[return to "Google will allow only apps from verified developers to be installed on Android"]
1. arielc+542 2025-08-26 11:11:45
>>kotaKa+(OP)
Meaning to use your device you need to have a contractual relationship with a foreign (unless you are in the US) third party that decides what you can or cannot do with it. Plus using GrapheneOS is less of an option every day, since banks and other "regulated" sectors use Google Play Protect and similar DRMs to prevent you from connecting from whatever device you want. Client-side "trust" means the provider owning the device, not the user.

Android shouldn't be considered Open Source anymore, since source code is published in batches and only part of the system is open, with more and more apps going behind the Google ecosystem itself.

Maybe it's time for a third large phone OS, whether it comes from China getting fed up with the US and Google's shenanigans (Huawei has HarmonyOS but it's not open) or some "GNU/Linux" touch version that has a serious ecosystem. Especially when more and more apps and services are "mobile-first" or "mobile-only" like banking.

◧◩
2. pimter+V42 2025-08-26 11:20:21
>>arielc+542
I think Play Integrity is the fundamental issue here, and needs to go. That's the crux of the issue.

Allowing apps to say "we only run on Google's officially certified unmodified Android devices" and tightly restricting which devices are certified is the part that makes changes like this deeply problematic. Without that, non-Google Android versions are on a fair playing field; if you don't like their rules, you can install Graphene or other alternatives with no downside. With Play Integrity & attestation though you're always living with the risk of being cut off from some essential app (like your bank) that suddenly becomes "Google-Android-Only".

If Play Integrity went away, I'd be much more OK with Google adding restrictions like this - opt in if you like, use alternatives if you don't, and let's see what the market actually wants.

◧◩◪
3. avhcep+X52 2025-08-26 11:30:25
>>pimter+V42
Banks seem to actually "want" Play Integrity. At least they act like it. I bet they would like for normal online banking on user-controlled devices to completely go away.
◧◩◪◨
4. ulrikr+go2 2025-08-26 13:24:43
>>avhcep+X52
What's absurd though is that they have never demanded it for browsers. I think there is a much higher risk of someone being tricked into downloading a compromised browser with a backdoor than someone being tricked into downloading a modified version of their particular banking app. It gives the attacker the same level of control though.
◧◩◪◨⬒
5. mike_h+Mo2 2025-08-26 13:27:07
>>ulrikr+go2
Banks have never accepted browsers. They don't need to because they can require the web app be paired with a mobile app or SMS code to log in. Before they used mobile apps they issued smartcard readers (at least they did everywhere I lived). The smartcard readers were also used to digitally sign transactions.

In other words, there aren't many banks that let you take sensitive actions with just a browser and that's been true since the start of online banking.

These days they also apply differential risk analysis based on the device used to submit a transaction and do things to push people towards mobile. For instance in Switzerland there's now a whole standard for encoding invoices in QR codes. To pay those you must use the mobile apps.

Edit: people are getting hung up on the "never accepted browsers" part. It means they only use the browser for unimportant interactions. For important stuff like login or tx auth, they expect the use of separate hardware that's more controlled like a SIM card/mobile radio, smartcard or smartphone app. Yes some banks are more lax than others but in large parts of the world this was always true since the start of online banking.

◧◩◪◨⬒⬓
6. devmor+nM2 2025-08-26 15:11:41
>>mike_h+Mo2
I work in fintech, formerly as a contractor for some major banks, and absolutely nothing you say is true, generally.

This might be the case for a couple of banks - or maybe in one or two specific countries, but broadly, none of what you've said here applies to banks anywhere else in the world.

◧◩◪◨⬒⬓⬔
7. mike_h+TR2 2025-08-26 15:39:20
>>devmor+nM2
Which banks outside the US allow you to submit payments using only an arbitrary desktop browser, without any other device getting involved? No mobile phones to receive codes, no smartcard readers, no secure elements, nothing except a browser and a password? I have never encountered such a bank.
◧◩◪◨⬒⬓⬔⧯
8. devmor+g34 2025-08-26 21:36:24
>>mike_h+TR2
I’m not sure why “outside the US” is a factor here, but nearly every bank in the world. Some only require email verification, some don’t even require that.

There are banking systems in some countries that do not even require an ATM/Debit card for automated withdrawals, just an account number and grouping code.

◧◩◪◨⬒⬓⬔⧯▣
9. mike_h+E65 2025-08-27 07:49:32
>>devmor+g34
It's fascinating that people have had such different experiences here.

In my entire life, I have never banked anywhere that would let you transact or log in with just a desktop browser. You seem to be convinced this is an edge case but every bank in Europe works this way, as far as I know. There are US financial institutions that would do this, but the US financial system is uniquely fraud prone to a level just not tolerated elsewhere. It lagged years behind on chip-and-PIN cards for instance, and largely never managed to roll it out. The US treats bank account numbers as credentials and other stuff that doesn't apply elsewhere.

Just look at this thread: plenty of people saying what I'm saying. If you bank somewhere that lets people use just a browser to do transactions, you're either in an environment where fraud doesn't matter at all, or you're with a bad bank and should leave them.

◧◩◪◨⬒⬓⬔⧯▣▦
10. devmor+JV5 2025-08-27 14:00:01
>>mike_h+E65
Have you considered that Europe is a fractional part of the world with close international relationships to its geographical neighbors and does not represent the rest of the world's experiences?

You mention the US as lagging behind Europe, which is true - but I assure you from my experience working in international fintech from the US, there are more people in the world than the entire population of my country with even worse banking security controls by default.