Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
goldenarm 10 hours ago

Yes fortunately we have browser alternatives.

But on mobile, my bank and my government force me to use the Android/iOS duopoly.

jonathanstrange 9 hours ago | parent [-]

How do they do that? I'm not doubting that, it's an honest question. I understand how this works on Apple phones but I don't understand why an identity or attestation service cannot be replaced by another one by the alternative operating system when the hardware is not controlled by Google. Does Google have keys in tamper-proof chips? How else would those banks determine their apps are on the right phone? Or do those apps use Google authentication directly over the Internet, using hard-coded Google public keys?

well_ackshually 9 hours ago | parent [-]

Depending on the level of security you ask for Play Integrity, it can be:

* is this device rooted, is it an unsigned build ?

* Device is signed, but is it part of the blessed signing keys ? is play services untampered with ?

* Additional checks over the lifetime of the device.

You could fully trust the results of Play Integrity on device, but you can also send the returned token to your server, and your server then contacts play integrity to validate that token. So unless you know how to spoof those encrypted tokens, you won't go very far.

https://developer.android.com/google/play/integrity/overview

jonathanstrange 8 hours ago | parent [-]

So basically an alternative OS can offer a service like Play Integrity and the only problem is that those banks hard-code a dependence on Google's Play Integrity and Google has a monopoly for that service?

This is something that could be addressed at least in the EU by mandating banks to allow alternative services or not use this service at all.

well_ackshually 5 hours ago | parent [-]

Yep. You can even run your own play integrity-like backend.

>This is something that could be addressed at least in the EU by mandating banks to allow alternative services or not use this service at all.

The EU mandates banks to be interoperable, and to guarantee the security of users. You can solve that issue by going through an alternative app that doesn't use play integrity and is PSD2 compliant so other banks let you call their APIs. It usually requires you to be a bank, and as a bank, you're really risk averse. So you use play integrity.