F-Droid and Google's Developer Registration Decree | F-Droid - Free and Open Source Android App Repository
f-droid.org
For the past 15 years, F-Droid has provided a safe and secure haven for Android users around the world to find and install free and open source apps. When con...

@[email protected]
9115d

Fucking google at it again. Straight up turning into apple.

@[email protected]
44
15d

You can blame the courts for this one. They basically ruled “Apple isn’t a monopoly, because they don’t even LET other people compete in the first place”. (which is about as bass-ackwards as it gets but whatever)

Google saw this and went “shit…” so they’re rushing to implement the same thing.

primrosepathspeedrun
19d

If you see a Googler, spit in its face

@[email protected]
-315d

You would wish Google would turn into Apple. AAPL at least has the decency of respecting some privacy.

Google, on the other hand, is an advertising company (not a tech company), selling all the people pocket size advertisement billboards named “Android” for years, and they’re taking the last step of seizing full control over it.

@[email protected]
1414d

If you don’t think Apple is profiting off your data for advertising, I have a bridge to sell you

@[email protected]
3915d

Why the Google identity check is completely useless:

Step 1: scammer acquires stolen id card

What’s the difference between malware developed anonymously and malware developed anonymously but registered under a fake id? It can be installed today and it can be installed tomorrow. Do they really believe that malware developers will doxx themselves when publishing their malware?

Mubelotix
715d

This. Every day there is a new legitimate dataset of ids for sale on the internet. I have seen enough never to trust ids anymore

@[email protected]
3815d

Fdroid is just the best. Around half of the apps on my phone are from Fdroid and Izzy.

Shimitar
12015d

Disclaimer: I have been a maintainer for LineageOS and a long time user.

Whoever advocates for LineageOS doesn’t get it. Using LineageOS will not fix any issue like this.

Already today using LineageOS means giving up on banking apps, ID apps, and even McDonald’s and some games like Pokemon.

Yeah because Google with Play Integrity now demands valid keys that get invalidated as soon as Google detects they are used for such usage. The cat and mouse game suddenly got much harder to beat.

So no, using LineageOS will soon be possible only with secondary devices and not your primary that you will need for your actual stuff to work.

@[email protected]
3115d

Counterpoint: I use the McDonald’s app where it belongs - on a giant greasy ordering kiosk.

But seriously, banks have websites. Everyone and everything has a website.

I don’t need Android apps at the cost of my privacy or at the cost of control of my devices.

I use GrapheneOS as my only phone, and I have done so for years.

Whatever the topic, I don’t need an app for that.

@[email protected]
5515d

I don’t know about the US but on this side of the pond banks have their own 2nd factor apps. So to log in to a bank’s website you need an app - quite probably with play integrity.

Lka1988
213d

That sounds extremely inconvenient. Individual apps for 2FA? No thanks. I’m good with KeePass and Aegis, both open source, encrypted, and don’t require any extra hardware.

@[email protected]
415d

No, hardware TAN generators work fine. If the bank wants to force me to use proprietary snake oil it’s time for a new bank. Or using a dedicated old smartphone just for the app.

LainTrain
111d

Good luck, there are no other alternatives.

@[email protected]
111d

Consors bank so far is an alternative. NFC cards, hardware TAN generators, app not forcing use of proprietary OSes. LineageOS is fine, need to check GOS.

LainTrain
211d

That’s apparently a German bank. Interesting though, hopefully we get something like that elsewhere.

@[email protected]
111d

BNP Paribas is French.

Nate
714d

In America, we’re lucky if our bank supports 2fa, let alone require an app for it

@[email protected]
013d

Dang. Y’all need to pick better credit unions. MFA rolling token is an open standard. Any single app can support all of my (correctly implemented) tokens. I prefer Aegis, but they (correctly implemented MFA apps) all work.

I don’t want to trust my money to someone who can’t implement standards compliant MFA.

That would scare the daylights out of me.

@[email protected]
312d

Well, they have had a kind of 2FA for at least 30 years, long before rolling tokens were all over the place. Their latest implementations are as simple to use as Steam 2FA. If a bank isn’t able to implement a proper 2FA login there’s a ton of other security issues to worry about. Lastly, I think by using their own implementation/app they prevent their customers from using compromised apps.

@[email protected]
1
11d

> If a bank isn’t able to implement a proper 2FA login there’s a ton of other security issues to worry about.

Exactly. Any organization whose MFA doesn’t work on Aegis, I take action to protect myself from their incompetence.

> Lastly, I think by using their own implementation/app they prevent their customers from using compromised apps.

I’m sure they claim that. But I still recognize it as simple incompetence. They aren’t able or willing to hire someone with the Cybersecurity expertise to implement a relatively simple open specification.

Y’all are welcome to risk your money there. It’s probably insured anyway, right?

For me, that’s too much risk. Even if insurance makes me whole, getting robbed is a huge pain.

@[email protected]
1
11d

> Exactly. Any organization whose MFA doesn’t work on Aegis, I take action to protect myself from their incompetence.

That’ll surely end their business. /s

> I’m sure they claim that. But I still recognize it as simple incompetence. They aren’t able or willing to hire someone with the Cybersecurity expertise to implement a relatively simple open specification.

Just out of curiosity: What percentage of the population is capable of running Graphene/Aegis? What percentage, regardless of capability, is willing to do so?

Creators of popular OSS regularly warn about downloading their stuff elsewhere or pay for it. How do you think that would apply to any 2FA application?

Now think of how stupid the average person is, and realize half of them are stupider than that. (love some George Carlin). Given that even (very) stupid people have and need bank accounts: How would you implement an authentication that can’t easily be compromised to rip off stupid people?*

* Let’s just assume that you, the lead developer, are not at all “incompetent”, quite the opposite. Also take into consideration that you need to keep cost down (hint: That means you want no one to call support because of 3rd party applications!).

@[email protected]
110d

This is actually a solved problem:

The credit union implements (purchases from a competent vendor) their own custom branded standards compliant MFA solution.

This is what competent organizations already do.

Because the app is standards compliant, experts use Aegis instead of the branded app. Everyone else sticks with the branded app.

Also because the app is standards compliant, provided by a specialized vendor, and occasionally being used in unusual ways by expert users, serious security mistakes are much less likely to happen, and less likely to only be noticed by attackers.

I don’t expect my credit union to tell me to use Aegis - I expect them to use a credible MFA vendor that interoperates correctly when I do use Aegis.

AmbiguousProps
15
15d

That’s insane, I have never heard of such a thing, but I’m in the US where most banks don’t even have non-sms second factor.

LainTrain
10
15d

That’s crazy. Yeah in the rest of the world you can’t do shit on a bank website, it’s mostly just view only, and the rest is via the app. If it lets you do anything at all, it’ll require 2FA via the app.

You can transfer money from a savings account with one bank to another account with another bank just via tapping said bank account icon in the app, like you don’t even need the BIC/IBAN/AccNo/Name or any details, it knows where to go just because you have the app of the other bank, all you do is tap the icon.

I’m not even sure you can withdraw the money from the savings account without having the app of the target bank installed on the phone, signed into the target account.

Same way you can add a card to Google Pay by just tapping a button in the bank app, no details or anything required.

Frankly I don’t even know where any one of my bank cards are, I remember for a good while I had a credit card that I didn’t actually have physically because when you open the credit card account (which requires extra checks compared to what is default - debit cards) they don’t bother to ship the physical thing to you unless you explicitly ask for it (via an option in the app), since most people just use it only via Google Pay because everywhere is cashless and uses only NFC.

I didn’t realize at first but it meant that my “card” didn’t even have a PIN, because there was no way to physically have it, any large transactions are authorized in the app, everything else, including IRL is implicitly authorized by me unlocking my phone with my fingerprint, which is required to make NFC payments on Android. I think with Apple phones it’s required to open the app but for me since 2018 it’s been muscle memory to tap the fingerprint reader and slap the phone on the NFC reader on anything from the tube to the dodgy corner shop.

To get the actual card details it’s a relatively hidden submenu in the app, to add to Google pay is a giant button on the card icon in the app.

Convenient as hell but the sheer amount of privacy violations involved and info that must be gathered about the phone to do this in a compliant fashion makes me shudder.

@[email protected]
914d

Not so convenient when one loses their phone or service. Then get locked out of everything.

LainTrain
312d

Yeah, happened to me. I tried to go to one of the bank locations but they not so subtly told me to fuck off and call their customer service instead if for some reason I couldn’t use the ‘in-app help menu’. The entire concept of me losing access to it seemed alien to them, as if I was born into the app or some shit, idk how much they pay those ghouls to stand there and gaslight folks like that but I sure hope it’s a lot.

To restore it I had to call them and turned out I needed to know some kind of extra hidden secret “telephone banking” password after fighting past 10 people who could barely speak English. I didn’t know it ofc and like an hour later I was able to prove who I was.

miss phant
515d

I’ve been using a dedicated TAN generator for banking since I first made my account but I don’t doubt that’s going away at some point, since debit cards from the same bank already require an app for 3-D secure.

LainTrain
111d

That’s not it, the TAN and 3-D Secure are different components to the 2FA required to access the bank account.

@[email protected]
1615d

Counter-counterpoint:

Banks use their app to generate the otp and they reinvented the wheel so if you want to login you need to install it, can’t use a generic authenticator. I am not aware of any single bank in the EU that allows the use of generic authenticators.

For McDonald’s, using the app gives at least 50% off. A menu in the app costs 5 euro while on the store kiosk costs 12 euro. I do not personally care because I find their food to be just barely edible, but I understand why there’s a need to install the app

@[email protected]
214d

Some people have no smartphone at all. How can they be customers at your bank?

@[email protected]
214d

Pay a fee of 0.30€ to receive the otp via SMS every time they want to login without the proprietary otp app and 0.30€ for each payment to authorize

@[email protected]
214d

Fucking hell, y’all make me realize how lucky I am with my bank that runs without gapps.

redjard
3
14d

My bank had a device that was basically a simple android phone running the 2fa app. The phone app got updated through new versions and eventually got the drm treatment, but the old app keeps working because it is still running on those dedicated 2fa “devices”.
Naturally the bank is now trying their best to make people deregister the old “devices” and switch to only the “app”.

The old app has no internet permissions. It reads qr from the camera and shows verification as a 6 digit code.
The new app has internet permissions and is integrated with other apps so you can conveniently accept the request of your banking app in the 2fa app (on the same phone) with a single tap via an overlay. 2fa.

Lka1988
113d

That is incredibly stupid.

@[email protected]
114d

Wow, I admit that’s reaally bad 😅

redjard
114d

Also the norm tho, afaik

@[email protected]
314d

They physically go there in person.

That’s still a thing.

@[email protected]
214d

Damn… The two extremes of the cyberpunk dystopia: no tech at all vs tech slavery.

@[email protected]
214d

Would you recommend a B-2 Spirit solution or not yet?

@[email protected]
715d

I (for the moment) use stock android without a google account without any issues.
Then again I don’t use banking apps on a smartphone.
My gov provides ID apps and they work fine - then again, GPS is installed of course.
Fuck McDonald’s.

I’ll have to check app support on Lineage or PostMarketOS in the near future.

@[email protected]
1215d

I’ve never had an issue with the three banking apps I tried on LineageOS, and I didn’t even know there was a McDonald’s app or pokemon games.

If this list for /e/os roughly applies to LineageOS (with microG), I wouldn’t call it “only for secondary devices”, more “won’t work for some people”

Did I miss something? AFAIK google is requiring devs to ID, not to use SafetyNet or whatever the “only-runs-on-certified-phones” thing is called

@[email protected]
2
14d

Same, my bank also doesn’t require strict play integrity. I think I ran into an issue with a dating app once, but that’s about it, and that’s no real loss.

If my bank would suddenly stop working on Android with microG (with no simple alternative), I’d just switch to another bank, there are enough.

@[email protected]
-215d

Seriously? Open computing is dead to you because you can’t order fast food or play games? I don’t even have Google Play on this GOS device. And, by the way, my banking app works fine on LineageOS. Not that I need it, since I use a hardware TAN generator.

@[email protected]
214d

I assume this is the same with GrapheneOS?

masterofn001
214d

My bank app works without issue inside a private space with sandboxed Play services on my main user profile.

I also have an investment app which runs without any issue whatsoever.

Maybe I’m lucky and these Canadian companies just aren’t dicks about mandating google.

As far as I’m aware, as of now, Graphene does not meet Google’s attestation (Uncertified Device), because Google says so, but is easily more secure.

Google’s lockdown has zero to do with security.

I Cast Fist
114d

I remember when internet banking meant installing some shitty “security” software on Windows before it would let you access the proper page on your browser.

@[email protected]
314d

Exactly, trying to find a software alternative for what is ultimately going to be locked down hardware is never going to be a sustainable solution.

Alternative OS means nothing if there’s no widely supported open hardware with unlocked bootloader to run such OS long term, and Google has got all mainstream phone manufacturers cornered legally and commercially with this and their requirement for manufacturer authorization for shipping GMS suite with their products.

The only way out is this ridiculous decision of Google getting pushback from legislation, because there’s nothing manufacturers can do and without them there’s nothing FOSS developers can do to push back long term, and Google isn’t stopping themselves from doing Evil™.

Shimitar
113d

Fully agree

@[email protected]
1
13d

> Already today using LineageOS means giving up on banking apps, ID apps, and even McDonald’s and some games like Pokemon.

> Yeah because Google with Play Integrity now demands valid keys that get invalidated as soon as Google detects they are used for such usage. The cat and mouse game suddenly got much harder to beat.

But if I’m already using LineageOS without GApps, this wouldn’t make any difference, right?

Edit: Also - thanks for all your work!

Shimitar
113d

And soon you will need a second device with locked down bootloader and play integrity to use mainstream apps.

What when Meta will require attestation to run WhatsApp? Not if, when…

@[email protected]
1
13d

I agree that those things are going to happen, but again, I’m deliberately not using GApps and thus no Playstore apps, including WA. Using an undesirable product is a vote for the continued existence of that product, so the only winning move is not to play, isn’t it? 🤷

@[email protected]
315d

wellp. time to go back to a time where phones were phones and not much more. i don’t need a smart phone, i barely wanted one to begin with. i just want a way to talk to people, send sms with a T9 keyboard, listen to preloaded MP3s and maybe play snake.

RandomStickman
314d

Nokias are back, maybe see if you can get one where you are

@[email protected]
2615d

Looks like I’m searching for a device that can run LineageOS, then.

🤗

@[email protected]
50
15d

If this comes to pass, f-droid might get closed as the userbase dwindles. Many apps will also cease to be developed and be left without updates. You will not get out with just updating to LineageOS. We should be looking at Linux phones at that point.

@[email protected]
24
15d

Linux Phones have a few software hurdles to pass through to get usable.

The biggest problem right now is adoption and contribution to the ecosystem, but there’s a few things in the way of outright using Linux apps on a phone. One is that most Linux apps aren’t made to be vertical. Some newer ones can adapt to it, but many of the apps you likely would depend on using a Linux laptop are almost unusable on a Linux phone, like… vlc, for instance.

The network stack isn’t as beaten to death for 4G and 5G as Android’s is. I work in a slightly iffy area, and on Android I’d have times where I’d lose signal, but it would always come back within 5-10 minutes or so. There’d be times on Linux when it wouldn’t until I’d missed two calls and three texts and an hour and a half had gone by because the system was choking on a comma or a misplaced semicolon it found somewhere in the background and wouldn’t reset until I forced airplane mode off and on. If I was at home, or in the city, I’d never notice this problem, but the second I hit a road trip or went to work, boy.

Also, and this is just my phone, my OP6T had iffy microphone and earpiece settings. Pulse Audio was at the forefront of this audio stack almost entirely unchanged from its appearance on gnome or kde and on a phone it’s just confusing and obtuse as to what app is using what and what even is what. If you got it right, it was fine, then the next call it wouldn’t be, or would change back, again, probably more the 6T being a 6T than anything else.

I think right now, in this interim period, I’m going to buy a hotspot that I can just slip a sim card into and tether a Linux phone to it. I can use Conversations on Waydroid and use JMP.chat to send phone calls and texts over XMPP. I did fine on my OP6T for my actual use of a phone. I was browsin’, I was textin’, I was sendin’ messages, I was doin’ terminal stuff, administratin’ my servers, readin’, listening to musicn’. It was fine. Will do some experimenting.

@[email protected]
815d

Very insightful and interesting. Thanks. I am using GrapheneOS at the moment and only have read about the Linux phones. Of course an open android system that is decoupled from Google and their shenanigans would be great as well. But I am not very hopeful as Google has started a battle on several fronts…

Mubelotix
415d

Fdroid will not close, it’s decentralized. I have my little personal repository with apps I care about. Thousands of people do. Together we have pretty much everything

@[email protected]
214d

I hope so. But the app devs might stop if they don’t want to get certified.

@[email protected]
2
14d

Maybe an altstore type option will pop up so people don’t have to manually install or update each app they use with adb. Might lead to enough people still sideloading on non custom rom phones so there is still interest providing apps for people.

primrosepathspeedrun
715d

So where’s the Dev push to make that usable?

BurgerBaron
415d

If Google goes ahead and bans sideloading I think that might spur some developers into action long term.

primrosepathspeedrun
315d

Intent is declared. Where are they? Please hurry?

@[email protected]
6
15d

I do not know, I hope it is there somewhere.

What should happen at this point is EU and European governments (and why not others) doling out money to do it.

The risk of the phone duopoly to Europe (among others) is too great now with the US already having succumbed to outright fascism and its tech sector running around rampant with blatant disregard for any kind of basic human rights. They all seem to correct themselves only after lawsuits and only in the EU sector.

@[email protected]
10
15d

> f-droid might get closed as the userbase dwindles.

Nah. F-Droid is already federation-ready. https://f-droid.org/docs/Installing_the_Server_and_Repo_Tools/

I’ll run my own copy of the F-Droid servers, before I bend my knee to Google. So will others.

Edit: But yes, you are correct that Linux phone is the long term solution. Android is a pile of corporate Java. Linux is a lean sleek set of mature highly optimized tools. Once the big show-stoppers are cleared, my Linux phone will be the envy of all who see me use it.

@[email protected]
1115d

The big problem is, I think many apps will cease to get updates as the devs stop developing on Android. Just running F-Droid is not going to solve this.

@[email protected]
2
13d

My favorite Android apps are developed by people like myself who just wanted that app, and don’t really care if anyone else uses them.

I assume we will all join the same BitTorrent link cloud thingy and swap APK files directly, if Google locks down Android.

I will also switch to a Linux phone that much sooner, I imagine.

Edit: Pro tip - if that world happens and you want to stick with the crazy free range folks, look for updates in 2600 Magazine.

Mubelotix
115d

Where will devs move? Apple is even worse

@[email protected]
114d

I don’t know, Linux? But if they don’t want to get the dev certificate I doubt they continue to develop on Android.

@[email protected]
114d

Doubt it.

Most of those on a Google ROM aren’t moving to GNU/Linux, it’s either Lineage, Graphene, etc…, or just give up on these non-google apps. “Linux” is so broken and dysfunctional compared to Android ROMs.

@[email protected]
215d

There are other software sources, e.g. I use Obtainium mostly.

@[email protected]
214d

I just got my Moto G 5G 2024 unlocked 😁 It’s only like $140

@[email protected]
2
13d

This is the same as moto g45 5G I think. Apparently moto g 5Gmoto g45 5G.

I am considering moto g45 5G at the moment.

I will probably keep my current device for shit apps necessary for banking etc.
I will install LineageOS on moto g45, and it will be for programs that will not have google’s approval / F-Droid stuff.

@[email protected]
415d

Holy crap I got one! So stoked to try it out! I’ve been seeing all the pixel stuff about it and just assumed it was flagships only, but my $150 unlocked phone is supported! Thanks for the push I needed to look it up.

@[email protected]
314d

I think the way forward for me once these restrictions come in place will be to go with custom rom for my main phone, and a cheap stock phone for just apps that aren’t custom rom friendly like bank apps. I don’t need bank apps on the go, so not really going to need to carry 2 personal phones around.

ohellidk
1315d

Still using LOS, haven’t looked back…

@[email protected]
113d

The USA with its corporations setting a new, unbeatable WR in any% glitchless turning into a dictatorship with zero human rights or freedoms.

@[email protected]
1714d

DOWN WITH GOOGLE

DOWN WITH GOOGLE

DOWN WITH GOOGLE

Raccoonn
1514d

The only apps I have installed from the play store are ones that came pre-installed with the phone. The rest are all from f-droid…

LONG LIVE F-DROID ! !

katy ✨
1614d

really hope someone finds a way to break google’s block on apks that aren’t registered. with more and more manufacturers locking down bootloaders, changing roms is no longer an option.

@[email protected]
214d

Except that it is still an option to only buy phones that allow bootloader unlocking and root? That’s been a requirement for me since my first smartphone.

@[email protected]
414d

Where can I find a list of such phones?

@[email protected]
314d

On the respective ROM websites:

https://wiki.lineageos.org/devices/

https://doc.e.foundation/devices

and whatever else ROM you’d like.

@[email protected]
614d

Google can do this for their own store first. I doubt it will make any difference in the number of malicious and shit apps on that store. Requiring this be mandatory for everyone is clearly malicious.

@[email protected]
113d

I feel like you don’t really know anything about the scam community, but a side loaded app is like 500 times more likely to be malware than a Play store app. The amount of millions that have been stolen from users in India, Mexico, Africa, and Brazil because of sideloaded apps is pretty staggering.

I’m fairly certain fdroid should just be able to alter the way that they’re doing things a bit and still exist under the need to obtain a signing cert from Google.

I mean personally I’m not on the same side with this. I would rather Google not do this without some way to disable it via the UI given enough warnings and what not.

ssillyssadass
213d

I imagine I’m gonna get downvoted for this, but I have no idea what F-Droid is.

waldo_was_here
013d

Google fdroid or use chatgpt

@[email protected]
713d

i don’t know why people would but it appears as if they already have. f-droid is a catalogue of FOSS apps for android. sort of like an alternative app “store” (but there is no purchasing).

https://f-droid.org/

Snoopy
1
9d

FDroid is an alternative app store where its main focus is Free (libre) software. Free in the sense of freedom. They have also strong focus on tracking. Under app, you have “anti-feature” that tells you that part of its code is not open source or that there is sensible data. :)

You should visit their website. ;)

Here is some info from their website :)

> F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device.

> FDroid respects your privacy. We don’t track you, or your device. We don’t track what you install. You don’t need an account to use the client, and it sends no additional identifying data when communicating with our web servers, other than its version number.

> We don’t even allow you to install other applications from the repository that track you, unless you first enable ‘Tracking’ in the AntiFeatures section of preferences.

> Any personal data you decide to give us (e.g. your email address when registering for an account to post on the forum) goes no further than us, and will not be used for anything other than allowing you to maintain your account.

MudMan
1015d

I’m confused by this:

> The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot “take over” the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications.

> If it were to be put into effect, the developer registration decree will end the F-Droid project and other free/open-source app distribution sources as we know them today, and the world will be deprived of the safety and security of the catalog of thousands of apps that can be trusted and verified by any and all. F-Droid’s myriad users will be left adrift, with no means to install — or even update their existing installed — applications.

My understanding is that developers need to sign up with Google and once they have an account they can sign their own apks.

How would this impact F-Droid in any way? Presumably by the time F-Droid enters the picture the developers of the apps they distribute would have already gone through that entire process, right? The apks will be tied to that new Google certificate, but after that they can still be distributed anywhere.

I mean, don’t get me wrong, this has genuine, very serious, dealbreaking issues, in that Google can just cancel the account of a developer making apps they don’t like, the same way Apple has done in the past. That’s not great. But from F-Droid’s perspective all of that has happened upstream, they are not anywhere in that loop, unless I’ve misunderstood the changes.

@[email protected]
60
15d

> How would this impact F-Droid in any way?

F-Droid itself builds the APKs to ensure that they’re reproducible and not signed on a development machine that could be compromised.

https://f-droid.org/en/docs/FAQ_-_General/#is-your-building-and-signing-process-secure

With these changes, either:

  • They use Google’s developer identity process to sign every APK they build with their own developer identity, which Google is likely not going to allow or is going to quickly find an example of a “malicious” app so they can blacklist all of them; or
  • They stop building APKs and just trust the developer provides a non-malicious, pre-verified APK;
  • They find a way to mediate the process between the original developer and Google. Knowing Google, they would make it as needlessly painful for everyone involved to discourage and punish alternative app stores.
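
A content-level sketch of the rebuild check the comment above describes, as an added example and not F-Droid's own tooling or code from the thread: it treats an APK as a ZIP, skips the v1 (JAR) signature files under `META-INF/`, and reports every entry whose bytes differ between the published, signed APK and an independent rebuild. All file names and contents are constructed, and `make_apk` is a hypothetical helper that only builds the sample archives.

```python
import hashlib
import io
import re
import zipfile

# v1 (JAR) signing adds these entries. v2/v3 signatures sit in the APK Signing
# Block, outside the ZIP entries, so an entry-level comparison never sees them.
SIGNATURE_ENTRY = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")


def content_digests(apk_bytes: bytes) -> dict:
    """Map every non-signature entry name to the SHA-256 of its unpacked bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if SIGNATURE_ENTRY.match(info.filename):
                continue
            if info.filename in digests:
                # Two entries with one name make "the content" ambiguous.
                raise ValueError(f"duplicate entry: {info.filename}")
            digests[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests


def compare_builds(published: bytes, rebuilt: bytes) -> dict:
    """Report entries that exist on one side only or whose content differs."""
    a, b = content_digests(published), content_digests(rebuilt)
    return {
        "only_published": sorted(a.keys() - b.keys()),
        "only_rebuilt": sorted(b.keys() - a.keys()),
        "differ": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def is_reproducible(published: bytes, rebuilt: bytes) -> bool:
    """True when the signed APK carries exactly what the rebuild produced."""
    return not any(compare_builds(published, rebuilt).values())


def make_apk(files: dict) -> bytes:
    """Hypothetical helper: build a constructed stand-in APK in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in files.items():
            z.writestr(zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0)), data)
    return buf.getvalue()


# Constructed sample data.
PAYLOAD = {
    "AndroidManifest.xml": b"<manifest package='org.example.app'/>",
    "classes.dex": b"dex\n035\x00 constructed bytecode",
    "resources.arsc": b"constructed resources",
}
V1_SIGNATURE = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82 constructed signature block",
}
REBUILT = make_apk(PAYLOAD)                       # unsigned rebuild from source
PUBLISHED = make_apk({**PAYLOAD, **V1_SIGNATURE})  # developer-signed, same content
TAMPERED = make_apk({
    **PAYLOAD,
    **V1_SIGNATURE,
    "classes.dex": b"dex\n035\x00 different bytecode",
    "lib/arm64-v8a/libextra.so": b"constructed extra library",
})

if __name__ == "__main__":
    print(is_reproducible(PUBLISHED, REBUILT))
    print(compare_builds(TAMPERED, REBUILT))
```
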
MudMan
1215d

Oooh, gotcha. That makes sense.

I guess it’d make sense to take that first option as far as it will go, at which point the issue becomes litigating this the first time Google has their own weird censorship issue in the Apple mold. I’d expect if they ban all of F-Droid explicitly that would at least make more ripples than going after a single torrent client app or whatever. It may play out different from a regulatory perspective, too, if the practical effect is they ban third party stores.

Side note, I’m really mad at the very deliberate choice Google made of categorizing all potential apps as either “apps meant for Google Play” or “student or hobbyist apps”. You know they know why that’s wrong, but it still makes you want to explain it to them.

calm.like.a.bomb
815d

> My understanding is that developers need to sign up with Google and once they have an account they can sign their own apks.

Yes, and google asks for identification from the developers, and a lot of open source developers - having privacy in mind - don’t want to provide personal information. This is shitty beyond anything google has done before.

MudMan
315d

“Want” isn’t my concern. Presumably no developers want to give Google a piece of anything they generate, open source or not.

My concern was not understanding how this interferes with F-Droid and that has been explained above: F-Droid builds their own APKs for verification and this process potentially makes that a lot harder while not providing a replacement for their verification from Google.

That makes sense and it is indeed a dealbreaker. The other thing much less so.
