cross-posted from: https://slrpnk.net/post/15995282
Real unfortunate news for GrapheneOS users as Revolut has decided to ban the use of ‘non-google’ approved OSes. This is currently being posted about and updated by GrahpeneOS over at Bluesky for those who want to follow it more closely.
Edit: had to change the title, originally it said Uber too but I cannot find back to the source of ether that’s true or not…
FYI, grapheneOS devs added a list of apps to their wiki:
https://grapheneos.org/articles/attestation-compatibility-guide#apps-banning-grapheneos
So, uh, the next version of GrapheneOS will probably come with some Android OS version spoofing tech that solves this - if there isn’t something on F-Droid already.
No it won’t. Or at least they said on BlueSky that if there had been a work around for this they would have solved it already.
What aboit downloading thw app feom Aurora Store? I think that would solve most of the problems
How would that change anything?
I mean remote attestation is cryptographically secure (unless there’s some temp implementation vulnerability).
This sounds like an antitrust legal problem…
The GrapheneOS team is already talking to regulators: https://grapheneos.social/@GrapheneOS/112539378681400395
fuk em keep using it
If you log out of your account it’s said you can’t log back in.
take your money over to their competitors
This is actually good, see it as an enrichment of your life. The only sad thing is Revolut though.
As an alternative to Authy I recommend Stratum (previously known as Authenticator Pro) https://apt.izzysoft.de/fdroid/index/apk/com.stratumauth.app
This due to its compatibility with Android wear (companion)
Can anyone who has used both Aegis and Stratum compare them?
Fuck both of these companies. Never used McDicks app in the first place. Spyware bullshit.
The mcdonalds app is a scam to get you to agree to their arbitration clause
Care to elaborate? I’m curious.
Never mind. I found an article pretty quick. Thanks for the heads up anyway. :)
Funny that news nowadays is citing tik tok and reddit comments
https://www.thedailymeal.com/1431937/mcdonalds-app-terms-waive-rights-trial/
I can’t tell you how frustrating it is to not only be subjected to Fox
EntertainmentNews by my family, but to be subjected to their social media segments every 5 minutes (not exaggerating).It feels like when I find those ancient newspaper articles about how so-and-so moved in with her boyfriend before their wedding night or whatever.
Some things never change I guess.
I use Authy under a separate work profile on graphene with no issues 🤔
But when did you set Authy up? I don’t recall when Authy made the change, but it wouldn’t kick you out. It would, however, prevent you from signing in a new device. So if you lose your phone, you might lose access to those tokens…
Oh ok. Yeah it was a while ago. Will have to switch to something else soon then.
Guess you won’t be for much longer 🤷 I’d bare careful with logging out.
I use Aegis.
I use McDonalds App all the time on GOS this only affect you if you use Google Pay when checking out to my knowledge.
Is this not a sign of the true intentions on both sides of the dilemma here!?!?
Let us go to the end. We cannot afford to carry on in fear of these bans. Let the lines be neatly placed and the sides chosen wisely. If sustained profits are desired, the walled-gardens must come down.Vote with your dollar and vote again with your data. Wary, but never afraid is the motto privacy comrades!
Agreed. Leave immediately to other services, and tell them why you’re leaving. It might not make a dent, but you’ll be doing the right thing at least.
Oh great, I guess I’ll have to change my payment info for everything now. Fantastic.
Are there any checker apps to see which of user’s installed apps have this? Looking up “Play Integrity API” only finds the checkers for the phone itself…
Webapps everything you can like I do with Firefox and ublock origin. Fuck these assholes.
not really. services make the mobile site unusable. example:
- facebook: nags you to use the facebook app with popups and large banners
- facebook messenger: does not even let you to log in
Fuck Facebook. I left that shithole in 2015.
I’ve done so similarly, but I can’t tell that to everyone I know if I don’t know an alternative that doesn’t have their friends
Not for Revolut. App only.
They do have a web app, it’s just very feature limited https://www.revolut.com/blog/post/introducing-the-revolut-web-app/
Like you can’t even pay people money kind of feature limited
Lol I spent a week going back and forth with Revolut support in august. I could sign into the app but it would always ask me for a “selfie” verification and every time support would say its a super dark selfie.
Eventually I decided to try a stock ROM and it just worked and I realised what was happening so I transferred all of my money out and deleted my account.
Most local banks here are terrible at making apps, some even require a separate device that looks like a calculator to use online banking, so hopefully they wont follow suit anytime soon
require a separate device that looks like a calculator to use online banking
To be fair this actually provides a very high level of security? At least in my experience with AIB (in Ireland) you needed to enter the amount of the transactions and some other core details (maybe part of the recipient’s account number? can’t quite recall). Then you entered your PIN. This signed the transaction which provides very strong verification that you (via the PIN) authorize the specific transaction via a trusted device that is very unlikely to be compromised (unless you give someone physical access to it).
It is obviously quite inconvenient. But provides a huge level of security. Unlike this Safety Net crap which is currently quite easy to bypass.
In Germany they’re called TAN generators if you want to learn more
Those little boxes are just a bit of hardware to let the smartchip on the smartcard do what’s called challenge-response authentication (in simple terms: get big long number, encode it with the key inside the smartchip, send encoded number out).
(Note that there are variants of the process were things like the amount of a transfer is added by the user to the input “big long number”).
That mechanism is the safest authentication method of all because the authentication key inside the smartchip in the bank card never leaves it and even the user PIN never gets provided to anything but that smartchip.
That means it can’t be eavesdropped over the network, nor can it be captured in the user’s PC (for example by a keylogger), so even people who execute files received on their e-mails or install any random software from the Internet on their PCs are safe from having their bank account authentication data captured by an attacker.
The far more common
two-way-authenticationedit: two-channel-authentication, aka two-factor-autentication (log in with a password, then get a number via SMS and enter it on the website to finalize authentication), whilst more secure that just username+password isn’t anywhere as safe as the method described above since GSM has security weaknesses and there are ways to redirected SMS messages to other devices.(Source: amongst other things I worked in Smart Card Issuance software some years ago).
It’s funny that the original poster of this thread actually refuses to work with some banks because of them having the best and most secure bank access authentication in the industry, as it’s slightly inconvenient. Just another example of how, as it’s said in that domain, “users are the weakest link in IT Security”.
You had me until banks are secure. Most banks use 2FA over SMS. All banks in the EU require a phone number for PSD2 requirements.
With GPG and TOTP support, its been easier to secure s Facebook or google account better than 99% of bank accounts
I literally said 2FA over SMS is not secure because of weaknesses in the GSM protocol.
It’s still more secure than username + password alone, but that’s it.
Sure, but afaik all EU banks require a phone number so they can send OTPs using your phone for transaction auth. This is a mandate of PSD2.
My disagreement is with your last paragraph. Because of this regulation, banks are horrendously insecure. If I refuse to enter a phone number when signing up for a bank account, I literally cannot get a bank account in Europe. That’s insecure despite the user, not because of the user.
It think you’re confusing security (in terms of how easy it is to impersonate you to access your bank account) with privacy and the level of requirements on the user that go with it - the impact on banking security of the bank having your phone number is basically zero since generally lots individuals and companies who are far less security conscious than banks have that number.
That said, I think you make a good point (people shouldn’t need a mobile phone to be able to use online banking and even if they do have one, they shouldn’t need to provide it to the bank) and I agree with that point, though it’s parallel to the point I’m making rather than going against it.
I certainly don’t see how that collides with the last paragraph of my original post which is about how the original thread poster has problems working with banks which “require a separate device that looks like a calculator to use online banking” which is an element of the most secure method of all (which I described in my original post) and is not at all 2FA but something altogether different and hence does not require providing a person’s phone to the bank. I mean, some banks might put 2FA on top of that challenge-response card authentication methods, but they’re not required to do so in Europe (I know, because one of the banks in Europe with which I have an account uses that method and has no 2FA, whilst a different one has 2FA instead of that method) - as far as I know (not sure, though) banks in Europe are only forced to use 2FA if all they had before that for “security” was something even worse such as username + password authentication, because without those regulations plenty of banks would still be using said even worse method (certainly that was the case with my second bank, who back in the late 2010s still used ridiculously insecure online authentication and only started using 2FA because they were forced to)
Transmitting an OTP to the user is a security risk.
Banks in the EU are, in fact, forced to implement 2FA using phone numbers as part of “dynamic linking” requirement of PSD2, which makes more secure methods of 2FA (like TOTP) not allowed
I haven’t switched my phone yet, but will do so soon. Does anyone have experience with compatibility layers on phone, akin to wine? I unfortunately cannot go without my public transport apps, and they’re android or IOS only. I’ve looking into postmarket OS, but open for suggestions.
What public transport apps if I may ask? Most of Western Europe and especially Germany present no issues and even have OSS options, same with Finland.
Thanks for the input, i realise it’s been a while since I checked this! ÖBB Scotty, ÖBB Tickets (could forgo this one) and SBB mobile. I also need Digitales Amt (official government app for things like signing contracts without printing them, ordering your election materials to a different address than usual, checking your medical info etc). Do you happen to know whether that would work?
Don’t know and sadly my Pixel got stolen recently, but you can see if Offi or Transportr meet your needs, they’re available on fdroid.
I guess I have bad news for you regarding the government app: https://discuss.grapheneos.org/d/253-compatibility-for-austria-e-government-app
Anyway depending on your threat model keeping a normiephone as a decoy and mainlining something like graphene os can be a good opsec decision.
Nice, thanks for the tip! Also thanks for going through the trouble of finding out for me, I appreciate it! I’m unfortunately in one of the regions where it’s specifically not available. But the second phone thing might be an option. That, or just a compatibility layer with regular old android after all.
Well you can use Calyx instead, which supports microG instead of Graphene, at the expense of somewhat lower security level. Or wait until sandboxes google services gets patched accordingly.
You can use Waydroid on PostmarketOS to install Android apps. It basically runs a full VM for you.
Would not updating Revolut keep the app compatible as long as you don’t sign out?
If so, don’t update the app and write down the build number of the last app version which worked on GrapheneOS. That way you would have a bit more time to sort things out.
They constantly force you to update or the app won’t work. I was already having issues with Revolut on GrapheneOS so I just closed my account and switched to Wise. The Revolut app was a bloated mess anyway.
Yupp thinking about doing the same, but want to wait a little to see if wise decides to do the same…