top | item 47046437


bergheim | 12 days ago

Been using this for about a year on a p9 pro. It works very well. I hear the google tap to pay does not work, but I've never tried it. However Vipps with their tap to pay works fine. BankID works but not with biometric login, which some things require IIRC. And for some reason DnB private works fine, but you are not allowed in on the corp app.

It's mind-bogglingly stupid that they lock down apps like this, when you can just open the thing in a website anyway. I can use my bank on some linux distro, crazy that they trust me since it is not Windows - the truly secure OS!

Knew about those things before I started, so all in all I'm pretty happy. I'd recommend NOT using different users for different things (I started with banking etc in one profile, that ended up being a huge PITA and according to their docs it is mostly security theater anyway). Happy tinkering!


madeforhnyo|12 days ago

A colleague of mine was tech lead at a large online bank. For the mobile app, the first and foremost threat that security auditors would find was "The app runs on a rooted phone!!!". Security theater at its finest, checkboxes gotta be checked. The irony is that the devs were using rooted phones for QA and debugging.

protimewaster|12 days ago

Meanwhile, it's probably A-OK for the app to run on a phone that hasn't received security updates for 5 years.

I don't get it. If they're worried about liability, why not check the security patch level and refuse to run on phones that aren't up to date?

I'm guessing it's because there are a lot of phones floating around that aren't updated (probably far more than are rooted), and they're willing to pretend to be secure when it impacts a small number of users but not willing to pretend to be secure when it impacts many users.

zobzu|12 days ago

i've seen: "but ios can be jailbroken and it doesn't have an AV!" while the MDM does not allow jailbroken devices, and they also allowed sudo on linux.

auditors are clueless parasites as far as i'm concerned. the whole thing is always a charade where the compliance team, who barely knows any better, tries to lie to the auditor, and the auditor picks random items they don't understand anyway. waste of time, money and humans.

dlcarrier|12 days ago

As long as copying some numbers, printed on a piece of plastic, into an online order form is all the authentication that is needed for a transaction, anything more than that is inherently security theater.

sunaookami|12 days ago

Yeah that's the first thing a pentest will complain about, had the same problem too. I pushed back enough so that it's trivial to bypass but the bank and pentesters also agreed with me that it's security theater or else I would never have had the chance.

bnjms|12 days ago

Who do we lobby to get this removed from the auditors checklists? This is a solvable problem but it’s political. And if we don’t solve it personal computing is at risk.

monksy|12 days ago

A lot of that is security theater at its best. However given the forced attack surface I would imagine that there is a hard push from authoritarians and the finance world to make a "secure chain" from service to screen.

My guess: They're afraid that the scammers are going to mirror the screen and remote control access to the app. (More orgs are moving to app/phone based assumptions because it saves the org money and pushes cost on the consumer) Instead of providing protections from account takeover.. we're going to get devices we don't own and we have to pay for, maintain and pay for services to get a terminal to your own bank account. Additionally, there are many dictatorships, like the UK, North Korea, etc, that are very adamant that you don't look at things without their permission. So they're trying to close the gap of avoiding age verification bypasses with VPNs.

mmooss|12 days ago

> the first and foremost threat that security auditors would find was "The app runs on a rooted phone!!!".

GrapheneOS is not rooted, or is not required to be.

NewJazz|12 days ago

But grapheneos doesn't need to be rooted!

ACCount37|12 days ago

Oh how I fucking wish "security" wasn't a stupid cargo cult checkbox list 3/4 of the times.

Unfortunately, the rot runs too deep.

fodmap|12 days ago

> It's mind-bogglingly stupid that they lock down apps like this, when you can just open the thing in a website anyway. I can use my bank on some linux distro...

Not in Spain. I can access my bank's website but I can't do anything without their bank app. Sometimes they even require me to confirm my identity using their app in order to access their website.

I have several linux phones but I can only do banking with their app downloaded from Aurora Store in my Vollaphone.

shevy-java|12 days ago

This should be illegal that the government forces people into apps controlled by private, commercial entities. I call such a government corrupt.

Here in central Europe I can still access the bank website fine without a smartphone. I need a physical device to yield a TAN though, but I can access and do online transactions fine. So I think something is wrong with the Spanish government. People need to protest.

Tharre|12 days ago

> Not in Spain. I can access my bank's website but I can't do anything without their bank app.

I don't know about Spain specifically, but as far as I understand it no bank in the European Economic Area + UK should allow banking via just the website alone anymore, because of the "Revised Payment Services Directive" (PSD2) regulation.

Essentially, banks are required to implement "strong customer authentication", which in essence is just multi-factor authentication with a password + either biometrics or a security device of some sort.

And in practice that means a banking app, because most people do not want a separate token they have to buy and can lose. Though a lot of banks do offer those as well.

severino|12 days ago

I don't know which banks you are using but in my case I work with five Spanish banks and I can do everything from their websites, no app required. Yes, they try to push you to use their app, some tried to activate mobile 2FA for me when this PSD2 thing became mandatory but I always told them their app doesn't work on my phone (which is true) and they offered me alternate methods like SMS.

lejalv|12 days ago

> Not in Spain. I can access my bank's website but I can't do anything without their bank app. Sometimes they even require me to confirm my identity using their app in order to access their website.

https://triodos.es has 2FA via SMS, for what it's worth.

FullMetalBitch|12 days ago

I have been using GrapheneOS for a few months in Spain, and out of three banking apps only one gave me trouble; I had to enable "Exploit Protection Compatibility Mode" in "App info". Personally I refuse to pay with the phone so I am okay not having that option.

If someone wants to try GrapheneOS maybe that option will work on their banks too.

b112|12 days ago

> Not in Spain. I can access my bank's website but I can't do anything without their bank app. Sometimes they even require me to confirm my identity using their app in order to access their website.

I've seen this elsewhere, and it's absolutely ridiculous.

Why?

Because in almost all cases, the apps may only be installed with Google Play, and require the framework to work correctly. And that means?

If you are not in good standing with Google, you cannot bank!!

I cannot stress how inane it is to have Google or Apple as the gatekeeper to identity verification. How not having an active, in good standing account with one of these two means you cannot bank.

And it's happening more and more.

Meanwhile, banks -- which tend to make billions in profits quarterly -- do this to save on infrastructure costs. They do it so they don't have to stand up their own push servers, or have an app which doesn't require Firebase.

Well cry me a river, boo-hoo Mr Banker, I'm not even remotely interested in you saving on infrastructure costs at the loss of autonomy. And on top of this, many banks are reducing hours, closing branches, claiming that they don't need them.

Leaving absolutely no other choice.

This sort of thing should be illegal. Being in Spain, but requiring a US megacorp to tell your own bank, that you're you.

abdullahkhalids|12 days ago

Similar in Canada.

- RBC 2FA is that if I try to login through my browser, the phone app will ask if I authorize the login. I think I can disable this and use sms/call, but that's even more insecure, so I don't.

- TD lets me login fine and do everything in the browser. But any online transaction that is moderately large or presumably fishy, will force me to authorize the transaction via the app.

These are among the largest banks in Canada.

rglynn|12 days ago

Other than the inconvenience, is there any privacy risk in just having a separate device purely for those apps and nothing else?

Or is it more of a principle to resist this being forced on us?

BLKNSLVR|12 days ago

I'd also recommend to slowly migrate to GrapheneOS, getting to know where the boundaries are for specific apps. Once you've got your 'dailies' all up and running predictably, then you're good to go, but it could take a few days depending on how much spare time you have to find said boundaries. Having said that, I turn on most of the higher level security protections, which quite a few apps need exceptions from.

But, yes, you can't tap to pay and it's unlikely you ever will. Banking apps will be hit and miss depending on their (generally hypocritical) paranoia levels.

I pay with a tap-to-pay card, and I have never needed to do banking related things immediately, I've always done it via the bank's website.

I also still have a not-very-old 'normal' android phone for some edge cases - which are few and far between (actually, I think it's usually to cast youtube to the TV since I only have the revanced youtube app on the GrapheneOS device).

P.S. On the use of profiles, I use them to separate work apps and notifications from personal, from sporting club, from X, Y, and Z. Yes, they're a pain in the arse to switch between, but I'd argue it's more of a pain in the arse to have them all jumbled together causing even more notifications, frustrations, and distractions from whatever one should actually be concentrating on in the present moment.

HybridStatAnim8|12 days ago

I recommend dividing per persona rather than per app category.

pmontra|12 days ago

> I can use my bank on some linux distro,

Yes, I've been doing that since 2009 on Ubuntu and Debian but there are several caveats.

One of those banks has its own TOTP device and they won't replace it when the battery dies. It's almost 20 years old now. Then it's the fingerprint sensor on my phone.

The other banks authenticate accesses and many operations with either their app + fingerprint (all of them) or SMS (some of them). So basically I would still need a phone with a blessed OS. I could buy the cheapest one and store it in a drawer, but it's still a dependency on Google or Apple.

GrapheneOS's requirement of Pixel devices is a dependency on Google too.

microtonal|12 days ago

> GrapheneOS's requirement of Pixel devices is a dependency on Google too.

They are currently working with an OEM to release a non-Pixel GrapheneOS phone in the future.

tranq_cassowary|11 days ago

It's not really a requirement of a Pixel device. It just happens to be the case that Pixel devices currently are the only devices meeting the hardware requirements listed in the FAQ: https://grapheneos.org/faq#future-devices. The hardware requirements don't contain exotic things, but non-Google and non-Apple companies until now just fail to deliver on the security front. It's also not that GrapheneOS catered these requirements to fit Google and Google only. They have been actively working with an OEM partner since June 2025 to help them meet the hardware requirements for a subset of their future devices. So they are even willing to assist companies to meet the requirements if they have the ambition to do so. The OEM is not yet disclosed; the launch of the device will be somewhere in 2027.

jlokier|12 days ago

> when you can just open the thing in a website anyway. I can use my bank on some linux distro

Unfortunately not.

I'm in the UK. Two of my personal banks, all four business banks that I need to use, and several credit cards, require authentication using their phone app to confirm login on their website.

None of those I've seen are using TOTP or SMS, for which I could use a general security service. All use their own phone or tablet app. One does something interesting where the website shows a unique QR code on each login, the phone app reads it with the phone camera, and then website login proceeds instantly without clicking anything.

Oh, and some of them also require phone app confirmation for card purchase transactions.

When my last phone's screen stopped working, I called one bank's "phone banking" line (using another phone of course) to make an urgent transaction, and they told me they can't do that, as the only service they offer by phone is registering a new phone or tablet. They told me explicitly that it's not possible to login to their web-based banking service without using their app for authentication, and on a registered device.

It's the reason I have my current phone. I had to buy a cheap-ish Android in a hurry from a local shop, in order to proceed with my bank transaction.

Back to the main topic: I love the idea of a properly open source phone, I used to own not one but two Nokia N900s, and I once toyed with the idea of building my own Linux phone from scratch, big project though that is.

But the security ecosystem around logins has changed, and so have the services I depend on. These days I use many bank and other financial-service related apps, and I'm not, in practice, free to switch providers. So I couldn't use a Nokia N900 or modern equivalent any more as my only mobile device. I'd have to carry a second phone as well.

(Banking and other service authentications are also the only reason I have my current passport. I resented having to pay to renew my expired passport, given I had no plans to travel (small children) and the expired passport used to be accepted, but I found some banks, credit cards and even government services increasingly requiring me to show a non-expired passport from time to time. When I asked one of them what they do for the large number of people who don't have one, they simply told me they close those people's accounts and that's ok, they don't need to serve everyone. But that's another story.)

eloisius|12 days ago

> require authentication using their phone app

And banks often have their apps region locked, so if you live abroad or have accounts in more than one country, you’re fucked.

birdsongs|12 days ago

I was the one that submitted the DNB Bedrift app report to the sec dev repo! I contacted DNB but they never responded to my email. I wonder if we can find a dev? I believe that's how the private app got fixed.

Want to use Vipps tæpp so much but I have Nordea for private and they don't allow it on their cards, for whatever godforsaken reason.

bergheim|12 days ago

Ah. Where did you send this in?

I wouldn't mind sending in a complaint to both BankID (allow biometric login) and of course DnB corpo edition.

omgmajk|12 days ago

Does the Nordea app work on Graphene? I am curious because I have been itching to switch my main phone to an alternate OS.

mtlmtlmtlmtl|12 days ago

About BankID: There was a regression in the app back in June that broke the app entirely. Back then I emailed the developers complaining about it, and their response indicated that there was no deliberate attempt at breaking BankID on GrapheneOS, and the specific developer who replied to me said he was a fan of the OS.

Biometric login was also confirmed to work around the same time. I can however confirm that it doesn't work on the latest app version. It complains that the webview isn't Google Chrome.

This is probably just an oversight. I will email them again; good chance they'll push a fix to recognise Vanadium webview.

natterangell|12 days ago

Fwiw, biometric login works fine for me. You need to install something like DuckDuckGo or Brave and set as default browser during setup. And only Google Password manager works for storing the passkey.

vages|12 days ago

Thanks for the Norwegian perspective.

I agree that the locking down is truly stupid. For what it’s worth, the reasoning for locking down mobile apps is allegedly that mobile users are a less technologically competent demographic than desktop users. I do not think so myself, given the difficulty in trying Graphene vs. Desktop Linux.

malfist|12 days ago

Those people who root their phone and install alternate OSes sure are less technologically competent than someone with a browser and a laptop

microtonal|12 days ago

> I agree that the locking down is truly stupid.

I don't agree that it is stupid. Both banking on a Windows PC and on an unlocked + rooted phone are potentially catastrophic. Windows because of the prevalence of malware, unlocked phones with custom AOSP forks because people download 'ROMs' (as they call them) from the most shady sites.

Once 10,000s of Euros are siphoned from a bank account, it's usually the bank that has to deal with the mess. Especially if they cannot prove the transactions were done on an insecure platform.

Phones are generally safer (though there is a huge variance between the safety of different Android phones) because they use verified boot and strong application sandboxing.

I think it is possible to believe the following two things at the same time:

- Banking apps should only run on locked phones with secure boot.

- Banking apps should not be limited to the Apple/Google duopoly.

The solution is that there is some validation of alternative OS vendors, e.g. in the form of an audit, and that banks are required to approve apps on their platforms after the audit. This would be fairly straightforward tech-wise, because e.g. GrapheneOS supports remote attestation, but banking apps need to add/allow the hashes of the official boot keys: https://grapheneos.org/articles/attestation-compatibility-gu...
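The policy microtonal sketches (locked bootloader plus an allowlist of audited OS vendors' verified boot keys) and protimewaster's earlier point about refusing stale patch levels can both be written down as one server-side check. The block below is an added illustration, not code from this thread, from any bank, or from GrapheneOS. It assumes the bank's backend has already parsed an Android hardware attestation into the three fields shown (verified boot state, verified boot key hash, OS patch level); the key hashes and the `AttestationRecord` type are constructed placeholders, not real values.

```python
"""Constructed example: an attestation allowlist policy for a banking backend.

Assumptions (not from the thread): the device's hardware attestation has
already been verified cryptographically and parsed, and the server holds
the RootOfTrust fields that Android key attestation exposes. The key
hashes below are PLACEHOLDERS; a real deployment would carry the stock
OEM key hashes and the hashes an audited alternative OS vendor publishes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AttestationRecord:
    # Android verified boot states: "Verified" (green, OEM key),
    # "SelfSigned" (yellow, custom key with bootloader locked),
    # "Unverified" (orange, unlocked) or "Failed" (red).
    verified_boot_state: str
    device_locked: bool
    verified_boot_key_sha256: str   # hex digest of the boot key
    os_patch_level: int             # YYYYMM, as carried in the attestation


# Allowlist: vendor label -> acceptable verified boot key hashes (placeholders).
ALLOWED_BOOT_KEYS = {
    "stock": {"00" * 32},
    "grapheneos": {"11" * 32},
}

# Oldest patch level the policy tolerates (constructed value for the example).
MIN_PATCH_LEVEL = 202501

# A locked bootloader with a custom key reports SelfSigned, so an allowlist
# that admits audited vendors must accept that state as well as Verified.
ACCEPTABLE_STATES = {"Verified", "SelfSigned"}


def evaluate(record, allowed=ALLOWED_BOOT_KEYS, min_patch=MIN_PATCH_LEVEL):
    """Return (admit, detail): detail is the vendor label on success,
    otherwise the first policy rule that failed."""
    if not record.device_locked:
        return False, "bootloader unlocked"
    if record.verified_boot_state not in ACCEPTABLE_STATES:
        return False, f"boot state {record.verified_boot_state}"
    key = record.verified_boot_key_sha256.lower()
    vendor = next((v for v, keys in allowed.items() if key in keys), None)
    if vendor is None:
        # Unknown key: could be a random ROM, so the device is refused even
        # though its bootloader is locked.
        return False, "unknown verified boot key"
    if record.os_patch_level < min_patch:
        return False, f"patch level {record.os_patch_level} below {min_patch}"
    return True, vendor


def sample_records():
    """Constructed attestation records covering the policy's branches."""
    return {
        "stock_current": AttestationRecord("Verified", True, "00" * 32, 202506),
        "alt_os_audited": AttestationRecord("SelfSigned", True, "11" * 32, 202506),
        "unlocked": AttestationRecord("Unverified", False, "00" * 32, 202506),
        "unknown_rom": AttestationRecord("SelfSigned", True, "ab" * 32, 202506),
        "stale_patches": AttestationRecord("Verified", True, "00" * 32, 201903),
    }


if __name__ == "__main__":
    for name, rec in sample_records().items():
        admit, detail = evaluate(rec)
        print(f"{name:15s} -> {'ADMIT' if admit else 'REFUSE'} ({detail})")
```

The ordering of the rules matters: the key-hash check is what turns "any locked device" into "any locked device running an OS the bank has vetted", and the patch-level rule is applied to stock and alternative OSes alike, which is the consistency protimewaster asks for.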

RandomPenguin|12 days ago

> It's mind-bogglingly stupid that they lock down apps like this, when you can just open the thing in a website anyway. I can use my bank on some linux distro, crazy that they trust me since it is not Windows - the truly secure OS!

I'm worried the day will come when some sites will require, even on a computer, a full-chain verification from the bootloader to the OS, all the way down to the browser. By requiring that each of these elements be digitally signed so that if you're not on a "secure" platform, from the bootloader to the browser, sites such as home banking could restrict access. Imagine not being able to login to your home banking because your linux box is rooted.

Btw, the good old days of modding are gone...

baq|12 days ago

> I can use my bank on some linux distro, crazy that they trust me

enjoy it while it lasts. hardware attestation requirement for (at least) banking apps is a question of 'when', not 'if'.

BLKNSLVR|12 days ago

I hope this isn't going to be the case universally. If my bank cuts off my access from my browser-on-linux setup, then I'm finding an alternative bank (hopefully some will always exist), which I don't say lightly since I've been with my current bank since I was old enough to have a bank account.

Aachen|12 days ago

My bank has always had hardware attestation, but it was their hardware that was being attested. Customers get it loaned when signing up.

I have no problem with a device that they trust being used for transaction approval, but that device shouldn't also be the device I use for my daily life and do all sorts of private things on. We should want to be able to inspect that one.

Neil44|12 days ago

Same with Lineage OS, my daughter has an old Samsung with Lineage on it and the Wallet app doesn't work because the phone's been rooted.

Brybry|12 days ago

You're doomed to this issue with old phones in general.

Even un-modified you'll then be stuck with an old version of Android that doesn't support the latest versions of apps and the old versions of apps won't work properly.

It's really a shame because a lot of old phones work perfectly fine otherwise.

notpushkin|12 days ago

Wallet app is still impossible to get working, but there’s been some development recently: https://github.com/microg/GmsCore/issues/361

Some other apps are often willing to accept my current setup (Lineage for microG [0], plus Magisk, if you don’t need root – Magisk Hide does some magic I don’t really understand, but even without Play Integrity passing, apps just start working).

With more tweaks, you might be able to get Play Integrity to work to some extent, but it’s hit or miss. I’ve just stopped using apps that demand it.

[0]: https://lineage.microg.org/

jcul|12 days ago

All of my banking related apps work fine.

The only apps that haven't worked are Google wallet for NFC payments and, strangely "macrofactor" a calorie tracking app.

Google wallet works for things like library cards, tickets etc, just not NFC payment.

Macrofactor seems to have since fixed their app; the features that did not work now do.

Graphene used to lack Android Auto support but it has since been added and works perfectly.

They maintain a guide for app developers as well as a list of apps that refuse to add compatibility here:

https://grapheneos.org/articles/attestation-compatibility-gu...

moogly|12 days ago

It sorely needs to break free from the lackluster Pixel hardware. The OEM announcement can't come soon enough (and I hope it's Motorola).

dotancohen|12 days ago

I have a few features that I need that I'm not sure if Graphene supports. If you could check that would help!

Can you record phone calls? Do third party voice recorders continue recording even when the screen is locked? Thank you!

Cider9986|12 days ago

Yes to both.

stronglikedan|12 days ago

> BankID works but not with biometric login

Do you use any authenticator apps such as Okta? My org requires biometrics when using Okta on my phone.

birdsongs|12 days ago

I use microsoft authenticator, in its own work profile for work. I also use fingerprint login for Nordea, the Proton Suite, my personal 2fa program. Biometric works great on the Pixel 9A, at least, and it was fine on the 8 Pro when I had it.

The BankID thing is a SW quirk on their end, but generic fingerprint seems to work great across the ecosystem.

absqueued|12 days ago

This reads like a very Norwegian experience!

alwyn|11 days ago

For the tap to pay I am now using my Garmin smartwatch. Still corporate, but not Google/Apple huge corporate.

Very content with GOS otherwise. I blame app providers for their ridiculous limitations, not custom ROM developers.