cross-posted from: https://slrpnk.net/post/15995282

Real unfortunate news for GrapheneOS users as Revolut has decided to ban the use of ‘non-google’ approved OSes. This is currently being posted about and updated by GrahpeneOS over at Bluesky for those who want to follow it more closely.

  • Fuck Yankies@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    13 days ago

    So, uh, the next version of GrapheneOS will probably come with some Android OS version spoofing tech that solves this - if there isn’t something on F-Droid already.

    • Sips'@slrpnk.netOP
      link
      fedilink
      arrow-up
      0
      ·
      12 days ago

      No it won’t. Or at least they said on BlueSky that if there had been a work around for this they would have solved it already.

    • jagged_circle@feddit.nl
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      12 days ago

      I mean remote attestation is cryptographically secure (unless there’s some temp implementation vulnerability).

    • 0x0@programming.dev
      link
      fedilink
      arrow-up
      0
      ·
      13 days ago

      For Revolut? Unlikely, their website forces you into using the app.
      The others sure, i guess, but i don’t see the user overlap.

    • Sips'@slrpnk.netOP
      link
      fedilink
      arrow-up
      0
      ·
      12 days ago

      It’s a mobile app only. The web interface is strictly for managing your account, last I checked.

    • Jyek@sh.itjust.works
      link
      fedilink
      arrow-up
      0
      ·
      12 days ago

      This has very little to do with Google. Custom OS’s in general are being restricted by these apps, not Graphene in particular. All custom OS’s and root access devices are inherently less secure, even if they are privacy focused OS’s.

      In IT this is called a zero trust. You don’t trust anything you cannot verify yourself. And a user installed OS is not something anyone can verify other than the installing user. Obviously for your own security you have your own zero trust policy if you are using something like Graphene, but these companies aren’t making it more secure for you as a user, they’re covering their asses in case there are holes in security they cannot account for.

      • obbeel@lemmy.eco.br
        link
        fedilink
        arrow-up
        0
        ·
        12 days ago

        I had Custom OSs installed before. My bank works fine, but there are apps that require Google Apps. I’d say that’s got pretty much to do with Google.

        • Jyek@sh.itjust.works
          link
          fedilink
          arrow-up
          0
          ·
          12 days ago

          You’re implying that Google is causing these apps to not support custom OSs. But it’s literally not true. These apps are just not supporting custom OSs because their businesses don’t want to support non-standard platforms for security purposes. Tons of banks do not support custom OSs. It has nothing to do with Google and everything to do with not trusting the user which is 100% the correct approach for cyber security.

          • obbeel@lemmy.eco.br
            link
            fedilink
            arrow-up
            0
            ·
            12 days ago

            Got it. So it’s something similar to latest security proposals like not letting me download files on Windows because they are not normally downloaded. Or visiting a website with self signed certificates. So it’s more secure.

            The apps complain: “You need Google Play services to use this app”.

            So it’s about security. Right. What kind of security does McDonaldss need? Does it need security for their coupons?

            Besides that, I thought payment gateway provided very good security by themselves.

            But let’s steer from what happens on mainstream apps a little.

            Isn’t Google Wallet or Online payments insecure too? Don’t they have tons security failures also? Human security failures, like if someone robs my phone and my info they would have access to my money?

            Google and the smartphone industry employ accelerometers and other methods to make sure robbers can’t get to the system. They admit themselves that the systems aren’t safe and they’re working on AI and electronic methods to avoid access to sensitive information.

            Is this the security you’re talking about? Maybe we should just steer the industry another way, like those Custom OSs do. Alternatives aren’t security potential threats. They’re the solution for the problem.

            Making a monopoly based on making it “safe” isn’t secure at all.

            • Jyek@sh.itjust.works
              link
              fedilink
              arrow-up
              0
              ·
              edit-2
              12 days ago

              It’s not for your security. It’s for the company’s security. You’re really dense you know that. This is not about you and it’s not about Google. What I’m saying is, people suck ass. So to protect themselves from people sucking ass, they restrict access to their system to their terms. Completely fair if you ask me.

              You can go cry Google bad all you want. I might even agree Google is bad. But this is not a Google thing. It’s an IT security thing. The banks and MFA providers are security first businesses. They will make the decision that protect them first and it makes sense for them to do so. If you owned a bank, there is a high likelihood you would make similar decisions that end users don’t quite understand.

              As far as McDonald’s is concerned, who the fuck knows what their developers are doing. That app is trash anyways.

              • ganymede@lemmy.ml
                link
                fedilink
                arrow-up
                0
                ·
                edit-2
                12 days ago

                perhaps dial back the attitude a bit there? if you think you know better than someone (even if you’re wrong), then you should have no trouble kindly educating instead of insulting them.

                you may also wish to revisit your highly questionable claim that graphene properly configured on pixel is less secure than stock rom on some random android device.

                • Jyek@sh.itjust.works
                  link
                  fedilink
                  arrow-up
                  0
                  ·
                  12 days ago

                  It’s not questionable at all to assume that a user rooting and installing their own OS is a security risk. That’s the entire premise of zero trust. I’m sure Graphene OS is secure and better for user privacy when configured properly. But you can’t trust that an end user will configure it properly. That’s what I am saying and have been saying since the first message. You can’t trust the user to be security minded. Ultimately, the best thing you can do as a developer or a business is support a known quantity of software and hardware configurations and that likely means only supporting OEM installed ROMs.

  • Droggelbecher@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    13 days ago

    I haven’t switched my phone yet, but will do so soon. Does anyone have experience with compatibility layers on phone, akin to wine? I unfortunately cannot go without my public transport apps, and they’re android or IOS only. I’ve looking into postmarket OS, but open for suggestions.

    • anti-idpol action@programming.dev
      link
      fedilink
      arrow-up
      0
      ·
      13 days ago

      What public transport apps if I may ask? Most of Western Europe and especially Germany present no issues and even have OSS options, same with Finland.

      • Droggelbecher@lemmy.world
        link
        fedilink
        arrow-up
        0
        ·
        12 days ago

        Thanks for the input, i realise it’s been a while since I checked this! ÖBB Scotty, ÖBB Tickets (could forgo this one) and SBB mobile. I also need Digitales Amt (official government app for things like signing contracts without printing them, ordering your election materials to a different address than usual, checking your medical info etc). Do you happen to know whether that would work?

        • anti-idpol action@programming.dev
          link
          fedilink
          arrow-up
          0
          ·
          12 days ago

          Don’t know and sadly my Pixel got stolen recently, but you can see if Offi or Transportr meet your needs, they’re available on fdroid.

          I guess I have bad news for you regarding the government app: https://discuss.grapheneos.org/d/253-compatibility-for-austria-e-government-app

          Anyway depending on your threat model keeping a normiephone as a decoy and mainlining something like graphene os can be a good opsec decision.

          • Droggelbecher@lemmy.world
            link
            fedilink
            arrow-up
            0
            ·
            12 days ago

            Nice, thanks for the tip! Also thanks for going through the trouble of finding out for me, I appreciate it! I’m unfortunately in one of the regions where it’s specifically not available. But the second phone thing might be an option. That, or just a compatibility layer with regular old android after all.

        • granolabar@kbin.melroy.org
          link
          fedilink
          arrow-up
          0
          ·
          13 days ago

          Most EVERYTHING works unless your app dev is PoS like these guys.

          Another alternative is MicroG which might work better in light of recent development.

          How zealous are you on dumping google?

        • killingspark@feddit.org
          link
          fedilink
          English
          arrow-up
          0
          ·
          13 days ago

          Well yes and no. The point is to stop using Google. And that entails quite a few things you might expect a phone to do

        • RubberElectrons@lemmy.world
          link
          fedilink
          arrow-up
          0
          ·
          13 days ago

          You can take a look at calyxOS, it’s what I use. Android but with all Google telemetry ripped out. It’s not as resistant as graphene against a govt adversary, but for privacy, better battery (bc google stuff isn’t constantly running) and still being able to use everything, it works great.

    • m-p{3}@lemmy.ca
      link
      fedilink
      arrow-up
      0
      ·
      13 days ago

      On the other hand, it makes it easy to find which apps aren’t to be trusted with your data.

      • themurphy@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        13 days ago

        Also very obvious when an app or website have an US and an EU version. You just know they buttfuck the Americans because no rules.

        Even Apple had to make two versions of iOS.

    • dutchkimble@lemy.lol
      link
      fedilink
      arrow-up
      0
      ·
      12 days ago

      Maybe graphene will find a way into duping those apps to think you have a regular android phone?

  • ouch@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    11 days ago

    Google has ruined Android by closing it up.

    EU needs to step in and force Google to open it up.

    While at it, go for Apple’s monopoly as well.

  • tisktisk@piefed.social
    link
    fedilink
    English
    arrow-up
    0
    ·
    13 days ago

    Is this not a sign of the true intentions on both sides of the dilemma here!?!?
    Let us go to the end. We cannot afford to carry on in fear of these bans. Let the lines be neatly placed and the sides chosen wisely. If sustained profits are desired, the walled-gardens must come down.

    Vote with your dollar and vote again with your data. Wary, but never afraid is the motto privacy comrades!

    • vividspecter@lemm.ee
      link
      fedilink
      arrow-up
      0
      ·
      12 days ago

      Agreed. Leave immediately to other services, and tell them why you’re leaving. It might not make a dent, but you’ll be doing the right thing at least.

  • yoshisaur@lemm.ee
    link
    fedilink
    arrow-up
    0
    ·
    13 days ago

    man, and i was gonna switch to graphene this christmas. if every app can just ban my OS, i might have to rethink this. i would use the website but they restrict so many things to apps now…

    • The 8232 Project@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      edit-2
      13 days ago

      Well, switching to GrapheneOS shows that you don’t care what those companies do and that you’re willing to fight. It means those companies lose one more customer.

    • Sips'@slrpnk.netOP
      link
      fedilink
      arrow-up
      0
      ·
      13 days ago

      TBF, this is the first time I’ve encountered an app not working - and it was before this. It’s just because of Google push towards monopoly via their Play Integrity API that’s ruining this.

      • RobotToaster@mander.xyz
        link
        fedilink
        arrow-up
        0
        ·
        13 days ago

        play “integrity” should be considered malware, any program that deliberately does something the user doesn’t want it to should.

    • Im_old@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      13 days ago

      I was about to switch bank because for a few days my current one (inadvertently) blocked it on grapheneOS. We sent them a few emails and they fixed in less than a week.

      • A_Union_of_Kobolds@lemmy.world
        link
        fedilink
        arrow-up
        0
        ·
        13 days ago

        I use a small local credit union that doesn’t appear on their supported list. It’s literally the only thing holding me back, I’m tempted to say fuck it anyway. But I wonder if it might work anyway…

    • BearOfaTime@lemm.ee
      link
      fedilink
      arrow-up
      0
      ·
      13 days ago

      Use a browser like Native Alpha or Hermit, which present a website like an app.

      And if you use Bitwarden/Vaultwarden for your passwords, it can be pretty seamless.

  • mlg@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    11 days ago

    I swear I am so close to jumping into the void of mainline linux on phones.

    The only main issue is device drivers, but I would be fine happily extracting them from android or making new ones. Modern Android is a complete full stack POS.

  • HiddenLayer555@lemmy.ml
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    13 days ago

    This makes me want to use GrapheneOS more. If the dataminers don’t want you to use it then it must be doing something right.

      • Realitaetsverlust@lemmy.zip
        link
        fedilink
        English
        arrow-up
        0
        ·
        12 days ago

        It’s only officially supported on google phones because sadly those are the only ones that are not modified to fuck which makes installing and supporting other OS’es way too much work.

        Giving google money once for a device is not a problem from a privacy or security standpoint.

        • Irelephant@lemm.ee
          link
          fedilink
          arrow-up
          0
          ·
          12 days ago

          In the EU almost every phone has an unlockable bootloader, there just isn’t any roms or custom recoveries for a lot of them.

        • Samsy@lemmy.ml
          link
          fedilink
          arrow-up
          0
          ·
          12 days ago

          That’s correct, but not the reason grapheneOS chooses only pixel phones. It’s the level of hardware security features.

          • XTL@sopuli.xyz
            link
            fedilink
            arrow-up
            0
            ·
            12 days ago

            Also unlockable and presumably has well working builds. It’s not just graphene, but just about every Android project it there that’s best supported on pixels. Other manufacturers have a crazy variety of locking schemes and required tools. Each one is a nightmare to support.

            • orange@communick.news
              link
              fedilink
              arrow-up
              0
              ·
              12 days ago

              For GrapheneOS, it’s primarily that it’s re-lockable. That’s why other unlockable phones aren’t supported.

              The GrapheneOS install process sets new OS signing keys so you can lock the phone again and get full verified boot. However, most manufacturers haven’t implemented this feature.

              • fuzzzerd@programming.dev
                link
                fedilink
                English
                arrow-up
                0
                ·
                12 days ago

                What do you get, app/feature wise for verified boot vs. Play integrity app? Does it increase the amount of apps that work on it?

                • orange@communick.news
                  link
                  fedilink
                  arrow-up
                  0
                  ·
                  8 days ago

                  No, Play Integrity intentionally checks if it’s a Google-approved key. Android itself has an API to check verified boot and gives info on the signing key - most devs just want to know verified boot is working.

                  I feel Play Integrity has a short life ahead of if competition authorities realise how exactly it works. “Anti-competitive” is the first thing policy-minded folks think when I explain the API to them.

        • HiddenLayer555@lemmy.ml
          link
          fedilink
          English
          arrow-up
          0
          ·
          edit-2
          12 days ago

          Wish they’d at least support Fairphone.

          If Graphene reached out to them I bet Fairphone would even actively work with them to make it an official OS option.

        • 50MYT@aussie.zone
          link
          fedilink
          arrow-up
          0
          ·
          12 days ago

          Your options are:

          Apple phone

          Bloated android phone like Samsung etc.

          Chinese android phone (xiami etc)

          Google phone with Android

          Google phone with graphene. This still looks like the best of those options.

          Or no phone? I guess people are hardcore enough that will be the option.

            • Killercat103@slrpnk.net
              link
              fedilink
              arrow-up
              0
              ·
              edit-2
              12 days ago

              Is swiftphone its own thing or did you mean shiftphone? I kinda want the shiftphone 8 myself even if they only ship to neighboring countries of mine.

            • Andromxda 🇺🇦🇵🇸🇹🇼@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              0
              ·
              edit-2
              11 days ago

              All of these are insecure as hell. Linux phones especially https://madaidans-insecurities.github.io/linux-phones.html

              Fairphone also really fucked up: They signed their own OS with the publicly available (!) AOSP test signing keys. These guys really don’t know that they’re doing, and I would trust their hardware or software whatsoever. And no, installing a custom ROM doesn’t solve this. Considering how bad their security practices are, we genuinely have to assume that there are security issues with the device firmware as well.

              /e/OS is based on the already insecure LineageOS, and it weakens the security further, so it’s not a good option either.

              None of the options you mentioned can be compared to GrapheneOS. It’s currently the best option if you value your privacy and security. You don’t have to give Google money either, since you can just buy a used device, which is also cheaper and more environmentally friendly. Google also makes repairing their devices pretty easy for consumers and even works with iFixit. Here’s a Mastodon post I recently saw about that: https://social.linux.pizza/@midtsveen/113630773097519792

              • Venia Silente@lemm.ee
                link
                fedilink
                English
                arrow-up
                0
                ·
                11 days ago

                An used Pixel, assuming I can find one in my country, still costs four (4) times what I need to shell out for a in-market Lineage compatible phone.

                Theoretical security is cute, but it has to be adjusted to practical feasibility. The most secure computer in the world is useless to you if you can’t boot it up.

                • Security-wise you’re better off using whatever OS comes with your device than downgrading to LineageOS. At least most smartphone vendors (except for Fairphone) manage to ship their Stock OS with a locked bootloader and somewhat working Verified Boot.

            • SeekPie@lemm.ee
              link
              fedilink
              arrow-up
              0
              ·
              12 days ago

              I don’t think LOS has any privacy/security improvements over the stock android?

              (IIRC) it’s even worse than stock because you can’t lock the bootloader after installation.

              Though if your phone isn’t getting official updates, it’s probably safer with LOS.

              • Venia Silente@lemm.ee
                link
                fedilink
                English
                arrow-up
                0
                ·
                11 days ago

                (IIRC) it’s even worse than stock because you can’t lock the bootloader after installation.

                That’s a problem with the phone manufacturer, not with Lineage.

                • SeekPie@lemm.ee
                  link
                  fedilink
                  arrow-up
                  0
                  ·
                  edit-2
                  12 days ago

                  Yeah, I myself am using CalyxOS, because DivestOS doesn’t support the Fairphone 5 unfortunately. CalyxOS also has relocking.

                • Not with GrapheneOS, since you can entirely disable the USB controller from the settings on a driver level, making it impossible to connect the phone to a forensic data extraction device. GrapheneOS also has a convenient auto-reboot feature, which (together with their patches to the Linux kernel and Fastboot recovery OS to include memory zeroing) erases the encryption keys from memory, putting the device in BFU state and requiring the PIN/password to unlock. This is additionally secured by the Titan M2 secure element, which makes use of the Weaver API and drastically throttles brute-force unlock attempts. https://grapheneos.org/faq#encryption

          • zerozaku@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            12 days ago

            Xiaomi has the biggest custom ROM scene out there btw despite them trying their hardest to stop bootloader unlocking. You really don’t need to have a company supporting unlocking to make ROMs for them. If they outright block it then that’s an issue.

          • ryannathans@aussie.zone
            link
            fedilink
            arrow-up
            0
            ·
            edit-2
            12 days ago

            Someone installing graphene os for security shouldn’t be trusting random second/third/etc hand hardware lol

              • XTL@sopuli.xyz
                link
                fedilink
                arrow-up
                0
                ·
                12 days ago

                Hypothetically the hardware could have been modified, but that would take some insane level of a determined attacker to be fabricating modified pixels just to sell them on the used market.

                • OrganicMustard@lemmy.world
                  link
                  fedilink
                  arrow-up
                  0
                  ·
                  12 days ago

                  It also comes with a hardware auditor, although you need another trusted graphene phone to use it. I don’t know about the details, but sounds very hard to mess with it.

                • Anivia@feddit.org
                  link
                  fedilink
                  arrow-up
                  0
                  ·
                  12 days ago

                  Yes, this would only be a concern for targeted attacks by state actors, in which case not even buying new would be safe.

                  Thinking about it, in such a scenario buying used may even be safer

                • Venia Silente@lemm.ee
                  link
                  fedilink
                  English
                  arrow-up
                  0
                  ·
                  11 days ago

                  Nothing too hypothetical nor an “insane” level of work. Didn’t Israel do just that with some beepers to blow up children?

            • Auli@lemmy.ca
              link
              fedilink
              English
              arrow-up
              0
              ·
              12 days ago

              Shouldn’t trust anything then. They could intercept your new phone and modify it. They did it for switches. But your not worth it for “them”.

  • utopiah@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    11 days ago

    Seems like my time to move away from Authy. Any drop in alternative for iOS? Ideally I could export services and load them back, not manually adding/removing 1 by 1. Even if I can’t though, suggestion still welcomed.