zlacker

[parent] [thread] 3 comments
1. MzHN+(OP)[view] [source] 2023-07-25 04:55:26
Since this is currently being built on Play Integrity API, and banking _apps_ are some of the most prominent users of it, I'm sure banking sites will follow if possible.

For example it is currently the reality in EU, that in order to use any of the native banking apps, a user has no choice but to expose themselves to privacy violations by either Google or Apple, i.e. US companies.

While at least one alternative exists, https://grapheneos.org/articles/attestation-compatibility-gu..., these alternatives are not being used in practice.

I see no way of preventing this happening on the web as well, if the Web Environment Integrity API ships.

replies(2): >>hilios+F3 >>omnimu+Hg
2. hilios+F3[view] [source] 2023-07-25 05:23:30
>>MzHN+(OP)
So far I haven't encountered ans issues with banking apps using MicroG in Germany. Could be our banking apps are even more backward though. Also given PSD2 there is always the option of someone developing 3rd party banking apps.
replies(1): >>iggldi+SR
3. omnimu+Hg[view] [source] 2023-07-25 07:25:57
>>MzHN+(OP)
I have heard podcast with lead dev of local bank app talking about how they wish PWAs would be possible. Because right now they have to secure and audit web, ios, android. Instead having one platform would be easier and probably more secure.

Maybe web is the right platform for these. But of course Google will use this to close things down.

◧◩
4. iggldi+SR[view] [source] [discussion] 2023-07-25 12:42:20
>>hilios+F3
> Also given PSD2 there is always the option of someone developing 3rd party banking apps.

1. From what I've seen, the PSD2 APIs haven't really been created with end users in mind – there are non-trivial accreditation requirements on people/entities wishing to make use of those APIs, the expectation being that only professional middlemen will dally with those APIs.

2. The PSD2 APIs don't necessarily cover the full functionality of a bank's online banking functionality.

3. While you can probably still get quite far with "just" the ability to query the current account data and recent transactions, as well as being able to initiate payments, this doesn't sidestep the bank's authorisation requirements – meaning that unless you can use a hardware TAN generator or something like that, you're still dependent on the bank's app for payment and account access authorisation.

[go to top]