Pay securely with an Android smartphone, completely without Google services: This is the plan being developed by the newly founded industry consortium led by the German Volla Systeme GmbH. It is an open-source alternative to Google Play Integrity. This proprietary interface decides on Android smartphones with Google Play services whether banking, government, or wallet apps are allowed to run on a smartphone.



I’m just guessing here but I think that the critical requirements to be able to run banking apps securely on your smartphone are:
The first two parts are general smartphone/laptop security and operating system integrity, which can only be done through hardware/general software developers. Like I think we need reliable hardware manufacturers but also institutions that check that open source software doesn’t contain malware. Like when you run
apt install some-package
who says that some-package doesn’t contain malware?
The third one is the only part that is actually specific to banking. That’s a whole separate topic and has barely anything to do with the first two steps.
#1 without #2 is unsafe.
#2 doesn’t exist in android because of apps and vulnerabilities
Apple at least makes a good run at it.
Part of Android’s locking shit down is to try to make their own run at it.
I honestly think we’re all just going about it wrong. Make a new physical SIM that is unclonable, undumpable, ultimately secure. Have it key-sign financial transactions, require a PIN, and have a physical button. If you don’t touch the button and have the PIN, it won’t process a transaction.
I often wonder why physical authentication devices can’t just be a USB storage device with a physical read-only switch. The user keeps it read-only except when interacting to add an authentication with a provider. Of course ideally it would be in person and all services would have physical locations.
Read-only doesn’t cover what’s needed. You need something that holds keys that cannot be extracted. Ideally, the institution sends it a challenge, it signs the challenge and returns it. You need the keys not to be retrievable.
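The challenge-response flow described in that comment, as an added example that is not from the thread: the Authenticator and Institution types are hypothetical stand-ins (a token that generates its key pair internally and exposes only a Sign method, and a bank that enrols the public half), and each challenge is single-use so a captured response cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Authenticator stands in for the token (hypothetical name); priv is unexported and never returned.
type Authenticator struct{ priv ed25519.PrivateKey }

// NewAuthenticator generates the pair inside the token; only the public half leaves it.
func NewAuthenticator() (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, pub, nil
}

// Sign answers a challenge with the non-extractable key.
func (a *Authenticator) Sign(challenge [32]byte) []byte { return ed25519.Sign(a.priv, challenge[:]) }

// Institution is the bank side: the enrolled public key plus issued, unused challenges.
type Institution struct {
	Enrolled ed25519.PublicKey
	Pending  map[[32]byte]bool // challenge -> issued and not yet consumed
}

// NewChallenge issues a fresh random nonce and records it as not yet used.
func (s *Institution) NewChallenge() ([32]byte, error) {
	var c [32]byte
	if _, err := rand.Read(c[:]); err != nil {
		return c, err
	}
	s.Pending[c] = true
	return c, nil
}

// Verify consumes the challenge before checking the signature, so a replayed response fails.
func (s *Institution) Verify(challenge [32]byte, sig []byte) error {
	if !s.Pending[challenge] {
		return errors.New("challenge unknown or already used")
	}
	delete(s.Pending, challenge) // consumed even if the signature turns out bad
	if !ed25519.Verify(s.Enrolled, challenge[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}
```

A real token would hold the private key in tamper-resistant hardware; here the Go type only enforces that no caller can read it.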
The Debian (or Ubuntu) package maintainer says that. Having an application package available in a distro’s official repository is an endorsement of the safety of that package.
This is something people need to appreciate before they go adding PPAs and flatpaks and whatnot willy-nilly.
interesting.
I can shop online on a fucking toaster.
hmm do you have a link to the product?
What I wanted to say: a webshop having poor safety standards can cost an honest customer 1000s. But nobody makes much security theater there. But for banks, you suddenly have to be not rooted, allow a virus scan, have a locked bootloader, best a face scan and a chip implant too. Despite banking apps using webview too.
Yeah well it’s all about who carries the risks I’d say. I think that if you’re willing to take the risk yourself, you should be allowed to install a banking app on any device. Just beware the risk, and you need to be warned about those.