randunel a day ago

My banking app, my city hall's app and my kids' school app for parents wouldn't work on a non-Google OS for "security" reasons.

Many more national services require an original OS to function, even if I don't personally use them yet https://github.com/eu-digital-identity-wallet/av-app-android...

uallo a day ago

Complain to them, give them a bad rating in the Play Store. This is likely caused by using the obsolete SafetyNet Attestation API as outlined here: https://grapheneos.org/articles/attestation-compatibility-gu...

codedokode a day ago

I never install banking apps (not secure - no second factor, spyware risks) so I don't think it is important to have them. What is important is a phone that no other party can remotely control.

conradfr a day ago

Because your bank doesn't force you to verify yourself on the mobile app to log in on desktop ... yet.

speckx a day ago

Curious. Do you use the bank's website via a browser from a computer? What about in-person banking? Do you go to the bank?

codedokode a day ago

Website from desktop + SMS code is used as a second factor for login and for confirmation of operations. So the attacker would need to hack a desktop to read information and both devices to actually steal money. Or they would need a phone and a card number to log in without a password.

I am surprised why so many people use banking apps on phones. The apps often use SMS or even push notifications (because it's cheaper) for confirmation and once you got access to the phone you can do whatever you want. Also banking apps tend to spam users with distracting notifications, and they often require extended rights, for example to scan other apps, to access the contact list etc. For example, one of the Russian banking apps includes an antivirus.

> What about in-person banking?

Rarely. Last time I went in-person, I found that the bank switched to a model (don't remember what it's called) where the office looks like a cafe with tables and employees come between them with laptops, and there was a really long waiting time, so I got an impression that they don't want people to come in-person. Although I had some fun overhearing an angry customer complaining that his card was blocked for receiving transfers and immediately withdrawing large sums of money. He wasn't able to explain the source of the money or provide any documents but got a promise that his card would be unblocked.

Luckily there are still banks with traditional offices.

ipaddr a day ago

Use your bank's website. Installing a banking app is asking for trouble.

City hall should have information on its website. Why do you need an app?

Kids' school app sounds like the worst idea. What information are you missing by not downloading it?

randunel 15 hours ago

> Use your bank's website. Installing a banking app is asking for trouble.

My bank enforces 2FA and the app must be used to log in to their website. SMS is an alternative for logging in, but NOT for 3D Secure.

> City hall should have information on its website. Why do you need an app?

Certain functionality, such as reporting city hall relevant violations (parking on pavement being an example), absolutely requires using their app to submit the photos.

> Kids' school app sounds like the worst idea. What information are you missing by not downloading it?

All announcements are exclusive to the app. Trips, injuries, etc.

jbstack a day ago

> Use your bank's website. Installing a banking app is asking for trouble.

If you can. In order to be able to log in to my bank's website I need an OTP which is generated by... can you guess? Yes, their app. Which I can now only run if my Android settings meet their standards. The other day it took me half an hour to access my banking because the app kept complaining that my device wasn't "secure", until I figured out the magic combination of settings to undo to make it work (including for third party apps that should be none of the bank's business).

const_cast a day ago

There are numerous TOTP services that we know are perfectly secure.

They should just use one of those. These banks are assholes. They're trying to get you to download the app for advertising, marketing, and data collection purposes. Not security.

tomatocracy a day ago

This is in part driven in turn by regulations like PSD2 in the EU requiring "Strong Customer Authentication". Most banks seem to have decided that a TOTP-style challenge does not meet the requirements of the regulation (this may even be an explicit ruling, I don't know).

lawn a day ago

That's very unfortunate.

Most apps work fine though, including all Swedish banking and authentication apps I've tried.

worldsayshi a day ago

Oh, really, Swish and BankID work on GrapheneOS?

lawn a day ago

Yes. I only had to enable some permissions when I copied BankID to the new phone but otherwise everything seems to work.