884

Paying without Google: New consortium wants to remove custom ROM hurdles creating an open source alternative to Google Play Integrity (www.heise.de)

submitted 2 days ago by Argyle13@lemmy.world to c/opensource@lemmy.ml

79 comments fedilink hide all child comments

Pay securely with an Android smartphone, completely without Google services: This is the plan being developed by the newly founded industry consortium led by the German Volla Systeme GmbH. It is an open-source alternative to Google Play Integrity. This proprietary interface decides on Android smartphones with Google Play services whether banking, government, or wallet apps are allowed to run on a smartphone.

you are viewing a single comment's thread
view the rest of the comments

[-] gandalf_der_12te@discuss.tchncs.de 6 points 1 day ago

i'm just guessing here but i think that the critical requirements to be able to run banking apps securely on your smartphone are:

lockable/unlockable bootloader
quality control of the operating system to make sure it doesn't contain malware/spyware
internet connection & open-protocol banking network

the first two parts are general smartphone/laptop security and operating system integrity, which can only be done through hardware/general software developers. Like i think we need reliable hardware manufacturers but also institutions that check that open source software doesn't contain malware. Like when you run apt install some-package who says that some-package doesn't contain malware?

The third one is the only part that is actually specific to banking. That's a whole separate topic and has barely anything to do with the first two steps.

[-] grue@lemmy.world 8 points 23 hours ago* (last edited 23 hours ago)

Like when you run apt install some-package who says that some-package doesn’t contain malware?

The Debian (or Ubuntu) package maintainer says that. Having an application package available in a distro's official repository is an endorsement of the safety of that package.

This is something people need to appreciate before they go adding PPAs and flatpaks and whatnot willy-nilly.

[-] gandalf_der_12te@discuss.tchncs.de 1 points 23 hours ago

interesting.

[-] WhyJiffie@sh.itjust.works 1 points 17 hours ago

quality control of the operating system to make sure it doesn't contain malware/spyware

if uou l9ok around, you should see that is not a requirement

[-] rumba@lemmy.zip 2 points 22 hours ago

lockable/unlockable bootloader

quality control of the operating system to make sure it doesn’t contain malware/spyware

#1 without #2 is unsafe.

#2 doesn't exist in android because of apps and vulnerabilities

Apple at least makes a good run at it.

Part of androids locking shit down is to try to make their own run at it.

I honestly think we're all just going about it wrong. Make a new physical sim that is unclonable, undumpable, ultimately secure. Have it key sign financial transactions require a pin and have a physical button. If you don't touch the button and have the pin, it won't process a transaction.

[-] HubertManne@piefed.social 1 points 21 hours ago

I often wonder why physical authentication devices can't just be a usb storage device with a physical read only switch. The user keeps it read only except when interacting to add an authetication with a provider. Of course ideal it would be in person and all services would have physical locations.

[-] rumba@lemmy.zip 1 points 21 hours ago

Read only doesn't cover what's needed. You need something that holds a keys that cannot be extracted. Ideally, the institution sends it a challenge, it signs the challenge and returns it. You need the keys not to be retrievable.

[-] MonkderVierte@lemmy.zip 3 points 1 day ago* (last edited 1 day ago)

I can shop online on a fucking toaster.

[-] gandalf_der_12te@discuss.tchncs.de 2 points 1 day ago

hmm do you have a link to the product?

[-] MonkderVierte@lemmy.zip 6 points 22 hours ago* (last edited 22 hours ago)

What i wanted to say: a webshop having poor safety standards, can cost a honest customer 1000s. But nobody makes much security theater there. But for banks, you suddenly have to be not rooted, allow a virus scan, have a locked bootloader, best a face scan and a chip implant too. Despite banking apps using webview too.

[-] gandalf_der_12te@discuss.tchncs.de 5 points 22 hours ago

yeah well it's all about who carries the risks i'd say. i think that if you're willing to take the risk yourself, you should be allowed to install a banking app on any device. just beware the risk, and you need to be warned about those.