| ▲ | joe_mamba 9 hours ago |
| >And the winning point is that the bootloader can be unlocked and is supported by LineageOS Don't banking, security and payment apps detect the unlocked bootloader and prevent them from working on lineageos? At least that's what happened to me after i flashed lineage on my old tablet. Because then what's the point of a smartphone if it can't do banking, payment, shopping, ticketing, etc? Use it as a gimped pocket web browser and ebook reader? There's not gonna be any mass market adoption for such "smartphones" until they can run all apps out of the box like vanilla androids and IOS phones. Your average consumer isn't gonna wanna fuck around with signing keys and bootloader relock. Hell, even this tech savvy HN user doesn't want to do that because he has better things to do with his time. The days from my childhood when I always rooted my Android phone, installed custom ROMs with custom kernels, magisk, titanium backup, cerberus to make the phone "my own" are long behind me. |
|
| ▲ | carpenecopinum 9 hours ago | parent | next [-] |
| There is the option to register the signing key of the ROM with the bootloader and then relocking it, thereby making those apps happy again. The biggest issue is that there is a different way to do this for every device, so most custom ROMs don't bother. It's relatively simple and automatable for Pixel devices, so the GrapheneOS installer takes care of it. e/OS/, which is based on Lineage, allows this for some devices, iirc. |
| |
| ▲ | notpushkin 6 hours ago | parent [-] | | DivestOS supported it, too. Probably the closest thing to LineageOS with a relockable bootloader (and it worked with microG!). |
|
|
| ▲ | throawayonthe 9 hours ago | parent | prev | next [-] |
| (at least on pixels and apparently this future motorolla,) it can be re-locked, so it passes the integrity check; however there is an additional layer that needs google signing keys, which of course means you can't pass that one if you can't ship the keys funnily enough my banking app works but the mcdonalds app doesn't, lol |
| |
| ▲ | szszrk 9 hours ago | parent | next [-] | | Mcdonalds decided it's "unsafe" to run their app in private space of Android. In literally the most locked down part :) Marketing must have gotten a nice bonus for that mental effort. I can run banking apps like that, corporate apps like that, but I can't show a QR code to order happy meal. | | |
| ▲ | sunaookami 8 hours ago | parent | next [-] | | You can't even use the McDonald's app if you have an overlay. I use KineStop and in the car I'm already choosing what to order and I can't click anything until I turn off KineStop... In comparison the Burger King app works without problems and is very fast. | |
| ▲ | bzzzt 8 hours ago | parent | prev [-] | | I've read about a few incidents where people could order for free or below cost so I'm not surprised their app developers are a little paranoid. | | |
| ▲ | szszrk 6 hours ago | parent | next [-] | | Could be related. It was likely their management doing random shit to fix it. Instead of fixing real problem, which was bogus campaign rules. Reddit was full of people abusing their app discounts and ordering insane amount of food for free. It was well described. None of that was due to app security holes. It was an issue in their promotional campaign. It was still working after those "secure" app limitations appeared. | |
| ▲ | joking 6 hours ago | parent | prev | next [-] | | if you can order for free or below cost doing anything in the app, you are not paranoid, you are directly stupid, is like being able to modify the shopping cart total in the browser and the server accepting that as the correct price. Everything should be server side validated where you have the full control of it. | | |
| ▲ | bzzzt 6 hours ago | parent [-] | | Tell that to marketing types running coupon campaigns not realizing coupons are essentially money... |
| |
| ▲ | bombolo 3 hours ago | parent | prev [-] | | [dead] |
|
| |
| ▲ | kopirgan 7 hours ago | parent | prev [-] | | So you can send a remittance for $1m but not order fries. It believes that health is wealth. |
|
|
| ▲ | lifis 8 hours ago | parent | prev | next [-] |
| Switch to a bank that offers a fully functional web or Android app, as opposed to only allowing Google Android |
| |
| ▲ | Narushia 11 minutes ago | parent | next [-] | | Not possible in Finland. :( I'm using the one bank (OP) that used to allow rooted devices to use their app, but even they eventually blocked it via SafetyNet. | |
| ▲ | microtonal 7 hours ago | parent | prev [-] | | I'm all in favor of voting with your wallet, though easier said then done when your mortgage, long-term saving accounts, etc. are tied up with your bank account. That said, my banking and credit card apps work fine on GrapheneOS. |
|
|
| ▲ | jbstack 9 hours ago | parent | prev [-] |
| What we need is a way for the OS to trick banking apps into thinking they are running on the platform they expect. |
| |
| ▲ | microtonal 7 hours ago | parent [-] | | You cannot, the OS does not have that level of access. Attestation is anchored in a (typically) non-replaceable bootloader and trusted execution environment, both of which the OS does not have access to. A remote server can verify that the attestation chain is signed by a hardware-backed key and contains the verified boot status and verification key. If you would change this information, it would be detected by the remote server, since the signature would not be valid anymore. |
|
