643
submitted 8 months ago* (last edited 8 months ago) by lseif@sopuli.xyz to c/android@lemmy.world

I'm lucky my banking app works (GrapheneOS), as it's now requiring 2FA with the app anytime I login on the browser. Can't use an actually secure form like TOTP. At least they now allow passwords over 8 characters (yes, serious).

(Meme in comments)

you are viewing a single comment's thread
view the rest of the comments
[-] vodka@lemm.ee 25 points 8 months ago

The app for my bank DNB (Norway) doesn't work on my LineageOS phone, but it works on my GrapheneOS phone. I wonder if they've added the graphene keys, because it just suddenly started working a while ago, though might be some GrapheneOS magic

[-] Chewy7324@discuss.tchncs.de 37 points 8 months ago

The hardware attestation feature is part of the Android Open Source Project and is fully supported by GrapheneOS. SafetyNet attestation chooses to use it to enforce using Google certified operating systems. However, app developers can use it directly and permit other properly signed operating systems upholding the security model. [...] Direct use of the hardware attestation API provides much higher assurance than using SafetyNet so these apps have nothing to lose by using a more meaningful API and supporting a more secure OS.

https://grapheneos.org/usage#banking-apps

My banking apps work on GrapheneOS, so I guess they are using hardware attestation instead of SafetyNet. LineageOS won't pass hardware attestation because it doesn't support locked bootloader.

[-] cyberwolfie@lemmy.ml 4 points 8 months ago

In what way does it fail on Lineage? My local banking app fails on CalyxOS - seems to pass the security checks (judging from init messages when opening the app), but get a nondescriptive error when trying to log in.

[-] vodka@lemm.ee 5 points 8 months ago

Just goes "app not supported on rooted devices"

[-] cyberwolfie@lemmy.ml 2 points 8 months ago

Ah, then there could be a different issue with my banking app. Maybe there's a hope I can solve it then. I just assumed it the custom ROM that was the issue. Then again, maybe they just don't bother letting me know the reason.... :)

[-] vodka@lemm.ee 2 points 8 months ago

It used to be possible (probably still is) to use magisk to get around it for my bank, but I stopped caring after the EU did some laws forcing interoperability between banks so I can just use my other banks app to access the accounts for that bank.

Might be worth looking into!

[-] uzay@infosec.pub 2 points 8 months ago* (last edited 8 months ago)

~~LineageOS doesn't spoof safetynet and play integrity, GrapheneOS does afaik. So that's most likely the reason~~

See below

[-] vodka@lemm.ee 7 points 8 months ago

GrapheneOS doesn't either. It does Android Hardware Attestation instead of SafetyNet. It has never, and will never spoof SafetyNet.

this post was submitted on 07 Mar 2024
643 points (96.0% liked)

Android

27940 readers
30 users here now

DROID DOES

Welcome to the droidymcdroidface-iest, Lemmyest (Lemmiest), test, bestest, phoniest, pluckiest, snarkiest, and spiciest Android community on Lemmy (Do not respond)! Here you can participate in amazing discussions and events relating to all things Android.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules


1. All posts must be relevant to Android devices/operating system.


2. Posts cannot be illegal or NSFW material.


3. No spam, self promotion, or upvote farming. Sources engaging in these behavior will be added to the Blacklist.


4. Non-whitelisted bots will be banned.


5. Engage respectfully: Harassment, flamebaiting, bad faith engagement, or agenda posting will result in your posts being removed. Excessive violations will result in temporary or permanent ban, depending on severity.


6. Memes are not allowed to be posts, but are allowed in the comments.


7. Posts from clickbait sources are heavily discouraged. Please de-clickbait titles if it needs to be submitted.


8. Submission statements of any length composed of your own thoughts inside the post text field are mandatory for any microblog posts, and are optional but recommended for article/image/video posts.


Community Resources:


We are Android girls*,

In our Lemmy.world.

The back is plastic,

It's fantastic.

*Well, not just girls: people of all gender identities are welcomed here.


Our Partner Communities:

!android@lemmy.ml


founded 1 year ago
MODERATORS