Thanks for all the replies. Your thoughts on this also tend to go in different directions.
As so many replied I want to clarify the terms for using the bank identification app. Below they are (G)-translated into English:
Undertakings to protect BankID
BankID may only be used by the customer and shall be stored in a safe manner and under supervision, taking into account the circumstances. It shall be handled in the same way as money and other valuable documents. The customer shall take the necessary measures to protect himself against unauthorized use of BankID. For example, a mobile device, computer, card with BankID or notes on codes may not be left unattended in a hotel room, other temporary accommodation or in a vehicle, bag, jacket pocket or similar that is not under supervision.
If the mobile device has a biometric function (for example, fingerprint reading) for identification and/or signing, the customer may only activate the biometric function on a device that is used exclusively by the customer himself. The customer may not use the biometric function in a mobile device where another user has downloaded his mobile BankID or registered his biometric data.
If the customer suspects that BankID has been used without authorization, the customer must block BankID in accordance with section 8.1 and file a police report.
The customer undertakes to:
• Choose codes/passwords with care that are difficult for others to reveal. The chosen code must therefore have no connection with the customer's personal identification number, card number, telephone number or the like,
• If the customer needs to write down or store a code, do so in such a way that no one can understand that the note relates to a code for BankID,
• Do not reveal the code/password to anyone,
• Do not write down the code on, in, or near a mobile device, computer, card with BankID or other equipment used for communication with the bank,
• Keep the document with the PUK code for the card received from the bank in a safe manner,
• Destroy the document with the PIN code for the card received from the bank,
• Change the code immediately if the customer suspects that someone has been able to access it,
• Delete BankID that has been downloaded and stored in an unprotected location (for example, a public computer or a borrowed mobile device),
• Do not transfer/expose BankID on unprotected media or through unprotected communication (for example, by e-mail),
• Only use software approved by the bank when confirming identity and signing using BankID,
• Use available security devices, such as the mobile device's lock code,
• Immediately turn off the biometric function if the mobile device can or is to be used by a person other than the customer for identification and/or signing and
• Immediately request blocking of BankID if there is the slightest suspicion that someone else has become aware of your security information (password, codes or biometric data).
If the customer fails to comply with any of the above obligations, there is a risk that an unauthorized person will identify themselves as the customer or use the customer's BankID for signing.
The things I wrote in my original post regarding "not rooting the device" etc. I took from the "security and recommendations", and they are not in the actual terms that you'll have to accept when applying. The only point in this text that I feel could be risky is "• Only use software approved by the bank when confirming identity and signing using BankID", but I guess they are talking about the BankID app itself, as the bank does not provide a list of accepted OSes / devices etc.