de0u They're deliberately trying to break support for using browsers other than Chrome, Safari or other browsers they support by checking assorted things to see if they match. This isn't a compatibility issue but rather a company trying to disallow people from using other browsers. They should be pressured to either stop doing this security theater or to add Vanadium to the list of what they hard-wire as permitted.
Mobilepay (Danish) not working.
lbschenkel It doesn't make sense and isn't being added. This app needs to stop people disallowing using alternate browsers for alternate browsers to work with it consistently. They're going out of the way to try to detect and disallow using alternate browsers. Adding toggles for this isn't a solution. They could detect it based on anything that's changed which is visible to sites, not only this. They need to stop deliberately breaking their app and site.
MitID has repeatedly deliberately broken their app with alternate operating systems and then fixed it. This is the same nonsense. We've never done anything to work around it and never will. It's on them to stop doing this. They know they're causing the problem and need to stop causing it. Users need to put pressure on them, not us.
If we worked around what they're doing, it would only encourage them to keep doing nonsense like this, and would be counterproductive. It would lead to them blaming us for their problems and refusing to fix them in the future. Therefore, we have a hard rule against working around the issues this app / app ecosystem are deliberately causing. They've previously wrongly tried to blame GrapheneOS and would leverage us working around their nonsense as an excuse to not fix it.
This could also be viable. The potential problem is that another browser will not be GOS' WebView component. Depending on what the app is doing, it might rely on WebView instead of opening a custom tab of the default browser.
If an app uses the WebView, changing the default browser or disabling the Vanadium browser won't make any difference.
sup3rior MitID needs to stop deliberately disallowing alternate operating systems and browsers. It will be consistently problematic until they stop, and we have a hard rule to avoid working around it due to their dishonest behavior trying to blame GrapheneOS for them deliberately trying to break alternate operating systems. You must pressure them to fix this, not us. They've broken it deliberately, not by accident. It's not an accident that they're trying to detect and disallow alternate browsers.
sup3rior You're incorrect. It's not possible to use another WebView implementation, and disabling the Vanadium browser will not disable the Vanadium WebView. Disabling the Vanadium WebView would leave you with no WebView and would cause many apps to crash. That is not what's happening.
I agree, and my apologies if it came off as anything else. It is not on your end and I know very well that the ones making these choices at MitID are to blame. Unfortunately for us that has to interact with Danish authorities, they have a monopoly and can do as they please, just as their predecessors did with NemID.
Well, then I have no explanation. Just installing Chrome and setting it as default didn't do the trick, but once I disabled Vanadium it did. But again, not your headache, this is on us to chase the responsible politicians for them to put pressure on MitID.
No, GrapheneOS is not breaking compatibility by removing optional new headers providing OS and device model information.
I never wrote that. I'm aware that the blame is not with GrapheneOS but with them. Wasn't that clear enough?
It's not reasonable for a site to break compatibility because the browser isn't giving it that info or fake information about it.
Yes, that is well established. What I suggested was that Vanadium could be the one making a compromise for the sake of the users, because the companies involved don't care and it's hard to convince them to change their ways.
I know that implementing such a compromise wasn't really fair, because it puts the burden in the wrong party.
We will not add OS and device model info back to the headers. It's not reasonable for a site to break compatibility because the browser isn't giving it that info or fake information about it.
Fair enough. I just wanted to throw the idea out there to see what you had to say. I was expecting this response, but it's good to make that crystal clear nonetheless.
But do we have any idea on what the problem here actually is then? Is it a problem with the app (where we should complain to the app publisher) or MitID so we should direct our complaints to Digitaliseringsstyrelsen?
We know changing the browser used to Chrome makes it work, so it somehow must be related to the security hardening in Vanadium, but from my perspective, I'm still not completely sure who to actually go shout at (figuratively speaking).
- Edited
sup3rior I want to help with the shouting. I know some people in Digitaliseringsstyrelsen.
I think it is the implementation of MitID in MobilePay that is the problem.
I don't have any problems with any other of my MitID or banking apps.
But It would be great with a draft letter we could use for inspiration for our complaints.
I can see that MobilePay are merging with Vipps! https://vippsmobilepay.com/about
Current target: MobilePay (developer@mobilepay.dk) and Vippsmobilepay (developer@vippsmobilepay.com)
AFAIK Vipps/MobilePay don't/wont make any "major" changes as they're currently merging (me & aguyfromdenamrk on github emailed them and got that answer)
Only current workarounds is the one I found (that apparently does not work anymore? post 9 in this thread) or just uninstalling Vanadium, installing brave or chrome then registering on MobilePay.
And yes, its 100% an issue with MobilePay/Vipps' implementation of MitID that is to blame here. I have 7+ other MitID apps that did not require me to download and older version to be able to login with MitID.
Luckily once you've registered on MobilePay you can always go back to Vanadium and, for now, not worry about future updates to the app.
- Edited
I had issues with both E-boks and Lunar Bank on my device, those where solved at the same time I got Mobilepay working. Which is what made the path of "hey, maybe this is not app-specific" seem like a possible route.
EDIT: Just did a test with my Lunar Bank app, it now launches Chrome when it needs MitID validation even though Vanadium is the default browser. Guessing, as @GrapheneOS suggested, that this is specifically coded this way. I'll have to do some more testing to verify that it's not the OS that's confused over having had Vanadium disabled, although I really don't expect it to be.
I think, regardless, we need to pile on to Digitaliseringsstyrelsen and the speakers responsible for this area from each political party to push them on whether they can be happy that their citizen are forced into the hands of a monopoly (meaning Google) to use governmental services.
JensAPedersen I can see that MobilePay are merging with Vipps! https://vippsmobilepay.com/about
This might be either good or bad news. I see two possible futures. First, the potentially bad:
a) Vipps and Mobilepay decides to merge their codebase, inheriting the nonsense that is Mobilepay, and by that creating trouble also for Norwegian users of GrapheneOS.
or
b) They go with the current Vipps app, just making some cosmetic changes to symbolize the merge with Mobilepay. This will be good news for Danish users, as Vipps works absolutely fine on GrapheneOS. (The only hard requirement Vipps makes is the presence of Play Services; it refuses to load without it).
I think B is the most likely: if one judges by the Play Store ratings, where Vipps has a rating of 4.7 and Mobilepay rates 3.0, Vipps is the more preferred choice with users. It's also my experience that Vipps "just works", and I never hear any of my peers complain about the app.
The webpage also contains this sentence: "We are now migrating intro the Vipps Technology platform, which will contain all our payment solutions, users and business customers."
Let's see.
The reason Vipps works is that BankID is different from MitID. The authentication flow is such that in BankID, the app calls the idp and obtains verification through the app back-end where as with MitID, authentication is performed in the app itself relying on session cookies and whatnot, thus having a large reliance on the browser on the device. I'm guessing that's some of the reasoning behind MitID device requirements stating only two browser being supported and thus also actively blocking others, since they've only verified it to work on Chrome and Samsung Browser.
I wish the Danish authorities had gone with a design more similar to BankID or the Swedish Freja eID, then we wouldn't be having this conversation.
Took a dig at Digitaliseringsstyrelsen and the individual speakers from each party responsible for digitisation on X if anyone wants to chime in: https://twitter.com/libach81/status/1741405324668481638
@JensAPedersen Be happy to collaborate on a letter template, to the others in this thread, feel free to chime in with input on what we should include in this.
- Edited
I know some people in Digitaliseringsstyrelsen.
That is great. It would be amazing if you could bring the problem to their attention. The problem being that MitID is an essential service and they're locking out people who don't use Chrome or Firefox. Firefox actually didn't work in the past either, but that has changed months ago. Other Chromium-based browsers are working so far, but who knows if that's deliberate or by accident. There's no good reason for why they're locking out Vanadium, but they're doing it anyway.
I've wrote to MitID support many many times. Sometimes I got answers saying "a future version may fix it" from their support and sometimes I get no answers. (In this case it doesn't even make sense since the problem isn't with the Android app, but the way their web form works.) I wasn't able to get a direct line of communication with the developers, nor I know if any of my messages were actually brought to their attention. It's all very opaque.
I think it is the implementation of MitID in MobilePay that is the problem.
Unless I missed something, it looks like the problem with MobilePay is actually entirely due to MitID, not really related to MobilePay. You can reproduce it by simply trying to login to mitid.dk with Vanadium. What is going to happen:
- login form shows up
- you press the button to authenticate
- the button launches the MitID app, and you can authenticate there
- however, when control gets back to Vanadium you'll notice that the login form closed itself, and the post-authentication flow that actually logs you in doesn't happen
The same will happen with any app that opens an in-app browser (which will use the default browser). I can replicate that with my bank app, for example. If you switch to Chrome (or a Chromium-based browser), or Firefox, it works because in step 4 the form didn't close, and then it redirects to the URL that actually logs you in.
The problem is that the login form in mitid.dk (or one of the subdomains which is used by third parties) is programmed in such a way that it doesn't like Vanadium, and then the moment you press the button to launch the MitID app then the form just closes itself instead of staying open and waiting for the outcome of the authentication. As it is closed, when the app is done authenticating and you get back to where you were, nothing happens and you're just stuck.
I wish the Danish authorities had gone with a design more similar to BankID or the Swedish Freja eID, then we wouldn't be having this conversation.
I'm familiarized with the Danish and Swedish systems. I feel that neither country has a truly "best" approach.
What's better in the Danish system:
- MitID has an option to use a code display, so you can authenticate with something else that is not a mobile phone and being forced to submit to the Apple/Google ecosystem.
Swedish BankID only exists as a phone app (well, there is the bank card version and computer program version but they seem to be phased out as less and less banks issue it). If it doesn't like your phone or your Apple/Google account is ever banned, you're out of luck. - MitID is not controlled by the banks, so you have multiple avenues for enrollment including paying a visit to your Citizen Centre. If you're a legal resident you can get one.
Swedish BankID is controlled by the banks and you need to be a customer of one, which for persons that just arrived in the country is a challenge: most banks require having a Swedish-issued ID with a personnummer, which takes time to get, and you need to satisfy whatever other criteria from the banks: you may be a legal resident but be prevented from having a BankID due to banks' requirements.
What's better in the Swedish system:
- BankID is not a monopoly in the sense that there are goverment-approved competing services, such as Freja and using the ID card from Skatteverket. That said, apart from government websites, most private ones only support BankID. The incumbents are good for backup but they're not really usable as the primary authentication mechanism. To me it is not enough that the government approves competing services, but also enforces that companies must support at least two of them for authentication.
- BankID differentiates between identification/authenticating and signing, which is very nice. For example, I configured mine to allow my biometrics to authenticate but not to sign. In this way it's harder for me to actually do something (which requires signing) while distracted, as I can't simply put my finger and I'm forced to enter my password.
- BankID app seems to be way less finicky than MitID. I've never had any problem with BankID in any phone.
To me what would be ideal:
- Government defines the requirements and certifies authentication providers. They should not grant a monopoly to a single provider, but let multiple players compete in this space. (Sweden is doing this right.)
- There should be a mandated open API similar in spirit to OpenID so any of the government-certified authentication providers should work with any service, to avoid that any player becomes the de facto sole provider. (Nobody is doing this.)
- There should be at least one authentication provider that is universal, allowing any legal resident to be enrolled, without mandating any other extra requirements. You should always have the option to visit a government office and show ID and get enrolled into one. (Denmark is doing this right.)
- Providers must offer an option to use some device or mechanism that is not a mobile phone or something that requires you to have an account with Google/Apple/whoever. Something offline like a dongle, OTP codes on paper, whatever. (Denmark is doing this right, but the old and now retired NemID did even better by offering paper codes.)
- Authentication should be differentiated from authorization/signing. These two operations should be visually distinct and you should be able to configure them differently. (Swedish BankID is doing this right.)
- There must be a government agency acting as a regulator in this space that the users should be able to complain to. (Does it exist in practice in either country in this form?)
- Implementation should not be exclusionary. The burden of proof should be on the authentication provider side to justify to the government regulator why they need to lock users out if they use specific browsers/operating systems/etc.
I'll try and give that a go tomorrow. I bought a Pixel 7 about a week or so ago and couldn't get MP to work at all, so I ended up installing the stock OS again. Had no significant issues with Lunar Bank, MitID or anything else. Only issue was MP.
Fingers crossed.
14 days later
The next version of Vanadium will set placeholder client hints based on the standard reduced Chrome user agent to provide a frozen form factor (Mobile or Desktop), model (K), platform version (10.0.0) and reduced browser version number (such as 121.0.0.0) without the full details instead of removing the high entropy client hints. It's possible this will improve compatibility with this broken app unless it depends on leaking the precise browser version, and it seems very unlikely that they hard-wire each Chrome version. We can do a new release soon for people to test.