve different goals.

CAD Does this result in a security-related advantage or is it just more cumbersome?

Probably more cumbersome for your use case.

secrec

CAD I assume that the major app stores, such as the Apple Store and Google Play Store, check the apps of banks as publishers before users can download them.

Nope.

Tandara

Hi there!
What do you mean by Play Store mirror? The Play Store on GOS is just a sandboxed version of the original Play Store.

Regarding banking apps, the majority of them check the installation source and won't allow you to log in unless downloaded directly from Play Store. If say you downloaded it from Aurora, it would ask you to download the official version from Play Store.

For profiles, it's recommended to separate them by identities and levels of privacy. It's for you to decide how to approach profile feature (most just go with owner and put sensitive apps in Private Space)

Delaney

Tandara What do you mean by Play Store mirror? The Play Store on GOS is just a sandboxed version of the original Play Store.

I think they confused the term as described on the app store, which lists the apps as "Google (mirror)".

CAD

Tandara
Hi and thanks for the quick reply...

If I open the (GOS) App Store from a fresh installes Phone I can scroll until I can choose "Google Play Store"... in the 2nd line it says Google (mirror) - so I (wrongly?) assumed it is not the Google-official Store but rather a duplicate, maintained and provided by a 3rd party...

To your 2nd comment on banking apps checking the installation source: Do you know how this check is performed? Are information of the installation transmitted to the bank to check that the app is not compromised?
Is there a way to check if my specific bank does this safety check other than trying to install it from aurora and see if there is a error msg? :)

Kind regards :)

Tandara

CAD No problem!
Don't worry about the 'mirror'. It implies that it's mirrored (provided) from Google.

The only way is to install via Aurora and check if it works. From my understanding, the OS flags the installation source for each app to track their updates, versioning, and other stuff. App developers simply check that string. You can find it in Settings under specific app.

Installing via Play Store is a recommended way, though I use Aurora (don't use G account). If using Aurora, make sure to check app fingerprints with App Verifier.

gta3

Ofc they are unjustified, banks and the big corps are a racket and in it together, They ary trying to protect each other interests, so they try hard to block grapeheneOS anti survrillance efforts.

Curious

What arguments and proves to give to a person who is actually scared to go full GOS due to the fact that they are concerned about sensitivity of those apps and GOS not being "official" OS in mainstream sense?

DeletedUser495

Curious from what I read you just want your app to work, I have no remorse for you. It takes me roughly one minute to sign in into my web banking. It works just fine!

Lucario1829

Curious graphene is more secure than whatever mobile os theyre currently using, and if you download the app from the play store youre getting the same app as anyone else

MetropleX

secrec Yes they are unjustified, yes they're absolving themselves of security responsibilities by enabling anything Google claims is a security feature.

The fact that a GMS licensed device running years old Android versions can be considered to be passing Play Integrity at the highest level while locking out GrapheneOS from using these apps and services where we are up to date, maintain the current security patch level as a minimum as well as providing advance protection from future bulletins delayed on GMS licensed devices because OEMs pay them to do so placating OEMs who focus more on aesthetics than security. These banking services also play along because they need to ensure broadest use of their services.

There is already a preexisting open alternative to Play Integrity API in the Hardware Attestation API however, all of these banks could just as easily add this to their apps to whitelist actually secure OS like GrapheneOS. This though would require some actual developer attention not just simply toggling on a feature in the SDK and environment they build their app.

Play Integrity is nothing more than a market protection mechanic being sold under the guise of security. The only thing it secures is Googles control on the ecosystem.