Asking banking application developers to support GrapheneOS

[deleted]

There is a banking app that only supports stock OS and doesn't work on GrapheneOS.
So I want to contact them and leave a review for their app and encourage them to make the app work on GrapheneOS. But I'm not sure how should I approach them so I want to ask for some ideas here. Should I just link them to this guide by GrapheneOS?

[deleted]

I wrote an email to them. Here is what I wrote:

Hello, I want to request Smart-ID compatibility with GrapheneOS. GrapheneOS is a private and secure mobile operating system. Developed as a non-profit open-source project.

Smart-ID doesn't work on GrapheneOS because it's not Google certified even tho it has superior security and privacy over stock operating systems that come with most Android devices.

Devices launched with Android 8 or later have hardware attestation support which cannot be bypassed without leaked keys or serious vulnerabilities.

The hardware attestation feature is part of the Android Open Source Project and is fully supported by GrapheneOS. SafetyNet attestation chooses to use it to enforce using Google-certified operating systems. However, app developers can use it directly and permit other properly signed operating systems upholding the security model. GrapheneOS has a detailed guide for app developers on how to support GrapheneOS with the hardware attestation API. Direct use of the hardware attestation API provides much higher assurance than using SafetyNet so these apps have nothing to lose by using a more meaningful API and supporting a more secure OS.

Apps should support GrapheneOS rather than locking users into the stock OS without a valid security reason. GrapheneOS not only upholds the app security model but substantially reinforces it, so it cannot be justified with reasoning based on security, anti-fraud, etc. The guide on how to do so can be found here: https://grapheneos.org/articles/attestation-compatibility-guide

meiklmue

Some sort of template would be a really nice thing to have in order to contact banks and other app-developers with all needed information packed into a small mail.
Best case in different languages as well...

katemason

I was thinking to write to my bank. Thanks for the template.

[deleted]

If someone sees how this template can be improved, please do it and share it here so we can make a good template that could be used to pressure these companies to make their apps compatible with GrapheneOS.

de0u

[deleted] If someone sees how this template can be improved, please do it and share it here [...]

One thing that might help is including a list of bank apps that do work on GrapheneOS.

Eirikr70

One of my banking apps also doesn't work with GrapheneOS but their site is perfectly adapted to a mobile use, so a link on the launcher is sufficient.

[deleted]

Eirikr70 Security is a lot worse than an app, and you trust your bank a lot more.

[deleted]

[deleted] I bank with Barclays through PWA and 99% of the time it works just fine. At least I don't have to rely on an app that is available only in Play Store or the Play Store itself. What's wrong with that? Defo more secure doing it via Vanadium than running an app, let alone running it on stock OS.

[deleted]

[deleted] Every time you visit a site, you trust that it is not compromised, and there is no way for you to check that. The attacker, or even the bank itself, can literally serve you some malicious JavaScript, and if it were a bank, they could say that this was an attacker that scammed you, not them. Meanwhile, apps are signed, and you don't need to trust JavaScript or the site that you're visiting.

pdagenius

[deleted] my bank uses security codes that need to be generated from their banking app, both to login via a website on a pc and via a pwa on a phone. The same app is needed to authorise large transactions and transfers. The days of a standalone digital code generator are gone.

spiral

[deleted]

PWAs don't push transaction info in real-time which is crucial for lots of people. You are apparently fine with simply logging on and checking your balance - yeah, PWA is fine for that, but banking apps do much more than that.

[deleted]

They can even serve you some malicious JavaScript that could infect your whole phone with malware.

[deleted]

With an app, you're just trusting your bank not to have malware in their app, and if they do and get caught, they will be in big trouble.

[deleted]

[deleted] sorry, I didn't know I was chatting with expert security researcher. I will try to take your advice to heart. Over and out.

[deleted]

spiral I don't know what poo banks are you guys with, but I can do way more than just view my balance. Can transfer between accounts, make payments, edit direct debits and standing orders, I think there is one thing I can't do which is adding new payee but for that I have another device with stock OS that has the app and never leaves my abode. Works for me, you do what you like to your heart's content. Just saying. Maybe look into banking with someone else.

spiral

[deleted]

"poo banks"

Ok are you 12 years old? You have a super immature way of expressing yourself.

"What's wrong with that?"

Well, several people told you several things that are wrong with it, most importantly how it's not as secure as you are posting it is.

[deleted]

spiral "PWAs don't push transaction info in real-time which is crucial for lots of people."
What exactly do you base this on? I have just amended two standing orders and transferred money between two of my accounts and watched it happening real time (like immediately, with update upon automatic reload). I don't think I am the 12 year old here, but of course you and I have a right to an opinion. I'm going to rest my case here. I don't require any replies.

csis01

spiral "poo banks"

Ok are you 12 years old? You have a super immature way of expressing yourself.

IMO, shows greater maturity to be cognizant of the possibility that there could be 12 year olds reading this forum by replacing certain words with less impactful versions. An actual 12 year old, I'm sure, wouldn't hesitate to use the word that you and I both know he was thinking.

It especially seems immature to me for you to call someone out on that.

spiral

csis01

Puhlease. SgtSurehand is ANYTHING but "cognizant that there could be 12 years olds reading this forum," that's an utterly absurd statement.

csis01

spiral In any event, you are the one giving the impression of immaturity.