What is the best way to install and use a banking app on Graphene OS?

Flipper

I'm a bit confused what to do when it comes to installing and using banking apps. I prefer to not use anything from Google if I can help it. Which of the following should I do?
1) Use Aurora Store. It doesn't use Google Play services but instead Micro-G as far as I know.
2) Use another Graphene OS profile and download the app from the Google Play Store.
3) Manually install an apk file and update every now and then by manually installing an apk of a newer version when released.
4) Something else.

Regarding option #2. Will you get notifications an your main Graphene OS profile if you installed a banking app on another profile via the play store? For instance, a notification that you've just received some funds. Or do you have to switch to the other (secondary) profile for that?

P.S.
I don't actually have Graphene OS just yet but I'm planning on getting it this week.
I did check if the banking app I plan on using should work to begin with here:
https://github.com/PrivSec-dev/banking-apps-compat-report/issues/182
https://github.com/PrivSec-dev/banking-apps-compat-report/issues/812

Thanks in advance for your replies .

NoahRaketic

Flipper You should use the official Play Store to install the app. Aurora has severe security issues and should not be used, and all APK hosting sites are very unsafe.

Flipper Regarding option #2. Will you get notifications an your main Graphene OS profile if you installed a banking app on another profile via the play store?

You can--only if the profile is unlocked, running in the background, and you have notification forwarding enabled.

In all honesty, your best option will likely be to simply install the Play Store in your owner profile. The only difference between that and running it in the background in a secondary user profile is that it can see a list of installed apps and can communicate with mutually-consenting apps. You can use a profile, but it significantly complicates your setup for very little privacy benefit.

Chipper

Flipper why not just do your banking in the browser?

maybefunke

Flipper Have you considered using a browser for online banking and avoiding an app altogether?

schwim

NoahRaketic Aurora has severe security issues and should not be used

Without derailing his thread too terribly, could you expand a bit on this statement?

userofgos

NoahRaketic In all honesty, your best option will likely be to simply install the Play Store in your owner profile.

Or Private Space, that's what I do for banking apps, works great.

Flipper

NoahRaketic
What if I'm prepared to give up on notifications for bank apps? Would it then be better to use these apps on another profile? I don't use any other apps that I can normally get through F-Droid or Accrescent. I really would like to avoid the Google Play Store if I can help it.

NoahRaketic

schwim Sure. Aurora does not verify Play Store apps' signatures, so you're using Trust On First Use (TOFU) installation. There is no guarantee whatsoever that the APK hasn't been tampered with. App stores like Accrescent and the Play Store avoid TOFU by verifying certificates on install. This issue can be avoided if you verify the app's certificate hash using AppVerifier, but you still run into the issue of getting that hash from a trustworthy source (the official Play Store itself).

Additionally, most users will use an "anonymous" account, which is shared between many users. The issue here is that Google often rate-limits and blocks these accounts. This means you won't be able to consistently get background updates, even if you do configure them in Aurora.

Aurora can also grab outdated versions of apps, as well as incorrect builds.

It also does not avoid Google tracking. Apps that include proprietary Google libraries can give Google exactly the same access that Play Services would have, regardless of whether Play Services are installed. Aurora itself sends a large amount of data to Google, including a full list of apps unless the user manually blacklists the non- Play Store apps that are installed.

schweizer

NoahRaketic It also does not avoid Google tracking. Apps that include proprietary Google libraries can give Google exactly the same access that Play Services would have, regardless of whether Play Services are installed.

This is not true. Yes, apps can contain google libraries. But this code is only executed when the app is running. And not all google libraries are privacy nightmares. Play Services on the other hand are running constantly and they are a tracking feature by design. I think this is a huge difference.

I'd vote for 4). You can install your banking app with Aurora in the main profile. Then you create a secondary account with Playstore. You install/update the app again in secondary profile from Playstore. This way you also get certificate pinning and Playprotect. Only then start using the banking app in owner. Future updates run through PlayStore. But you decide how often you check for updates by logging in to secondary profile. You can disable or uninstall Aurora thereafter.

Johnnyloans

Flipper

Private space is convenient for google apps. (Private space is a separate profile)

you could test your app's functionality with google play store and google services disabled--no more google.

Flipper

Johnnyloans

you could test your app's functionality with google play store and google services disabled--no more google.

On some cheap samsung device that I no longer have I tried it with Aurora Store a couple months ago and both of my banking apps worked fine and also updated properly. However Google Play Services were enabled.
If apps are installed through the Aurora Store does that mean that the apps will use MicroG or may they still use Google Play Services when the app runs?

edent

I use several banking apps (albeit from Google Play). There are three main things to be aware of:

Bank apps often require updates. I've opened my banking app and it has demanded to be updated before I can use it. Make sure you can reliably and quickly get updates.
If you rely on notifications (for example, transactions, MFA, fraud alerts) you need the app on your main profile. Private spaces won't run apps in the background. Secondary profiles will - but the profile can be shut down without you being notified.
Some apps will rely on Google services. Not just for attestation / integrity. But for push notifications etc. You can usually log in to their mobile website just fine - but you won't get push notifications or biometric login.

I wrote about the issues in more details at https://shkspr.mobi/blog/2024/12/whats-the-best-way-to-protect-banking-apps-on-android/

userofgos

edent Private spaces won't run apps in the background.

Not entirely true, you can allow Private Space apps to run in the background by going to Settings > Security and privacy > Private Space > Lock private space automatically >

Set to 5 minutes after screen timeout
Only after device restarts

Flipper

edent
Thanks for sharing the article. It's definitely informative for someone like me who doesn't know that much about Android.
Still, like the title of the article suggests, I believe it focusses more on security rather than privacy which is my biggest concern here. I suppose I could've been more clear on that.

I've read the part: "Which is right for me?" but I miss the motivation for privacy purposes.
So... for the sake of privacy. Which kind of profile would be best for me?
I guess I can leave the convenience of having notifications on the main profile if that would make the entire device more private.
At the moment I'm leaning towards this setup:

Either using a work profile or private profile, installing bank apps over there and nothing else.
Disable Google Play Services on the profile where I would like to use banking apps.
Installing and updating banking apps using Aurora Store.
If that doesn't work then delete everything on that profile, have Google Play Services enabled on that profile and try again.

I don't keep much money on these accounts so I can live with certain security risks but I do worry about the restrictions on sideloading that seems to be coming which could undermine the use the Aurora Store.

Johnnyloans

edent If you rely on notifications (for example, transactions, MFA, fraud alerts) you need the app on your main profile. Private spaces won't run apps in the background.

@Flipper

This quote above is incorrect. I have messaging apps in my private space with google play services. I won't look at any private space apps for hours and still get notifications.

Flipper but I miss the motivation for privacy purposes.
So... for the sake of privacy. Which kind of profile would be best for me?

Check this out:
https://www.privacyguides.org/en/basics/threat-modeling/

It'll ask you questions like: is the government after you? Do you just want the big tech giants to have a bit less info on you?

It sounds like you have a low threat model:

Flipper I don't keep much money on these accounts so I can live with certain security risks

If your apps run fine with aurora store--and no google play services--okay. I prefer the owner profile + private space approach. Switching between profiles is slow (adds 10s or so when performing a task and then going back to owner)

Use 2fa (2 factor authentication) where possible for account security

Johnnyloans

Flipper If apps are installed through the Aurora Store does that mean that the apps will use MicroG or may they still use Google Play Services when the app runs?

The app will attempt to use either, whatever you have installed. Don't install microg and google play services onto the same phone

schklom

You can always install and update all apps from a Play Store-enabled profile (2^ndary / Work / Private), and actually use banking apps in your main profile. That way, you get app updates without having Play Store on your main account.

But you won't get notifications for most (likely all) banking apps without Play Services with battery optimisation disabled.

edent

Flipper Private from who?

Your bank has already done KYC and knows who you are. They know what, where, and when you spend money.

Google will know that you have XYZ bank app installed, but won't know your balance. Is that too privacy invasive for you? What harm are you trying to prevent?

Flipper

edent
You should actually see it this way. Some people like to give their house key to the neighbors out of convenience, but not everyone. By default, I prefer security over convenience. I don't trust big companies, as they have an insatiable appetite for data, while at the same time there is no real legitimate interest in collecting that data. In fact, they can write all kinds of nonsense in a privacy policy or conveniently omit things and deliberately use vague terms.

Datasapiens

banking app's NFC doesn't work if app is in private space. Phone settings just won't allow to select the banking app

dabvi6e1

Datasapiens

Maybe not in private space, but NFC works in the work profile (using Shelter).

Though, your banking app will need to have its own NFC payment system and not rely on Google Pay (which isn't supported on GrapheneOS). I have heard that CurvePay should work on GrapheneOS, and will eventually look into it.

Datasapiens

dabvi6e1 I'll try installing shelter and island or other special profile to test out.
on private space, I go to bank app, go to settings to turn nfc payment and through there I access the phone nfc setting where is to select my bank as a nfc 'operator'. I select it. Then I go back one step and see it is not being selected. It gives me selection and everything, but it won't keep my selection.

Datasapiens

Datasapiens update.

Work profile won't allow to toggle the nfc as well.
So, now I have two same banking apps - one in owner profile for nfc payments, one in private space with playservices for notifications.
😆
Phuckin circus

dabvi6e1

Datasapiens I just realized something - if you used Shelter to set up your work profile, there is an option there specifically for the purpose of enabling NFC payments in the work profile. That's why I thought it would work, but I forgot it was a Shelter feature and not a default one :)

I know you have already found a setup that works for you, but this may help other Google searchers :)