"But it's not secure!" -- yeah, that really is the point.
And then they will make it so our devices need to pass hardware remote attestation to connect to the internet and even that will be taken away from us.
I don't know what to do anymore. The future is bleak. The free computing we love is being destroyed by forces outside our control, forces that cannot be stopped no matter what we do because they have trillions of dollars and their interests are aligned with those of governments the world over.
Wait until the authorities require strong client-side authentication for social media sites, news sites, and everywhere user generated content is accepted, tied to official ID issued by the government.
This needs law/regulation forcing the duopoly to open up, unfortunately even in the EU we're moving in the opposite direction.
> unfortunately even in the EU
("Save the planet".)
It is not a good long term solution, however, because older phones do not support newer versions of the operating systems and gradually you'll notice that fewer and fewer applications work on your phone, because they require a newer operating system.
> "But it's not secure!" -- yeah, that really is the point.
Well, no.
The point isn't just to rail against impositions from someone else wanting what they see as essential for their security, but also to keep things secure and⁰ free¹ for you, the user.
Holding your devices back constrains both your security and your freedom rather than helping you in either manner. Security because you will be missing important updates in that regard, and freedom because your device won't be able to negotiate connections with external services² that you want to use³.
----
[0] And where these two conflict, you should be free to choose your threat model and therefore which compromises to make, except where that could negatively affect others.
[1] The freedom of reasonable action form of free, not monetarily free etc.
[2] We hit this a short while ago with some legacy code+infra using SOCKS via OpenSSH to make unauthenticated HTTPS calls from source addresses we can't fix (authentication is done with SSH, control is by the other end having the fixed address of the SOCKS host in the whitelist) - upgrading the VM running the SOCKS proxy upgraded OpenSSH which deprecated a number of encryption and negotiation options, the old client library used didn't support enough new ones to be able to negotiate a link, newer versions required a later .Net version that is supported inside SSIS, so we had to rearrange how those calls were made (obviously the long term fix is to kill all that legacy SSIS stuff, all SSIS stuff including the people that made it, with fire). The same will happen with parts of what you use your device for, if you keep it back in the way you are suggesting.
[3] Banking facilities being a key area that you'll likely hit problems with first, after that other online commerce flows, and so forth.
I disagree. I think most people could do just fine without them. Some might need to buy a desktop computer or even visit their bank's website using a browser on their phone, but humanity got along just fine without cell phone banking apps for a very long time. Many of the old options still exist for a lot of common banking activities. Options like calling your bank on the phone, using an ATM, or going to a branch in person. If your bank really doesn't allow you to do anything with your money without a cell phone app I'd say finding a new bank is justified. Better yet, try to find a credit union.
Banking apps are convenient, but it's getting to the point where the inconvenience of being abused by the OS outweighs the convenience of a banking app which is probably collecting (and selling/exploiting) data they couldn't get from a visit to their website anyway.
But at least we can build alternatives for interpersonal communication and other uses independent from big companies, like the late 90s-early 2000s Internet, and access that with free devices.
When desktop browsers are considered less trustworthy to the bank than mobile apps (this is approximately now) they'll invert the functionality and limitations surface so mobile will have more authorizations than desktop browser (this is also happening now).
Client attestation is a fundamental transfer of freedom from the client to the server. It's nice in theory (I too want my money safe), but at the very least it needs a third party with different incentives, not the OS, hardware and browser vendor.
The only need I have for banking apps is created by banks themselves, to verify online payments. But it would work just fine with regular text messages. I don't need a banking app at all.
(And maybe verifications aren't needed either, since in the 40+ years I have been using a credit card, never once have I been asked to verify something that I didn't initiate myself.)
now. In general it certainly is; web interfaces will be phased out unless web browsers gain client attestation capabilities (at which point it's game over for the open web).
E.g. Revolut never had a web interface and is doing just fine.
We mostly can't. The most we can do is grow new big companies.
The internet was carefully reorganized so that it's impossible to do anything without money moving around.
I can't go to Google HQ and reinstall their locks because I think their locks are insecure, and I certainly can't declare myself the arbiter of who should be allowed to open their locks. I'd be charged and put in jail. But they can do the digital equivalent to my device and that's valid business.