bergheim 2 hours ago

Been using this for about a year on a p9 pro. It works very well. I hear the google tap to pay does not work, but I've never tried it. However Vipps with their tap to pay works fine. BankID works but not with biometric login, which some things require IIRC. And for some reason DnB private works fine, but you are not allowed in on the corp app.

It's mind-bogglingly stupid that they lock down apps like this, when you can just open the thing in a website anyway. I can use my bank on some Linux distro, crazy that they trust me since it is not Windows - the truly secure OS!

Knew about those things before I started, so all in all I'm pretty happy. I'd recommend NOT using different users for different things (I started with banking etc in one profile, that ended up being a huge PITA and according to their docs it is mostly security theater anyway). Happy tinkering!

fodmap an hour ago | parent | next [-]

> It's mind-bogglingly stupid that they lock down apps like this, when you can just open the thing in a website anyway. I can use my bank on some Linux distro...

Not in Spain. I can access my bank's website but I can't do anything without their bank app. Sometimes they even require me to confirm my identity using their app in order to access their website.

I have several Linux phones but I can only do banking with their app downloaded from Aurora Store on my Vollaphone.

shevy-java 4 minutes ago | parent | next [-]

This should be illegal that the government forces people into apps controlled by private, commercial entities. I call such a government corrupt.

Here in central Europe I can still access the bank website fine without a smartphone. I need a physical device to yield a TAN though, but I can access it and do online transactions fine. So I think something is wrong with the Spanish government. People need to protest.

lejalv 7 minutes ago | parent | prev | next [-]

> Not in Spain. I can access my bank's website but I can't do anything without their bank app. Sometimes they even require me to confirm my identity using their app in order to access their website.

https://triodos.es has 2FA via SMS, for what it's worth.

Tharre 29 minutes ago | parent | prev | next [-]

> Not in Spain. I can access my bank's website but I can't do anything without their bank app.

I don't know about Spain specifically, but as far as I understand it no bank in the European Economic Area + UK should allow banking via just the website alone anymore, because of the "Revised Payment Services Directive" (PSD2) regulation.

Essentially, banks are required to implement "strong customer authentication", which in essence is just multi-factor authentication with a password + either biometrics or a security device of some sort.

And in practice that means a banking app, because most people do not want a separate token they have to buy and can lose. Though a lot of banks do offer those as well.

askonomm 17 minutes ago | parent [-]

In Estonia you can easily do banking via the website on all the banks (LHV, Swedbank, SEB). That said, we do have it all integrated with our digital-ID (which every ID card has private keys encoded into with a PIN you know) so it's not like you can access it with a simple password (our online voting works the same way).

b112 an hour ago | parent | prev | next [-]

Not in Spain. I can access my bank's website but I can't do anything without their bank app. Sometimes they even require me to confirm my identity using their app in order to access their website.

I've seen this elsewhere, and it's absolutely ridiculous.

Why?

Because in almost all cases, the apps may only be installed with Google Play, and require the framework to work correctly. And that means?

If you are not in good standing with Google, you cannot bank!!

I cannot stress how inane it is to have Google or Apple as the gatekeeper to identity verification. How not having an active, in-good-standing account with one of these two means you cannot bank.

And it's happening more and more.

Meanwhile, banks -- which tend to make billions in profits quarterly -- do this to save on infrastructure costs. They do it so they don't have to stand up their own push servers, or have an app which doesn't require Firebase.

Well, cry me a river, boo-hoo Mr Banker, I'm not even remotely interested in you saving on infrastructure costs at the loss of autonomy. And on top of this, many banks are reducing hours, closing branches, claiming that they don't need them.

Leaving absolutely no other choice.

This sort of thing should be illegal. Being in Spain, but requiring a US megacorp to tell your own bank that you're you.

vladms 8 minutes ago | parent | next [-]

As far as I remember, last time I needed to use Google Play on a shared phone I could just create a random Google address (I mean, completely invented name, etc.) and it allowed me to do anything, just as on my normal Android.

I am too lazy to test, but did this change? Can't you just make a "fake" account and continue with your life? The phone company knows where you are, the bank knows what you purchase. Compared to that, Google will know far less (ofc, if you don't activate everything).

I find it much more insane that it was possible for so long to do banking WITHOUT strong authentication (however implemented) by just providing those 3 numbers on the back of the card (strong security!)

bytejanitor 3 minutes ago | parent | prev | next [-]

In Germany for some banks you can buy a TAN generator and then you do not need a smartphone app anymore. Is this an option in your area as well?

FullMetalBitch 42 minutes ago | parent | prev | next [-]

Why? Technofeudalism is not going to impose itself

bergheim an hour ago | parent | prev [-]

Especially with how things are currently, I wholeheartedly agree - you cannot operate as a human being in Europe without having a good standing with either Alphabet or Apple.

Absolute madness.

FullMetalBitch an hour ago | parent | prev [-]

I have been using GrapheneOS for a few months in Spain, and out of three banking apps only one gave me trouble; I had to enable "Exploit Protection Compatibility Mode" under "App info". Personally I refuse to pay with the phone so I am okay not having that option.

If someone wants to try GrapheneOS, maybe that option will work for their banks too.

BLKNSLVR an hour ago | parent | prev | next [-]

I'd also recommend slowly migrating to GrapheneOS, getting to know where the boundaries are for specific apps. Once you've got your 'dailies' all up and running predictably, then you're good to go, but it could take a few days depending on how much spare time you have to find said boundaries. Having said that, I turn on most of the higher-level security protections, which quite a few apps need exceptions from.

But, yes, you can't tap to pay and it's unlikely you ever will. Banking apps will be hit and miss depending on their (generally hypocritical) paranoia levels.

I pay with a tap-to-pay card, and I have never needed to do banking related things immediately, I've always done it via the bank's website.

I also still have a not-very-old 'normal' Android phone for some edge cases - which are few and far between (actually, I think it's usually to cast YouTube to the TV since I only have the ReVanced YouTube app on the GrapheneOS device).

P.S. On the use of profiles, I use them to separate work apps and notifications from personal, from sporting club, from X, Y, and Z. Yes, they're a pain in the arse to switch between, but I'd argue it's more of a pain in the arse to have them all jumbled together causing even more notifications, frustrations, and distractions from whatever one should actually be concentrating on in the present moment.

vages 2 hours ago | parent | prev | next [-]

Thanks for the Norwegian perspective.

I agree that the locking down is truly stupid. For what it's worth, the reasoning for locking down mobile apps is allegedly that mobile users are a less technologically competent demographic than desktop users. I do not think so myself, given the difficulty of trying Graphene vs. desktop Linux.

malfist 40 minutes ago | parent [-]

Those people who root their phone and install alternate OSes sure are less technologically competent than someone with a browser and a laptop.

birdsongs an hour ago | parent | prev | next [-]

I was the one that submitted the DNB Bedrift app report to the sec dev repo! I contacted DNB but they never responded to my email. I wonder if we can find a dev? I believe that's how the private app got fixed.

Want to use Vipps tæpp so much but I have Nordea for private and they don't allow it on their cards, for whatever godforsaken reason.

omgmajk an hour ago | parent | next [-]

Does the Nordea app work on Graphene? I am curious because I have been itching to switch my main phone to an alternate OS.

birdsongs 37 minutes ago | parent [-]

Yep! Perfectly, I use it daily. (The private customer one, not sure about business.)

bergheim an hour ago | parent | prev [-]

Ah. Where did you send this in?

I wouldn't mind sending in a complaint to both BankID (allow biometric login) and of course DnB corpo edition.

birdsongs an hour ago | parent [-]

Oh! Sorry, you described the current state of things so well I assumed you were close to the project.

Here is the github repo where banking app compatibilities are tracked: https://github.com/PrivSec-dev/banking-apps-compat-report

And it's rendered to a page here: https://privsec.dev/posts/android/banking-applications-compa...

bergheim an hour ago | parent [-]

Hah - both were in my browser history, yes I know them :) I misunderstood and thought you had sent direct emails to relevant parties arguing for why they should be allowed on grapheneos.

Thanks anyway!

birdsongs 31 minutes ago | parent [-]

Oh I also misunderstood! I did send an email to DNB Bedrift customer service about Graphene support, citing the private app fix. They technically gave me a response that it would be looked into, but it felt very handwavy, and that was 3 months ago. It was via the bedrift portal, there is a "Send E-Post" button.

I don't know how to contact the engineering team. IIRC that is how the private app got fixed, someone got word to someone on the inside.

jlokier 36 minutes ago | parent | prev | next [-]

> when you can just open the thing in a website anyway. I can use my bank on some linux distro

Unfortunately not.

I'm in the UK. Two of my personal banks, all four business banks that I need to use, and several credit cards, require authentication using their phone app to confirm login on their website.

None of those I've seen are using TOTP or SMS, for which I could use a general security service. All use their own phone or tablet app. One does something interesting where the website shows a unique QR code on each login, the phone app reads it with the phone camera, and then website login proceeds instantly without clicking anything.

Oh, and some of them also require phone app confirmation for card purchase transactions.

When my last phone's screen stopped working, I called one bank's "phone banking" line (using another phone of course) to make an urgent transaction, and they told me they can't do that, as the only service they offer by phone is registering a new phone or tablet. They told me explicitly that it's not possible to log in to their web-based banking service without using their app for authentication, and on a registered device.

It's the reason I have my current phone. I had to buy a cheap-ish Android in a hurry from a local shop, in order to proceed with my bank transaction.

Back to the main topic: I love the idea of a properly open source phone, I used to own not one but two Nokia N900s, and I once toyed with the idea of building my own Linux phone from scratch, big project though that is.

But the security ecosystem around logins has changed, and so have the services I depend on. These days I use many bank and other financial-service related apps, and I'm not, in practice, free to switch providers. So I couldn't use a Nokia N900 or modern equivalent any more as my only mobile device. I'd have to carry a second phone as well.

(Banking and other service authentications are also the only reason I have my current passport. I resented having to pay to renew my expired passport, given I had no plans to travel (small children) and the expired passport used to be accepted, but I found some banks, credit cards and even government services increasingly requiring to see a non-expired passport from time to time. When I asked one of them what they do for the large number of people who don't have one, they simply told me they close those people's accounts and that's ok, they don't need to serve everyone. But that's another story.)
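The QR-code login described in the comment above, and the PSD2 "strong customer authentication" that Tharre summarises earlier in the thread (password plus a possession factor), come down to the same mechanism: the website issues a one-time challenge bound to the browser session, and only a previously registered device can answer it. The following is an added example written for this page, not code from any bank or from the thread, modelling that exchange on both sides. The device secret, the message format, and the 60-second challenge lifetime are assumptions for the example; a real app would keep the key in the phone's hardware keystore and sign rather than MAC, which is why the bank will register a new device over the phone but will not log you in without one.

```python
"""Added example: a minimal challenge/response model of QR-code login with an
enrolled phone app acting as the PSD2 possession factor. All names, formats and
timeouts are assumptions for illustration, not any real bank's protocol."""
import hashlib
import hmac
import json
import secrets
import time

CHALLENGE_TTL_SECONDS = 60  # assumed lifetime of a QR challenge


def _mac(secret: bytes, session_id: str, nonce: str) -> str:
    """Keyed MAC over the exact challenge the app scanned (binds nonce+session)."""
    msg = json.dumps({"session": session_id, "nonce": nonce}, sort_keys=True).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class BankWebsite:
    """Server side: device enrolment registry plus challenge issue/verify."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.enrolled = {}  # device_id -> per-device secret fixed at enrolment
        self.pending = {}   # nonce -> (session_id, issued_at); removed once used

    def enrol_device(self, device_id: str) -> bytes:
        """The one thing the bank will do over the phone: register a device."""
        secret = secrets.token_bytes(32)
        self.enrolled[device_id] = secret
        return secret

    def start_login(self, session_id: str) -> dict:
        """Called when the browser opens the login page; this dict becomes the QR code."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (session_id, self.clock())
        return {"session": session_id, "nonce": nonce}

    def complete_login(self, response: dict) -> tuple:
        """Called by the app after scanning. Returns (accepted, reason)."""
        nonce = response.get("nonce")
        entry = self.pending.get(nonce)
        if entry is None:
            return False, "unknown or already used challenge"
        session_id, issued_at = entry
        if self.clock() - issued_at > CHALLENGE_TTL_SECONDS:
            del self.pending[nonce]
            return False, "challenge expired"
        if response.get("session") != session_id:
            return False, "challenge bound to a different session"
        secret = self.enrolled.get(response.get("device_id"))
        if secret is None:
            return False, "device not enrolled"
        expected = _mac(secret, session_id, nonce)
        if not hmac.compare_digest(expected, response.get("mac", "")):
            return False, "bad signature"
        del self.pending[nonce]  # one-time use: replaying this answer now fails
        return True, f"session {session_id} logged in"


class PhoneApp:
    """Device side: holds the enrolment secret and answers scanned QR codes."""

    def __init__(self, device_id: str, secret: bytes):
        self.device_id = device_id
        self.secret = secret

    def scan_and_approve(self, qr_payload: dict) -> dict:
        return {
            "device_id": self.device_id,
            "session": qr_payload["session"],
            "nonce": qr_payload["nonce"],
            "mac": _mac(self.secret, qr_payload["session"], qr_payload["nonce"]),
        }


def demo() -> dict:
    """Run the flow once per outcome with a controllable clock; returns verdicts."""
    clock = [1_000.0]
    bank = BankWebsite(clock=lambda: clock[0])
    enrolled_app = PhoneApp("pixel-enrolled", bank.enrol_device("pixel-enrolled"))
    new_app = PhoneApp("pixel-new", secrets.token_bytes(32))  # never registered

    results = {}
    qr = bank.start_login("browser-session-1")
    answer = enrolled_app.scan_and_approve(qr)
    results["enrolled"] = bank.complete_login(answer)[0]
    results["replay"] = bank.complete_login(answer)[0]

    qr = bank.start_login("browser-session-2")
    results["unenrolled"] = bank.complete_login(new_app.scan_and_approve(qr))[0]

    qr = bank.start_login("browser-session-3")
    clock[0] += CHALLENGE_TTL_SECONDS + 1  # user took too long to scan
    results["expired"] = bank.complete_login(enrolled_app.scan_and_approve(qr))[0]
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:>10}: {'accepted' if accepted else 'rejected'}")
```

The three rejection paths are the ones that matter for the thread: an unregistered phone (or a phone whose app refuses to run) cannot produce a valid answer no matter what password the user knows, a scanned challenge cannot be reused, and a stale QR code is dropped on the server side rather than trusted.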

eloisius 25 minutes ago | parent [-]

> require authentication using their phone app

And banks often have their apps region locked, so if you live abroad or have accounts in more than one country, you’re fucked.

Neil44 an hour ago | parent | prev | next [-]

Same with LineageOS, my daughter has an old Samsung with Lineage on it and the Wallet app doesn't work because the phone's been rooted.

baq an hour ago | parent | prev [-]

> I can use my bank on some linux distro, crazy that they trust me

enjoy it while it lasts. hardware attestation requirement for (at least) banking apps is a question of 'when', not 'if'.

BLKNSLVR 44 minutes ago | parent | next [-]

I hope this isn't going to be the case universally. If my bank cuts off my access from my browser-on-linux setup, then I'm finding an alternative bank (hopefully some will always exist), which I don't say lightly since I've been with my current bank since I was old enough to have a bank account.
