Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
homebrewer 6 days ago

These "security checks" are a complete, total, absolute joke. Just a couple of weeks ago I had a friend ask me to downgrade firmware on a similar Xiaomi device from the latest LineageOS to stock to make two shitty banks work. Nothing I did on Lineage would make "security checks" pass, even though it was running the cleanest possible Android 15 with the latest security patches applied.

Now the phone is running stock firmware from 2020, with Android security patches from 2020, and with numerous publicly known vulnerabilities. The banks work fine, Google Pay works fine, every Play Integrity check passes, even the strongest one (device integrity).

The only reason I see for it being implemented this way is not to lock the bad guys out from your phone, but to prevent you from doing anything to the banking applications, even through it is still possible through said vulnerabilities.

One of said banks also refuses to run if it detects remote assistance clients on your phone (like TeamViewer), or even Discord, because apparently these were used in scams over the past few years, and we need to protect even the stupidest at the expense of everyone else. How did we come to this "future"? The worst days of desktop Windows weren't even remotely close to this nonsense.

riedel 6 days ago | parent | next [-]

The most stupid is the interplay with regulators: on one hand grapheneOS is far too secure if it comes to CSAM or organized crime on the other hand it is not secure enough for banking (most of the 2FA comes from the interpretation of the PSD regulations afaik).

spwa4 5 days ago | parent [-]

It's not stupid. It's governments being extremely cheap. Banks (large banks are part of the government everywhere, at least when it comes to policy) and governments are totally dependent on certification (meaning someone to check security patches on devices), effectively a group of people that have some budget to check a lot of software version of a lot of devices. This doesn't have to be many people.

Nobody's willing to pay for it, so only Google, who have to do this for a bunch of other reasons, actually does it.

On the contrary, governments are imposing other restrictions on OS'es (like EU Chat directive), as well as making more and more critical government functions (like eID, and the various equivalents, and the banks) that can never work without OS certification, are utterly dependent on the App stores (it requires the ability to replace apps on user's devices without being detected), and thereby driving people deeper into Google and Apple's arms. Despite the fact that this makes the EU totally dependent on yet another US company, making this stupid. And, of course, it makes securing anyone in the EU against US spying an exercise in futility.

But it saves a little bit of money now, and gives the US, ie. Trump, yet another loaded gun aimed at the head of the EU economy. What could possibly go wrong?

Sell your airbus stock.

subscribed 5 days ago | parent | prev | next [-]

Google still didn't block leaked Nexus 4 keys, meaning anything rooted with magisk can spoof the integrity check.

Rooted. Usually with unlocked bootloader. Safe.

Also phones on Android 9 unpatched since 2009. Etc.

:)

BlueTemplar 6 days ago | parent | prev [-]

Why would you care about this but still want to run Discord ??

matheusmoreira 5 days ago | parent | next [-]

Because that's where people are. The choice is to run Discord or be ostracized.

BlueTemplar 5 days ago | parent [-]

No, you can (and should) instead ostracise people that use Discord. As publicly as possible. That's how you change things.

matheusmoreira 4 days ago | parent [-]

That's not how it works. People like us don't ostracize anyone. We are a minority. We have no leverage at all against massive communities with thousands of members.

jamesnorden 5 days ago | parent | prev [-]

??? What's the correlation?

BlueTemplar 5 days ago | parent [-]

It's a platform, meaning you cannot run your own servers (as compared to "servers").

It's also Deep Web, not Open Web.

Furthermore, it's US-based, with an unknown amount of Tencent backing, going back to before even its creation.