cross-posted from: https://slrpnk.net/post/15995282

Real unfortunate news for GrapheneOS users as Revolut has decided to ban the use of ‘non-Google’ approved OSes. This is currently being posted about and updated by GrapheneOS over at Bluesky for those who want to follow it more closely.

Edit: had to change the title, originally it said Uber too, but I cannot find my way back to the source for whether that’s true or not…

  • Fuck Yankies
    266 days ago

    So, uh, the next version of GrapheneOS will probably come with some Android OS version spoofing tech that solves this - if there isn’t something on F-Droid already.

    • Sips'OP
      125 days ago

      No it won’t. Or at least they said on Bluesky that if there had been a workaround for this they would have solved it already.

    • @jagged_circle@feddit.nl
      English
      6
      edit-2
      5 days ago

      I mean remote attestation is cryptographically secure (unless there’s some temp implementation vulnerability).

    • @FutileRecipe@lemmy.world
      45 days ago

      But when did you set Authy up? I don’t recall when Authy made the change, but it wouldn’t kick you out. It would, however, prevent you from signing in a new device. So if you lose your phone, you might lose access to those tokens…

    • Sips'OP
      15 days ago

      Guess you won’t be for much longer 🤷 I’d be careful with logging out.

  • Brad Boimler
    English
    118 hours ago

    I use the McDonald’s app all the time on GOS; this only affects you if you use Google Pay when checking out, to my knowledge.

  • tisktisk
    English
    296 days ago

    Is this not a sign of the true intentions on both sides of the dilemma here!?!?
    Let us go to the end. We cannot afford to carry on in fear of these bans. Let the lines be neatly placed and the sides chosen wisely. If sustained profits are desired, the walled-gardens must come down.

    Vote with your dollar and vote again with your data. Wary, but never afraid is the motto, privacy comrades!

    • @vividspecter@lemm.ee
      35 days ago

      Agreed. Leave immediately to other services, and tell them why you’re leaving. It might not make a dent, but you’ll be doing the right thing at least.

  • qaz
    English
    54 days ago

    Oh great, I guess I’ll have to change my payment info for everything now. Fantastic.

  • Madis
    46 days ago

    Are there any checker apps to see which of a user’s installed apps have this? Looking up “Play Integrity API” only finds the checkers for the phone itself…

  • @penquin@lemm.ee
    515 days ago

    Webapps everything you can like I do with Firefox and uBlock Origin. Fuck these assholes.

  • Lol I spent a week going back and forth with Revolut support in August. I could sign into the app but it would always ask me for a “selfie” verification and every time support would say it’s a super dark selfie.

    Eventually I decided to try a stock ROM and it just worked and I realised what was happening so I transferred all of my money out and deleted my account.

    Most local banks here are terrible at making apps, some even require a separate device that looks like a calculator to use online banking, so hopefully they won’t follow suit anytime soon.

    • @kevincox@lemmy.ml
      206 days ago

      require a separate device that looks like a calculator to use online banking

      To be fair this actually provides a very high level of security? At least in my experience with AIB (in Ireland) you needed to enter the amount of the transactions and some other core details (maybe part of the recipient’s account number? can’t quite recall). Then you entered your PIN. This signed the transaction which provides very strong verification that you (via the PIN) authorize the specific transaction via a trusted device that is very unlikely to be compromised (unless you give someone physical access to it).

      It is obviously quite inconvenient. But provides a huge level of security. Unlike this SafetyNet crap which is currently quite easy to bypass.

      • @Aceticon@lemmy.dbzer0.com
        English
        11
        edit-2
        5 days ago

        Those little boxes are just a bit of hardware to let the smartchip on the smartcard do what’s called challenge-response authentication (in simple terms: get big long number, encode it with the key inside the smartchip, send encoded number out).

        (Note that there are variants of the process where things like the amount of a transfer are added by the user to the input “big long number”).

        That mechanism is the safest authentication method of all because the authentication key inside the smartchip in the bank card never leaves it and even the user PIN never gets provided to anything but that smartchip.

        That means it can’t be eavesdropped over the network, nor can it be captured in the user’s PC (for example by a keylogger), so even people who execute files received on their e-mails or install any random software from the Internet on their PCs are safe from having their bank account authentication data captured by an attacker.

        The far more common two-way-authentication edit: two-channel-authentication, aka two-factor-authentication (log in with a password, then get a number via SMS and enter it on the website to finalize authentication), whilst more secure than just username+password, isn’t anywhere as safe as the method described above since GSM has security weaknesses and there are ways to redirect SMS messages to other devices.

        (Source: amongst other things I worked in Smart Card Issuance software some years ago).

        It’s funny that the original poster of this thread actually refuses to work with some banks because of them having the best and most secure bank access authentication in the industry, as it’s slightly inconvenient. Just another example of how, as it’s said in that domain, “users are the weakest link in IT Security”.
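Added example, not part of any comment in this thread: a minimal Python simulation of the challenge-response flow described in the two comments above, including the variant where the amount and part of the recipient's account number are typed into the reader. HMAC-SHA256 stands in for whatever cryptogram a real card computes, and every name (`CardChip`, `Bank`, `_code`) and value is constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _code(key, challenge, amount, payee_digits):
    # Length-prefix each field so ("12", "3") and ("1", "23") cannot collide.
    msg = b"".join(len(f).to_bytes(1, "big") + f.encode()
                   for f in (challenge, amount, payee_digits))
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**8:08d}"

class CardChip:
    """Stand-in for the smartchip: the key and PIN never leave this object."""
    def __init__(self, key, pin):
        self.__key, self.__pin, self.__tries_left = key, pin, 3

    def respond(self, pin, challenge, amount, payee_digits):
        """Return an 8-digit response, or None if the PIN is wrong or blocked."""
        if self.__tries_left == 0:
            return None                      # blocked after three bad PINs
        if not hmac.compare_digest(pin.encode(), self.__pin.encode()):
            self.__tries_left -= 1
            return None
        self.__tries_left = 3
        return _code(self.__key, challenge, amount, payee_digits)

class Bank:
    def __init__(self, key):
        self._key, self._pending = key, {}

    def start_transfer(self, amount, payee_digits):
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[challenge] = (amount, payee_digits)
        return challenge

    def confirm(self, challenge, response):
        # pop() makes each challenge single-use, so a captured response cannot be replayed.
        details = self._pending.pop(challenge, None)
        if details is None or response is None:
            return False
        return hmac.compare_digest(_code(self._key, challenge, *details), response)

def demo():
    key = secrets.token_bytes(32)            # constructed key shared at card issuance
    card, bank = CardChip(key, "4921"), Bank(key)
    ch = bank.start_transfer("150.00", "12345678")
    good = card.respond("4921", ch, "150.00", "12345678")
    ok, replay = bank.confirm(ch, good), bank.confirm(ch, good)
    # Payee altered in the request the bank received; the user signed what they intended.
    ch2 = bank.start_transfer("150.00", "99990000")
    tampered = bank.confirm(ch2, card.respond("4921", ch2, "150.00", "12345678"))
    return ok, replay, tampered
```

`demo()` returns `(True, False, False)`: the genuine transfer verifies, the replayed response is rejected, and a transfer whose payee was changed between the user and the bank fails because the signed details no longer match.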

        • @jagged_circle@feddit.nl
          English
          25 days ago

          You had me until banks are secure. Most banks use 2FA over SMS. All banks in the EU require a phone number for PSD2 requirements.

          With GPG and TOTP support, it’s been easier to secure a Facebook or Google account better than 99% of bank accounts.

          • @Aceticon@lemmy.dbzer0.com
            English
            65 days ago

            I literally said 2FA over SMS is not secure because of weaknesses in the GSM protocol.

            It’s still more secure than username + password alone, but that’s it.

            • @jagged_circle@feddit.nl
              English
              1
              edit-2
              5 days ago

              Sure, but afaik all EU banks require a phone number so they can send OTPs using your phone for transaction auth. This is a mandate of PSD2.

              My disagreement is with your last paragraph. Because of this regulation, banks are horrendously insecure. If I refuse to enter a phone number when signing up for a bank account, I literally cannot get a bank account in Europe. That’s insecure despite the user, not because of the user.

              • @Aceticon@lemmy.dbzer0.com
                English
                1
                edit-2
                5 days ago

                I think you’re confusing security (in terms of how easy it is to impersonate you to access your bank account) with privacy and the level of requirements on the user that go with it - the impact on banking security of the bank having your phone number is basically zero since generally lots of individuals and companies who are far less security conscious than banks have that number.

                That said, I think you make a good point (people shouldn’t need a mobile phone to be able to use online banking and even if they do have one, they shouldn’t need to provide it to the bank) and I agree with that point, though it’s parallel to the point I’m making rather than going against it.

                I certainly don’t see how that collides with the last paragraph of my original post which is about how the original thread poster has problems working with banks which “require a separate device that looks like a calculator to use online banking” which is an element of the most secure method of all (which I described in my original post) and is not at all 2FA but something altogether different and hence does not require providing a person’s phone to the bank. I mean, some banks might put 2FA on top of that challenge-response card authentication method, but they’re not required to do so in Europe (I know, because one of the banks in Europe with which I have an account uses that method and has no 2FA, whilst a different one has 2FA instead of that method) - as far as I know (not sure, though) banks in Europe are only forced to use 2FA if all they had before that for “security” was something even worse such as username + password authentication, because without those regulations plenty of banks would still be using said even worse method (certainly that was the case with my second bank, who back in the late 2010s still used ridiculously insecure online authentication and only started using 2FA because they were forced to).

                • @jagged_circle@feddit.nl
                  English
                  1
                  edit-2
                  5 days ago

                  Transmitting an OTP to the user is a security risk.

                  Banks in the EU are, in fact, forced to implement 2FA using phone numbers as part of the “dynamic linking” requirement of PSD2, which makes more secure methods of 2FA (like TOTP) not allowed.

  • @Droggelbecher@lemmy.world
    86 days ago

    I haven’t switched my phone yet, but will do so soon. Does anyone have experience with compatibility layers on phone, akin to Wine? I unfortunately cannot go without my public transport apps, and they’re Android or iOS only. I’ve been looking into postmarketOS, but I’m open to suggestions.

    • anti-idpol action
      25 days ago

      What public transport apps if I may ask? Most of Western Europe and especially Germany present no issues and even have OSS options, same with Finland.

      • @Droggelbecher@lemmy.world
        15 days ago

        Thanks for the input, I realise it’s been a while since I checked this! ÖBB Scotty, ÖBB Tickets (could forgo this one) and SBB mobile. I also need Digitales Amt (official government app for things like signing contracts without printing them, ordering your election materials to a different address than usual, checking your medical info etc). Do you happen to know whether that would work?

          • @Droggelbecher@lemmy.world
            15 days ago

            Nice, thanks for the tip! Also thanks for going through the trouble of finding out for me, I appreciate it! I’m unfortunately in one of the regions where it’s specifically not available. But the second phone thing might be an option. That, or just a compatibility layer with regular old Android after all.

            • anti-idpol action
              15 days ago

              Well you can use Calyx instead, which supports microG instead of Graphene, at the expense of somewhat lower security level. Or wait until sandboxed Google services get patched accordingly.

  • @SnotBubble@lemmy.ml
    135 days ago

    Would not updating Revolut keep the app compatible as long as you don’t sign out?

    If so, don’t update the app and write down the build number of the last app version which worked on GrapheneOS. That way you would have a bit more time to sort things out.

    • Andrew
      145 days ago

      They constantly force you to update or the app won’t work. I was already having issues with Revolut on GrapheneOS so I just closed my account and switched to Wise. The Revolut app was a bloated mess anyway.

      • Sips'OP
        35 days ago

        Yupp thinking about doing the same, but want to wait a little to see if Wise decides to do the same…