Ultimately, I don't think the most important challenge is in binary firmware blobs, but the software which people depend upon to run their lives. What does it matter if you can run a completely free software stack on your phone, if your bank software (or your required government ID, as is looking depressingly likely) requires you to run a Big Tech approved phone OS? Perhaps the FSF can't do much about that, but that is where I feel they could truly make the biggest difference for freedom for the average user.
A free OS will empower developers to implement technical workarounds that could trick these apps into working there. If the OS is tightly controlled, we have no recourse.
Even in the worst case scenario, we could use a cheap big-tech-approved phone for these applications (a glorified digital token) and use the free phone for everything else. When there's enough adoption and trust in the new phone, non-technical avenues are available to influence these organizations to accept the alternative.
I've kinda migrated to the worst-case scenario already and it's really not that bad - for my use case.
I have an old phone (actually running LineageOS rather than stock) that works as you perfectly describe as a glorified digital token. This device doesn't come with me. There's no banking I need to do, on a day-to-day basis, requiring said token, that has to be done right now or the world will end. It can wait until I get home (and I usually use the bank's web interface from a desktop). This device has minimal other apps installed, which limits bank app accessibility of other app data, and other app accessibility of bank data.
Then my GrapheneOS daily driver serves my day-to-day needs with minimal data leakage, tracking, ads, other general paranoia-inducing modern-life shit.
I pay for things on a day-to-day basis with a physical debit card due to an existing habit of not wanting to depending on a single device for "all the things", so GrapeheneOS wasn't a downgrade, but it should be noted to others that whilst Google Wallet can run on GrapheneOS, NFC payments through the Google Wallet will not work due to Full SafetyNet requirements that GrapheneOS can not pass. Non-NFC items such as tickets and boarding passes have been reported to work (and I'm pretty sure I've used it for that, although Google Wallet is no longer installed on my device).
That is a slight concern, but I don't see it happening, at least in Australia for the big four banks, in the near future.
If that became the case, then the 'glorified token device' would become the dedicated banking device, and not much else would change (ie. I still wouldn't be doing 'banking' while I'm out and about).
I hadn't migrated my life to any of the (tiny, possibly zero) convenience improvements that "mobile banking" may offer me, so none of what I've described has been any kind of downgrade in 'living'.
(I don't mean this in a sarcastic way) are you able to make tangible what 'living' I may be sacrificing?
Having a separate phone as a "glorified digital token" is probably within the top 3 things you want to do anyway if you are serious about digital security.
Also, if your bank uses SMS for verification then the phone should have its own phone number which you keep secret. Otherwise it's one data leak and one sim swap attack (https://en.wikipedia.org/wiki/SIM_swap_scam) from breaking your SMS verification.
> A free OS will empower developers to implement technical workarounds that could trick these apps into working there.
Not if they require something like hardware-backed remote attestation, and only accept such attestation from Google or Apple.
I'd love a practical Linux phone, and being able to run a deblobbed close-to-mainline kernel on a new-ish phone would help with that, but that doesn't really solve the most user-facing problem of mobile phones, the ecosystem lockdown.
You can trust hardware and software that's easy to inspect.
If you can't be sure what's going on and unable to inspect or debug the hardware and software, how can you trust it's doing what you want?
Proprietary hardware and software is already known to work against the interests of the user. Not knowing exactly what's going on is being taken advantage of at large scale.
Let's put it this way: if you can choose between making your own lasagna with a good recipe vs ready-made microwave lasagna. What would you choose? How about your suit? And would you trust an open known to work well pacemaker vs the latest Motorola or Samsung pacemaker? Would you rather verify the device independently or pay up for an SLA?
No software is "easy to inspect". Only a tiny fraction of users will ever even try. When things are inspected and problems are found, you need a way to revoke the malicious bits. You'll never notify everyone, which is one of the roles app stores play.
You trust hardware and software by establishing boundaries. We figured this out long ago with the kernel mode/user mode privilege check and other things. You want apps to be heavily locked down/sandboxed, and you want the OS to enforce it, but every time you do you go up against the principles of open source absolutists like the FSF. "What do you mean my app can't dig into the storage layer and read the raw image files? So what if apps could use that to leak user location data, I need that ability so I can tell if it's a picture of a bird"
For sensitive information - such as financial transactions - the rewards for bad actors are simply too high to trust any device which has been rooted. The banks - who are generally on the hook if something goes wrong, or at least have to pay a lot of lawyers to get off the hook - are not interested in moral arguments, they want a risk-reduced environment or no app for you - as is their right.
> For sensitive information - such as financial transactions - the rewards for bad actors are simply too high to trust any device which has been rooted
In practice, that just means you trust a Chinese black box Android ROM from a random manufacturer, but not a fresh Lineage OS. To run some banking apps there, one has to root it and install all kinds of crap to hide the fact that your phone is running an OS you actually can trust.
I don't think it's right, I don't think non-manufacturer provided ROMs are a real danger in practice, or rooted phones, and I think this is all just security theater and an excuse to control what people do on their own devices.
> The banks - who are generally on the hook if something goes wrong, or at least have to pay a lot of lawyers to get off the hook - are not interested in moral arguments, they want a risk-reduced environment or no app for you - as is their right.
If they pay for the phone and ship it to you then I agree. Otherwise, they have an obligation to serve their community (part of their banking charter) and that may include meeting their customers where they are, rather than offering an app with unreasonable usage requirements.
No charter requires allowing access from any device. The charters don't even require banks to be open during hours most of their customers are off work.
> You trust hardware and software by establishing boundaries. We figured this out long ago with the kernel mode/user mode privilege check and other things. You want apps to be heavily locked down/sandboxed, and you want the OS to enforce it, but every time you do you go up against the principles of open source absolutists like the FSF. "What do you mean my app can't dig into the storage layer and read the raw image files? So what if apps could use that to leak user location data, I need that ability so I can tell if it's a picture of a bird"
Well, no. The objection isn't to sandboxing apps, but to sandboxing the user, as it were. On my laptop, I run my browser in a sandbox (eg. bubblewrap, though the implementation of choice shifts with time), but as the user I control that sandbox. Likewise, on my phone, I'm still quite happy that my apps have to ask for assorted permissions; it's just that I should be able to give permission to read my photos if I choose.
Users can't be trusted. They don't read. You can put a popup that flashes in all caps saying "THIS WILL GIVE ACCESS TO YOUR BANK ACCOUNT" and users will blindly click OK to get to whatever they think they want, be that an Instagram feed, a game, or whatever.
That's not a good example. My bank issued a token device which scans their code, asks me my pin, prompts me what's going to happen and asks for confirmation. Then I can enter the digits to proceed.
This is reasonably secure. If you hijack my account, you still don't have the hardware device and the random secret that was set up between the device and the bank.
You need to actually hack into the bank itself to transfer my money elsewhere.
Meanwhile, I only access the bank with my own computers. That means I installed them and have root. Not a problem at all.
The threat models aren't secret algorithms, they're apps reading the contents of the screen, stealing keystrokes, MITM attacks against 2FA, and much more.
I don't have this problem on my computers, they run free software. My wifes thinkpad runs free software. The friends I gave a computer with various GNU+Linux distros don't have this problem.
Add Google Chrome with its spammy extensions to the mix and they start getting problems.
So, things that can be exploited on a stock Pixel with no user root? This is a weird argument to make at the same time as https://news.ycombinator.com/item?id=45588594 is on the front page.
There’s no way I’d trust open source anyone with my health. And I am not sure there is one open known to work well project, let alone a pacemaker that couldn’t possibly be funded in the open source world. What open source hardware is actually more usable than the closed source alternative for most people?
Should the app builder’s ability to “trust” that the hardware will protect them from the user supersede the user’s ability to be able to trust that the hardware will protect them from the app?
In other words, should the device be responsible to enforcing DRM (and more) against its owner?
There is one solution to this problem that many people reading this message can contribute to:
Make sure your app has a progressive web app version that has feature parity with the store apps. That way, the app will work on phones like the librephone, and, if Apple or Google decide to kick you off the store, you and your users have some recourse. As a bonus, it’s compatible with open source — users can modify the app and install it without jailbreaks, root or (for now) sideloading.
React Native supports this (and can mostly be bundled with electron for mac/win/linux support).
You are mixed up 3 different tech stacks:
1. React Native has nothing in common with web apps except JS runtime. It uses "native" widgets for Android and iOS. You need to add a new "native" runtime for your free OS. There are some third-party attempts to add mac/win/linux support, but they are not feature complete as officially supported platforms. Again, your free OS will be step behind.
2. Yes, you can write PWA with React (Web), but PWA still have many missing features which offered by platform APIs of Android and iOS. Your app will not be in "feature parity" with "native" app. Especially banking app.
3. Electron apps are integrated with desktop platform APIs, you cannot easily port Electron app to mobile.
Every time big company with big investments wins.
Does anyone have a recommendation for a good "Remote Attestation 101" tutorial? I'm trying to wrap my head around why someone couldn't just run an Android emulator to run your banking app or whatever. I mean there then must be hardware keys that are not present in the code, but then there must be a revocation method for compromised hardware keys, etc..
I have a react native app, and can compile it to pwa mode. It runs well in a browser.
99% of the code runs fine in electron to. Index.tsx is the main exception.
I’m not saying you can automatically run software for one of these targets across all three. I’m saying it’s straightforward to write portable software that works on all of them.
Also, I can’t think of any apps I use that require any platform-specific APIs at this point. Even if they did, the phone I want would be able to surface those APIs to pwas.
It won't just be them. I foresee Cloudflare and other CDNs offering a free checkbox: [] Require age of majority verified user
And it will in turn depend on Secure Attestation, Web Credentials, and other recent W3C work to provide proof that you're the registered owner, age of majority and verified by thumbprint or other biometrics, running an unmodified device. Your ID might be escrowed with your OS vendor, email provider, bank, ISP, or even Twitter/X, who knows. Either way, as an end user you'll be mollified that you don't have to provide your ID to the adult site, and the adult site will be happy that they don't have to implement any of this themselves.
And, of course, this will mean that an intelligence service could have ironclad proof of exactly what person visits what website, effectively killing a lot of online anonymity.
I agree, but unfortunately I think the chances of that are just about zero. The reality is that the vast, vast majority of people don't care about software freedom. They care about the flashy marketing features in the newest iPhone (and competitors). I wish it were otherwise, but alas. Heck, you can't even get people to care about their physical freedom most of the time, let alone their digital life. It's hard to see this effort taking off as a result.
These days browsers are becoming increasingly distrusted. My bank logs my browser out after 30 minutes inactivity and then to log back in I have to confirm the login on my phone.
That… seems reasonable? My bank does that with their website and their mobile app. I was able to setup 2fa using a totp app, so i don’t rely on sms for that part
It is given the environment. But it does highlight the poor security of desktop browsers where they are only trusted to do anything when a phone app approves it. While the phone app is considered secure enough to just stay logged in perpetually without any external confirmation.
To hack the banks app you have to find an exploit in iOS or Android which would allow you to read the other apps private storage, which is borderline impossible now. To hack the banks website you just have to buy some random browser extension and add malware to it, or break into someones NPM account and distribute it there, or any number of ways to run code on someone else's computer. Something very achievable by an individual.
> But it does highlight the poor security of desktop browsers where they are only trusted to do anything when a phone app approves it.
Does it? The browser doesn't do anything, the person sitting at the computer where the browser is running is what performs the actions. The reauthentication and 2fa is meant to authenticate and authorize the user, not the browser.
The attack vector of someone else using your phone using an app that doesn't require (re)authentication is independent of the browser or the app itself being trusted. That your bank doesn't periodically require some kind of re-authentication for their app is a security hole, but because the device could fall into the wrong hands, not because the code/app/browser used to access it isn't trusted.
That is true. I guess one of the main differences is the bank app can run a faceid check when you open the app and before you make a transaction while websites don't have access to these apis. So they are forced to make you approve the action via your phone.
Every banking phone app I've used auto-logouts after being idle or unused for a bit, and my primary bank's app requires 2fa using an app that exists on the same device -- a second factor that secures nothing. They probably are not explicitly considering the phone more secure than a computer, but rather a good 80% of this is security theater or a checkbox on some baseline security checklist that was implemented without really understanding what the implications, for usability and security, were going to be.
> 2fa using an app that exists on the same device -- a second factor that secures nothing
2FA on the same device secures against your login credentials becoming known to another party, e.g. by fishing, password reuse, database leaks, etc., which are real threats. It is not meant to protect against someone being in possession or full control of your unlocked device, which is of course also a real threat, though possibly less common.
> 2fa using an app that exists on the same device -- a second factor that secures nothing
If I steal your device, and you didn’t have faceid, I have both factors. But if I steal your password, or find it in a leak of another site because like most people you re-use passwords, then I only have one factor. It still provides a fair bit of security because of that.
This isn't the browser not being trusted, it's access to the device the browser runs on. Forcing logout when idle, and authenticating again, is good in general to avoid leaving something accessible when walking away from it, even if it's a home computer that is otherwise "secured".
webauthn cares about the strength of the authenticators used. Mobile has standard libraries for biometrics and secure enclaves. This is less common on desktops and laptops. Your bank may offer the ability to enroll a yubikey or similar.
I took "tap to pay" being clicking on Order in an app; and I have certainly made a "online order" from inside the Chipotle, on their wifi with my laptop (usually because walking to the counter would cost more because of stupid promotions).
It makes more sense that they're referring to Apple Pay or similar shenanigans (which itself is more annoying than a credit card, to be honest, Face ID goes wrong or the double click closes the wallet app instead of authenticating way too many times, especially if you're trying to do it one-handed).
You seem to be part of the problem. As long as people like you are happy to run spyware on their phones for the sake of convenience or a meager discount, companies will be empowered to make such software and devices a requirement.
I use cash whenever possible, but carrying cash for larger transactions has its own risks and those risks need to be balanced against the privacy benefits it offers. The way I see it, carrying a credit card in addition to my phone when I might need it is a minor inconvenience relative to that of allowing Google complete control over my phone.
My bank doesn't let me do anything in the browser without 2FA, and the only 2FA they offer is their smartphone app.
My other bank offers 2FA via chip reader as an alternative. I guess that's somewhat viable for an alternative phone OS, if you want to carry the reader around with you
In my country we have a large religious community that eschews smartphones. Due to this no company or government agency requires a smartphone for service.
This is a very good thing. I don't think many people here on HN reject technology, but sometimes no technology is better than one that is not controlled by the user.
It's because it's way easier to install malware on PC than mobile. None of us are immune either. In recent times there has been malware distributed by common NPM packages as well as game mods. Every NPM package you install has the ability to steal your browser session tokens and the only thing stopping the attacker from actually logging in and spending your money is the fact it has to be confirmed on your phone.
Depends on the bank's policies. Currently it tends to be when you transfer to a new destination and/or above a certain amount. I could certainly imagine a bank requiring it for every PC-initiated transaction as and when they reach a point where most normie customers are using their app.
> What type are transactions are you talking about?
Bank transfers and I guess direct debit authorisations (if your bank requires you to confirm those) and reauthorisation/confirmation of card payments that were blocked by the bank's fraud detection. I think those are the only kinds of transactions one would ever use a PC for? I mean for me most of my day-to-day transactions are me paying by debit card in a shop, but you can't do that on a PC in the first place; pretty much everything else I do on my PC.
No. Only to unblock when they get blocked/flagged as fraud (tends to happen for large transactions like plane tickets or buying a bunch of furniture), and even then I currently have the option of authorizing via the web browser (and I think also via phone call).
But sending a bank transfer is also a fairly common day-to-day transaction that I do a couple of times a month (and is the only way to pay for some government services like tax certificates short of visiting the tax office in person). Authorising a new direct debit happens occasionally (joined a gym, changed my utility provider, got a new credit card, that kind of thing).
My brokerages require it every time I login from a computer. My bank will require it if it can't find a cookie from a previous login session. Occasionally, my bank will require it seemingly randomly since I usually log in at least once a week from my laptop yet every couple of months or so I have to reconfirm on the app or another secondary method.
AFAIK Zelle is something US banks got together and set up on their own because the government didn't. So a Zelle transfer is the US equivalent of a SEPA transfer.
Indeed, binary blobs are not much of a problem; it's anti-user "security" that has to be attacked. Otherwise we'll end up with user-hostile systems that we can see the source code of but can't modify, in contrast to systems that we can't see the source code of but can modify. The Windows modding scene of the late 90s/early 2000s is a good example of the latter (and I've joked that every power user was a novice reverse-engineer), while Android is turning out to be a good example of the former.
Stallman had a good idea for free (as in freedom) software, but then "missed the forest for the trees" by focusing on the source code.
> What does it matter if you can run a completely free software stack on your phone, if your bank software (or your required government ID, as is looking depressingly likely) requires you to run a Big Tech approved phone OS?
What does it matter if you can use any OS you want if your phone is filled with SoCs which are bugged and backdoored by the state and/or who knows who else? The reality is that we need both free hardware and free software. I can always tell my bank to fuck off and move my accounts to one that gives me freedom to use the mobile OS of my choosing, and if there isn't a single bank on earth willing to do that I can always simply refuse to use my cell phone for banking.
I'd much rather keep the phone I control and trust while limiting myself to only having the options of a desktop PC, a laptop, an ATM, a phone call, a drive thru, and walking into my bank's closest branch when interacting with my bank. Not being able to also stab my finger at a cell phone screen to check my balance isn't really that big of a deal.
> What does it matter if you can use any OS you want if your phone is filled with SoCs which are bugged and backdoored by the state and/or who knows who else?
Perhaps. But how does this effort from the FSF do anything to solve that? They are (as far as I can tell) producing firmware, not hardware. If the hardware manufacturers are working with the government or whomever to spy on you, they will just not use the FSF firmware in that case.
Well you're partially right. After all, the "big tech approved phone OS" is actually Linux, so just having a free OS isn't enough to prevent it from being co-opted and turned into a locked-down platform.
But the partially wrong part is, we can make our own platform. PCs let you install and run any software you want, because it's an open platform. If we make an open platform smartphone that can compete on features with the closed behemoths, and that then becomes popular enough, then banks may offer apps on that.
But this is tricky too. Linux already has issues getting official support from corporations. We'd need our open platform to be compatible with the closed ones, so that it's easy for banks to run their apps on our open platform. There are already ways around this, like virtual machines to run Android, or other methods. But the closed behemoths may try and end-run around this, like DRM. So we'll still need to advocate for our rights and compatibility.
Get a big tech second phone. Cheapest available. Just perform the needed tasks and use your Libre phone for everything else.
Does anyone remember having a copy of internet explorer that the bank required (or chrome these days) but using firefox for everything else? Apply that concept to a phone.
For people without a viable alternative such as transferring their funds to a bank that does not require Google/Apple certified devices, this seems to be the way. The second phone does not even need to have a SIM card in it, except perhaps during set up. That phone does not leave home and is ideally be powered off with its battery removed when not in use. Everything else can be done on a free device, ideally using FOSS apps. Ideally again, this means no Facebook, no Whatsapp, no IoT crapware.
Luckily, here in the U.S. this is still possible. I run Graphene on a Pixel without Play Store compatibility layer and everything just works. Most of my apps come from F-Droid, with the notable exception of Whatsapp, for which a standalone APK is available. Unfortunately, it is proving difficult to get rid of Whatsapp entirely because of friends and family.
Yup. Right now that's something running graphene for me. I'd prefer full linux but the other options don't seem viable yet to me. When I tried the pine phone a few years ago its battery life was in the 3-5 hours range if I used the phone which is not sufficient.
Some banking apps require relatively new OS, so if you have an old phone with e.g. Android 8 and you can't upgrade (Android 9 removes certain important features), you are out of luck.
But then I would need to constantly charge two phones and keep two phones in my pocket all the time because I never know when I would need to do those things on the go.
I recently added a second phone for secure comms (Graphene). The biggest hassle turned out to be moving data between them. For that I settled on running my own Matrix server.
> You check your banking apps multiple times each day with the frequency and unpredictability expected from messaging apps?
I almost do, yes. Life's complicated, I use several bank and credit card services a day. I'm not at home at suitable times for my banking needs. And payments for purchases sometimes require confirmation in real time via phone app.
> If not that frequently or unpredictably then you could just plan to use your laptop for banking some time during the day.
I used to do that years ago back when it was an option.. But these days, 3 banks I use (two for business) require using their mobile app to authenticate login on a laptop browser. There's no other option.
One of the card apps I have to use often won't even run when Android developer mode is enabled, which is quite annoying.
I hope all the things you mention never become mandatory some day because I currently use my phone for voice and text only. Sooner than later I plan to get rid of my phone all together. I'm gonna surprise the phone company and get a land line. That means any online service that uses SMS/text to verify me will fail.
If you're being serious, you're in for a rude awakening. POTS lines are dead and being replaced with VOIP and VoIP to pots modems on the premise. lots of cities have already started to grub the copper out and replaced it a long time ago with fiber.
I get what you are saying but POTS in my location is still copper. I know because I dug it up when putting in a cattle guard. I will have to splice it back together and run it somewhere other than under my driveway which I had paved. 811 marked it as disco/not-in-use. The telco accidentally leaked their plans to run fiber everywhere so I might wait for them to do that. If it ends up being VoIP then maybe I would still have SMS capability for poor mans 2FA? Maybe the competition will drive the cost of my existing fiber down. To userbinator's point the end result will be no more options to install applications. It would just be a phone. I would be back to good old fashioned NSA voice monitoring.
Exactly. A simple phone that runs a browser I can trust that's also capable of running web-based apps is all I need. I already avoid running apps on my iphone whenever possible.
The phone I really want is as uncomplicated and open as possible and beholden to no corporate economic interests or privacy invasions.
Now that I'm retired I'm looking for a project to immerse myself in. This sounds like just the ticket.
It depends on what definition of "uncomplicated" you'll assume, but that's pretty much how I perceive my Librem 5. It's fairly inspectable and relatively easy to understand as a computing device - no weird stuff like hundreds of disk partitions that you can't touch without risking bricking the phone like on Qualcomm devices, but a fairly regular GNU/Linux installation with well-defined boundaries on what's open and what's not - and it runs web apps pretty well. I have things like my bank, public transit planner, ride-hailing, webmail, RSS reader, Matrix client, package delivery status, even Facebook & Messenger for the handful of people that can still be only reached there - all "installed" as web apps using Epiphany (aka GNOME Web). Some of them required a bit of fiddling to discover which user-agent leads to a usable experience, but the results have been pretty good so far. In case I really need to run some Android app for some reason, I can boot Waydroid up and launch it there, though I use it very rarely. No corporate economic interests, no privacy invasions, no invasive notifications or ads, it simply works the way I want it to work. I just have to be careful with battery usage, but it's manageable :)
Actually "open" is a misnomer, maybe it was a decade ago but it's clear that Big G has an effective monopoly over browser(s), the web "standards", and is gradually making them more user-hostile.
I use Safari as my daily driver and I'm still routinely shocked at just how terrible certain aspects of the experience is compared to Chrome. For example, the UI seems to completely block for most of the website loading process, rather than streaming as Chrome does. Also, rather than restore the previous state when I swipe to go back, it has to reload the page from scratch. Little things like this continue to annoy me day by day, the primary reason I don't switch to Chrome is because it just doesn't integrate with macOS at all.
Also, rather than restore the previous state when I swipe to go back, it has to reload the page from scratch
I've encountered cases when both behaviours would've been desired (either use the cached version, or the latest version), so I think that's neither a point in favour nor against.
Well, Safari caches resources, it just doesn't seem to cache the actual runtime state of the page like Chrome does (look for bfcache). The bfcache article claims Safari and Firefox do it too, but I have both in front of me and no they don't (or it's not good enough).
I think real caching is superior because you can manually reload if you actually needed that, but you can't go in the other direction.
I've never used safari but to be fair to Firefox: I haven't experienced either on desktop. When I go back, the page loads instantly. I haven't checked the network tab but I'm assuming it's not doing a new request.
Something Safari does is show a stale version of the webpage while the updated version is loading. I notice because none of my pointer movements take effect until the page finishes loading again. I'm not sure if Firefox does this too.
Mozilla is absolutely asleep at the wheel (and have arguably already swerved off the road and hit a tree) and Apple aren't any better than Google in terms of wanting to lock down the web.
Yeah... Corporations and governments are starting to push remote attestation. There'll be little point to a free computer if it gets us denied service everywhere. At this point we're gonna end up marginalized, like second class citizens of society.
> There'll be little point to a free computer if it gets us denied service everywhere. At this point we're gonna end up marginalized, like second class citizens of society.
Given the apparent trajectory of the corporate/government model of organizing society, it seems like they're going to be the ones that will be second-class citizens.
The mere fact such phone exist could be enough argument for pushing back, for ex. hurtful legislations.
People tend to see current world as carved in stone, like it is not going to change. It is, still not easy but, much easier to ask government not to mandate Windows/MacOS only program for essential task, because of couple of users of other systems, rather than asking to imagine that in future there might be other systems.
Funny that bank software needs approved phone, but runs absolutely fine in the browser. That to me sounds like collusion - something that regulators should look at. There is absolutely no need for banking app to require "legitimate" Android or other operating system.
As terrible as proprietary app 2fa is, it still beats the tar out of SMS or email 2fa, security-wise. I don't get why my bank, who used to be pretty cutting edge, never implemented TOTP or passkeys...
UBS bank mandates their "Secure Access" app as second factor even when logging in from a desktop. They used to allow the smart card reader for existing customers that had it as a work around for a few years but they disabled that.
Also many websites are making it remarkably hard to not use the app if they even remotely sense you're not on an actual PC. FB and LinkedIn aren't banks but prime examples.
To be clear I'm not saying that alternatives don't exist now. But it's a worrying trend that big businesses, and even governments in some cases, are moving away from such alternatives being available. Look for example at the proposed age verification scheme in the EU, where they don't plan to make a version you can use on a desktop (and even for mobile devices require you use a vendor-attested device). Sure, right now it's just for looking at porn. But it seems to me that once that settles, it won't be long (a decade or two) before you start to see government IDs require a similar mobile app. That's the kind of thing I fear happening soon.
Monzo bank in the UK doesn't have a web access (apart from very basic page where you can block your card and do nothing else, not even see your balance).
They also retired support for older Android phones, so if you happen to use it on an old phone, you are out of banking.
I, for security, refuse to install bank apps on my phone that I carry, but I have them on a separate phone that I have in safe place.
Here in SE Asia (in my country at least) you're lucky if they even offer you SMS 2FA (and even then, only for cash withdrawal from ATMs), because otherwise its just using PIN or biometrics without any kind of second factor auth.
> are you asking if WhatsApp offers some alternative to banking services? It doesn't
Indian banks provide their full suite of services through WhatsApp. I have opened and closed accounts, completed KYC and authorised transfers through it.
This was a problem during the early 2000s when Windows and Internet Explorer were utterly dominant. Some banks, government services, and other essential websites used ActiveX controls, preventing access by non-Windows users. I remember during my senior year of high school being unable to fill out a college financial aid application circa late 2004 or early 2005 on my PC running FreeBSD and Firefox; I needed to use Windows and Internet Explorer.
I remember the stagnation of Internet Explorer combined with increased awareness of security exploits in Windows and Internet Explorer led to the rise of Mozilla Firefox and (to a lesser extent) increased marketshare for the Mac. This, combined with the arrival of smartphones around 2007, put pressure on organizations to make their Web sites accessible to a wider range of browsers instead of just IE.
Perhaps if we had a critical mass of people using phones with FOSS software, this would be enough for banks and other organizations to consider people who don’t use Apple/Google products.
The challenge, though, is getting that critical mass. Firefox benefitted from Microsoft’s fumbles in the 2000s. It’s going to be hard for a FOSS project to compete head-on against Apple and Google.
I agree that FSF and similar groups should be focusing efforts on influencing government policy at least as much as on software. The problem is that in practice, you’ll get a bunch of people who are erstwhile free software supporters, shouting back that the FSF should “stay n their lane” and stay out of politics (missing the point that in life, everything is politics).
Why would the FSF be working on a problem that has absolutely no technical element? What exactly do you want them to tell your bank and your government? Why exactly can't you tell your bank and your government that?
> that is where I feel they could truly make the biggest difference for freedom for the average user.
By doing what exactly? Telling your government to change their ID policies? You seem to be complaining at your health food store about the nutrition of McDonald's food, because most people eat at McDonald's and that's where they would make the most difference.
Historically we have seen bumps in Linux usage because of cross-platform support. Either officially or unofficially. So I agree that focusing on making that transition more seamless will be of more benefit than telling people they need to use something different or suck it up. There is a reason rooting and making banking and other high security apps functional has been pretty popular.
i think the best solution to this would be some sort of docker-project for people to remotely access a device hooked up to a raspberry pi or something at home via adb via https://github.com/Genymobile/scrcpy as "natively" as possible.
I agree, and I've done similar to this for mobile banking successfully. This is the way :)
However, I expect at some point they'll insist on biometric authentication.
That'd exclude people who can't use the biometrics. But one bank (Revolut) told me that they're dropping customers who don't have a passport or driving license in the UK, for KYC reasons that they said they were required to follow, despite there being a large number of people without either.
So I expect banks to have no problem excluding <x% of people in a discriminatory way, if they can find an excuse, eventually.
I tried calling Starling Bank in the UK when my phone screen stopped working. I assumed they would have basic phone banking service.
They told me no. The only service they could provide over the phone was registering a new device to resume access to bank services via their mobile app.
Although they have a web banking service, which can he used on a desktop, that requires authentication via the mobile app too. It's not TOTP, it's their own thing.
As I needed to make a transaction, I had no choice but to buy a new phone in a hurry.to do it.
Several people suggest switching banks and credit card services, but I've found that not so easy. I have accounts with several banks (some for business), and 3 of them require use of their mobile app. Most credit card services I use also require use of their app. Some have websites that hand you over to the app at some point in the flow.
> What does it matter if you can run a completely free software stack on your phone, if your bank software (or your required government ID, as is looking depressingly likely) requires you to run a Big Tech approved phone OS?
Log in to your bank over the internet, the normal way.
You can replace the banking system. Replacing the banking system does nothing if a single tech company can brick the phones of people using the replacement, or block it from launching.
In that case, I will own a surveillance phone JUST for the government ID app, and put that into airplane mode almost all the time, except for the few times per month where I need that shitty app.
The rest of the time, I will use a free phone.
All the apps that I will not be able to use any more? Doesn't matter. I am now old and grumpy enough to realise that phones are utterly evil and actually useless. Give me a camera, Google Maps (or better a non-Google alternative), Signal and a browser, and I don't need anything else.
Banks and national id apps already work on GrapheneOS. Sometimes you just need to msg devs and ask them to use a different OS attestation method - see link 1. This battle is won already.
Sorry, but no. Device attestation is another mechanism to track and ultimately exercise control over the user. It fundamentally goes against the freedom of choice. You want me to authenticate with multiple factors? Cool.. let me tell you which method I'm already using on all my other accounts and then tell me how to register that with your service. You want to "measure" my device? Okay, I'll take my business elsewhere..
