cross-posted from: https://slrpnk.net/post/15995282
Real unfortunate news for GrapheneOS users as Revolut has decided to ban the use of ‘non-google’ approved OSes. This is currently being posted about and updated by GrahpeneOS over at Bluesky for those who want to follow it more closely.
But like, why?
Fuxk u
He makes a solid point
This surprises me because McDonald’s app is hands down the worst app I’ve ever encountered in the history of all Android apps.
It’s is sluggish, ignores touches/taps half the time, doesn’t adhere to Android best practices for flow, crashes a lot, errors a lot, etc.
But OK McDonald’s. Fuck off.
I can add that it requires location permission (even when you attempt to search manually with zip or city). What a shitty, dystopian timeline we are experiencing when we’re mandated to run privacy invasive spyware, just to get a fucking discount on nugs.
It’s almost as if a clown programmed it
deleted by creator
Next update
Stops working if you log in and out of your account. At least this is what GrapheneOS folks stated on BlueSky.
Maybe it’s worth keeping a budget mobile phone at home with Rustdesk host running on it? When you have a need for an app that must run on a genuine Android, you just remote into that phone. Since the phone never leaves home, there’s less to track.
This is very bad news, because this means any app that wants your data could do the same.
Maybe graphene will find a way into duping those apps to think you have a regular android phone?
On the other hand, it makes it easy to find which apps aren’t to be trusted with your data.
Also very obvious when an app or website have an US and an EU version. You just know they buttfuck the Americans because no rules.
Even Apple had to make two versions of iOS.
I use Authy under a separate work profile on graphene with no issues 🤔
I use Aegis.
But when did you set Authy up? I don’t recall when Authy made the change, but it wouldn’t kick you out. It would, however, prevent you from signing in a new device. So if you lose your phone, you might lose access to those tokens…
deleted by creator
not really. services make the mobile site unusable. example:
- facebook: nags you to use the facebook app with popups and large banners
- facebook messenger: does not even let you to log in
deleted by creator
Not for Revolut. App only.
They do have a web app, it’s just very feature limited https://www.revolut.com/blog/post/introducing-the-revolut-web-app/
Like you can’t even pay people money kind of feature limited
womp womp.
Can I simulate another OS environment for these kind of apps?
Are there any checker apps to see which of user’s installed apps have this? Looking up “Play Integrity API” only finds the checkers for the phone itself…
So, uh, the next version of GrapheneOS will probably come with some Android OS version spoofing tech that solves this - if there isn’t something on F-Droid already.
No it won’t. Or at least they said on BlueSky that if there had been a work around for this they would have solved it already.
What aboit downloading thw app feom Aurora Store? I think that would solve most of the problems
How would that change anything?
I mean remote attestation is cryptographically secure (unless there’s some temp implementation vulnerability).
Would not updating Revolut keep the app compatible as long as you don’t sign out?
If so, don’t update the app and write down the build number of the last app version which worked on GrapheneOS. That way you would have a bit more time to sort things out.
They constantly force you to update or the app won’t work. I was already having issues with Revolut on GrapheneOS so I just closed my account and switched to Wise. The Revolut app was a bloated mess anyway.
Yupp thinking about doing the same, but want to wait a little to see if wise decides to do the same…
Guess I’ll have to follow suit, because I’d love to switch to graphene OS
Can Graphene add a feature to run in emulation mode to allow apps to believe it’s on an unrestricted OS?
Unfortunately, this is probably because of the apps started using the Play Integrity API, which is a hardware-based attestation and can only be faked in two ways that GrapheneOS isn’t interested in:
- you can fake an older device that didn’t support hardware attestation yet, or had a broken implementation
- or you can try getting leaked vendor keys and emulate the crypto with those until they get revoked
Well, Google is known for destroying its opposition.
This has very little to do with Google. Custom OS’s in general are being restricted by these apps, not Graphene in particular. All custom OS’s and root access devices are inherently less secure, even if they are privacy focused OS’s.
In IT this is called a zero trust. You don’t trust anything you cannot verify yourself. And a user installed OS is not something anyone can verify other than the installing user. Obviously for your own security you have your own zero trust policy if you are using something like Graphene, but these companies aren’t making it more secure for you as a user, they’re covering their asses in case there are holes in security they cannot account for.
I had Custom OSs installed before. My bank works fine, but there are apps that require Google Apps. I’d say that’s got pretty much to do with Google.
You’re implying that Google is causing these apps to not support custom OSs. But it’s literally not true. These apps are just not supporting custom OSs because their businesses don’t want to support non-standard platforms for security purposes. Tons of banks do not support custom OSs. It has nothing to do with Google and everything to do with not trusting the user which is 100% the correct approach for cyber security.
Got it. So it’s something similar to latest security proposals like not letting me download files on Windows because they are not normally downloaded. Or visiting a website with self signed certificates. So it’s more secure.
The apps complain: “You need Google Play services to use this app”.
So it’s about security. Right. What kind of security does McDonaldss need? Does it need security for their coupons?
Besides that, I thought payment gateway provided very good security by themselves.
But let’s steer from what happens on mainstream apps a little.
Isn’t Google Wallet or Online payments insecure too? Don’t they have tons security failures also? Human security failures, like if someone robs my phone and my info they would have access to my money?
Google and the smartphone industry employ accelerometers and other methods to make sure robbers can’t get to the system. They admit themselves that the systems aren’t safe and they’re working on AI and electronic methods to avoid access to sensitive information.
Is this the security you’re talking about? Maybe we should just steer the industry another way, like those Custom OSs do. Alternatives aren’t security potential threats. They’re the solution for the problem.
Making a monopoly based on making it “safe” isn’t secure at all.
It’s not for your security. It’s for the company’s security. You’re really dense you know that. This is not about you and it’s not about Google. What I’m saying is, people suck ass. So to protect themselves from people sucking ass, they restrict access to their system to their terms. Completely fair if you ask me.
You can go cry Google bad all you want. I might even agree Google is bad. But this is not a Google thing. It’s an IT security thing. The banks and MFA providers are security first businesses. They will make the decision that protect them first and it makes sense for them to do so. If you owned a bank, there is a high likelihood you would make similar decisions that end users don’t quite understand.
As far as McDonald’s is concerned, who the fuck knows what their developers are doing. That app is trash anyways.
perhaps dial back the attitude a bit there? if you think you know better than someone (even if you’re wrong), then you should have no trouble kindly educating instead of insulting them.
you may also wish to revisit your highly questionable claim that graphene properly configured on pixel is less secure than stock rom on some random android device.
It’s not questionable at all to assume that a user rooting and installing their own OS is a security risk. That’s the entire premise of zero trust. I’m sure Graphene OS is secure and better for user privacy when configured properly. But you can’t trust that an end user will configure it properly. That’s what I am saying and have been saying since the first message. You can’t trust the user to be security minded. Ultimately, the best thing you can do as a developer or a business is support a known quantity of software and hardware configurations and that likely means only supporting OEM installed ROMs.
Just run PWA instead no?
For Revolut? Unlikely, their website forces you into using the app.
The others sure, i guess, but i don’t see the user overlap.It’s a mobile app only. The web interface is strictly for managing your account, last I checked.
