This is rubbish. I'm running GrapheneOS and have left my bootloader unlocked, and there's no app that has refused to work. The only caveat is some of them need Google Play services. No, I am not rooted, but my last phone was rooted and there might have been one or two apps out of dozens that wouldn't work with root even with Magisk trying to hide the root status. Using a custom ROM is easily one of the best choices I have made.
So I guess the next thing we need is someone suing the fucking banks that do that. Mine luckily doesn't because I explicitly use an old phone with LineageOS, the banking app, and nothing else on it for online banking. It's arguably way more secure than using your main phone with a bazillion other apps installed and online at all times.
How would that stick? You can just sign into the bank via your web browser in the case of a nonfunctional app. The apps just give you added security assurances beyond using the web.
"The app can't function in a low security environment, but complainant is free to use the web client in such event." case dismissed
(obviously an oversimplification, but the point stands)
For my banks the only fallback is a hardware device that you put your card into. Before the app you had to carry this everywhere when traveling to do online banking.
Fair. I still wouldn’t want to have such a fallback available by default. Being stronger than an even worse option doesn’t change that. Because it eliminates the security of the strongest option.
Agreed. Unfortunately almost every bank here forces me to use this less secure option "for security" due to my rooted phone. Not one has just offered standard TOTP (perhaps because the pull-only nature of it means they can't present the message explicitly telling the user what they're about to authorize. Which is an understandable qualm I guess)
Well, some offer a hardware device for like 25€ that can do the same thing, but then if you have an account with multiple banks, you need multiple of these devices.
There are app-only banks too. Some of them provide a web interface, but it depends on the app to sign you into the web interface (similar to the way whatsapp requires you to use the app to sign into whatsapp web).
What happens when your primary bank has been one of these app-only banks for the last 5 years, and you decide to make a technology change to your phone, and can now no longer get into your banking app?
When you reject GrapheneOS, the most secure mobile OS on the planet, but accept a no-name Chinese ROM, I feel like you can't invoke security reasons anymore.
Signing transactions usually takes you back to the 2FA app here, where the amount and receiver are repeated.
Even if someone hijacks my computer's web browser, the worst they can do is see my statements; any attempt to transfer out will pop up a prompt on the phone.
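The out-of-band confirmation described in the two comments above works because the phone signs exactly what it displays (amount, receiver, and a fresh nonce), so a hijacked browser can neither approve a transfer silently nor reuse an approval for a different recipient. The following is an added illustration, not code from any bank or from the commenter; it stands in for the hardware-backed device key with an HMAC over a constructed per-device secret, and the account identifiers are made up.

```python
import hashlib
import hmac
import json
import secrets
from typing import Callable, Optional

# Constructed per-device secret, shared with the bank at enrolment. A real app
# would keep an asymmetric key in the hardware keystore and produce a signature
# instead of an HMAC; the binding of amount + receiver + nonce is the same.
DEVICE_SECRET = secrets.token_bytes(32)


def canonical(amount: str, to: str, nonce: str) -> bytes:
    """Deterministic encoding of exactly what the phone shows the user."""
    return json.dumps({"amount": amount, "to": to, "nonce": nonce},
                      sort_keys=True, separators=(",", ":")).encode()


def server_issue_challenge(transfer: dict) -> dict:
    """Bank side: bind the pending transfer to a fresh nonce and push it to the phone."""
    return {"amount": transfer["amount"], "to": transfer["to"],
            "nonce": secrets.token_hex(16)}


def phone_confirm(challenge: dict,
                  user_approves: Callable[[str, str], bool]) -> Optional[str]:
    """Phone side: display amount and receiver; only sign if the user accepts."""
    if not user_approves(challenge["amount"], challenge["to"]):
        return None
    msg = canonical(challenge["amount"], challenge["to"], challenge["nonce"])
    return hmac.new(DEVICE_SECRET, msg, hashlib.sha256).hexdigest()


def server_verify(transfer: dict, nonce: str, tag: Optional[str]) -> bool:
    """Bank side: recompute over the transfer it is about to execute."""
    if tag is None:
        return False
    expected = hmac.new(DEVICE_SECRET,
                        canonical(transfer["amount"], transfer["to"], nonce),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def run_scenarios() -> dict:
    intended = {"amount": "250.00", "to": "ACCT-LANDLORD"}   # constructed
    tampered = {"amount": "250.00", "to": "ACCT-ATTACKER"}   # constructed

    # The user knows whom they meant to pay and compares the phone prompt to that.
    def user(amount: str, to: str) -> bool:
        return (amount, to) == (intended["amount"], intended["to"])

    results = {}

    # 1. Honest flow: browser submits the real transfer, phone prompt matches.
    ch = server_issue_challenge(intended)
    results["honest"] = server_verify(intended, ch["nonce"], phone_confirm(ch, user))

    # 2. Hijacked browser swaps the recipient before submission. The phone shows
    #    the attacker's account, the user declines, nothing is signed.
    ch = server_issue_challenge(tampered)
    results["swapped_before_prompt"] = server_verify(
        tampered, ch["nonce"], phone_confirm(ch, user))

    # 3. Attacker lets the user approve the real transfer, then tries to attach
    #    that approval to a transfer to a different account.
    ch = server_issue_challenge(intended)
    tag = phone_confirm(ch, user)
    results["approval_reused"] = server_verify(tampered, ch["nonce"], tag)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Only the honest scenario verifies; the other two fail for different reasons (the user refuses a prompt that names the wrong receiver, and a tag computed over one receiver does not verify against another), which is the property the commenter is relying on.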
A lot of this actually seems to have come from recent regulatory pressure for 2FA (which I support in principle, don't get me wrong). I don't even think most of them have given much thought to rooted phones, rather they're just cargo culting Industry Standard Best Practices and turning all the device verification options to max. Luckily, most of them realize they still have customers without a compliant smartphone, or one at all, and offer a fallback, which is almost always SMS...
Though you get those newer "app only" banks. I've never used any since I see that as a major downside, not a selling point, so idk whether they tolerate root. Even with traditional banks, I've come across a few features which can only be accessed via the phone app - in this case likely due to the belief that "web? Everyone just uses apps!" rather than security
It's far from secure. You are using an outdated phone, which hasn't received any kind of firmware or vendor security patches in a while. And as far as I remember, LineageOS doesn't support relocking the bootloader which further reduces the overall security of your phone
What's the attack vector? There is nothing else installed on this phone, and I only turn it on when the banking website asks me to confirm the login via their app. So it's connected to my wifi for like 5 minutes.
Meanwhile my main phone is always on the mobile network, using a proprietary modem that's running ridiculously complex firmware that does EDGE, LTE, 5G, VoIP, has its own TCP/IP stack and a dozen other super complex protocols, is closed source, gets no security reviews and is exposed to at least my mobile provider at all times. And that's just the modem. Don't let me get started on all the value-add software the phone vendor loaded the device up with, some of which is running with elevated privileges. You seriously think this is more secure?
For UK banks on my GrapheneOS Pixel 6a I can use the apps for HSBC, First Direct, Barclays, NatWest, RBS, Co-operative Bank and Metro Bank with no issues, and have only had trouble with the Lloyds Bank app as of an update from maybe 2-3 months ago, which throws an error saying they've detected I'm using a jailbroken/rooted device.
I get a message that the device is not secure but I can still make transfers and such from the banking app on a rooted OP9Pro.
Never tried to use NFC payments though.
> Do you use a banking app? Last I read depending on the type of check used some apps can still be problematic.
It's important to distinguish between banking app and payment app.
If you just want to check your account balance or find an ATM, the banking app will probably not mind that you're on a device that can't pass integrity checks.
If you want to use your phone's NFC to pay for coffee, though, you're going to have a bad time.
Also many "corporate" things, usually depending on your org's policy. E.g. I can't run OpsGenie (it may actually be the Microsoft SSO step failing, I'm not entirely sure, but the error definitely mentions my device not meeting security policies).
I use N26, Revolut, ING, and others. No issues, I just add the apps I need to the Magisk Hide list. I also use NFC payments. Only Google Wallet does not work.
Yeah, my bank app both did not work with rooted phones, last I checked, and they also appear to whitelist phone models or something - at one point I had an uncommon mid-range Chinese phone and I had to contact support to have them approve my phone.
What are the downsides with GrapheneOS? I had a few problems with root (Netflix and banking apps) but would love my privacy. My main reason for root is the firewall to block outgoing connections from apps that are not supposed to make them.
It's really a downside of the Google app ecosystem and not GrapheneOS per se, but apps requiring higher levels of integrity per Google attestation (Play Integrity/SafetyNet) generally won't work. Intentionally breaking apps on "untrusted" configurations is basically the point of that feature, and GrapheneOS does provide the relevant services, but they would need to be specifically enabled by the app developer.
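The "higher levels of integrity" in the comment above, and the earlier distinction between checking a balance and tapping to pay, come down to a server-side policy over the labels in a decoded Play Integrity verdict. Below is an added example (not the project's or any bank's code) of such a policy: it first binds the verdict to the request (package name, nonce, freshness) and only then asks whether the device labels cover the requested operation. The verdict label names are the real API values; the mapping of operations to labels, the package name and the sample verdicts are assumptions constructed for the example, and the block assumes the token has already been decoded and signature-checked upstream.

```python
from typing import Optional, Tuple

# Which device label each operation needs. The label strings are the real
# Play Integrity values; this mapping is an assumption for the example.
REQUIRED_LABEL = {
    "balance": None,                        # read-only: app integrity alone is enough
    "transfer": "MEETS_DEVICE_INTEGRITY",
    "nfc_payment": "MEETS_STRONG_INTEGRITY",
}
MAX_AGE_MS = 5 * 60 * 1000


def evaluate(verdict: dict, expected_nonce: str, expected_package: str,
             operation: str, now_ms: int) -> Tuple[bool, str]:
    """Decide whether a decoded integrity verdict authorises `operation`."""
    req = verdict.get("requestDetails", {})
    # Bind the verdict to this particular request: right app, right nonce, recent.
    if req.get("requestPackageName") != expected_package:
        return False, "package mismatch"
    if req.get("nonce") != expected_nonce:
        return False, "nonce mismatch (replay or wrong session)"
    if now_ms - int(req.get("timestampMillis", 0)) > MAX_AGE_MS:
        return False, "verdict too old"
    # The app must be the Play-distributed build, whatever the operation.
    app = verdict.get("appIntegrity", {}).get("appRecognitionVerdict")
    if app != "PLAY_RECOGNIZED":
        return False, "app not recognised"
    needed: Optional[str] = REQUIRED_LABEL[operation]
    labels = verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if needed is not None and needed not in labels:
        return False, f"device lacks {needed}"
    return True, "ok"


def sample_verdict(labels, nonce: str = "n-1",
                   ts_ms: int = 1_700_000_000_000) -> dict:
    """Constructed decoded verdict in the shape the Play Integrity API returns."""
    return {
        "requestDetails": {"requestPackageName": "com.example.bank",
                           "nonce": nonce, "timestampMillis": str(ts_ms)},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                         "packageName": "com.example.bank"},
        "deviceIntegrity": {"deviceRecognitionVerdict": list(labels)},
        "accountDetails": {"appLicensingVerdict": "LICENSED"},
    }


def run_policy_scenarios() -> dict:
    now = 1_700_000_000_000 + 1000
    pkg = "com.example.bank"
    full = sample_verdict(["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY",
                           "MEETS_STRONG_INTEGRITY"])
    unvouched = sample_verdict([])   # device the attestation does not vouch for
    return {
        "full_transfer": evaluate(full, "n-1", pkg, "transfer", now)[0],
        "full_nfc": evaluate(full, "n-1", pkg, "nfc_payment", now)[0],
        "unvouched_balance": evaluate(unvouched, "n-1", pkg, "balance", now)[0],
        "unvouched_transfer": evaluate(unvouched, "n-1", pkg, "transfer", now)[0],
        "replayed_nonce": evaluate(full, "n-2", pkg, "balance", now)[0],
        "stale": evaluate(full, "n-1", pkg, "balance", now + MAX_AGE_MS + 1)[0],
    }


if __name__ == "__main__":
    for name, allowed in run_policy_scenarios().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The request-binding checks come before any label check on purpose: a verdict that passes every device label but was obtained for a different nonce or package says nothing about this session, which is why a server should never consult the labels alone.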
A firewall wouldn't be necessary with GrapheneOS. There's a network toggle which you can use to completely cut off internet access for an app. As for the downsides, I would say close to zero. It feels just like a stock OS, without any kind of bloatware and a lot more secure.
What? SafetyNet is absolutely a pain in the ass. I think there are some Xposed and Magisk modules or whatever that can work around it, but that's a cat-and-mouse thing and can break. A lot of bank and financial apps, and a lot of stuff with DRM, will break.