Revolut, McDonald's, and Authy have banned the use of GrapheneOS.
cross-posted from: slrpnk.net/post/15995282
Real unfortunate news for GrapheneOS users as Revolut has decided to ban the use of 'non-google' approved OSes. This is currently being posted about and updated by GrapheneOS over at Bluesky for those who want to follow it more closely.
Edit: had to change the title, originally it said Uber too but I cannot find the source again for whether that's true or not.
This entry was edited (5 months ago)
The 8232 Project
in reply to Sips'
m-p{3}
in reply to The 8232 Project
themurphy
in reply to m-p{3}
Also very obvious when an app or website has a US and an EU version. You just know they buttfuck the Americans because no rules.
Even Apple had to make two versions of iOS.
dutchkimble
in reply to The 8232 Project
Avid Amoeba
in reply to The 8232 Project
yoshisaur
in reply to Sips'
The 8232 Project
in reply to yoshisaur
yoshisaur
in reply to The 8232 Project
themurphy
in reply to yoshisaur
Sips'
in reply to yoshisaur
RobotToaster
in reply to Sips'
Im_old
in reply to yoshisaur
A_Union_of_Kobolds
in reply to Im_old
BearOfaTime
in reply to A_Union_of_Kobolds
If nothing else, can you use the browser?
I've used Hermit for years to present websites like an app, and am using Native Alpha on my new phone.
A_Union_of_Kobolds
in reply to BearOfaTime
anti-idpol action
in reply to A_Union_of_Kobolds
Im_old
in reply to A_Union_of_Kobolds
BearOfaTime
in reply to yoshisaur
Use a browser like Native Alpha or Hermit, which present a website like an app.
And if you use Bitwarden/Vaultwarden for your passwords, it can be pretty seamless.
Sips'
in reply to BearOfaTime
NativeAlpha
- github.com/cylonid/NativeAlpha…
Hermit
- hermit.chimbori.com/
Hermit • Lite Apps Browser (hermit.chimbori.com)
LambdaRX
in reply to Sips'
tisktisk
in reply to Sips'
Is this not a sign of the true intentions on both sides of the dilemma here!?!?
Let us go to the end. We cannot afford to carry on in fear of these bans. Let the lines be neatly placed and the sides chosen wisely. If sustained profits are desired, the walled-gardens must come down.
Vote with your dollar and vote again with your data.
Wary, but never afraid is the motto, privacy comrades!
vividspecter
in reply to tisktisk
Droggelbecher
in reply to Sips'
catloaf
in reply to Droggelbecher
Droggelbecher
in reply to catloaf
killingspark
in reply to Droggelbecher
granolabar
in reply to Droggelbecher
Most EVERYTHING works unless your app dev is a PoS like these guys.
Another alternative is MicroG, which might work better in light of recent developments.
How zealous are you on dumping Google?
RubberElectrons
in reply to Droggelbecher
anti-idpol action
in reply to Droggelbecher
Droggelbecher
in reply to anti-idpol action
anti-idpol action
in reply to Droggelbecher
Don't know, and sadly my Pixel got stolen recently, but you can see if Offi or Transportr meet your needs; they're available on F-Droid.
I guess I have bad news for you regarding the government app: discuss.grapheneos.org/d/253-c…
Anyway, depending on your threat model, keeping a normiephone as a decoy and mainlining something like GrapheneOS can be a good opsec decision.
Compatibility for Austria e-Government app - GrapheneOS Discussion Forum
Droggelbecher
in reply to anti-idpol action
anti-idpol action
in reply to Droggelbecher
yonder
in reply to Droggelbecher
AtHeartEngineer
in reply to Sips'
granolabar
in reply to AtHeartEngineer
Wait until the next update.
I think we're gonna start learning who actually can't handle not getting your data finally.
Also the microG vs sandboxed GPS debate might get resolved.
RubberElectrons
in reply to granolabar
anti-idpol action
in reply to granolabar
palitu
in reply to AtHeartEngineer
anti-idpol action
in reply to AtHeartEngineer
HiddenLayer555
in reply to Sips'
0x0
in reply to HiddenLayer555
ryannathans
in reply to 0x0
OrganicMustard
in reply to ryannathans
ryannathans
in reply to OrganicMustard
OrganicMustard
in reply to ryannathans
GrapheneOS web installer (GrapheneOS)
TXL
in reply to OrganicMustard
Anivia
in reply to TXL
Yes, this would only be a concern for targeted attacks by state actors, in which case not even buying new would be safe.
Thinking about it, in such a scenario buying used may even be safer.
OrganicMustard
in reply to TXL
Andromxda 🇺🇦🇵🇸🇹🇼
in reply to OrganicMustard
No, Auditor can be installed on any Android phone. It's even available on the Play Store: play.google.com/store/apps/det…
You can even perform a remote verification, which uses GrapheneOS servers and doesn't require a second device at all: attestation.app/tutorial#sched…
Auditor - Apps on Google Play
Venia Silente
in reply to TXL
Andromxda 🇺🇦🇵🇸🇹🇼
in reply to OrganicMustard
Device integrity monitoring (attestation.app)
Auli
in reply to ryannathans
50MYT
in reply to ryannathans
Your options are:
- Apple phone
- Bloated Android phone like Samsung etc.
- Chinese Android phone (Xiaomi etc.)
- Google phone with Android
- Google phone with Graphene. This still looks like the best of those options.
- Or no phone? I guess people are hardcore enough that will be the option.
Edit: I stand corrected.
ryannathans
in reply to 50MYT
SeekPie
in reply to ryannathans
I don't think LOS has any privacy/security improvements over stock Android?
(IIRC) it's even worse than stock because you can't lock the bootloader after installation.
Though if your phone isn't getting official updates, it's probably safer with LOS.
211
in reply to SeekPie
There's also the Lineage-based DivestOS, which attempts to keep up with more security updates, and relocking the bootloader on phones that support it.
divestos.org/
Home - DivestOS Mobile
SeekPie
in reply to 211
211
in reply to SeekPie
Calyx also comes with MicroG, right? So it mitigates many problems with a bit more Google.
And Fairphone 4 here, partly for Divest (had it on a OnePlus 6 before this and just used to it), partly because of a good deal for a barely used one.
SeekPie
in reply to 211
211
in reply to SeekPie
SeekPie
in reply to 211
Forgot to say that yes, CalyxOS does have microG, though you don't need to log into Google to download apps from Aurora. Login is only required for apps from Google (like Maps, Gmail etc.).
I also got the Fairphone 5 because of the used price! Mine was 300€ with a slightly burned-in screen (it was used as a store display model), though I only notice it when on a completely white screen and looking for it.
ryannathans
in reply to SeekPie
Andromxda 🇺🇦🇵🇸🇹🇼
in reply to ryannathans
GrapheneOS Frequently Asked Questions (GrapheneOS)
ryannathans
in reply to Andromxda 🇺🇦🇵🇸🇹🇼
Andromxda 🇺🇦🇵🇸🇹🇼
in reply to ryannathans
Google is a tiny player in the smartphone market, compared to vendors like Apple, Samsung, Huawei, Xiaomi, and others (statista.com/chart/25463/popul…). They also serve a much smaller geographical region than most other manufacturers. The Pixel 9 lineup, for example, is only sold in 32 countries. Most of those are wealthy industrial nations. Google doesn't even try to assume market share in developing countries in Africa and Asia. It can also be assumed that over 97% of Google Pixel users keep the Stock Pixel OS, where Google doesn't need a hardware backdoor since they can just implement it in software. So that leaves only a tiny fraction of all users: people in some wealthy industrial nation who specifically buy a Pixel to install a custom ROM. GrapheneOS for example has about 300K users. Do you really think Google would put in the effort to create a hardware backdoor and take all the risk associated with it (negative PR, loss of sales, etc.) just to collect some data about this tiny amount of users? Google already controls EVERY Android phone on the market by forcing vendors to include Google Play Services as a system application through their contracts, licensing and monopolistic market position. Be realistic for a second, and you will realize that your backdoor theories make absolutely no sense and that no business in the world would ever take such a huge risk with such little reward.
Google Remains a Niche Player in the Smartphone Market (Felix Richter, Statista)
ryannathans
in reply to Andromxda 🇺🇦🇵🇸🇹🇼
Andromxda 🇺🇦🇵🇸🇹🇼
in reply to ryannathans
Neither do we know this about any other CPU on the market. All chipsets on the market are proprietary. All of them. And no, despite many people (who don't know anything about what they are talking about) claiming this, RISC-V won't actually solve any of these issues. Sure, the ISA is open source, but the ISA would be the worst place for malicious actors to introduce a backdoor. I can guarantee you that despite using the RISC-V ISA, the chips themselves will still be fully proprietary and the IP will be highly protected as trade secrets. You can build a fully RISC-V conformant chip with a backdoor, there's absolutely nothing in place that could stop this, and it surely won't change for the foreseeable future.
ryannathans
in reply to Andromxda 🇺🇦🇵🇸🇹🇼
Venia Silente
in reply to SeekPie
That's a problem with the phone manufacturer, not with Lineage.
Andromxda 🇺🇦🇵🇸🇹🇼
in reply to Venia Silente
Andromxda 🇺🇦🇵🇸🇹🇼
in reply to SeekPie
Android | Madaidan's Insecurities (madaidans-insecurities.github.io)
Samsy
in reply to 50MYT
Killercat103
in reply to Samsy
Samsy
in reply to Killercat103
brisk
in reply to Killercat103
Andromxda 🇺🇦🇵🇸🇹🇼
in reply to Samsy
All of these are insecure as hell. Linux phones especially: madaidans-insecurities.github.…
Fairphone also really fucked up: they signed their own OS with the publicly available (!) AOSP test signing keys. These guys really don't know what they're doing, and I wouldn't trust their hardware or software whatsoever. And no, installing a custom ROM doesn't solve this. Considering how bad their security practices are, we genuinely have to assume that there are security issues with the device firmware as well.
/e/OS is based on the already insecure LineageOS, and it weakens the security further, so it's not a good option either.
None of the options you mentioned can be compared to GrapheneOS. It's currently the best option if you value your privacy and security. You don't have to give Google money either, since you can just buy a used device, which is also cheaper and more environmentally friendly. Google also makes repairing their devices pretty easy for consumers and even works with iFixit. Here's a Mastodon post I recently saw about that: social.linux.pizza/@midtsveen/…
Erik L. Midtsveen (@midtsveen@social.linux.pizza), Linux.Pizza
Venia Silente
in reply to Andromxda 🇺🇦🇵🇸🇹🇼
A used Pixel, assuming I can find one in my country, still costs four (4) times what I need to shell out for an in-market Lineage-compatible phone.
Theoretical security is cute, but it has to be adjusted to practical feasibility. The most secure computer in the world is useless to you if you can't boot it up.
Andromxda 🇺🇦🇵🇸🇹🇼
in reply to Venia Silente
Venia Silente
in reply to Andromxda 🇺🇦🇵🇸🇹🇼
So, Android 9 / 10?
I'm sure as heck not going to spend zillions on a new phone (or a hard-to-find used one) when the one I have still works perfectly.
Andromxda 🇺🇦🇵🇸🇹🇼
in reply to Venia Silente
In that case, no. I assumed we were talking about up-to-date devices.
Venia Silente
in reply to Andromxda 🇺🇦🇵🇸🇹🇼
Well, on my phone, which back on stock could only do up to Android 10, Lineage gives me Android 11 (maybe 12, haven't checked), so it's still a serious win.
Now, if you insist that I shall have an up-to-date device from the official manufacturer with all the bloatware, same planned obsolescence and zero control, or even worse a 4× overpriced Pixel, maybe you are so assured of this superiority that you'd be willing to fund it?
zerozaku
in reply to 50MYT
irelephant [he/him]🍭
in reply to zerozaku
bootloader-unlock-wall-of-shame/brands/xiaomi/README.md at main · melontini/bootloader-unlock-wall-of-shame (GitHub)
Realitätsverlust
in reply to 0x0
It's only officially supported on Google phones because sadly those are the only ones that are not modified to fuck, which makes installing and supporting other OSes way too much work.
Giving Google money once for a device is not a problem from a privacy or security standpoint.
Samsy
in reply to Realitätsverlust
TXL
in reply to Samsy
orange
in reply to TXL
For GrapheneOS, it's primarily that it's re-lockable. That's why other unlockable phones aren't supported.
The GrapheneOS install process sets new OS signing keys so you can lock the phone again and get full verified boot. However, most manufacturers haven't implemented this feature.
TXL
in reply to orange
fuzzzerd
in reply to orange
lad
in reply to fuzzzerd
orange
in reply to fuzzzerd
No, Play Integrity intentionally checks if it's a Google-approved key. Android itself has an API to check verified boot and gives info on the signing key; most devs just want to know verified boot is working.
I feel Play Integrity has a short life ahead of it if competition authorities realise how exactly it works. "Anti-competitive" is the first thing policy-minded folks think when I explain the API to them.
fuzzzerd
in reply to orange
MTK
in reply to Realitätsverlust
irelephant [he/him]🍭
in reply to Realitätsverlust
HiddenLayer555
in reply to Realitätsverlust
Wish they'd at least support Fairphone.
If Graphene reached out to them, I bet Fairphone would even actively work with them to make it an official OS option.
porous_grey_matter
in reply to HiddenLayer555
AstralPath
in reply to Sips'
3 dogs in a trenchcoat
in reply to AstralPath
AstralPath
in reply to 3 dogs in a trenchcoat
AstralPath
in reply to AstralPath
stink
in reply to AstralPath
Can you share with the class? (Shit service where I'm at D:)
I don't buy mcdogwater anymore but I'm interested.
Danitos
in reply to stink
mashed.com/1432093/mcdonalds-n…
They gave away free chips in exchange for you downloading their app and accepting their shitty conditions.
McDonald's New Terms And Conditions Have People Deleting The App (Hannah Beach, Mashed)
/home/pineapplelover
in reply to AstralPath
Funny that news nowadays is citing TikTok and Reddit comments.
thedailymeal.com/1431937/mcdon…
The New McDonald's App Terms And Conditions Are Ruffling Some Feathers Online (Stacie Adams, The Daily Meal)
acetanilide
in reply to /home/pineapplelover
I can't tell you how frustrating it is to not only be subjected to Fox ~~Entertainment~~ News by my family, but to be subjected to their social media segments every 5 minutes (not exaggerating).
It feels like when I find those ancient newspaper articles about how so-and-so moved in with her boyfriend before their wedding night or whatever.
Some things never change, I guess.
Churbleyimyam
in reply to Sips'
jagged_circle
in reply to Churbleyimyam
JaggedRobotPubes
in reply to Sips'
VeganCheesecake
in reply to Sips'
Banks seem to be hit or miss; happy that mine works. Would rather switch banks than use a stock ROM, though.
All the Uber stuff works in the browser, both Eats and their fake taxi stuff.
Not having a subtle reminder to eat at McDonald's is probably better for you.
Honestly, if your app could be a website, and includes services not on your website, fuck you, I'm gonna go to the competition.
AnEilifintChorcra
in reply to Sips'
Lol, I spent a week going back and forth with Revolut support in August. I could sign into the app but it would always ask me for a "selfie" verification, and every time support would say it's a super dark selfie.
Eventually I decided to try a stock ROM and it just worked, and I realised what was happening, so I transferred all of my money out and deleted my account.
Most local banks here are terrible at making apps; some even require a separate device that looks like a calculator to use online banking, so hopefully they won't follow suit anytime soon.
kevincox
in reply to AnEilifintChorcra
To be fair, this actually provides a very high level of security? At least in my experience with AIB (in Ireland) you needed to enter the amount of the transaction and some other core details (maybe part of the recipient's account number? can't quite recall). Then you entered your PIN. This signed the transaction, which provides very strong verification that you (via the PIN) authorize the specific transaction via a trusted device that is very unlikely to be compromised (unless you give someone physical access to it).
It is obviously quite inconvenient. But it provides a huge level of security. Unlike this SafetyNet crap which is currently quite easy to bypass.
Aceticon
in reply to kevincox
Those little boxes are just a bit of hardware to let the smartchip on the smartcard do what's called challenge-response authentication (in simple terms: get a big long number, encode it with the key inside the smartchip, send the encoded number out).
(Note that there are variants of the process where things like the amount of a transfer are added by the user to the input "big long number".)
That mechanism is the safest authentication method of all because the authentication key inside the smartchip in the bank card never leaves it and even the user PIN never gets provided to anything but that smartchip.
That means it can't be eavesdropped over the network, nor can it be captured on the user's PC (for example by a keylogger), so even people who execute files received in their e-mails or install any random software from the Internet on their PCs are safe from having their bank account authentication data captured by an attacker.
The far more common ~~two-way-authentication~~ edit: two-channel authentication, aka two-factor authentication (log in with a password, then get a number via SMS and enter it on the website to finalize authentication), whilst more secure than just username+password, isn't anywhere near as safe as the method described above since GSM has security weaknesses and there are ways to redirect SMS messages to other devices.
(Source: amongst other things I worked in Smart Card Issuance software some years ago.)
It's funny that the original poster of this thread actually refuses to work with some banks because of them having the best and most secure bank access authentication in the industry, as it's slightly inconvenient. Just another example of how, as it's said in that domain, "users are the weakest link in IT Security".
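An added illustration (not from any poster in this thread, and not EMV CAP itself) of the card-reader scheme kevincox and Aceticon describe above: the chip signs a bank challenge together with the amount and recipient the user typed in, so a transfer rewritten on the PC no longer verifies, whereas an SMS code binds nothing. The key, PIN and IBANs are constructed sample values, and an HMAC stands in for the card's cryptogram.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample values for the illustration only. On a real card the key is
# personalised at issuance and never leaves the chip; this module simulates both
# the card/reader side and the bank side in one process.
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
CARD_PIN = "4921"


@dataclass(frozen=True)
class Transfer:
    recipient_iban: str
    amount_cents: int

    def encode(self) -> bytes:
        # Canonical byte layout agreed by reader and bank, so both sides sign the same thing.
        return self.recipient_iban.encode("ascii") + self.amount_cents.to_bytes(8, "big")


def bank_issue_challenge() -> bytes:
    """Bank side: a fresh random nonce, the 'big long number' the user types into the reader."""
    return secrets.token_bytes(8)


def card_respond(pin_entered: str, challenge: bytes, transfer: Transfer) -> bytes:
    """Reader + chip side. The PIN is checked inside the chip and the key never leaves it.
    The response covers the challenge AND the transfer details typed into the reader,
    so altering either afterwards invalidates it."""
    if not hmac.compare_digest(pin_entered.encode(), CARD_PIN.encode()):
        raise PermissionError("PIN rejected by chip")
    mac = hmac.new(CARD_KEY, challenge + transfer.encode(), hashlib.sha256).digest()
    return mac[:8]  # truncated to the short code the user reads off the reader display


def bank_verify(challenge: bytes, transfer: Transfer, response: bytes) -> bool:
    """Bank side: recompute with the card key held in the bank's HSM for the transfer
    as actually submitted, then compare in constant time."""
    expected = hmac.new(CARD_KEY, challenge + transfer.encode(), hashlib.sha256).digest()[:8]
    return hmac.compare_digest(expected, response)


def sms_otp_issue() -> str:
    """SMS-style one-time code: bound to nothing but the session that requested it."""
    return f"{secrets.randbelow(10**6):06d}"


def sms_otp_verify(sent: str, entered: str, transfer: Transfer) -> bool:
    """Bank side for the SMS scheme: only the code is checked; the transfer is accepted
    as submitted because nothing in the code binds it."""
    del transfer  # nothing to check it against
    return hmac.compare_digest(sent.encode(), entered.encode())


def run_scenarios() -> dict:
    """An honest transfer, then the same user-entered code submitted after malware on
    the PC rewrote the amount and recipient, under both schemes."""
    honest = Transfer("NL91ABNA0417164300", 25_000)  # constructed sample IBAN, 250.00
    tampered = Transfer("GB29NWBK60161331926819", 2_500_000)  # constructed, 25 000.00

    challenge = bank_issue_challenge()
    code = card_respond("4921", challenge, honest)  # user typed challenge + honest details

    otp = sms_otp_issue()  # the user copies this code from the SMS into the website

    return {
        "card_honest": bank_verify(challenge, honest, code),
        "card_tampered": bank_verify(challenge, tampered, code),
        "otp_honest": sms_otp_verify(otp, otp, honest),
        # the OTP carries no transaction data, so the rewritten transfer passes too
        "otp_tampered": sms_otp_verify(otp, otp, tampered),
    }


def wrong_pin_is_rejected() -> bool:
    """The chip refuses to produce any response for a wrong PIN."""
    try:
        card_respond("0000", bank_issue_challenge(), Transfer("NL91ABNA0417164300", 1))
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```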
jagged_circle
in reply to Aceticon
You had me until banks are secure. Most banks use 2FA over SMS. All banks in the EU require a phone number for PSD2 requirements.
With GPG and TOTP support, it's been easier to secure a Facebook or Google account better than 99% of bank accounts.
Aceticon
in reply to jagged_circle
I literally said 2FA over SMS is not secure because of weaknesses in the GSM protocol.
It's still more secure than username + password alone, but that's it.
jagged_circle
in reply to Aceticon
Sure, but afaik all EU banks require a phone number so they can send OTPs using your phone for transaction auth. This is a mandate of PSD2.
My disagreement is with your last paragraph. Because of this regulation, banks are horrendously insecure. If I refuse to enter a phone number when signing up for a bank account, I literally cannot get a bank account in Europe. That's insecure despite the user, not because of the user.
Aceticon
in reply to jagged_circle
I think you're confusing security (in terms of how easy it is to impersonate you to access your bank account) with privacy and the level of requirements on the user that go with it. The impact on banking security of the bank having your phone number is basically zero, since generally lots of individuals and companies who are far less security conscious than banks have that number.
That said, I think you make a good point (people shouldn't need a mobile phone to be able to use online banking, and even if they do have one, they shouldn't need to provide it to the bank) and I agree with that point, though it's parallel to the point I'm making rather than going against it.
I certainly don't see how that collides with the last paragraph of my original post, which is about how the original thread poster has problems working with banks which "require a separate device that looks like a calculator to use online banking", which is an element of the most secure method of all (which I described in my original post) and is not at all 2FA but something altogether different, and hence does not require providing a person's phone to the bank. I mean, some banks might put 2FA on top of that challenge-response card authentication method, but they're not required to do so in Europe (I know, because one of the banks in Europe with which I have an account uses that method and has no 2FA, whilst a different one has 2FA instead of that method). As far as I know (not sure, though) banks in Europe are only forced to use 2FA if all they had before that for "security" was something even worse such as username + password authentication, because without those regulations plenty of banks would still be using said even worse method (certainly that was the case with my second bank, who back in the late 2010s still used ridiculously insecure online authentication and only started using 2FA because they were forced to).
jagged_circle
in reply to Aceticon
Transmitting an OTP to the user is a security risk.
Banks in the EU are, in fact, forced to implement 2FA using phone numbers as part of the "dynamic linking" requirement of PSD2, which makes more secure methods of 2FA (like TOTP) not allowed.
Aceticon
in reply to jagged_circle
Ah, I see.
Your point is that the use of a secondary channel for a one-time pass is still an insecure method versus the use of a time-based one-time password (for example as generated in a mobile phone app or, even more secure, a dedicated device). Well, I did point out all the way back in my first post that SMS over GSM is insecure, and SMS over GSM seems to be the secondary channel that all banks out there chose for their 2FA implementation.
So yeah, I agree with that.
Still, as I pointed out, challenge-response with smartchip signature is even safer (way harder to derive the key, and the process can actually require the user to input elements that get added to the input challenge, such as the amount being paid on a transfer, so that the smartchip signs the whole thing and it all gets validated on the other side, which you can't do with TOTP). Also as I said, from my experience with my bank in The Netherlands, a bank using that system doesn't require 2FA, so clearly there is a bit more to the Revised Payment Systems Directive than a blanket requirement for dynamic linking.
jagged_circle
in reply to Aceticon
Oh, the smart chip is best, it's just not an option for CNP or bank transfers online.
If you send a large wire transfer from your Dutch bank to an account outside the EU, I guarantee your bank is going to demand a transaction confirmation. 99% of the time that's going to be an SMS, unless you're using their (closed source) app on your (insecure) phone.
Aceticon
in reply to jagged_circle
Well, I haven't really made any large wire transfers to accounts outside the EU from that bank in over a decade, so I can't really confirm or deny.
I do know that in past experience with banks in general, the people checking the validity of suspicious transactions (and large transfers to accounts outside the EU tend to fall into that classification, given the prevalence of online scams from countries where the law is a bit of a joke) will actually call you, or at least they did in the UK some years ago (pre-Brexit), which was the last time I had experience with something like that.
(At one point I also worked in a company that made fraud detection software.)
Maybe they switched to SMS to save money, I don't know.
jagged_circle
in reply to Aceticon
jagged_circle
in reply to kevincox
chicken
in reply to AnEilifintChorcra
jagged_circle
in reply to chicken
shortwavesurfer
in reply to Sips'
Sips'
in reply to shortwavesurfer
x00z
in reply to Sips'
JubilantJaguar
in reply to Sips'
Correct. This is the reason not to use Revolut.
Choose Wise instead.
LiveLM
in reply to shortwavesurfer
lol, I've observed the same.
Fancy "Digital Wallet" thingy is absolutely decked out in root detection, meanwhile my older, physical bank's app doesn't give a fuck.
I've never been too fond of the idea of a 100% digital bank, so no loss for me!
HiramFromTheChi
in reply to Sips'
I can't prove it, but I'm 99% sure Lyft did the same thing. Had a perfect rating (and was even a driver at one point), and they banned me without explanation right after I switched to GrapheneOS.
Emailed them a few times asking for the reason, and they refused to tell me.
_"Legally, we cannot release any additional information except that we found your account to be violating our Terms of Service.
We will be in touch if we are able to reopen your account in the future."_
There's absolutely nothing else that they could've misconstrued as "violating the Terms of Service."
If Uber's going down the same path, no more ride-sharing for me I guess. ¯\_(ツ)_/¯
/home/pineapplelover
in reply to HiramFromTheChi
UntitledQuitting
in reply to HiramFromTheChi
HiramFromTheChi
in reply to UntitledQuitting
kalpol
in reply to HiramFromTheChi
HiramFromTheChi
in reply to kalpol
Anivia
in reply to kalpol
NotMyOldRedditName
in reply to HiramFromTheChi
There's no reason a company couldn't release the info legally unless it was under something like AML (anti-money-laundering) laws and you were flagged as a criminal. They legally can't disclose why in that case.
Using a different OS isn't reason enough, if they were telling the truth about the legal restrictions.
jagged_circle
in reply to HiramFromTheChi
It's machine learning fingerprinting. They lost the ability to fingerprint you, a flag was raised, and you're b&.
When this happens to half your accounts, that's when you know you're winning at not being tracked.
zako
in reply to Sips'
kevincox
in reply to zako
The point of the Google Play Integrity API is to ensure that the user is not in control of their phone, but that one of a small number of megacorps is in control.
Can the user pull their data out of apps? Not acceptable. Can the user access the app file itself? Not acceptable. Can the user modify apps? Not acceptable.
Basically it ensures that the user has no control over their own computing.
umami_wasabi
in reply to kevincox
NotMyOldRedditName
in reply to umami_wasabi
zako
in reply to kevincox
If you install GrapheneOS, you do not need root, so GrapheneOS is in control of the phone, not the user. The key here is whether GrapheneOS is secure enough to be certified by the Google Play Integrity API. Is it security or another issue? Perhaps Google is not a supporter of FOSS ROMs, perhaps it is not a fan of how GrapheneOS removes permissions from Google apps, ...
If it is not security, this is a kind of monopoly to control which ROMs are allowed to run apps.
Anivia
in reply to kevincox
This is possible on any Android phone, no root or custom ROM required.
ryannathans
in reply to zako
zako
in reply to ryannathans
ryannathans
in reply to zako
zako
in reply to ryannathans
There are only problems with a bunch of applications that recently decided to use the Play Integrity API, not with every banking app nor Netflix.
This is the list: grapheneos.org/articles/attest…
In fact, those applications should not work with Lineage unless the Play Integrity API is patched/cracked some way in Lineage.
GrapheneOS attestation compatibility guide (GrapheneOS)
ryannathans
in reply to zako
jagged_circle
in reply to zako
Oh, the banks and regulators are to blame. Especially in Europe.
Find me a PSD2 bank that doesn't require a phone number.
zako
in reply to jagged_circle
fosstodon.org/@GrapheneOS@grap… and the only hope is a movement of the regulator against this policy of Google.
boonhet
in reply to zako
So the Play Integrity API is literally why I moved to iOS. My bank apps didn't work with Lineage and the stock OnePlus ROM just sucked ass after the ColorOS or whatever update. I figured I might as well go iOS if I can't have a custom ROM anyway, and so far it has indeed been a much nicer experience than stock Android. If you can't TRULY customize everything, might as well at least get stability and consistency out of it, right? Plus at the time, there wasn't a single Android OEM out there with truly long OS update support.
Anyway, if this succeeds and custom ROMs are considered to have sound integrity, I might just move back to Android. Graphene seems cool, I haven't tried it yet because I've never owned a Pixel.
jagged_circle
in reply to boonhet
boonhet
in reply to jagged_circle
jagged_circle
in reply to boonhet
boonhet
in reply to jagged_circle
jagged_circle
in reply to boonhet
Nah, you don't need McDonald's and you don't need shitty banks that require apps.
Apple has a terrible security record lol
boonhet
in reply to jagged_circle
jagged_circle
in reply to boonhet
I'm saying use another bank that doesn't block security-hardened phones. Or one that doesn't require a phone at all.
More than half of the world sends money without bank accounts. How varies by region, but it's usually a local company (usually mobile telecom companies) or an international remittances company, or cryptocurrencies.
EngineerGaming
in reply to jagged_circle
boonhet
in reply to EngineerGaming
I can't imagine using either of those solutions every day, sometimes several times per day.
I made 3 transfers yesterday, but there have been days of 10-20 transfers, and I don't always have them planned; often it's pretty spontaneous when we buy used things from other people, particularly strangers.
EngineerGaming
in reply to boonhet
boonhet
in reply to EngineerGaming
JoeKrogan
in reply to Sips'
jagged_circle
in reply to JoeKrogan
eleitl
in reply to Sips'
Madis
in reply to Sips'
bitwolf
in reply to Sips'
McDonald's? Uber?
They both have fully functioning webapps btw.
Wilmo Bones
in reply to bitwolf
HereIAm
in reply to Wilmo Bones
dipcart
in reply to HereIAm
Auli
in reply to dipcart
porous_grey_matter
in reply to HereIAm
Andromxda 🇺🇦🇵🇸🇹🇼
in reply to porous_grey_matter
You can use this website to check if your banking app is supported: privsec.dev/posts/android/bank…
@HereIAm@lemmy.world
Banking Applications Compatibility with GrapheneOS (akc3n, Tommy, spring-onion; PrivSec - A practical approach to Privacy and Security)
jagged_circle
in reply to bitwolf • • •kreskin
in reply to jagged_circle • • •jagged_circle
in reply to kreskin • • •bitwolf
in reply to jagged_circle • • •Yes both are PWA capable.
However I stand corrected. The McDonalds webapp now redirects you to the play store when you try to order.
Guess they don't want me as a customer. (Not that I'd eat McDonalds anyway).
riders.uber.com is fully functional though, I use it often
jagged_circle
in reply to bitwolf • • •kreskin
in reply to jagged_circle • • •Sips'
in reply to bitwolf • • •bitwolf
in reply to Sips' • • •It happens! And that list surely isn't comprehensive.
I've been nagging my bank's support to add the Graphene's signatures, for example, no luck so far 😞
Andromxda 🇺🇦🇵🇸🇹🇼
in reply to bitwolf • • •bitwolf
in reply to Andromxda 🇺🇦🇵🇸🇹🇼 • • •jinwk00
in reply to Sips' • • •0x0
in reply to jinwk00 • • •The others sure, i guess, but i don't see the user overlap.
Sips'
in reply to jinwk00 • • •lacaio da inquisição
in reply to Sips' • • •Jyek
in reply to lacaio da inquisição • • •This has very little to do with Google. Custom OSes in general are being restricted by these apps, not Graphene in particular. All custom OSes and root-access devices are inherently less secure, even if they are privacy-focused OSes.
In IT this is called zero trust. You don't trust anything you cannot verify yourself. And a user-installed OS is not something anyone can verify other than the installing user. Obviously for your own security you have your own zero trust policy if you are using something like Graphene, but these companies aren't making it more secure for you as a user; they're covering their asses in case there are holes in security they cannot account for.
lacaio da inquisição
in reply to Jyek • • •Jyek
in reply to lacaio da inquisição • • •lacaio da inquisição
in reply to Jyek • • •Got it. So it's something similar to latest security proposals like not letting me download files on Windows because they are not normally downloaded. Or visiting a website with self signed certificates. So it's more secure.
The apps complain: "You need Google Play services to use this app".
So it's about security. Right. What kind of security does McDonald's need? Does it need security for their coupons?
Besides that, I thought payment gateways provided very good security by themselves.
But let's steer from what happens on mainstream apps a little.
Isn't Google Wallet or online payments insecure too? Don't they have tons of security failures also? Human security failures, like if someone robs my phone and my info, they would have access to my money?
Google and the smartphone industry employ accelerometers and other methods to make sure robbers can't get to the system. They admit themselves that the systems aren't safe and they're working on AI and electronic methods to avoid access to sensitive information.
Is this the security you're talking about? Maybe we should just steer the industry another way, like those custom OSes do. Alternatives aren't potential security threats. They're the solution to the problem.
Making a monopoly based on making it "safe" isn't secure at all.
Jyek
in reply to lacaio da inquisição • • •It's not for your security. It's for the company's security. You're really dense, you know that? This is not about you and it's not about Google. What I'm saying is, people suck ass. So to protect themselves from people sucking ass, they restrict access to their system to their terms. Completely fair if you ask me.
You can go cry Google bad all you want. I might even agree Google is bad. But this is not a Google thing. It's an IT security thing. The banks and MFA providers are security first businesses. They will make the decisions that protect them first, and it makes sense for them to do so. If you owned a bank, there is a high likelihood you would make similar decisions that end users don't quite understand.
As far as McDonald's is concerned, who the fuck knows what their developers are doing. That app is trash anyways.
ganymede
in reply to Jyek • • •perhaps dial back the attitude a bit there? if you think you know better than someone (even if you're wrong), then you should have no trouble kindly educating instead of insulting them.
you may also wish to revisit your highly questionable claim that graphene properly configured on pixel is less secure than stock rom on some random android device.
Jyek
in reply to ganymede • • •ganymede
in reply to Jyek • • •that's great buddy. but while recapping basic IT facts might make you feel smart on facebook, this is lemmy where the average user ^1^ is perfectly familiar with the principles. here it just telegraphs to us that you didn't read the fucking article (which would've taken less time than spamming the thread & insulting users btw).
^1^ before the influx of reddit api refugees - on that topic do you ever reflect on how corporate bootlicking might relate to the over-corporatisation of reddit which led to users fleeing? only to come here and do unpaid simping for the corporations, slowly ruining this place too?
Jyek
in reply to ganymede • • •stom
Unknown parent • • •Realitätsverlust
in reply to Sips' • • •Well that's bad. I've been using Revolut for years now.
Does anyone have a suggestion for a new bank that's operating under European law?
Hanrahan
in reply to Realitätsverlust • • •jagged_circle
in reply to Hanrahan • • •boonhet
in reply to jagged_circle • • •Wise has a banking license in Belgium much like Revolut has one in Lithuania.
Wise is missing some cool things Revolut has like metal cards that require you to use an expensive plan, or the ability to buy stocks and crypto.
What Wise has instead is the ability to have both a REAL American AND European bank account in the same app, which you can instantly transfer money between. Revolut doesn't give you an American bank account if you're in Europe, idk if they give you a European bank account if you're in the US. But Wise has both.
Why is this so important? Well let's say you're in Europe, you land a side gig doing a bit of work for a big US corporation you're connected to through your old job. You've got your rate negotiated, everything's sweet. And then they hit you with the question: "Are you able to take ACH payments?"
Now you have to google what an ACH payment is. Then you have to find out how to be able to receive them. Turns out these are internal to the US. Banks outside of the US just don't accept them, because they're not part of the system. But wait! Wise actually gives you an actual US bank account complete with routing numbers and everything. In your name, not in some proxy's name either.
Here's a list of currencies/banking systems you can get local payments in, without going international
Yes I sound like an advertisement at this point, but it's ridiculous how useful this gets if you need to move money internationally. I didn't get all the hype before I needed it, but when I did, it fit my use case like a glove.
Wise Bank Details | Wise Help Centre
wise.com
jagged_circle
in reply to boonhet • • •I have Wise accounts both as a US entity and an EU entity. They give you EU IBAN and US ACH accounts no matter which side of the Atlantic you're registering from.
They're the best bank I've found in the EU too, but I didn't think they were a bank. It's important because a US not-a-bank just collapsed and a lot of people lost their life savings. The not-a-bank assured customers that their money was safe because it was being stored in actual banks' bank accounts. This would have been true, but the not-a-bank misplaced almost all their funds and, turns out, they weren't in their partners' bank accounts. Whoops.
boonhet
in reply to jagged_circle • • •Turns out it's not an actual bank in the EU either, they just give you an IBAN number and everything.
However, funds in the EU are still insured at 20k per account and since they're not a bank, they can't be giving out subprime mortgages using your money like banks do, they have to keep it as safe as possible.
jagged_circle
in reply to boonhet • • •childOfMagenta
in reply to Realitätsverlust • • •Jyek
in reply to Realitätsverlust • • •Most banks restrict custom ROM and root access devices for security purposes. Same with MFA apps. I get it. From an IT security perspective, restrictions on software compatibility limit the number of failure points. Even if you find a custom OS that is more secure as an OS, it is installed through opening up your device to security risk and there is no real requirement for you to close up that security risk afterward. My company has made the same choice to restrict supported platforms for our services.
McDonald's app restricting the OS is probably some security decision they made because it's more secure even when they probably don't need it though.
Realitätsverlust
in reply to Jyek • • •Jyek
in reply to Realitätsverlust • • •butsbutts
in reply to Sips' • • •Sips'
in reply to butsbutts • • •butsbutts
in reply to Sips' • • •AlecSadler
in reply to Sips' • • •This surprises me because McDonald's app is hands down the worst app I've ever encountered in the history of all Android apps.
It is sluggish, ignores touches/taps half the time, doesn't adhere to Android best practices for flow, crashes a lot, errors a lot, etc.
But OK McDonald's. Fuck off.
ililiililiililiilili
in reply to AlecSadler • • •HiddenLayer555
in reply to AlecSadler • • •kate
in reply to stom • • •iturnedintoanewt
in reply to Sips' • • •granolabar
in reply to iturnedintoanewt • • •Sips'
in reply to iturnedintoanewt • • •
BigDanishGuy
in reply to Sips' • • •bountygiver [any]
in reply to BigDanishGuy • • •Woht24
in reply to bountygiver [any] • • •This viewpoint is so stupid.
The cashier is paid to take orders, whether they take 1 long obnoxious order or 3 small orders, it's the same shit.
People are so swept up in 'kindness and support' (internet circlejerking), they think that the fact you inconvenienced some 17 year old, representing a massive corporation, as a fuck you to the company that employs them, you've committed some moral sin against your fellow man.
neomachino
in reply to Woht24 • • •That worker doesn't want to be there, that's likely one of 3 jobs they need to barely scrape by.
You holding them up from doing other tasks they need to do to keep a job that barely feeds them is doing nothing but making their day a little harder. It affects the company 0%. The company is faceless and doesn't care how much you abuse the worker bees as long as they get your money.
I don't know what the answer is aside from not patronizing the company at all, but I know that's not it.
Lag
in reply to neomachino • • •neomachino
in reply to Lag • • •I highly doubt it, if the store is too busy they'll likely either do nothing because why would they or if it's really bad add some robots who can handle the workload so they can get rid of those pesky employees.
In the past few years almost all of the fast food places in the closest plaza to me have been working on a skeleton crew. Lines wrapped around the building, 2 miserable employees, upset customers, but the money is still coming in.
Most people can't just leave their job, even a day's wage can crush a lot of people.
UnderpantsWeevil
in reply to neomachino • • •Hey now, sometimes the company employs security that's extremely bored, incredibly racist, and looking for a low income punching bag to hassle.
neomachino
in reply to UnderpantsWeevil • • •GHiLA
in reply to Woht24 • • •the cashier
Who is also the manager, making drinks, doing the fries because that bitch called in sick...
Takios
in reply to GHiLA • • •GHiLA
in reply to Takios • • •PrettyFlyForAFatGuy
in reply to Takios • • •depends on the situation. otherwise good employee who rarely if ever is sick and works hard calls in about being unable to work? absolutely fine
Person who I know knows exactly how many days a year over how many periods of absence it will take before HR get involved, using it as a second pool of paid holiday days and leaving us high and dry to deal with the things she's paid to help the team with, then yeah, bitch
Her name was Karen too...
Dragon Rider (drag)
in reply to PrettyFlyForAFatGuy • • •This is a dick move if you don't tell your coworkers how to exploit the loophole too, and a heroic act if you do.
PrettyFlyForAFatGuy
in reply to Dragon Rider (drag) • • •Well I don't think it worked out for her.
A year or so after I left that company I heard she was sacked.
purplemonkeymad
in reply to BigDanishGuy • • •boonhet
in reply to purplemonkeymad • • •Railcar8095
in reply to BigDanishGuy • • •As a former employee... That does nothing. Crazies that spend 15 min to order some fries were common.
If you go at rush hour it can be annoying to the employee and other customers, but at the end of the day nobody will remember and you would have spent 20 min and 10 dollars (which is 9 dollars material profit for McDonald's).
Just. Don't. Go. To. McDonald's.
UnderpantsWeevil
in reply to Railcar8095 • • •Best advice on the menu
granolabar
Unknown parent • • •Agent641
Unknown parent • • •jagged_circle
Unknown parent • • •Ogygus
Unknown parent • • •Sips'
Unknown parent • • •Samsy
in reply to Sips' • • •FYI, grapheneOS devs added a list of apps to their wiki:
grapheneos.org/articles/attest…
GrapheneOS attestation compatibility guide
GrapheneOS
Railcar8095
in reply to Sips' • • •Andromxda 🇺🇦🇵🇸🇹🇼
in reply to Railcar8095 • • •GrapheneOS features overview
GrapheneOS
far_university190
in reply to Andromxda 🇺🇦🇵🇸🇹🇼 • • •Source?
theroff
in reply to far_university190 • • •4lan
in reply to Railcar8095 • • •It's crazy how they can just do illegal things because they have so much money...
Do I own my phone or not??
GHiLA
in reply to Sips' • • •Anivia
in reply to Sips' • • •Sips'
in reply to Anivia • • •Highly highly recommend Ente Auth!
- ente.io/auth/
Also featured on Privacy Guides
Ente Auth - Open source 2FA authenticator, with E2EE backups
ente
InternetCitizen2
in reply to Sips' • • •HiddenLayer555
in reply to InternetCitizen2 • • •kazerniel
in reply to Sips' • • •Cris16228
in reply to Sips' • • •Infomatics90
in reply to Anivia • • •dantheclamman
in reply to Anivia • • •filister
in reply to Anivia • • •Uriel238 [all pronouns]
in reply to Sips' • • •Mike
in reply to Uriel238 [all pronouns] • • •- you can fake an older device that didn't support hardware attestation yet, or had a broken implementation
- or you can try getting leaked vendor keys and emulate the crypto with those until they get revoked
Caveman
in reply to Sips' • • •granolabar
in reply to Caveman • • •Numenor
in reply to granolabar • • •
dragonlobster
Unknown parent • • •FreshLight
in reply to Sips' • • •SnotBubble
in reply to Sips' • • •Would not updating Revolut keep the app compatible as long as you don't sign out?
If so, don't update the app and write down the build number of the last app version which worked on GrapheneOS. That way you would have a bit more time to sort things out.
Andrew
in reply to SnotBubble • • •Phoenixz
in reply to Andrew • • •Sips'
in reply to Andrew • • •Reddfugee42
in reply to dragonlobster • • •Gloomy
in reply to Reddfugee42 • • •Raiderkev
in reply to dragonlobster • • •Infomatics90
in reply to Sips' • • •egonallanon
in reply to Agent641 • • •Reddfugee42
in reply to Gloomy • • •steal_your_face
in reply to Sips' • • •Luca
in reply to steal_your_face • • •FutileRecipe
in reply to steal_your_face • • •steal_your_face
in reply to FutileRecipe • • •Sips'
in reply to steal_your_face • • •I'd be careful with logging out.
FutileRecipe
in reply to Reddfugee42 • • •rottingleaf
in reply to Sips' • • •geography082
in reply to Sips' • • •Sips'
in reply to geography082 • • •blind3rdeye
in reply to Sips' • • •Andromxda 🇺🇦🇵🇸🇹🇼
in reply to blind3rdeye • • •GrapheneOS (@GrapheneOS@grapheneos.social)
GrapheneOS Mastodon
Roopappy
in reply to Sips' • • •Why would anyone load an app from McDonalds? You want to give them elevated access to your most personal data for a few dollars of coupons?
What are they taking from you that's worth more than the discounts they are giving you? Because they are definitely making a profit, or they wouldn't be doing it.
Sips'
in reply to Roopappy • • •dharmik
in reply to Sips' • • •Sips'
in reply to dharmik • • •pound_heap
in reply to dharmik • • •Apple does extensive audits of mobile apps, including limitations on tracking. So the app cannot spy on something you are not letting it know. But you are giving it a bunch of info voluntarily.
I'd say using that app on iOS is similar to making a food delivery order using a loyalty member ID. Basically, you are letting the company (McDonald's) know who you are, what your phone number is, where you live, and what you like to eat. And if they wish to, they could use all that to purchase your profile from a data broker. Or they can sell that info for a few cents to make up for that discount.
dharmik
in reply to Sips' • • •Sips'
in reply to dharmik • • •FriendBesto
in reply to Roopappy • • •ReversalHatchery
Unknown parent • • •- facebook: nags you to use the facebook app with popups and large banners
- facebook messenger: does not even let you log in
Dr. Moose
in reply to Sips' • • •monotremata
in reply to Dr. Moose • • •Cris16228
in reply to monotremata • • •Aegis Authenticator | F-Droid - Free and Open Source Android App Repository
f-droid.org
ZeroOne
in reply to monotremata • • •ouch
in reply to ZeroOne • • •Don't use 'click here' as link text
the QA Team
Andromxda 🇺🇦🇵🇸🇹🇼
in reply to monotremata • • •Ente Auth - Open source 2FA authenticator, with E2EE backups
ente
EngineerGaming
in reply to monotremata • • •monotremata
in reply to EngineerGaming • • •Dr. Moose
in reply to Sips' • • •Andromxda 🇺🇦🇵🇸🇹🇼
in reply to Sips' • • •I don't think it's a coincidence that the shittiest companies are those who enforce Google's broken and monopolistic "Play Integrity" API. Revolut has connections to Russia, McDonald's supports the Israeli genocide in Palestine and Authy has always just been a massive piece of shit, not even allowing users to export their TOTP seeds. These are three companies I would NEVER even consider using anyway.
And "Play Integrity" API actually does NOTHING, absolutely NOTHING for your security as an end user.
You use an outdated, unpatched Android version with multiple severe, publicly known exploits on an insecure device?
Google doesn't give a single fuck.
You use the newest version of Android with all the patches applied on Google's own hardware, with a locked boot loader and a hardened operating system?
That's not allowed by the "Play Integrity" API.
Its only purpose is to serve Google's monopolistic business interests.
Sips'
in reply to Andromxda 🇺🇦🇵🇸🇹🇼 • • •Mer
in reply to Andromxda 🇺🇦🇵🇸🇹🇼 • • •qaz
in reply to Sips' • • •kata_ton_daimona
in reply to Sips' • • •
granolabar
in reply to kata_ton_daimona • • •modern fascism in action... state and corporate fusion. however, WHY DA FAQ would Italian state do this for the benefit of a foreign corporation....
I get US part of NATO but wtf
kata_ton_daimona
in reply to granolabar • • •
utopiah
in reply to Sips' • • •jawsua
in reply to utopiah • • •GitHub - Bubka/2FAuth: A Web app to manage your Two-Factor Authentication (2FA) accounts and generate their security codes
GitHub
Sips'
in reply to utopiah • • •Highly highly recommend Ente Auth!
- ente.io/auth/
Also featured on Privacy Guides
Ente Auth - Open source 2FA authenticator, with E2EE backups
ente
mlg
in reply to Sips' • • •I swear I am so close to jumping into the void of mainline linux on phones.
The only main issue is device drivers, but I would be fine happily extracting them from android or making new ones. Modern Android is a complete full stack POS.
Lychee
in reply to Sips' • • •This is actually good, see it as an enrichment of your life. The only sad thing is Revolut though.
As an alternative to Authy I recommend Stratum (previously known as Authenticator Pro) apt.izzysoft.de/fdroid/index/a…
This is due to its compatibility with Android Wear (companion).
„Stratum“ – IzzyOnDroid F-Droid Repository
IzzyOnDroid App Repo
ouch
in reply to Lychee • • •ouch
in reply to Sips' • • •Google has ruined Android by closing it up.
EU needs to step in and force Google to open it up.
While at it, go for Apple's monopoly as well.
floreana
in reply to Sips' • •@Sips'
Gatekeepers of wealth sticking together against the ambition for freedom of poorer people?
Oh, color me surprised. 🙄
(I want to de-Google step by step, thanks for the heads up).
ReversalHatchery
Unknown parent • • •Brad Boimler
in reply to Sips' • • •