Pay securely with an Android smartphone, completely without Google services: This is the plan being developed by the newly founded industry consortium led by the German Volla Systeme GmbH. It is an open-source alternative to Google Play Integrity. This proprietary interface decides on Android smartphones with Google Play services whether banking, government, or wallet apps are allowed to run on a smartphone.
Furthermore, a peer review process is planned, through which the consortium members will mutually check and certify their operating systems and smartphone or tablet models. “This is intended to create transparency and replace trust with traceability.”
Still doesn’t sound very open.
I should be able to tell my bank to only trust devices running an OS signed by the grapheneos key, and more importantly I should be able to tell them to trust an OS signed by my key.
Edit: I don’t mean to shit on this too hard. It might be the best next step.
I don’t get why it has to be that complicated anyway. I should be able to just give them my key, why does an OS or device vendor need to be a part of it? When I get a card I need to verify my identity somehow; in times past that was me going to the bank, signing a form and showing my ID card. Fucking Tim Apple or Satya McGoogle didn’t have a role in that, why should they now?
Sidenote; I know Satya Slopella is Microsoft but I don’t frankly care to learn what the pedo in charge of Google is called.
I should be able to tell my bank to only trust devices running an OS signed by the grapheneos key, and more importantly I should be able to tell them to trust an OS signed by my key.
How do you know that your OS installation doesn’t include malware? Like there have been many cases in the last few years where npm modules were found to contain malware. Who says that’s not also the case in some modules that are a part of your OS? And more importantly, who is legally liable if malware actually does cause harm? E.g. malware acts on your behalf and sends your money to some criminal organization. Not only did you lose money, but now you’re a suspect of supporting a criminal organization!
Of course that issue might be alleviated if you simply don’t have any money to send anywhere in the first place. That might be a viable alternative, but it only works for some people, I’d say. Or you could also set a daily transaction limit of say $100 that you can use to buy groceries, to limit your losses that way. The limit ofc cannot be changed from your phone alone, you need to go to a bank physically to change it or sth. Otherwise malware could again change it on your behalf.
And who guarantees that your PC doesn’t have malware?
Seriously, people will gobble up all the shit served to them without a question asked or giving it a second thought.
GrapheneOS is critical of this initiative here and I think their criticism has merit. This simply moves the gatekeeper from Google to a handful of OEMs who won’t let you use anything other than their blessed OS’s.
Has the GrapheneOS team ever, once, been supportive of ANY other custom ROM initiative? I ask this as someone with both a GOS Pixel 10 and a Fairphone 6 running /e/ on my desk this week.
For as good as their security approach is, their constant shit talking of others also making efforts to free us from big tech helps no-one.
Oh the irony of using the phrase “blessed OS’s” coming from the GOS camp.
I wouldn’t characterize myself as “the GOS camp” (I use LineageOS), I just happen to agree with them sometimes, and this is one of those times.
I do imagine this response is to some degree influenced by their beef with /e/ (an OS I don’t have a high opinion of either, but for other reasons). It just seems to me that people see “not google” and think it’s a good thing, but a gatekeeper determining which OS you are allowed to use with what apps is fundamentally a bad idea even if it’s not google.
I don’t think I understand this. I don’t actually want to pay with my phone, so that’s a non-problem to me, but when I can access my bank with a browser on any PC in the world, why do they need attestation on a mobile? I don’t see why the requirement is inconsistent.
I think it’s rather about NFC-powered (i.e. “tap your phone”) payments. These are automatic, which comes with different security issues.
Seems like a strong argument for dedicated hardware to me. Something card shaped 😉
I’m just guessing here but I think that the critical requirements to be able to run banking apps securely on your smartphone are:
- lockable/unlockable bootloader
- quality control of the operating system to make sure it doesn’t contain malware/spyware
- internet connection & open-protocol banking network
The first two parts are general smartphone/laptop security and operating system integrity, which can only be done through hardware/general software developers. Like I think we need reliable hardware manufacturers but also institutions that check that open source software doesn’t contain malware. Like when you run apt install some-package, who says that some-package doesn’t contain malware?
The third one is the only part that is actually specific to banking. That’s a whole separate topic and has barely anything to do with the first two steps.
I can shop online on a fucking toaster.
hmm do you have a link to the product?