888

Paying without Google: New consortium wants to remove custom ROM hurdles creating an open source alternative to Google Play Integrity (www.heise.de)

submitted 2 days ago by Argyle13@lemmy.world to c/opensource@lemmy.ml

80 comments fedilink hide all child comments

Pay securely with an Android smartphone, completely without Google services: This is the plan being developed by the newly founded industry consortium led by the German Volla Systeme GmbH. It is an open-source alternative to Google Play Integrity. This proprietary interface decides on Android smartphones with Google Play services whether banking, government, or wallet apps are allowed to run on a smartphone.

you are viewing a single comment's thread
view the rest of the comments

[-] Nyadia@lemmy.blahaj.zone 70 points 2 days ago

I see this topic come up often in conversations about degoogled Android and it makes me wonder what if anything I'm missing out on by just using cash/card for payments, cause not once have I been at checkout and thought to myself "man, I wish I could do this with my phone instead" but people talk about this like it's almost a dealbreaker that makes it hard for them to seriously consider switching to Graphene or Lineage or whatever.

[-] Don_alForno@feddit.org 1 points 12 hours ago

My bank uses an app as 2FA for online credit card payments. Without this app I couldn't use my cc for online shopping.

[-] 20dogs@feddit.uk 5 points 1 day ago

My bank (Monzo) doesn't even offer an alternative way to interact or sign up except through the smartphone app.

[-] als@lemmy.blahaj.zone 4 points 1 day ago

FWIW, Monzo works on Lineage OS with no gapps. I can't use google pay but I have a card for that.

[-] h_ramus@piefed.social 43 points 2 days ago

In a lot of counties banks are becoming mobile first. Want to login in the browser? Authenticate with your mobile app to approve. Don't have a mobile phone with the requisites of the bank? Well, go to the branch, take a ticket, wait and then tell them what you want to do with your money. It's not just about paying, banks are moving online authentication to be dependent on Google or Apple, whatever poison you pick.

This seems like same shit different flies. Still dependent on some centralised approval which doesn't help openness and security. We need alternatives to the duopoly but this ain't it, chief.

[-] pishadoot@sh.itjust.works 2 points 1 day ago

I've never encountered what you're describing. There's always other ways to authenticate than through a mobile app, at least from my experience, and I think I've used about a dozen different banks/credit unions over the past 15 or so years. Last credit union I cut ties with had ZERO MFA for their web portal, except on account creation. Like, no SMS, no email, nothing - just user+pass, and making sure you have the right background picture of the login screen you picked on account generation (like, a duck or a football or whatever). Completely ridiculous in 2025 (when I cancelled my account).

Regarding the OP, I think any new competition in this space right now is good, even if it ends up just being a triopoly vs a duopoly (fat chance with this thing but we can hope).

Ideally though we need an open protocol/standard that can be implemented through any manner of device software.

[-] Pirate@feddit.org 5 points 1 day ago* (last edited 1 day ago)

No offense but it sounds like you’re from the US, where banking is 20 years behind in comparison to Europe.

The other commenter is right, some banks are mandating 2FA using your phone even to log into web banking, so phone authentication is still required.

Also some EU countries have pretty much become cashless although it’s obviously still legal tender. Even some tiny village in the middle of Denmark has card readers.

[-] grue@lemmy.world 5 points 1 day ago

If this shit is what "ahead" looks like, I'm happy being "behind."

[-] Pirate@feddit.org 2 points 1 day ago

This “shit” is being pushed by the US, and we Europeans are the ones pushing back on it. Just sayin.

[-] h_ramus@piefed.social 8 points 1 day ago

Some countries are all-in on the digital transition and for a lot of things shops don't even accept cash anymore. Digital QR code transfers are preferred. Be thankful that the banks that you deal with haven't gone down this path.

2 factor TOTP exists and is secure enough for corporates to have adopted long time ago. Banks can adopt similar authentication methods but choose not to.

On the OP, not sure what the solution could be. However, going down this path seems flawed.

[-] MouldyCat@feddit.uk 2 points 1 day ago

Unfortunately there is a significant security advantage in using Google Pay or Apple Pay which no one has yet mentioned. When you make a payment with chip-and-PIN using your physical card, your real card number is exposed to the merchant. The proprietary wallet services on the other hand use a device-specific token in place of the card number.

In practice, this means that if a retailer is compromised, there’s no usable card data to steal or clone, which removes a large class of fraud that still exists with physical cards.

[-] Don_alForno@feddit.org 1 points 12 hours ago

I prefer to take the risk of a compromised vendor over all the things google will 100% do with my payment data.

[-] MouldyCat@feddit.uk 1 points 6 hours ago

All power to you friend. Nevertheless it's best to be informed, especially when attempting to make a better alternative.

[-] newtraditionalists@kbin.melroy.org 14 points 2 days ago

Right there with you. Access to my money relying on a device that needs to be charged is just stupid. I'm stranded somewhere, my phone runs out of battery, suddenly I have zero dollars. No thanks.

[-] Chewy7324@discuss.tchncs.de 4 points 2 days ago

I keep a single bill in my phone case for emergencies (be it an actual emergency or I just want to eat at some place which only takes cash).

If my phone battery runs out I'm stranded anyway, since I can't call anyone or use my public transport ticket.

[-] newtraditionalists@kbin.melroy.org 7 points 2 days ago

Im truly struggling to understand what you mean. If your phone battery runs out, and you cant call anyone, do your legs and mouth suddenly stop working? Walk to a bus/train/transport station, use your words and pay for a trip home. obviously, if your money relies on the phone battery, yes you are truly stranded. But if you have a card or cash, you are not. It's quite simple. I guess you just have no imagination and can't fathom that people existed without phones or something? I'm asking in earnest, what do you mean?

[-] NewOldGuard@lemmy.ml 13 points 2 days ago

I agree, it’s a nice-to-have but it’s far from necessary. I like having the option as a backup in case I forget my wallet, but I’ll live without it

[-] root@lemmy.world 5 points 2 days ago

I agree, with the caveat that it's very nice to be able to pay with my phone/ watch if/when forget my wallet, rather than having to go back home to get it.

[-] puntinoblue@lemmy.ml 3 points 1 day ago

I don’t use the phone that often as a debit /credit bank card but I use it for payments (bills invoices etc.), paying on line, transferring money to people and accounts, and just managing accounts. The phone app is very useful for those functions - especially if the alternative is going into a bank and queuing.

A phone OS that will not work with banking apps is not really a contemporary solution. iOS or Android are the only reliable options at the moment in the US/Europe - Iiuc Open Source Android has to sandbox Google Play for banking apps to work so that’s not viable long-term solution, as Google will only make that more difficult in the future.

Given the issues with the judges at ICC and US payment systems, building an alternative to Google and Apple is a high priority

[-] WhyJiffie@sh.itjust.works 1 points 16 hours ago* (last edited 16 hours ago)

The phone app is very useful for those functions - especially if the alternative is going into a bank and queuing.

the bank's web portal should also work for this.

if it refuses to open on your phone, try firefox and enable desktop mode for that tab

Iiuc Open Source Android has to sandbox Google Play for banking apps to work

that's not necessary but also not enough for it. the bank apps specifically check if you run a google/apple approved, unmodified operating system.

today it is not possible to pay with an open source operating system. somewhat of an exception is grapheneos, but even if you just build it from source for yourself, the bank's app will refuse operation.

and on top of that, google services are required too if you want to pay with your phone in shops.

so this is not something open source os maintainers can solve. it is a result of google engaging in illegal practices which are not prosecuted.

building an alternative to Google and Apple is a high priority

Technically... afaik most banks in the EU also support current non-android huawei phones, which have their own implementation of the play integrity service to lock you into the factory os. but huaweis are not better, probably worse.

[-] JoeMontayna@lemmy.ml 4 points 2 days ago

It's the hardware, and it feels like mobile in particular is intentionally designed to not be modular. I suspect that is by design to keep it under control of the big companies.