zlacker

>>sschue+(OP)
This is a great example of how this whole requirement hasn't been properly thought out.

> Desktop support is not currently within the project's scope.

What I would like to take from this is that, by their own definition, desktop apps are out of scope for Age Verification. So does that mean we will see a return of the 'desktop applications' instead of everything being a web service ?

One can dream perhaps. Until then adults who are willing to 'do what they're told' will be the ones who are inconvenienced by this constantly.

Edit: Also this will completely disable any new phone OS' being developed. Why would anyone bother when you can't verify your wallet to do anything online.

>>bileka+vb
> Also this will completely disable any new phone OS' being developed. Why would anyone bother when you can't verify your wallet to do anything online.

This already the case today, you can't run your bank's app or government eID apps on anything but Google or Apple devices.

>>j0057+4r
> you can't run your bank's app

I can log in to my bank account using my desktop PC

> government eID apps

I can sign into government websites using my desktop PC and its smart card reader and my government-issued eID smartcard. No smartphone needed.

>>logifa+wB
Not in EU. Many banks mandate you either have an iPhone or Google approved Android as 2FA. Those fucking idiots have killed their own competition options.

>>okanat+sG
Which banks? Which country? How do they check and enforce iPhone / Google wrt. 2FA? Are you referring to TOTP as 2FA?

>>johnis+lZ
All banks are required to have "safe" 2FA in the EU by EU regulation. SMS is banned.

Most banks in Germany, Austria and Portugal default to Play Store or App Store apps with OS integrity checks. It seems like the Nordic countries have it a bit better with the ID reader apps. There are sometimes alternatives and some of them require paid subscription.

The apps they require are proprietary. They are not generic TOTP generators. Some of them require biometric approval. Some just logging in and approving a notification. I have seen some generate a form of non-standard TOTP. Otherwise I wouldn't complain about being locked into Google or Apple ecosystems. They are Play Store or App Store apps that require attestation from the libraries / systems provided Google or Apple like SafetyNet or Play Integrity. Some require strong hardware attestation. If the OS is modified, those checks do not pass. You cannot use any FOSS system without crazy hacks. If the phone is stolen, you have to go through manual reonboarding. It sucks when you're out of the country.

>>okanat+IQ1
>SMS is banned. Really? I didn't know that. Can you point me to a document that states that? I'd greatly appreciate it.

>SafetyNet or Play Integrity

A few days ago I did inspect the NovoBanco (Portuguese) apk, and I did look for SafetyNet specifically. They didn't use it. But since I'm not that familiar with the android eco-system I couldn't really tell if Play Integrity was used instead. But I did find a LOT of HMS (Huawei Mobile Services) stuff, and some if it was definitely related to security.

I might take a look at it again tomorrow.

I was curious if I could sideload the app without logging into a google account, meaning without using google services, but all I did was a tiny bit of static analysis instead of actually trying it.

If you have any write-ups on crazy hacks for foss systems, again it would be awesome if you could share them and greatly appreciated. Cheers

Also, is using HMS a normal thing in android development? Last I checked Huawei was persona non grata in the west, at least when it came to hardware like network equipment and consumer devices. I was surprised when I saw HMS in the apk.