I’m lucky my banking app works (GrapheneOS), as it’s now requiring 2FA with the app anytime I log in on the browser. Can’t use an actually secure form like TOTP. At least they now allow passwords over 8 characters (yes, serious).
This post is against Rule 6, but I’ll leave it up this time since there is a decent amount of discussion here now.
lseif@sopuli.xyz, please remove the image when you can. You can post it in the comments.
This is actually something I have spent a lot of time thinking about. In Sweden, where my boyfriend lives, their BankID app is ubiquitous, and there is very little cash handling going on, additionally the fees for actually going to the bank or subsidiary to pay your bills are exorbitant.
Everybody pays their bills online using “BankID”, which is kinda nifty and works well enough if a single point of failure is your thingaling, but what if people simply choose not to get a phone, or don’t want a computer, just basic like that, what if?
It feels kind of creepy to me, I don’t know…
thats scary
Sweden has gone about 80% fascist, in case you didn’t know. By popular vote, even! We have literal Nazis in government right now, they’re the second largest party, and while “not all Swedes” agree that they are Nazis, their heritage and lineage stems directly from the neo-Nazi movement in Sweden in the 80’s and 90’s, supported financially by Putin. <- this is not a joke, btw
All SIM cards have to be registered with your personal identification number (more or less “social security number”, but with your 100% full identifiable personal information), by law, and by law it is illegal not to state where you live (like a census law, you must report to authorities at all times where you reside. If you don’t have a home, well, your last address is where you officially live).
The right wing extremists have pumped money into police, and they now have the right to effect stop-and-frisk zones, and wiretapping anyone they please without probable cause or even suspicion of criminal activity.
Don’t you have a code generator?
In Norway we have 3 options. BankID by code generator, BankID by simcard, and BankID by app.
The code generator isn’t even connected to the internet, and is the oldest type of bankid
All our local banks closed their branches. We’re lucky if we can get a human to talk to.
I hate this so much!
My bank is like that and another horrible thing is that after you choose your password (which can be long and complex) you need to choose a 6 DIGIT restore code in case you forgot your password…
Why is my BANK so bad at security??
And they all develop their own shitty app for 2FA (the lazy ones just rebrand SecureGo as their own - you still have to install all of them separately) instead of using the 15 year old TOTP standard. The latter is good enough for tiny companies like Google and Amazon but what do they know about itsec, right?
genius
Wait
You have a second password that’s (opens calculator) 20 bits of entropy???
Banks do this because most people don’t know how to use technology and it’s a lot easier to get remote access and malware on your computer than your phone.
Google and the banks can eat my whole asshole.
My former bank launched a sub-bank that was 100% outsourced. App and website only, no branches, no ATMs, no phone number, just some software and a card. I dumped them for a competent bank after 25 years with them
I’m actually ok if they passed on the saving of not having to operate branches to their customers in the form of lower fees, a higher interest rate for saving accounts, better credit card rewards, etc.
That’s not how outsourcing works. They save 75% on costs but only decrease prices 10%. Just enough to undercut the competition.
Magisk plus DenyList luckily works for my banks. Couldn’t imagine not having a rooted phone.
Beats the main purpose of GrapheneOS. Opens the phone to a broad lot of security issues.
GrapheneOS is made by diva developers who frankly should not be trusted. “We only allow Google phones to run our OS!” as if they don’t have a backroom deal with Google.
genuinely curious; can u elaborate on the deal with google?
Pure wild speculation if I’m honest, however I’d be more surprised if I was completely wrong. It’s always seemed sketchy the way Google have basically said “Use our phone, it’s more secure!” with their Nexus and Pixel phones - this was long after the time Google stopped not being evil. At best, the security problems have simply changed manufacturer. Also, Google have a history of undermining development of circumvention, eg hiring the developer of MicroG and forcing him to stop development as a term in his contract.
The diva part is widely known, GrapheneOS developers don’t play nice with the rest of the custom development community. So, while I can’t substantiate any actual deal between them and Google, it’s the perfect recipe.
i see. i bought my phone second hand, so google isnt getting money from the sale, but i can see the problem with every user relying on the same phone manufacturer
Prove to us that you can get better security while remaining able to be fully modified with other phones and brands. https://www.privacyguides.org/en/android/#divestos
Privacy Guides has a bit of a sordid history of their own diva behaviour.
Just higher standards.
@TWeaK @PoorPocketsMcNewHold @android
Bullshit
Graphene only works for Pixel phones, and I don’t want a Google device.
thats fair. device support is a major downside of GOS. but, remember: its not really the fault of the OS, as it requires a lockable/unlockable bootloader, which only pixel phones provide (at least in terms of mainstream phones). blame the OEMs like samsung
which only pixel phones provide (at least in terms of mainstream phones)
Mainstream phones? Pixel is a smaller market share than Motorola, and Motorola has unlockable bootloaders, and lineage supports a fair number of them.
I thought Google owned Motorola, but I missed the sale to Lenovo ten years ago.
Lenovo owns Motorola. Lenovo being Chinese is somewhat a security risk.
There are a ton of unlockable bootloaders. On my OnePlus that’s a matter of flipping a switch in the settings.
can it be re-locked? i may be wrong, btw. this is just what ive heard.
I don’t know, never tried that.
@viking @PoorPocketsMcNewHold @android
Then don’t bother, there’s no GrapheneOS for you!
Yeah, that was their point.
What are the security issues? Rooted just means the potential to give trusted apps root access. Of course, if you give an app root access that you trust but is then abusing that trust and being malicious, yes it’s a security issue. But if you don’t do that, the simple fact of having a rooted phone should have no security change in any way. (Ok, except for potential bugs in Magisk/su or whatever)
The whole issue revolves around the fact Google is presuming a device is compromised or being used for illicit shit simply because root access is possible. If they put in effort to detect/prevent the actual problems they’re concerned about, this wouldn’t be as big a deal. This broad punishment for simply having root access is lazy and ridiculous.
It’s like if Windows apps just stopped working if they detected a local admin account. It’s patently absurd to assume the ability to access anything means the device is inherently “unsafe”.
But the previous commenter talked about security issues, you’re only talking about usability issues.
If you have the UI layer able to grant root access, it has root access itself and is not sandboxed. If the UI layer can grant it, an attacker gaining slight control over it has root access. An accessibility service trivially has root access. A keyboard can probably get root access, and so on. Instead of a tiny little portion of the OS having root access, a massive portion of it does.
In the verified boot threat model, an attacker controls persistent state. If you have persistent root access as a possibility then verified boot doesn’t work since persistent state is entirely trusted.
A userdebug build of AOSP or GrapheneOS has a su binary and an adb root command providing root access via the Android Debug Bridge via physical access using USB. This does still significantly reduce security, particularly since ADB has a network mode that can be enabled. Most of the security model is still intact. This is not what people are referring to when they talk about rooting on Android, they are referring to granting root access to apps via the UI not using it via a shell.
I’m pretty sure whoever wrote that was talking out their ass. The fuck is “UI layer” on Android, or rather, what does it have to do with it xD
The actual Magisk prompt that asks you if you want to give root to such app. This UI layer.
Although, i suppose it could be countered by explicitly refusing all requests or enabling a biometric confirmation
But granting root is not done by “the UI layer”, “the UI layer” is not running with root. There is no such thing as “the UI layer” as a separate entity, an app can have a UI layer as part of its architecture, but the UI is not running on its own. Just because Magisk shows you a UI for you to grant/deny a root request, that doesn’t make it insecure. Nothing is able to interact with this prompt except the Android kernel/libraries itself and Magisk.
Only if you added an application as accessibility tool (or give it root) can it interact with anything within the UI. An app with a UI is generally not much different than an app on the command line.
don’t give root to any app duh
Non-rooted phones are just like iPhones. Ewww…
Can you compile your own OS from source for an iPhone and install it yourself? I don’t think so.
I have done that with my non-rooted android, and I can do anything I want with my phones through the powers of open source software.
Rooting is unnecessary now and that’s a good thing.
Who cares if it’s necessary? If people want to do it, they should be able to, without punishment.
Well you can, and there is no punishment, so you should be happy.
I imagine you probably think “punishment” is that some bank won’t let you use their app on a rooted phone. That is not a punishment, that’s the bank implementing the security that they deem necessary for access to their software, and is likely part of a license agreement that you agreed to by using it. You have no default entitlement to have free use of the software that anyone else produces unless the software developer’s license states that you do.
Actual punishment would be if your phone gets bricked by the OEM for rooting it, or government authorities fine or arrest you for rooting.
You can’t do that without unlocking the bootloader, and that alone will trip “root detection” (Play Integrity).
Some apps take it further and won’t run if you enable Developer Options! (Or have any number of “hacking apps” installed, such as autotap apps that don’t even need root.)
Yes, I am aware of how it works. Unlocking the bootloader is not the same as rooting, and all my apps work just fine.
If they work with an unlocked bootloader then they would almost certainly also work fully rooted, with the advantages that brings (such as actual working app+data backups, limiting max battery charge, better automation possibilities with apps like Tasker, etc)
I’d much rather switch banks than give up rooting my phone.
Like bicycles with training wheels.
Agree, don’t get why you are being downvoted.
Butt hurt iSheeps? Who cares about (down)votes? I have disabled “show score” anyway.
You are being downvoted because you’re factually wrong. While Android (especially on Samsung devices) had been getting more locked down over the years, even unrooted it has way more freedom than an iPhone. For instance, you can install any number of APKs, without jumping through any hoops.
For now. Google’s recent patterns would seem to indicate the future trajectory of Android to become even more hobbled.
I doubt it will ever be as closed as iPhone but there’s a point where the door is technically still open, just not in a way that really means much.
As I said before, I don’t care about downvotes. Be my guest.
That’s ok and all, but I assumed that you do care about making a false statement, which was the point of my response, to let you know.
Magisk Hide + app rename works most of the time, for those with rooted phones
Funnily enough I had issues with Wallet working on my phone since I have unlocked bootloader but no root. Banking and everything else afaik worked. So I installed all that stuff, Magisk, Magisk Hide, I don’t even remember all the things I tried and what it resulted in was now since I was actually rooted all the banking apps and other stuff stopped working.
When you root, you’re creating more flags for apps to detect, so you have to put in more effort to hide them all. That means a greater likelihood of something being detected if you missed it. It’s a trade off. You do have to learn a bit about what you’re doing and do some trial and error.
But the greater point is, if banking apps and wallet are important to you on that specific phone, you can either root and put in the effort to make it work, root and just do all that stuff from a browser, or not root at all.
Yeah, it’s annoying, but it isn’t the fault of Magisk or the rooting community, it’s Google and your bank’s fault for actively punishing you for using your own device the way you like.
Personally, I have two phones now. My main one is rooted, and if I need an app that breaks on root, I pull out the “clean” one (my old phone after factory reset). Use a hotspot if mobile.
I didn’t try a rooted phone, but thankfully my banking app did work on my phone with custom ROM without SafetyNet.
But they do block some VPNs. I know it temporarily didn’t work with ProtonVPN, though now it does again. They only told me that they allow VPNs which they consider secure, but for security purposes they won’t reveal how those considerations are done.
How would that make it insecure, if they aren’t just using pre-made IP blocklists?
Anyway, that was a painful experience.
Getting it to work after being connected to VPN required de-activation and re-activation of the app. That’s a fairly painful process since it uses OTP tokens generated by a card reader:
It does have a digital version, but that’s less secure.
I moved to a bank that allows non google phones and let my previous bank know why I left.
Why are you licensing your comments
at least its CC :)
Because they think it matters. Same as people posting on Facebook some legalese saying “Facebook doesn’t have the rights to my stuff.”. They think that by slapping a copyright “claim” on their stuff that they supersede the agreements of the platform and somehow protect their comments from being scraped by bots/advertisers, etc. All it really does is add a little “this guy is probably a sovereign citizen type” sign to every post they make.
There is no such platform agreement on lemmy, so they might have at least a little bit of a chance
Thanks.
My dyslexic ass read that as “Baking apps” and i was genuinely confused.
With the PNC bank I use, about 12 years ago, passwords used to be case insensitive, and they would allow ridiculously insecure passwords without complaining, like one123. I had a ridiculous password like that for a while because it was funny, then realized I’d be the one to pay for it.
Doesn’t work because of Play Integrity API but there are ways to bypass it. At least for now. Look up PlayIntegrityFork.