A collegue of mine was tech lead at a large online bank. For the mobile app, the first and foremost threat that security auditors would find was "The app runs on a rooted phone!!!". Security theater at its finest, checkboxes gotta be checked. The irony is that the devs were using rooted phones for QA and debugging.

> It's mind boggingly stupid that they lock down apps like this, when you can just open the thing in a website anyway. I can use my bank on some linux distro...

Not in Spain. I can access my bank's website but I can't do anything without their bank app. Even sometimes they require to confirm my identity using their app in order to access their website.

I have several linux phones but I can only do banking with their app downloaded from Aurora Store in my Vollaphone.

> I can use my bank on some linux distro,

Yes, I've been doing that since 2009 on Ubuntu and Debian but there are several caveats.

One of those banks has its own TOTP device and they won't replace it when the battery dies. It's almost 20 years old now. Then it's the fingerprint sensor on my phone.

The other banks authenticate accesses and many operations with either their app + fingerprint (all of them) or SMS (some of them). So basically I would still need a phone with a blessed OS. I could buy the cheapest one and store it in a drawer, but it's still a dependency on Google or Apple.

GrapheneOS requirement of Pixel devices is a dependency on Google too.

I'd also recommend to slowly migrate to GrapheneOS, getting to know where the boundaries are for specific apps. Once you've got your 'dailies' all up and running predictably, then you're good to go, but it could take a few days depending on how much spare time you have to find said boundaries. Having said that, I turn on most of the higher level security protections, which quite a few apps need exceptions from.

But, yes, you can't tap to pay and it's unlikely you ever will. Banking apps will be hit and miss depending on their (generally hypocritical) paranoia levels.

I pay with a tap-to-pay card, and I have never needed to do banking related things immediately, I've always done it via the bank's website.

I also still have a not-very-old 'normal' android phone for some edge cases - which are few and far between (actually, I think it's usually to cast youtube to the TV since I only have the revanced youtube app on the GrapheneOS device).

P.S. On the use of profiles, I use them to separate work apps and notifications from personal, from sporting club, from X, Y, and Z. Yes, they're a pain in the arse to switch between, but I'd argue it's more of a pain in the arse to have them all jumbled together causing even more notifications, frustrations, and distractions from whatever one should actually be concentrating on in the present moment.

Thanks for the Norwegian perspective.

I agree that the locking down is truly stupid. For what it’s worth, the reasoning for locking down mobile apps is allegedly that mobile users are a less technologically competent demographic than desktop users. I do not think so myself, given the difficulty in trying Graphene vs. Desktop Linux.

> when you can just open the thing in a website anyway. I can use my bank on some linux distro

Unfortunately not.

I'm in the UK. Two of my personal banks, all four business banks that I need to use, and several credit cards, require authentication using their phone app to confirm login on their website.

None of those I've seen are using TOTP or SMS, for which I could use a general security service. All use their own phone or tablet app. One does something interesting where the website shows a unique QR code on each login, the phone app reads it with the phone camera, and then website login proceeds instantly without clicking anything.

Oh, and some of them also require phone app confirmation for card purchase transactions.

When my last phone's screen stopped working, I called one bank's "phone banking" line (using another phone of course) to make an urgent transaction, and they told me they can't do that, as only service they offer by phone is registering a new phone or tablet. They told me explicitly that it's not possible to login to their web-based banking service without using their app for authentication, and on a registered device.

It's the reason I have my current phone. I had to buy a cheap-ish Android in a hurry from a local shop, in order to proceed with my bank transaction.

Back to the main topic: I love the idea of a properly open source phone, I used to own not one but two Nokia N900s, and I once toyed with the idea of building my own Linux phone from scratch, big project though that is.

But the security ecosystem around logins has changed, and so have the services I depend on. These days I use many bank and other financial-service related apps, and I'm not, in practice, free to switch providers. So I couldn't use a Nokia N900 or modern equivalent any more as my only mobile device. I'd have to carry a second phone as well.

(Banking and other service authentications are also the only reason I have my current passport. I resented having to pay to renew my expired passport, given I had no plans to travel (small children) and the expired passport used to be accepted, but I found some banks, credit cards and even government services increasingly requiring to see a non-expired passport from time to time. When I asked one of them what do they do for the large number of people who don't have one, they simply told me they close those people's accounts and that's ok, they don't need to serve everyone. But that's another story.)

I was the one that submitted the DNB Bedrift app report to the sec dev repo! I contacted DNB but they never responded to my email. I wonder if we can find a dev? I believe that's how the private app got fixed.

Want to use Vipps tæpp so much but I have Nordea for private and they don't allow it on their cards, for whatever godforsaken reason.

> I can use my bank on some linux distro, crazy that they trust me

enjoy it while it lasts. hardware attestation requirement for (at least) banking apps is a question of 'when', not 'if'.

Same with Lineage OS, may daughter has an old Samsung with Lineage on it and the Wallet app doesn't work because the phone's been rooted.

I have a few features that I need that I'm not sure if Graphene supports. If you could check that would help!

Can you record phone calls? Do third party voice recorders continue recording even when the screen is locked? Thank you!

test