zlacker

GrapheneOS + F-Droid is a joy to use, for me. I'm kinda shocked when I use anyone else's phone, now.

If they start selling their own devices, I will buy one and (assuming it turns out how I hope it will) recommend it strongly.

>>miloig+(OP)
How do you access banking and other sensitive apps? If the answer is, you don't, well, you can see how that's a non starter for the vast majority of people.

>>miloig+(OP)
Side note, I read that GrapheneOS project is having some challenges recently.. between [0]the Android kernel drivers no longer having their Git history of changes being released (only a code dump with no history) - and [1]one of Graphene's two core contributors being detained/conscripted into a war.

[0] https://grapheneos.social/@GrapheneOS/114665558894105287

[1] https://grapheneos.social/@GrapheneOS/114359660453627718

>>petral+l1
My banking app works fine on GrapheneOS. There is a crowd-sourced list here with current status for many of them: https://privsec.dev/posts/android/banking-applications-compa...

>>petral+l1
A web browser in the worst case scenario. The same way you'd do it on a computer.

>>petral+l1
What's wrong with their web apps? The only real shortcoming I can think of is depositing checks digitally but I haven't had to do that in years.

>>petral+l1
My credit union app already wants 24x7 GPS tracking of my location and full access to my camera at all times and full access to my collection of photos, so the app is already dead to me anyway. Demanding that I use it on a locked down device isn't going to change anything for me, I'm already actively not using it. I use the website on a desktop, I rarely need to access my CU at all much less access it remotely. Given the large amount of battery and bandwidth already used to track my every move, I wish there was something like "Docker for phones" where I could enable and disable 24x7 full access to my every action IRL.

>>petral+l1
As a GrapheneOS user, the way I access my banking app is by downloading it from the Google Play store just like everyone else.

>>seanw4+v4
This is quickly disappearing as an option as well. I need my bank app to authenticate even when using a web browser on desktop. Luckily my banks app still works on GrapheneOS, but I suspect it's only a matter of time before they disable that because of "security" reasons.

>>petral+l1
Second phone for all official business apps, banking, etc. Never leaves home and it's used only for this purpose

>>petral+l1
Most banking app work, either directly or with a settings change to allow Google Play Service emulation. [1]

[1] https://grapheneos.org/usage#banking-apps

>>bogwog+y6
They don't all work, though: too many crank up the settings on google's various 'integrity' checks and will fail on anything that isn't 100% google-blessed. (Which is insane, because that's all that's required: on a previous phone of mine, it worked fine with a stock ROM with a bluetooth-based RCE, but upgrading to a custom ROM would have meant it was 'insecure')

>>petral+l1
Uh, my bank has a pretty good mobile website, personally.

>>debaze+P7
Android apps will be the IE6 activeX controls of the future.

>>debaze+P7
What bank is this? No bank I know /requires/ you to use a mobile app for anything; the web is enough. 2FA can usually be done via email, SMS, or a google-authenticator-compatible app.

>>GeoAtr+l9
Then use a laptop instead? Or you have one of those "modern" banks that's app only?

>>miloig+(OP)
If an alternative, privacy-focused OS like Graphene can support contactless payments (universal, like Google Wallet does it, not having to install an app per bank or card), and can 100% reliably get around apps requiring SafetyNet (or whatever they call it now) attestation, then I'd start using it.

I'd also need an alternate, safe source for common apps like Uber, Lyft, Slack, Kindle, Doordash, my banking/credit card apps, and a host of others that I use regularly. (And, no, "just use their website" is not acceptable; their website experiences are mostly crap.)

Way long ago I used to run CyanogenMod on my Android phones, and it was trivially easy to get every single app I needed working. Now it's a huge slog to get everything working on a non-Google-blessed OS, and I expect some things I use regularly just won't work. I hate hate hate this state of affairs. It makes me feel like I don't actually own my phone. But I've gotten so used to using these apps and features that it would reduce my quality of life (I know that sounds dramatic, but I'm lacking a better way to put it) to do without.

>>petral+l1
I love how so many of the responses in this thread are "it works for my particular bank" or "my bank's website is good enough" or "I'd only need it to deposit checks, but I never need to do that"... as if those are actually helpful responses to this general problem.

Many many people have banking apps that will not work on non-Google-blessed devices, use banks that have mobile websites that are terrible, and need to do mobile check deposits (which is usually only available in the app, and not the mobile website, if the bank even has one). And no, we're not going to "change our bank".

The reality is that there are so many things that break, sometimes in subtle ways, when you try to use an alternative Android OS. Some people may not have any problems, and that's great! But many -- I would dare to say most -- will.

And there's also a ton of uncertainty: I don't really want to wipe my phone, install GrapheneOS, spend hours messing with it and setting it up, only to find that something critical doesn't work, and now I have to flash back to the stock OS, and hope I can restore everything the way it was.

>>miloig+Z3
This is a good start! I think we need something like a ProtonDB for this sort of thing, but that covers all apps, not just banking apps.

I do see five banking apps I use listed there as working, which is great. But -- and maybe I'm being unnecessarily overly worried about this -- what about the future? What if I've been using Graphene for a year or two, and one of the ones that's critical for me changes how they operate, and Graphene no longer passes muster as a platform it will run on. I'm not afraid of this happening at all running Google's stock OS image, but once I do my own thing, I get to keep the pieces when it breaks.

>>ethagn+r5
Unfortunately I have checks to deposit every couple months. And my bank has no physical presence, so the only way I can do it is through the mobile app. (They also accept deposits by mail, but I'm a little wary of that; a lost check would be a huge hassle.)

>>petral+l1
Is that a jab at grapheneOS ? Because thats just another thing that google is borking up. And a little bit more so the banks themselves.

GrapheneOS is the way that all phone operating systems SHOULD be made. Layers and segregation between your banking apps and all the privacy breaking trash and malware you can get off the app store.

It is the banks and google making weird rootkit shit to try and lock down things that is the problem here.

>>kelnos+9p
All of my bank apps work fine on graphene. I'd switch banks if their app stopped working, not stop using graphene. I stopped using Google wallet, I don't miss it enough to justify using stock android. For other apps, I just put them in a separate profile that has good play installed/configured. It really wasn't bad. The worst part is wiping your phone to install graphene the first time, I prefer just to get a new device for it so I can move stuff over

>>kelnos+Mp
There's bound to be tradeoffs between scrappy open source communities and trillion dollar industry behemoths. The fact that it's this close of a call is pretty amazing. And really you can blame your bank for not making a usable mobile site. A lot of businesses like to force users into apps because it helps with engagement metrics, not because there's any functional benefit.

>>kelnos+9p
For those watching this stuff, there are two other promising paths using ZK-proofs which might disarm the tradeoff situation we've been stuck in. Banking apps etc aren't willing to eat the liability of devices that are rooted or running alternate OSes, and Google's been banking on the exclusivity that brings from being both hardware and security provider.

Path 1: a ZK-proof attestation certificate marketplace implemented by GrapheneOS (or similar) to prove safety in a privacy-securing way enough for 3rd party liability insurance markets to buy in. Banks etc can be indifferent, and wouldn't ignore the market if it got big enough. This would mean we could root any device with aggressive hacking and then apologize for it with ZK-proof certs that prove it's still in good hands - and banking apps don't need to care. No need for hard chains of custody like the Google security model.

Path 2: Don't even worry too hard about 3rd party devices or full OSes, we just need to make the option viable enough to shame Google into adopting the same ZK certificate schemes defensively. If they're reading all user data through ZK-proof certs instead of just downloading EVERYTHING then they're significantly neutered as a Big Brother force and for once we're able to actually trust them. They'd still have app marketplace centrality, but if and when phones are being subdivided with ZK-proof security it would make 3rd party monitoring of the dynamics of how those decisions get made very public (we'd see the same things google sees), so we could similarly shame them via alternatives into adopting reasonable default behaviors. Similar to Linux/Windows - Windows woulda been a lot more evil without the alternative next door.

Longer discussion (opinion not sourced from AI though): https://chatgpt.com/share/68ad1084-eb74-8003-8f10-ca324b5ea8...

>>miloig+(OP)
GrapheneOS can only be installed on Pixel devices, no? Hard to see Google not putting in a way to block that on their own hardware.

>>markas+bl
I should say that I'm not from the US, so that might be why you haven't heard of it.

There is also an alternative for now, but nothing as simple as SMS or authenticator app. They give you a special credit card shaped card with a card reader that you can use to authenticate with using your PIN, which is mostly considered legacy now with the bank app. It's also not realistic to be carrying this thing around everywhere either as it's bigger than my phone.

There is also a national ID app that is used everywhere that I'm worried will stop working on GrapheneOS... Because without it I won't even be able to access online government services like healthcare, taxes, etc.

>>miloig+(OP)
How is GrapheneOS / SeedVault looking these days in terms of being able to capture reliable backups and restore them to another device (without using the cloud)?

I gather the introduction of the android:allowBackup="false" manifest flag complicated things somewhat... I thought I read since then that a Device-to-Device (D2D) impersonation mode was implemented, and would love to hear if that helped?

(I posted a couple years ago about this topic, admittedly it was a bit ranty: >>37774254 )

>>debaze+2x
You still haven't answered their question.

Which bank?

>>VLM+l6
This is absolutely insane. If you block access, does the app stop working?

>>Klonoa+4y
I don't want to reveal where I'm from so I can't say which bank specifically.

>>rchaud+hw
I've never done it but

"Many other devices are supported by GrapheneOS at a source level, and it can be built for them without modifications to the existing GrapheneOS source tree."

https://grapheneos.org/faq#supported-devices

>>Klonoa+4y
I don't know the bank they are referring to, but I can cite an example for me: RBC Royal Bank of Canada requires the mobile app. There is nothing you can do on their website without first 2FA via their specific mobile app, and even then only in limited transaction sizes. If you want "full access" (e.g. up to $10k daily transfer via e-transfer) then you MUST use biometrics and the mobile app.

>>Klonoa+4y
I am quite sure Starling Bank requires an app if you still wanted an example.

>>markas+bl
For example, Starling Bank in the UK.

They have a nice web app, but you must use their mobile app to login on the web version. The app takes a video of a QR code on the web page during login. Web login completes as soon as the mobile app notifies the server. There's no 2FA code to enter, and no alternative.

I asked them about this, by phone call, when my phone screen broke and I urgently needed to make a transaction. Surely there as an alternative? Or could I do the transaction by phone call?

They told me that indeed there is no other option. Despite having phone customer support, they had no phone or web banking service at all which could be used without a registered mobile device. The only phone service they could perform was to register a new mobile device, which I didn't have. I had a tablet, but it was too old.

So I had no good choice. The Android phone I'm using right now was bought in a hurry just so I could be allowed to make a bank transaction.

It wasn't my first choice of phone. I didn't have time to investigate alternative devices, let alone weigh up open alternatives. I ended up buying a mid-range device under pressure that seemed ok and was available in a store without waiting. (It was a brand new Samsung, and despite the IP rating it got water damaged and stopped working entirely after a few splashes a year or so later, but I was able to get it repaired.)

>>miloig+(OP)
Fairphone + GrapheneOS + F-droid would be even more so.

>>GeoAtr+l9
This is probably the only real solution. It also makes sense from a getting mugged or breaking your phone perspective. At this point, my phone is probably more important than my IDs and passports.

>>tootie+ls
Its not even a matter of tradeoffs - banks just suck major ass so, of course, their piece of shit apps are extremely fragile and only work under just the right conditions.

That's not any OS' fault, that's banks fault. That's been my experience with every bank I've used so far and yes - they often break on certified OS' too! I've been on the phone with support!

Because they make bad software, period, and we're all just forced to use their bad software.

>>jlokie+1L
Sounds like you should find a new bank. I would, at least.

>>theoss+Kr
What are you going to do when eventually, all bank apps will stop working? Because they will and it has happened in many countries already.