this post was submitted on 11 Jan 2025
87 points (100.0% liked)

GrapheneOS [Unofficial]

1830 readers
28 users here now

Welcome to the GrapheneOS (Unofficial) community

This feed is currently only used for announcements and news.

Official support available on our forum and matrix chat rooms

GrapheneOS is a privacy and security focused mobile OS with Android app compatibility.

Links

More Site links

Social Media

This is a community based around the GrapheneOS projects including the hardened Android Open Source Project fork, Auditor, AttestationServer, the hardened malloc implementation and other projects.

founded 3 years ago
MODERATORS
KindnessInfinity@lemmy.ml
maade@lemmy.ml
akc3n@lemmy.ml
treequell@lemmy.world
87
GrapheneOS Play Integrity Usage Notifications Coming Soon (grapheneos.social)
submitted 1 week ago by KindnessInfinity@lemmy.ml to c/grapheneos@lemmy.ml
11 comments fedilink hide all child comments
 

We've implemented a system for notifying users when apps use the Play Integrity API. This will help users determine which apps are banning using a non-stock OS. Some of these will still work if they only enforce basic integrity rather than requiring a Google certified device running the stock OS.

Using Play Integrity is an incredibly anti-privacy and anti-security practice despite being wrongly portrayed as a security feature. The notification will include a link for leaving a rating and review for the app via sandboxed Play Store to make it very convenient for people to send complaints.

App developers can implement support using standard hardware-based attestation and allowlist the GrapheneOS signing keys if they insist on checking device integrity. There's a guide for this at https://grapheneos.org/articles/attestation-compatibility-guide. There's no good excuse for only permitting a device/OS licensing GMS.

Most apps using the Play Integrity API are enforcing the device integrity level. This enforces having a device licensing Google Mobile Services with the stock OS. It has no issue with a device behind on patches by a decade. Strong integrity level checks for the same thing via hardware attestation.

We may also add a way to block the Play Integrity API with a per-app toggle if we determine this helps improve compatibility due to some apps still having a fallback to other approaches. Spoofing device integrity level is possible but increasingly problematic and will get worse.

you are viewing a single comment's thread
view the rest of the comments
[–] highduc@lemmy.ml 22 points 1 week ago (3 children)

I'm glad they're trying to fight it, because if banks apps enforce "play integrity" I'm guessing that'll be a nail in the coffin for Graphene.
With the reviews however I don't think we'll be able to make much of an impact. Revolut already has 1 star from me, can't give it any fewer I'm afraid.
And I think so few people use Graphene that the banks can just ignore us.

[–] sic_semper_tyrannis 14 points 1 week ago (3 children)

I've been using GrapheneOS for a few years now and simply log into my bank via my web browser. Sure I can't depoit checks remotely but I don't understand why this is such a deal breaker for people

[–] unskilled5117@feddit.org 12 points 1 week ago* (last edited 1 week ago) (1 children)

I don‘t know where you are from, but the EU requires banks to use 2FA for login even via a browser. This is commonly implemented via a banking app, where you grant permissions for login/payments. So it is a huge dealbraker when those apps are not working on GrapheneOs

And before anyone goes blaming the EU as it‘s fashionable right now: mandatory 2FA for banks is a good idea, this is entirely Googles and the banks fault.

[–] sic_semper_tyrannis 3 points 1 week ago (1 children)

Is the 2FA a ToTP? Here in the US it seems like most banks use SMS 2FA which is terrible. You say you can still use the 2FA on the web browser so that doesn't make sense to me why it's a deal breaker.

[–] unskilled5117@feddit.org 4 points 1 week ago (1 children)

The second factor is the app on your phone. It‘s not Totp. When you log in somewhere or make a transaction it will send a notification to the app asking you to confirm.

When you open the bank account you get a letter with a code to register in the app, which authorizes it to receive the notification.

[–] sic_semper_tyrannis 3 points 1 week ago

Gotcha. That's unfortunate

[–] propter_hog@hexbear.net 8 points 1 week ago (1 children)

It's a big deal breaker when your bank is online only. Mobile deposit is the only way I can make a deposit.

[–] ParetoOptimalDev 3 points 1 week ago

Move banks, leave feedback why you left.

[–] piracysails@lemm.ee 6 points 1 week ago

My bank removes features from the website and only makes them available through the app.

[–] monovergent@lemmy.ml 3 points 1 week ago

My plan if something like that happens to me is to get a normie Android with a removable battery (like the Samsung xcover pro) and only ever power it on if I need to use those apps. Granted, not everyone wears pants with 6 pockets.

[–] KindnessInfinity@lemmy.ml 1 points 1 week ago

Let's hold out hope that the banks or those who they get their libraries from will move towards officially supporting GOS or stopping with Play Integrity