| ▲ | Fiveplus a day ago |
| So, if you cannot cryptographically prove to a remote server that your device is running essentially unmodified, vendor-signed software, you are locked out of the economy? The irrefutable part here is that the security model works. Locking down the bootloader and enforcing TEE signatures does stop malware. But it also kills user agency. We are moving to a model where the user is considered the adversary on their own hardware. The genius of the modders in that XDA thread is undeniable, but they are fighting a war against the fundamental architecture of modern trust and the architecture is winning. |
|
| ▲ | Helmut10001 a day ago | parent | next [-] |
| As I mentioned in another post: By 2026, you'll need two phones. My current setup: 1) An unmodified iPhone SE (2022 model) with OS support until 2032. This runs all my authentication, banking, health, etc. It is in airplane mode 99% of the time unless I need it.
2) The second is a Pixel 9a with Graphene OS for daily use, routing and internet access.
This is expensive, but I found it to be the only viable solution to this problem. |
| |
| ▲ | schmuckonwheels a day ago | parent | next [-] | | Do you guys wear cargo pants to carry all these extra devices or are belt clips coming back into style? If I could get away with carrying a tiny device again instead of lugging around a brick I would, but the world has made it as inconvenient as possible not to. A BlackBerry from 15 years ago weighed just over 100g and did 80% of what your modern-day pocket computer can. | | |
| ▲ | emporas a day ago | parent | next [-] | | When a bank eventually requires a more recent phone to work, they will carry three phones, one for that one bank, one more for the rest of the banks, and a personal one. Then they might move somewhere else with different banks and different hardware requirements, they will carry 5 phones. | |
| ▲ | squibonpig a day ago | parent | prev [-] | | I mean, did it do 80% of the stuff? Devices have changed a lot. | | |
| ▲ | grishka a day ago | parent | next [-] | | I've never used a Blackberry but it was much more efficient for me to input text (an essential task for a communication device!) on non-iPhone-style phones with physical buttons. | | |
| ▲ | danparsonson a day ago | parent [-] | | Nothing useful to add except, god I miss my Bold 9700. Every time I slip on this stupid touchscreen keyboard and make a stupid typo on this stupid phone I howl inwardly and wish pain and endless torment upon everyone who took us down this path away from light and goodness. Grumble grumble | | |
| ▲ | grishka a day ago | parent [-] | | The fun part for me is that an old dumb phone could replace, like, 50% of my smartphone usage, if I could use Telegram on it. We even still have 2G networks with no plans to shut them down. So, a J2ME Telegram client has been on my list of potential future projects for quite some time. |
|
| |
| ▲ | schmuckonwheels a day ago | parent | prev [-] | | It did, and some of the things it was more effective at. I remember BlackBerry OS 4.x (?) had a built-in password manager app and this was in the mid-2000s. By comparison this was added to iOS 18 in 2024. What it wasn't good at was things like games and toxic consumer rich media bullshit. The industry saw dollar signs with iOS and Android and never wrote apps for the ecosystem. Remember the days when Instagram was iOS-only? But here we are, resigned to typing on glass for the rest of our lives because some hippie burnout thought it was a good idea. | | |
|
| |
| ▲ | gruez a day ago | parent | prev | next [-] | | > An unmodified iPhone SE (2022 model) with OS support until 2032
What makes you think it'll be supported for a decade? Looking at the past models, the support period is around 5-7 years. If you count security updates that might get you to 10 years, but at the 7-9 year mark apps will eventually refuse to update because you're not on the latest ios. https://en.wikipedia.org/wiki/IPhone#Models | | |
| ▲ | zozbot234 a day ago | parent | next [-] | | By the time that iPhone SE 3 finally goes unsupported (even the iPhone SE 2 from 2020 has yet to lose support) you'll just buy a cheap refurbished iPhone 16e. Old-gen iPhones are widely available and quite cheap. | | |
| ▲ | luqtas a day ago | parent [-] | | i think most here if not all, people complaining by predatory practices of not supporting or liberating your device to whatever you want, are not worried or affected by monetary reasons for my smartphone usage, i could still use my iphone se (1° gen) perfectly fine and that would include writing some pieces with garageband; which got deprecated and non-download-able because newer versions weren't aimed to my iOS version. heck the vast majority of smartphones aren't compiling software with local hardware (nor i know why someone would do)... guess we could stop with processing power advancement of 2015 just fine to run WhatsApp and Instagram. producing hardware is costly, not everyone has a decent job nor minerals are infinite and have no ecological impact |
| |
| ▲ | jama211 a day ago | parent | prev | next [-] | | To be fair my 2016 iPad Pro is up to date and can still run any app I throw at it | |
| ▲ | kennywinker a day ago | parent | prev [-] | | If you’re not using it regularly, why would you need anything except security updates? | | |
| ▲ | sorokod a day ago | parent [-] | | You will also need to accommodate the banking apps updates, banks will not support very old versions of their apps (very old varies but probably about a few months). Beyond that the new versions may require hardware support that may not be available in a decade old phone. | | |
| ▲ | fn-mote a day ago | parent [-] | | History here is they will require a recent OS version even if it is unnecessary. |
|
|
| |
| ▲ | miloignis a day ago | parent | prev | next [-] | | I'm also a big GrapheneOS user, but I'm lucky enough that my banking and authentication apps run fine on GrapheneOS, so no need for a second phone. If they stopped, I think I would seriously consider swapping banks and whatever else instead of using a different OS. | | |
| ▲ | ryandrake a day ago | parent [-] | | There are enough non-shitty banks and credit unions, at least in the US, that you should be able to easily switch banks to a better one. They have no moat. | | |
| ▲ | fn-mote a day ago | parent [-] | | The moat is ATM access if you want that. | | |
| ▲ | craftkiller a day ago | parent | next [-] | | FWIW my US bank works on GrapheneOS and they refund all ATM fees, so you can use any ATM you want. The only issue I've run into with them is they have a Zelle integration which is only available on the phone, and on GrapheneOS it just loads to a blank white screen. But that seems to be Zelle's fault. The bank is Charles Schwab if anyone is looking for a currently-compatible-with-GrapheneOS bank in the US. | | |
| ▲ | JCattheATM a day ago | parent [-] | | Charles Schwab also supports the current administration for anyone that wants to bank morally. |
| |
| ▲ | jp191919 a day ago | parent | prev [-] | | Most credit unions use "shared branching" which mostly solves ATM access. |
|
|
| |
| ▲ | BeetleB a day ago | parent | prev | next [-] | | Funny - in some ways I have the opposite. In my version: The iPhone SE would be the one I use for calls, SMS, etc. It has the SIM card. The Pixel 9a would be used for everything I don't need a data plan/SIM card (browsing etc). My needs are a bit different from yours. I like to separate telephony and communication (i.e. WhatsApp, SMS) from everything else. This way, if I want quiet, I just turn that phone to airplane mode. I really don't want to get random pings while I'm doing "real" stuff on my phone. | | |
| ▲ | raw_anon_1111 a day ago | parent [-] | | Or you could just turn on Do Not Disturb… | | |
| ▲ | BeetleB a day ago | parent [-] | | More painful to manage turning it on/off than to simply leave it in my car. Over the years, I've spent far too much time with different solutions for managing notifications, etc. Turns out simply keeping the older phone after buying a newer one was the easiest approach. No downsides so far. The old phone has the SIM card. The new one doesn't. | | |
| ▲ | raw_anon_1111 a day ago | parent [-] | | Pulling down on control center and pressing “Do not disturb” is hard to manage? | | |
| ▲ | BeetleB a day ago | parent [-] | | Looking at the phone, disabling the lock, swiping down, and pressing "Do not disturb" is a lot more than just not looking at the phone. Also, that's only half of it. I have to move it out of "Do not disturb" at some point. Or set a timeline for it. Why should I when I just don't need to? Also, it's been years since I used "Do not disturb". Does it show notification icons in the drawer on top? That's a definite no-no. | | |
| ▲ | raw_anon_1111 a day ago | parent [-] | | No, notifications don’t show anywhere. And with focus modes with location based triggers, you can set it to turn DND on when you get home and it automatically turns off when you leave home. |
|
|
|
|
| |
| ▲ | Flere-Imsaho a day ago | parent | prev | next [-] | | I take a different approach: I run a proxmox server on my home Lan with all the services and storage I want, including a wireguard server. My Android phone can then connect to my home LAN services from anywhere in the world (my ISP provides static public IP addresses). My Android device is then a simple terminal to all my "stuff". It can be locked down as much as they want it to be, as long as it can run WireGuard. I have no use for a rooted phone. In fact I want it to be as hardened as possible in case of theft. | |
| ▲ | zozbot234 a day ago | parent | prev | next [-] | | This is a sensible move. Plus you can just keep your "authentication" phone at home instead of having it on you when you're out for no good reason. | | |
| ▲ | derefr a day ago | parent [-] | | Not if you want to use tap-to-pay systems. | | |
| ▲ | gabrielhidasy a day ago | parent | next [-] | | Tap a bankcard? You can even tape it to the back of your phone | | |
| ▲ | sgc a day ago | parent | next [-] | | I might be paranoid, but I like that my bankcards are in a metal case (I got it because it's water/dustproof, but I like the bonus) and I like that Wallet only activates the rfid for a second, then I'm no longer broadcasting. | | |
| ▲ | JCattheATM a day ago | parent [-] | | Even if someone cloned your card info, they couldn't use it to do anything. |
| |
| ▲ | pests a day ago | parent | prev | next [-] | | Having cards on back of phone triggers the phone's NFC reader for the card's chip, causing apps to launch or other messages to appear on screen. | |
| ▲ | mikae1 a day ago | parent | prev [-] | | Tape to pay, that is. |
| |
| ▲ | Larrikin a day ago | parent | prev | next [-] | | Just use your credit card | | |
| ▲ | craftkiller a day ago | parent [-] | | And adding to this: using the card gives me peace of mind because it never runs out of battery. If I only used my phone for payments and it died while I was out, I would be screwed. Can't call a friend, can't pay for transit, I guess I'm walking for hours to get home? Since I use the card to pay, if my phone dies, the worst thing that happens to me is I might need to look at a physical map to figure out which train to take home. | | |
| |
| ▲ | Spooky23 a day ago | parent | prev | next [-] | | If you have a lot of resources to protect against or known risk, you segment. For example, do most daily transactions at one bank, and keep the rest at another. This happens a lot in companies and government - you outsource payable operations to different division of government or a contractor. Hire one to do custody of money, another to process disbursements. | |
| ▲ | tadfisher a day ago | parent | prev | next [-] | | Smartwatches are great for this. | | |
| ▲ | derefr 11 hours ago | parent | next [-] | | In fact, a smartwatch might be the ideal "second personal portable computer that's just for auth and banking" that is being proposed by various commenters here. Requiring that everyone carry a smartwatch (or other smartwatch-based compute nugget) around to participate in civic life is a bit less onerous than requiring everyone carry around a smartphone; smartwatches are both cheaper and smaller. And, to me at least, smartwatches are much more of an appliance than a smartphone is. Nobody's really begging to sideload apps onto their smartwatch, or to install an alternate launcher onto them, etc. Smartwatches just kind of "do what they should obviously do given the hardware design and HCI affordances" — kind of like a calculator. As a bonus, unlike smartphones, most smartwatches to this day still aren't independently connected to cellular networks; so the average wiretapped smartwatch can't be used to surveil your location and activities in quite the same way that a wiretapped smartphone can. | |
| ▲ | LorenPechtel a day ago | parent | prev [-] | | Yeah, in low-fraud scenarios it's a very good idea. Otherwise, though, you have the problem of what happens when a robber takes it. I'm thinking a ring type device might be better--put a pulse oximeter into it, you unlock it with your phone, it remains unlocked only so long as it gets basically perfect data from the oximeter, locks if it fails for a second. Thus said robber can neither snatch your ring nor cut off your finger and use it. I like the metal mesh straps that can hold my device very snugly against my skin without being tight and that would be good enough, but a looser strap would not. | | |
| ▲ | tadfisher a day ago | parent [-] | | The smartwatches I've owned with payments support (Pixel Watch series) automatically lock when they are not worn, presumably using the heart-rate sensor. |
|
| |
| ▲ | ymyms a day ago | parent | prev [-] | | I wonder if this makes room in the market for some simpler device for payments. Something like a wearable that you can tap-to-pay and has the signed software attenuation but nothing else so you can't be tracked using GPS. | | |
| ▲ | zozbot234 a day ago | parent | next [-] | | > Something like a wearable that you can tap-to-pay and has the signed software attenuation but nothing else so you can't be tracked using GPS.
That's a nice idea. You could have a simple card-shaped device with no screen or buttons, and call that a "credit card". | | | |
| ▲ | wolvoleo a day ago | parent | prev | next [-] | | Curve sell rings to use for this. https://www.curve.com/wearables/ | |
| ▲ | wrennes a day ago | parent | prev | next [-] | | This will be the answer as we move away from screens as phones. Smart watches have slowly edged in, but I foresee some 'no screen' being the answer to payments, access control, etc | |
| ▲ | mikae1 a day ago | parent | prev | next [-] | | > I wonder if this makes room in the market for some simpler device for payments.
Like a credit card? They've been around for some time. | |
| ▲ | socalgal2 a day ago | parent | prev | next [-] | | that exists. It's called Felica, and it's used all over Japan. train passes, vending machine, convenience stores, many restaurants. Built into iphone and a few androids. Note that the payments are tied to a card/chip but you can (at the moment) buy new card no id/registration required | | |
| ▲ | wolvoleo a day ago | parent [-] | | Nice. We had this in the 90s in Holland. It was called chipknip. (Knip is old slang for wallet). It was really like digital cash, the money was loaded onto a chip. So if you lost it you lost all the money. There was no pin code either, just like a real wallet. Unfortunately it was not really anonymous because the Dutch government are really into surveillance. It didn't really last very long, it was only popular for parking machines. In those days 2G was expensive so validating transactions online was rare. |
| |
| ▲ | GreenVulpine a day ago | parent | prev | next [-] | | Perhaps an NFC smart card you can carry in your wallet or phone case :) | |
| ▲ | mystifyingpoi a day ago | parent | prev | next [-] | | Sounds like... a card? | |
| ▲ | kotaKat a day ago | parent | prev [-] | | Long ago we used to have ‘mini’ credit cards. You could get a two-thirds size magstripe card from some major banks that’d go right on your keychain. Discover had a cute little bean keychain with a flip-out magstripe card (the Discover2Go) as well. At the same time there was also the Exxon-Mobil Speedpass RFID fob, and I remember there being a huge discussion about “the battle of the keychain” and whose payment instrument would win being on your keys to be used the most alongside your loyalty cards. |
|
|
| |
| ▲ | seszett a day ago | parent | prev | next [-] | | That's what I do too (not iOS + GrapheneOS but the result is the same) as I was tired of fighting to make my bank apps and itsme (digital identity app in Belgium) work on my rooted phone. Every time I have to use a stock phone I'm appalled at the ads and I have absolutely no trust in any US or Chinese manufacturer. So I use them only for banking and digital id because that's presumably not what they actually care about. It's not that expensive, I think many people have an old Android phone lying around, it doesn't have to be up to date. | | |
| ▲ | fph a day ago | parent | next [-] | | It is very ironic that the solution is using an old, insecure phone full of unpatched holes for all important banking and id business, because that one is vendor-allowed while your state-of-the-art GrapheneOS is not. | | |
| ▲ | StrLght a day ago | parent [-] | | If only banks cared about state-of-the-art security. In reality, banks couldn’t care less. They only care about checking boxes and don’t consider where these boxes come from; every unchecked box is a risk. Did the latest sham "security audit" say that root is bad? They'll block it. |
| |
| ▲ | tetris11 a day ago | parent | prev [-] | | My job's SSO moved to a provider that either required an unrooted phone or a reliable Voice auth. For 2 years the voice authentication worked fine (they call me, I type in a number) on my regular rooted phone. Then one random morning I just stopped getting the phone calls. "Network said no". Complete lock out, nothing I could do except go out and panic-buy an unrooted phone not running Lineage and using a modern Android version. (I tried my older unofficial lineage phones without root, and no dice.) I opted for a good phone I could postmarket later, but gosh did it set me back almost 1/5 of my monthly salary. | | |
| ▲ | WhyNotHugo a day ago | parent [-] | | This does sound like the situation where the employer should provide you with the phone. | | |
| ▲ | GreenVulpine a day ago | parent [-] | | Indeed. Never spend your own money on work related expenses. If your job requires a phone, they need to provide one. |
|
|
| |
| ▲ | Pfhortune a day ago | parent | prev | next [-] | | Pretty much the same setup here. Pixel 9 Pro GOS + iPhone 15 (USB-C everything!). The iPhone is a Canadian model that retains the SIM slot. Most of my banking apps work fine on GrapheneOS, but I've adopted this because I'm confident they'll eventually break. And access to Apple Pay is nice. Carrying two phones is annoying, but, agency over my main computing device is worth the price. | |
| ▲ | Helmut10001 a day ago | parent | prev | next [-] | | Wow, my comment has really taken off! In both directions! Let me clarify some things.
- I bought the iPhone SE 2022 second-hand for 150 EUR. I think this is a fair price, but it's still expensive given that I leave it lying around 99% of the time, which I still feel is a waste of resources, regardless of my motivation.
- My main reason for having two phones is pretty simple. I think browsing and daily internet use just don't go together anymore with authentication, banking and health. I also didn't want to carry a critical key to my digital infrastructure around with me every day, especially in bars (etc.). Having a separate phone helps me to treat different aspects of my life differently. No worries, I don't have to carry two phones with me all the time.
- Yes, I do other things to generally reduce my digital footprint: I use different browsers for different things, such as admin work and social media (in those rare cases where I still use it). I also self-host behind VPN and have moved many apps to my internal stack, which gives me better control over what communicates with what. For example, I use WhatsApp Bridge so I don't have to use the app directly on phones anymore. I self-host Invidious with privacy-redirect for Fennec for YouTube, etc. Over time, all of this has slowly helped me regain my freedom, and it actually feels liberating.
- My path may not be your path. | |
| ▲ | Roark66 a day ago | parent | prev | next [-] | | I have a similar setup, but no need for your "bank/govt app phone" to be an expensive device. A cheapest $120 smartphone money can buy is good enough. Then you choose the flagship device you're going to use 99% of the time on the basis of how easily you can unlock the bootloader/root. | | | |
| ▲ | itsamario a day ago | parent | prev | next [-] | | Phones are cheap, service isn't. If currency goes fully digital, not having two devices is irresponsible. | |
| ▲ | latentsea a day ago | parent | prev | next [-] | | This. I've had to run two phones for some time now, and have just accepted this is the new normal. | |
| ▲ | Retr0id a day ago | parent | prev | next [-] | | I do something similar but it's iPhone SE plus olympus camera plus laptop. The laptop is where all the libre software lives, and the camera is (of course) for taking pictures with. I don't use the phone for anything except boring essentials, for the most part. | |
| ▲ | zorked a day ago | parent | prev | next [-] | | I used to get a physical security key from my bank. Perhaps I should get a bank device with a touch screen for banking only and they could then stay the hell off of my personal phone. | |
| ▲ | wolvoleo a day ago | parent | prev | next [-] | | You'll still need to bring your iPhone out with you then and thus it will capture your location and more for the companies to data-mine. | | |
| ▲ | craftkiller a day ago | parent [-] | | Why? Do you have many unplanned urgent banking needs? Everything that needs an unmodified phone can wait until I get home. | | |
| ▲ | wolvoleo a day ago | parent [-] | | Yeah kinda. Because even paying something online now requires 2FA from that banking app :( Sometimes when party tickets come online I have to be really quick to buy them for early bird price. |
|
| |
| ▲ | jrms a day ago | parent | prev | next [-] | | Sounds expensive using that hardware, but we can achieve the same using cheaper phones, I like the idea, thanks. | | |
| ▲ | drnick1 a day ago | parent [-] | | Cheapest new Googled Android phone is < $100, Pixel 9a on sale <$400 and Graphene is free, still (much) cheaper than the latest gen spiPhone. |
| |
| ▲ | barbazoo a day ago | parent | prev | next [-] | | Many of us would need the unmodified one to have a working SIM because a lot of those providers require SMS in their auth flow. Expensive for many of us. For me it'll mean I have to do these things on a computer. Until they come for that one too of course. | | |
| ▲ | craftkiller a day ago | parent | next [-] | | Don't they usually SMS you a TOTP code that you could then just type into the unmodified one? I've seen some apps that snoop on your SMS to automatically grab the TOTP code but I've never come across one that wouldn't let you manually type it in. | |
| ▲ | Helmut10001 a day ago | parent | prev [-] | | I use the eSim feature in my iPhone, this worked well. | | |
| ▲ | barbazoo 10 hours ago | parent [-] | | Do you mean you have the same esim on both phones but normally activated on the burner phone except when you need it on the unmodified one w/o access to burner phone? |
|
| |
| ▲ | aspbee555 a day ago | parent | prev | next [-] | | the iPhone still does bluetooth transmissions/pings even in airplane mode (the find my device thing) and no way to disable
the only way to disable any transmissions is to turn off the device | | |
| ▲ | Terretta a day ago | parent | next [-] | | > iPhone still does bluetooth transmissions/pings even in airplane mode ... the only way to disable any transmissions is to turn off the device
I used to be under the impression that:
- Airplane Mode via Control Center icon, true.
- Cellular, WiFi, and Bluetooth off, via Settings, not true.
Meaning, if you turn those off specifically, you are not talking to towers or access points or broadcasting a persistent bluetooth ID.
Having Kagi'd a bit just now, maybe the thing that can't be turned off is NFC? https://www.simplymac.com/ios/can-you-turn-off-nfc-iphone
If that's the case, then I'd hold this as a different threat model than not being able to turn off WiFi and Cellular. Very curious if an iPhone or iPad with all accessible settings off, including for NFC turning off Apple Pay, NFC tag reading, etc., leaving only this background NFC on, if there are still persistent identifiers being broadcast. | | |
| ▲ | wolvoleo a day ago | parent [-] | | Yes in settings it turns it completely off. I verified it once with a BT sniffer. |
| |
| ▲ | GreenVulpine a day ago | parent | prev | next [-] | | iPhones will transmit bluetooth beacons even if turned off. Fortunately the battery goes completely flat after a couple of weeks or so and then they no longer do. Unfortunately this is not very healthy for the battery. | |
| ▲ | NoMoreNicksLeft a day ago | parent | prev | next [-] | | Bluetooth's the same RF chip as wifi in new phones isn't it? Can't just exacto knife a trace on the board without murdering everything I take it? | | |
| ▲ | MobiusHorizons a day ago | parent [-] | | I could be wrong, but on a lot of mobile SOCs all of the modems are in the same chip as the CPU. I think you would have better luck removing the connection to the antenna |
| |
| ▲ | doublerabbit a day ago | parent | prev [-] | | I've turned off find my device on my device. Although, I am still using 17.7.2 that won't stop nagging me to upgrade to iOS 26.2. I don't want to because I know I'll hate it. | | |
| ▲ | hexagonwin a day ago | parent [-] | | you can kill the ota nagging very easily without any side effects, try searching for tvos profile | | |
| ▲ | MonkeyClub a day ago | parent [-] | | Wasn't aware of this, thanks! Also found out that the profiles also expire, so you need to update those in order to skip the update nagging. Apple's lolling all the way. |
|
|
| |
| ▲ | jjulius a day ago | parent | prev | next [-] | | > By 2026, you'll need two phones...
Need? Unless and/or until the ability to log in and do your banking, healthcare, etc. via desktop/laptop goes away, then you don't need a phone to do any of that. Yes, 2FA may be required but in the tangential experience of myself, my partner and my two closest friends, we have multiple 2FA options available to us for our banking/healthcare apps that don't require a smartphone. I see this point all the time - "You can't bank or do important life stuff without a phone!!!" and it's just, largely, bullshit. I don't do any "important life stuff" on my phone. Beyond that, even if you had to have a phone to perform those tasks, I'd strongly argue that if you feel you need a second phone, then, and I know this will come off as reductive and unproductive, I think the idea of spending less time on your phone and on the internet, and more time "touching more grass" and interacting with the community and world immediately around you, might apply. | | |
| ▲ | notpushkin a day ago | parent | next [-] | | You don’t do any important stuff on your phone. Others might not have the luxury. Notably, in Vietnam people use QR payments a lot. If you want to interact with them by, say, paying at a small local restaurant, you’ll need a phone (or a stack of cash, and please do prepare change). | | |
| ▲ | jjulius a day ago | parent [-] | | > ... or a stack of cash...
So I don't, actually, need a phone in that instance... | | |
| ▲ | notpushkin a day ago | parent [-] | | Hmm, yeah, I guess you’re right. There are tradeoffs, but if they’re worth the benefits for you – yes, you can live without a smartphone. For this to work for me personally, I would need webapps for ride-hailing and preferably food delivery, and to learn how to navigate the city without a map. I think I might be able to pull it off for some of the places I live in. |
|
| |
| ▲ | jama211 a day ago | parent | prev | next [-] | | Just because you don’t need it doesn’t mean other people don’t. Heck, I have no need for a rooted phone so I only use a normal phone, but I respect that others might need a rooted phone. | |
| ▲ | a day ago | parent | prev | next [-] | | [deleted] | |
| ▲ | mantas a day ago | parent | prev [-] | | It depends on location. In my whereabouts banking and e-signing requires one of two 2FA solutions both are mobile-only. Theoretically there is a third option with USB ID card reader to use certificate stored in ID card. But I never saw one used in practice. It’s a PITA to get those devices to work on anything beyond Windows. And they’re accepted in relatively few places. |
| |
| ▲ | kelvinjps10 a day ago | parent | prev | next [-] | | At that point why not just use the bank's website? | | |
| ▲ | SoftTalker a day ago | parent | next [-] | | That's what I do. I don't install apps for stuff I can just do on the web. | |
| ▲ | mschild a day ago | parent | prev [-] | | Because that needs 2FA to login and guess what the only way to get the code is. | | |
| ▲ | bethekidyouwant a day ago | parent [-] | | Does the government ban getting SMS messages on your rooted phone? | | |
| ▲ | jolmg a day ago | parent | next [-] | | It's not considered secure enough. | |
| ▲ | mschild a day ago | parent | prev [-] | | Not that I'm aware of but if banks don't offer it, which most don't, good luck. |
|
|
| |
| ▲ | betaby a day ago | parent | prev | next [-] | | Is camera quality the same on rooted and locked Pixel? For example rooted Sony phones have terrible photo / video quality. | | | |
| ▲ | morshu9001 a day ago | parent | prev | next [-] | | I already willingly do this with browsers. Firefox gets maximum adblocking and other extensions, Safari gets to touch my bank. | |
| ▲ | ThePowerOfFuet a day ago | parent | prev | next [-] | | GrapheneOS is not rooted. Most banking apps work fine on it. https://privsec.dev/posts/android/banking-applications-compa... https://grapheneos.org/usage#banking-apps | | |
| ▲ | NoGravitas a day ago | parent [-] | | It's true that GrapheneOS is not rooted, and, unlike other non-rooted custom ROMs, allows re-locking the bootloader. But, whether a banking app will work depends on what level of Google Play attestation they require. While most banking apps work fine on it, a significant minority do not. | | |
| ▲ | TimeBearingDown a day ago | parent | next [-] | | There's a crowd-sourced dataset here: https://privsec.dev/posts/android/banking-applications-compa... | |
| ▲ | drnick1 a day ago | parent | prev [-] | | To be fair, this seems to be mostly a European problem. U.S. banks do not seem to enforce Play (dis)Integrity. | | |
| ▲ | Stagnant a day ago | parent | next [-] | | Not necessarily a European problem either. Maybe it varies by country but at least none of my 3 finnish banks check for play integrity. | | |
| ▲ | morjom a day ago | parent [-] | | I know OP checks for integrity/for third party apps. My guess for your ones would be Nordea, Danske and S? |
| |
| ▲ | wolvoleo a day ago | parent | prev [-] | | Yeah I wish we could do without a bank in modern life. When bitcoin first began I was really in support of it because I saw potential in freeing us from the dark stranglehold of the banking industry. Everyone just manages their own digital money. But nope the cryptobros just turned it into another pyramid speculation scheme and the governments ruined the customer independence with their KYC stuff. Now it's just an online version of the old system where the exchanges are the new banks. |
|
|
| |
| ▲ | firefax a day ago | parent | prev | next [-] | | Is there a resource for what phones are known good to run GrapheneOS? | | |
| ▲ | danparsonson a day ago | parent [-] | | It's Pixels only at the moment; the GOS team are apparently working with another hardware vendor to produce a suitable device, but that's still a long way off. |
| |
| ▲ | karel-3d a day ago | parent | prev | next [-] | | meanwhile, I have a problem remembering to charge one phone. | |
| ▲ | iso1631 a day ago | parent | prev | next [-] | | > This is expensive, but I found it to be the only viable solution to this problem. Is it really? £150 on backmarket for a phone which will last 10 years doesn't feel expensive. Makes sense to me to run any banking on a secure device anyway. | | |
| ▲ | wolvoleo a day ago | parent | next [-] | | How is a Pixel with GrapheneOS not a secure device? PS: no, it's not rooted, but it won't pass full Play Integrity so it will usually be treated as such. Also, a properly configured root is not a weakness, just like having a computer where you don't log in as admin unless you really need to can be just fine. | |
| ▲ | StrLght a day ago | parent | prev [-] | | A £150 back market phone is not a secure device. It probably stopped receiving security patches a month after its release. | | |
| ▲ | Helmut10001 a day ago | parent [-] | | The iPhone SE 2022 I am speaking of above came 150 EUR used. It will receive updates till ~2032. |
|
| |
| ▲ | jacobthesnakob a day ago | parent | prev | next [-] | | Why though? What are you doing on your Pixel that wouldn’t be more secure doing on an iPhone with a double hop or dual-encapsulated VPN? | | |
| ▲ | Helmut10001 a day ago | parent [-] | | My main reason is that I wanted to separate browsing/daily use from auth/banking. These two things just don't belong together, from my perspective. |
| |
| ▲ | pessimizer a day ago | parent | prev | next [-] | | > As I mentioned in another post: By 2026, you'll need two phones. My current setup: Cheers, maybe by 2027 unattested devices won't be allowed on the internet. It's not a solution. The problem didn't exist a few years ago, the idea that it will not continue to its inevitable conclusion within a few years without real solutions is laughable. Wait until Graphene is classified as a hacking tool and Estonia convinces the EU to fine a million Euros a day any company providing services to host its website. Wait until, "in the spirit of reconciliation," the US goes along with it, too. Wait until unattested desktops aren't allowed on the internet. | | |
| ▲ | StrLght a day ago | parent [-] | | I understand that you’re using it as an example, but I still find it very misleading. Estonia is pro-privacy and has consistently voted against Chat Control. On the other hand, France has been undermining privacy for a few years now. They supported Chat Control, have attacked GrapheneOS, etc. |
| |
| ▲ | jama211 a day ago | parent | prev [-] | | With all due respect - I totally understand you may need a rooted phone, I’m just curious what you use it for? I’ve never had a modified or rooted phone so I don’t know of any of the reasons you might need one. | | |
| ▲ | pnw a day ago | parent | next [-] | | To stop third parties selling your location information. https://www.ftc.gov/news-events/news/press-releases/2024/12/... | | | |
| ▲ | spacebeer a day ago | parent | prev | next [-] | | You start to use it because you care about privacy and your data. But now it's just to avoid all the crap Google and OEMs put into the phone. Same story is with PC and Windows. To quote one smart guy: "I'm not in the mood to be treated as a chimp." And that's it. | | |
| ▲ | jama211 11 hours ago | parent [-] | | That’s fair! Doesn’t sound like something that’s likely to get the majority of users interested though unfortunately |
| |
| ▲ | cl0ckt0wer a day ago | parent | prev | next [-] | | Some people are really into security, some people are really into trains. | |
| ▲ | saidinesh5 a day ago | parent | prev | next [-] | | System-wide adblocking and being able to back up any app are the top two reasons I'd still root my phones if I had any choice. You'd be amazed by the battery life improvement you'd get by just blocking ads.. I deliberately avoid all banking apps even though I didn't root my phone, but I have to use Google Pay a lot. So... That's the only reason this phone I'm typing on isn't rooted. | | |
| ▲ | jama211 11 hours ago | parent [-] | | I do have a VPN which blocks a lot of ads at the dns level but better Adblock would be nice |
| |
| ▲ | ZeWaren a day ago | parent | prev [-] | | I want to back up my entire phone on a local server I own. Apps, app data, settings, WiFi passwords, call logs, etc. Good luck without root. | | |
|
|
|
| ▲ | pwg a day ago | parent | prev | next [-] |
| Cory Doctorow predicted this outcome back in 2011: The Coming War on General Purpose Computation https://boingboing.net/2011/12/27/the-coming-war-on-general-... |
| |
|
| ▲ | dathinab a day ago | parent | prev | next [-] |
| > does stop malware. Unrelated to phones, a lot of (more professional) malware has moved to not persist itself in root space (or at all) so as to not leave traces (instead it will just rely on being able to regain root access as needed every time you reboot, with all the juicy parts being in memory only (as in how often do you even reboot your phone)). I think (but am not fully sure) this also applies to phone malware. I.e. no it doesn't work. Not unless you - ban usage of all old phones (which don't get security updates) - ban usage of all cheap phones/phones with non-reliable vendors - have CHERI-like protections in all phones and in general somehow magically have no reliable root privilege escalations anymore. Oh and advanced toolkits sometimes skip the root level persistence and directly go into firmware parts of all kinds. Furthermore proper 2FA is what is supposed to make online banking secure, not make-pretend 2FA where both factors are on the same device (your phone). And even without proper 2FA, it is fully sufficient to e.g. classify rooted phones as higher risk and limit how much money can be transmitted/handled with it (the limit should ignore ongoing long term automated repeated transactions, like rent). There really is no reason to ban it. |
| |
| ▲ | mike_hearn a day ago | parent [-] | | Yes that's what they are doing. Phones known to have live root exploits are detected and banned. | | |
| ▲ | StrLght a day ago | parent [-] | | Who exactly are "they" in this context? Shared documents don't mention anything like that. |
|
|
|
| ▲ | finaard a day ago | parent | prev | next [-] |
| I guess you can still do banking on your PC? I stopped using banking apps on my phones a few years ago - they got more and more annoying, and I don't buy into the "the device is secure and should be used as a trust token". So I'm now back to banking only on my computer, with a hardware token for TAN generation. |
| |
| ▲ | fph a day ago | parent | next [-] | | Hardware tokens are not allowed in Europe to authorize certain operations such as bank transfers: you need a device that can show the operation you are about to authorize ("enter 123456 to confirm your payment of 99.99 € to Pornhub"). And that essentially means using a phone. | | |
| ▲ | layer8 a day ago | parent | next [-] | | Maybe it’s country-specific, but most banks I know support a card reader or photoTAN device. You don’t need to use a phone. | | |
| ▲ | fph a day ago | parent [-] | | I don't think card readers can display payment information, can they? And I have no idea why, but no bank offers photoTAN devices in my country. They seem like an interesting concept, even though I imagine the underlying hardware isn't far from that of a phone, in the end. | | |
| |
| ▲ | WhyNotHugo a day ago | parent | prev | next [-] | | I’ve seen dedicated hardware devices which scan a QR-like code and show this in a little screen of their own. The bank provides them and does not require any app. I only know of a single bank using this. | | |
| ▲ | SkySkimmer a day ago | parent [-] | | >I only know of a single bank using this. If it's not Crédit Mutuel then you now know of a second bank using this method. | | |
| ▲ | rzr 5 hours ago | parent [-] | | I am interested too, my fallback bank trapped me (or my courage to resist), the fallback of fallback would be crypto but I am not sure I want to depend on this too... Meanwhile, the last hope is that people will use more cash (if the digital world is too hostile, oh wait it is!) |
|
| |
| ▲ | finaard a day ago | parent | prev | next [-] | | I'm in Europe, and some of my banks still operate with a token just showing numbers, while others use devices with QR code readers and a colour display which then can show transaction details. They don't really like you using that and keep annoying you to stop doing that, but I don't think they'll fully get rid of that - those are filling some accessibility niches as well. | |
| ▲ | rsync a day ago | parent | prev | next [-] | | Is this true? The old, standard RSA number generator token key ring device is not permitted in Europe for authorizing bank actions? | | |
| ▲ | fph a day ago | parent [-] | | Precisely. You can use an old-style hardware token that only generates numbers to log in, but not to authorize an operation such as a money transfer. The requirement is called "dynamic linking" (the 2FA code must be tied to the specific transaction) and the relevant regulation is PSD2. | | |
| ▲ | miahi a day ago | parent [-] | | There are "simple" hardware tokens that allow for that - you have to enter the amount and part of the destination IBAN and they generate a 2FA number based on that + probably the same number generator it uses for logins. |
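The difference described above between a login-only number token and a code that meets the PSD2 "dynamic linking" requirement, as an added sketch that is not part of the thread and not any bank's or token vendor's actual algorithm. The HMAC construction, the 8-digit length, the field encoding, the key and the sample transactions are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct
from decimal import Decimal

DIGITS = 8  # assumed code length for this sketch
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"  # constructed sample value


def _truncate(mac: bytes) -> str:
    """RFC 4226-style dynamic truncation of an HMAC to a decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def static_code(key: bytes, counter: int) -> str:
    """Login-style code: depends only on the shared key and a counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    return _truncate(mac)


def canonical_tx(amount: str, currency: str, iban: str) -> bytes:
    """Encode the transaction so token and bank MAC exactly the same bytes."""
    cents = Decimal(amount) * 100
    if cents != cents.to_integral_value() or cents <= 0:
        raise ValueError("amount must be positive with at most two decimals")
    fields = [str(int(cents)), currency.strip().upper(),
              "".join(iban.split()).upper()]
    return "|".join(fields).encode("ascii")


def linked_code(key: bytes, counter: int, amount: str, currency: str,
                iban: str) -> str:
    """Dynamically linked code: amount and payee are part of the MAC input."""
    msg = struct.pack(">Q", counter) + canonical_tx(amount, currency, iban)
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


def verify_static(key: bytes, counter: int, code: str) -> bool:
    """Bank-side check of a static code. Note: no transaction input at all."""
    return hmac.compare_digest(static_code(key, counter), code)


def verify_linked(key: bytes, counter: int, code: str, amount: str,
                  currency: str, iban: str) -> bool:
    """Bank-side check: recompute over the transaction it is about to execute."""
    expected = linked_code(key, counter, amount, currency, iban)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    counter = 7
    # Constructed sample transactions; the IBANs are documentation examples.
    shown = ("99.99", "EUR", "DE89 3704 0044 0532 0130 00")      # user approved
    altered = ("9999.00", "EUR", "GB82 WEST 1234 5698 7654 32")  # modified in transit

    user_static = static_code(DEMO_KEY, counter)
    user_linked = linked_code(DEMO_KEY, counter, *shown)
    return {
        # The static code says nothing about the transaction, so the bank
        # cannot tell the approved transfer from the altered one.
        "static_accepts_altered": verify_static(DEMO_KEY, counter, user_static),
        "linked_accepts_shown": verify_linked(DEMO_KEY, counter, user_linked, *shown),
        "linked_accepts_altered": verify_linked(DEMO_KEY, counter, user_linked, *altered),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A standardised construction for challenge-bound codes of this kind is OCRA (RFC 6287); the sketch does not implement it.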
|
| |
| ▲ | guax a day ago | parent | prev [-] | | I am in europe and my bank issued me a hardware token I still need to use from time to time. |
| |
| ▲ | phantom784 a day ago | parent | prev | next [-] | | That probably means giving up the ability to mobile deposit checks - every bank I've ever had only allows that through their app. | | |
| ▲ | MarsIronPI a day ago | parent | next [-] | | Personally, I'm OK with that tradeoff. I live close to my bank, so going to deposit in person isn't a problem for me. | |
| ▲ | ErroneousBosh a day ago | parent | prev [-] | | What's a mobile deposit and why do you need an app to check it? | | |
| ▲ | phantom784 a day ago | parent [-] | | It's the ability to take a picture of a check and deposit it into your account that way, vs having to take the check to an actual branch of a bank. Here in the US, I still get checks frequently enough that it's nice to have. | | |
| ▲ | gabrielhidasy a day ago | parent | next [-] | | I'll bet the confusion stems from the rest of the world having essentially forgotten what is a check/cheque almost a generation ago. I only used them twice in my life, last one was in 2012 and I had to get a supervisor at the bank to find the procedure to get a checkbook at the time. | | |
| ▲ | SoftTalker a day ago | parent [-] | | In the US, a lot of small employers still issue paper payroll checks. | | |
| ▲ | finaard a day ago | parent | next [-] | | The last time I (EU) touched a check was in 2006 - my elderly landlord used that to refund overpaid utilities. I had to google what to do with that thing - the bank I was with wasn't handling checks at all, so I had to go to a branch of a different bank. And even there they first had to look up what to do with that thing. | |
| ▲ | ryandrake a day ago | parent | prev [-] | | Maybe it's different for non-homeowners or people without kids. Just looking back at my records for about 2 years, I've written 36 paper checks in that time, not including the "online bill pay" provided by my bank which are often just physical checks they send in the mail: Kids extracurricular activities, school PTA donations, memberships in local clubs, pool service, home improvement jobs like fences and concrete, appliance repair, and, of course, property taxes. | | |
| ▲ | SoftTalker a day ago | parent | next [-] | | Last check I wrote was for some car repairs at a local shop, where using a credit card would add a 3% premium. I agree, local services and contractors are some of the last people who you still can't pay electronically, but it's getting increasingly rare. Most will now at least take Venmo/Zelle. I do own a home but find that almost everything can be paid online now. I write just a few paper checks per year. Even my taxes I pay on the state or IRS website (with ECH, so effectively a check but without the paper). | |
| ▲ | lotsofpulp a day ago | parent | prev [-] | | I’m a homeowner and have kids, and I’ve never written a check in my life. I can login to Bank of America and have them print and mail a check for free, but the recipient has to wait. I only have to do this rarely, and it’s always because the recipient wants to charge a “convenience fee” for having me pay with ACH or debit card or credit card. (The seller is assuming people would rather pay an extra $3 to $5 to not have to write a check or mail anything). |
|
|
| |
| ▲ | themafia a day ago | parent | prev | next [-] | | What's hilarious is that at the end of the day your transaction is added to a text file and sent along with the image to the Federal Reserve Bank Clearinghouse via SFTP. It's then communicated back to the other bank in the exact same way. | |
| ▲ | ErroneousBosh 16 hours ago | parent | prev [-] | | Oh, cheques. I don't think I've seen one of those since the early 90s. Do people still use them? | | |
|
|
| |
| ▲ | EvanAnderson a day ago | parent | prev [-] | | Hyperbolic take - There won't be PCs, as we know them, for too much longer (both by way of being made into walled garden phone-like "appliances" by software, and by the hardware becoming unavailable). | | |
| ▲ | fuzzzerd a day ago | parent | next [-] | | I hate that future so much, but I don't know what to do to avoid it. My sole choice to bank on pc and use it as a pc will not be considered by the product people making the choice to go smart phone app only. I'm essentially along for the ride because the masses will gobble it up. | | |
| ▲ | EvanAnderson a day ago | parent | next [-] | | re: hating the future I grew up in a world where personal computers weren't strange things (the 1980s). I remember reading Levy's "Hackers" in my teens and not comprehending how people could think personal computers were such a big deal. The talk about "technical priesthoods" and mainframes, the inaccessibility of computers to "normal people", etc, didn't mean anything to me. Now that I'm living through the twilight of the personal computer I understand. | |
| ▲ | shimman a day ago | parent | prev [-] | | You do realize you have the power to organize with other like minded individuals and exert political power right? You don't have to just sit around and "accept this fate." We still live in a democracy, you're allowed to have a say if you want to. | | |
| ▲ | EvanAnderson a day ago | parent [-] | | The concern about individual ownership of general purpose computing is of concern to a fraction of a fraction of a fraction of a percentage of people. In the USA, at least, even more basic issues that should matter to a large portion of the population don't because they're distracted by "culture wars" and "wedge issues". Money is speech, and speech builds political power. Industry lobbies have vastly more money than the minuscule number of people to whom this matters. On top of that, the market doesn't want general purpose computers. The market wants TikTok terminals and selfie cams. The market wants "content consumption", "AI slop", and "influencers". If there's no market for what I want it doesn't matter if it's legislated out of existence or not. Nobody will build it if nobody will buy it. Then there's the apologists for big tech who cry "But they're not computers, they're phones!" when the fact is brought up that we're all carrying general purpose supercomputers bristling with sensors and radios in our pockets but we're not allowed to own them or use them for what we want. (Cue sob stories about clearing malware from oldsters' computers in 3... 2... 1...) Technologists (who I'd argue should want general purpose computing in the hands of the masses) can't make any money re-architecting the OS and application metaphors and paradigms that give rise to the malware-laden cesspools of end users PCs so they just direct their efforts to working at big tech building the walled-garden prisons that we're all going to be forced into. It's hard not to feel like I have to accept this fate. |
|
| |
| ▲ | Alex2037 a day ago | parent | prev [-] | | yeah. Americans are one media campaign away from having to argue for their right to possess fully semiautomatic general purpose computers with high capacity peripherals. Europeans and the rest of the collective West won't even get such courtesy, their young global leaders don't need to justify their actions to the unwashed masses. all they really need to do is to make the Internet inaccessible from any device except the castrated thin clients that our computers are doomed to be replaced with. and that can be done trivially. |
|
|
|
| ▲ | m4rtink a day ago | parent | prev | next [-] |
| Are you sure it actually works? Outdated but signed ROM with tons of unfixed CVEs will be still considered totally fine. Latest Lineage OS or Graphene OS will be rejected. |
|
| ▲ | kube-system a day ago | parent | prev | next [-] |
| > We are moving to a model where the user is considered the adversary on their own hardware. That has been the model since day one, since you are using spectrum that, because the end users are not licensed, requires it. Radios in 100% of commercially available phones are locked to prevent user tampering. You don't get root on your debit card either, despite it running a computer. |
| |
| ▲ | te7447 a day ago | parent | next [-] | | > That has been the model since day one, since you are using spectrum that, because the end users are not licensed, requires it. Radios in 100% of commercially available phones are locked to prevent user tampering. Why, then, can users be root on PCs that have wifi cards, SDRs or cellular radios? | | |
| ▲ | kube-system a day ago | parent | next [-] | | Wifi? Because it is part 15. That spectrum is less strict. SDRs? Because they are not certified transmitters. They are test RF gear, or a component of a transmitter, not an end-user product. Cellular radios in a PC? You don't get root on those. Same situation as they are in a cell phone: They are licensed-band transmitters, and they are required to be tamper proof to protect the licensee. | | |
| ▲ | te7447 a day ago | parent | next [-] | | > Cellular radios in a PC? You don't get root on those. Same situation as they are in a cell phone: They are licensed-band transmitters, and they are required to be tamper proof to protect the licensee. The original post said: > Locking down the bootloader and enforcing TEE signatures does stop malware. But it also kills user agency. We are moving to a model where the user is considered the adversary on their own hardware. The genius of the modders in that XDA thread is undeniable, but they are fighting a war against the fundamental architecture of modern trust and the architecture is winning. So, as I read it, Fiveplus is saying that we are moving to an architecture where the user is an adversary on the computer (the phone) as a whole. While licenses may require that specific components are out of bounds, the new thing is that the whole platform is denying the user the ability to do what they want with the parts that are not explicitly off-limits. IIRC, a Blu-Ray drive is required to store data about revoked keys and to stop playing discs if its own key is revoked. Presumably the BR license also states that the user can't be allowed to wipe this revocation list and start playing Blu-Rays again. But BR drives can still be fitted in computers where the user has root access, just like PC cellular radios. Phones are made to be default-deny instead of default-allow, and I think that makes it different from "enclosed modules you don't have control of". | | |
| ▲ | tadfisher a day ago | parent | next [-] | | Of note is that there is apparently one single application licensed to play Blu-Ray disks on PCs, CyberLink PowerDVD. Anyone watching Blu-Rays through alternate means on general-purpose computers today, by using MakeMKV or similar, is likely breaking anti-circumvention laws. As of November 2023, zero applications are licensed and capable of playing UHD Blu-Ray disks [0], and PC manufacturers are just not including the hardware necessary to do so. 0: https://www.cyberlink.com/support-center/faq/content?id=2834... | |
| ▲ | kube-system a day ago | parent | prev [-] | | My point in context to the original post was simply that this isn't a new perspective -- the idea that the end users of a phone should have any control over the operation of the device was something that came later in the timeline of cell phones. |
| |
| ▲ | rixthefox a day ago | parent | prev [-] | | Amateur Radio has entered the chat..... Even as a licensed ham it's getting increasingly difficult to even get hardware that allows utilization of frequencies I'm duly licensed to transmit on in the 2.4 GHz band. Short of building and designing your own transmitters it's become impossible to repurpose hardware like it was before. Our club has aging M2 Rockets from Unifi that were modified for this use that are now decaying and dying. It's unfortunate too because once these stop working that's it. A few club members have been championing GLiNET but same problems. They are relying on older models which weren't as locked down and already show signs of suffering the same fate as the Rockets. |
| |
| ▲ | MarsIronPI a day ago | parent | prev [-] | | SDRs are (IIRC) low-power enough that they don't fall under FCC regulations. |
| |
| ▲ | unethical_ban a day ago | parent | prev [-] | | You make good points, but your framing makes it sound like this new change is nothing new, when it is and it should be discouraged. |
|
|
| ▲ | dstroot a day ago | parent | prev | next [-] |
| Consumer level security always has to contend with the lowest common denominator. As my 80 year-old mother’s technical support team I can testify that she will download and install anything she sees on Facebook. The consumer security world has to protect us from people like her. It’s also the reason I will only allow her iOS devices. |
| |
| ▲ | grishka a day ago | parent [-] | | Maybe people like her should just, uh, not use technology? Or not do it as much? The fact that the society so heavily pushes everyone — regardless of their technical literacy and willingness to learn — to use internet-connected devices is also a huge part of the problem. |
|
|
| ▲ | zeta0134 a day ago | parent | prev | next [-] |
| Personally I just don't use a banking app. The website works fine? I don't like the idea of having to use something from the Apple App Store or the Google Play Store, both companies of which could randomly decide I don't need to exist and cut off my access. ... no thanks? So I don't run "apps" at all. If your business is only available that way, sorry! But "I don't have a smartphone" tends to signal to the receptionist that they'll need to explain the myriad of other ways to do business. |
|
| ▲ | e2le a day ago | parent | prev | next [-] |
| >does stop malware Doesn't stop state approved malware in all its forms. |
|
| ▲ | piyuv a day ago | parent | prev | next [-] |
| “Irrefutable part” is easily refutable. Malware run by governments and agencies is still malware. |
|
| ▲ | SkiFire13 a day ago | parent | prev | next [-] |
| > Locking down the bootloader and enforcing TEE signatures does stop malware. I have no idea about the kind of malware you're talking about. |
|
| ▲ | aranelsurion a day ago | parent | prev | next [-] |
| > moving to a model where the user is considered the adversary on their own hardware I think we’ve been there at least since the first iPhone, and it’s now entirely normalized for the average user. |
|
| ▲ | zb3 a day ago | parent | prev | next [-] |
| The problem is that we're supposed to use these "secure apps" on our own devices.. but since they need these enhanced security guarantees, our own devices cease to be ours. |
|
| ▲ | emsign a day ago | parent | prev | next [-] |
| Yeah. Tech companies are coming for our hardware. Next step is OSes with agentic AI turning it from a system with frameworks and libraries with apps separate from the base system, into a system that only runs AI models that the "owner" of the hardware has no control over and the lines between the OS and the AI are very blurred. This totally beats the purpose of owning or using tech. Might as well go off grid and live a non-tech life. Big tech wants to colonize our hardware completely because data centers alone ain't cutting it. $1 trillion has to be paid back to the investors plus interests. They screwed up with AI and we have to pay for it. Or maybe they didn't screw up because big money always gets bailed out by the plebs. |
|
| ▲ | Terretta a day ago | parent | prev | next [-] |
| I really like this comment. I similarly don't like that banking is, from no collusion just internal incentives, locking out any users not opted into the Chromium hegemony. > The irrefutable part here is that the security model works. Yes! And that business model should be allowed. This leads me to worry the notion of "user agency" may be misplaced, meaning, aimed at the wrong level of the stack. It would seem both open (general compute ethos) and secure devices (appliance ethos) have a right to be in the market. So… ### Perhaps user agency should be at the experience level. ### We couldn't plug Sega Genesis cartridges into Nintendo 64. We understand this about consoles. If we remap mobile devices into consoles, it seems less obvious their internals should be opened and tinkered with by end users. User agency seems more at the level of picking a console family, and it's often for the whole brand aura including both the console itself and safeness-to-permissiveness dial by which the brand curates its cartridges (spectrum from Nintendo to Apple to Sony to Microsoft and Steam). A free market for mobile devices or desktops would likely sort out a similar spectrum of just-works to fidget-able. If you choose the Nintendo 64, you wouldn't expect to run arbitrary software on it as you would expect on Dell. We hackers are capable of figuring out how to make Nintendo 64 software; our neighbor does not need or want those affordances, they want just works, no headaches. This idea that the user must be able to open their digital watch or toaster oven and change how it is wired glosses what users actually choose: the conveniently toasted meal. At the same time, business models around the curation and appliancification of digital tools, blurring the lines from hardware through solid state through firmware to software into a single product users can choose, must be defended. 
If I want to dev for a secure product, I similarly must be OK opting into the supply chain security model (with Apple, registering as a dev in order to exchange cert material and bypass consumer paths to loading software I'm making for the platform) that allows that product to be secure, and opted into by users with money to buy my app, that caused me to want to develop for it in the first place. Users must have a right to buy an appliance that isn't fiddle-able. Not mandated to, as this article sounds, but allowed to as the EU is trying to deny. Such products have a right to exist, and such business models have a right to exist. And then, user agency remains as simple as use dollars to buy a product offered through a biz model that matches the user's goals, rather than regulate to disable business offerings/products that don't, and developer agency is to pour energy into the platform that aligns with one's ethos. If more money is to be made on a platform with a different ethos, perhaps it's worth reflection rather than rants. |
|
| ▲ | unethical_ban a day ago | parent | prev | next [-] |
| Does it? Are you telling me banking apps have no choice but to go to this extreme when none of my seven US financial institutions even implement TOTP? This is lazy control. |
|
| ▲ | cmxch a day ago | parent | prev | next [-] |
| Only if the vendor isn’t plying malware themselves. The only solution is to force some semblance of user agency on those models, such that the vendor isn’t imposing from above. |
|
| ▲ | add-sub-mul-div a day ago | parent | prev | next [-] |
| > you are locked out of the economy? Not that it excuses the withdrawal of user agency. But I've never used a banking app on my phone before. Anything important I still like to do on a desktop. Though how much longer that's safe, who knows. Apple's model of requiring their permission to run code on your own device will probably spread to everything given enough time. |
| |
| ▲ | cestith a day ago | parent | next [-] | | Much of the world uses mobile payment apps instead of credit or debit cards. Some banks allow a setting that using a card can require a ping to the banking app for verification of the transaction. I don’t know if it’s legal to turn down cash payments in Vietnam, but some vendors may only accept digital payments. I guess you could take your laptop out at the restaurant and in the taxi to pay. It seems a little strange. You might better just use a browser on the smartphone instead of the mobile app. | | |
| ▲ | add-sub-mul-div a day ago | parent [-] | | I guess I take credit and debit cards for granted. Surely the rest of the world had some solution before smartphones, though. Hopefully the US doesn't descend into needlessly using the phone as a middleman as the norm. |
| |
| ▲ | jolmg a day ago | parent | prev | next [-] | | > But I've never used a banking app on my phone before. Anything important I still like to do on a desktop. A lot of banks require using their banking app to get a 2FA token to log-in on a desktop web browser. | |
| ▲ | mschuster91 a day ago | parent | prev [-] | | > But I've never used a banking app on my phone before. Here in Europe, good luck using any form of online payment without one due to 2FA requirements. | | |
| ▲ | duser1 a day ago | parent [-] | | I don't have a problem with online payments, and I'm not using a banking app. |
|
|
|
| ▲ | raw_anon_1111 a day ago | parent | prev | next [-] |
| These banks don’t have websites? |
|