Why does a gas station need an app?

It’s likely incompetence than malice. Chances are they’ve had a lot of customer complaints because some popular free VPN interferes with their app, and adding a blanket warning about VPNs is easier than trying to figure out why it’s not working and fix it.

Precisely. Google pixel, Garmin watches, even Samsung watches.

Or using a bank that supports NFC payments (not using Google Wallet).

GrapheneOS Foundation raised this practice with European Commission because it unfairly penalises secure and safe competition giving instead a lie to the developers and banks that ancient, unsafe, vulnerable platforms are more secure.

These are the same banks that very often have no app-based MFA login, and refuse to do anything other than send me an SMS TOTP.

The irony is that they'd rather suffer losses from fraud if the fraud is less than the cost of setting up App-based TOTP and a campaign to get customers to use the app. Yet they suddenly get all in a huff about PCI compliance as CYA so they don't have to pay an app developer to figure out how to check "is phone rooted? Yes. Which OS?"

Well, to add insult to the injury, this bank does not allow website login without the mobile app. Which is absolutely infuriating. I did mention that on my comment :-)

Unfortunately, I can say with 100% confident, the customer service of my bank will not freaking understand what is a rooted phone, or LineageOS ...

And my bank's web app developer couldn't even fix their log in bug for several months. I realize, now, it's because they want to sunset their web portal.

Which is extremely annoying ... what if I don't have my mobile!!

Lazy, and greedy corporates, just trying to save their costing with shortcuts, never realizing security is never achieved by taking shortcuts.

> I giggled and said no, their developers don't understand security.

Their developers usually understand security well enough.

The problem, especially for banks, is that they're zero-risk driven, their ideal world is the one where risk doesn't exist. So instead of mitigating it they chase risk elimination (!= reduction) at any cost, while middle management needs to report that they improved something for the quarter. This results in all these kinds of stupid policies, where a 6 year old mobile, unmaintained for 4, is considered more secure than the weekly build of the community-based custom ROM running with locked bootloader signed with user-managed keys with strong protection (these days it's almost infeasible).

EDIT: to be clear, it's normally not the developers thinking up these policies, I have worked in a bank.

It's their security and not your security, don't mix up

Unfortunately, not an option right now. Setting up foreign currency payout is difficult in my country, a lot of paperworks needed, we don't even have PayPal. Also, the previous autocratic government, that was forcefully expelled after a bloody movement, left most of the banks in ruin. So not a lot of options left.

That sounds like it's a hard requirement for checking your bank balance/etc over the internet. Can't you just not do that and phone them up or go in person or read the monthly sent paper balances? Or just keep track yourself... A bank without a physical location is something I'd steer well clear of.

I barely use my bank's website and could easily not use it at all and still have all the functionality that a bank provides.

It is quite possible that you still may be able to obtain it by annoying them - in some cases provisions related to supporting disabled peoples can prevent them from fully getting rid of it.

On the last change my bank made me call to their hotline (even though everything else is possible to be done online) to keep using a separate hardware device - which ended up being just "so, you don't want to do it on a phone?" - "yep" - "ok, should be with you in a week or so".

I nowadays consider my phones pretty much throwaway devices - I don't have full control, I can't fully trust them. Plus they could be stolen, break when I drop it into water outside, ... - so I think it's ridiculously stupid to tie anything important to a phone as main authenticator.

Overall the usefuleness of a phone has been declining steadily - the selling point of a smart phone originally was that I have an app, and because it's a reasonably trusted device it'll store credentials, and I can use the app without logging in every time. By now most of the apps are just repackaged websites, and because of that - and because they don't trust their backends - we now have quickly expiring tokens in use in the apps as well. Most of the apps I don't use every day - and over the last few months every single one wanted me to log in again next time I used it.

Adding to that the nonsense of "there's a new app available, download that first before using" which typically doesn't add anything of value to me, and we're now at a state that not only does the typical smart phone app not offer a benefit over just using a website - it now often is even worse than just using a website.

BankID works great on GrapheneOS fortunately.

If you install the app then you are complicit in normalizing the requirement of signing terms of service and data sharing agreements to US technology companies in order to do banking.

Feel free to say you are a member of the Church of Cryptography and that installing proprietary corporate controlled apps is against your religion.

Never been asked to install an app for banking, but a health care clinic dropped me as a patient for not buying a phone that can install their app. I was the first case where a patient refused to conform. Found a new clinic who was willing to earn my business with phone and email correspondence. The original clinic escalated the case to corporate HQ when I filed a public medical malpractice complaint, and they ultimately responded by adding a webapp.

DEMAND the right to live your life without corpotech in your pocket. I am now 5 years without a smartphone working as an engineer and founder with an active social life who frequently travels and it can absolutely be done.