Comment by dijit

Comment by dijit 5 days ago

Unfortunately the parent commenter is completely right.

The attestation portion of those systems is happening on locked down devices, and if you gain ownership of the devices they no longer attest themselves.

This is the curse of the duopoly of iOS and Android.

BankID in Sweden will only run with one of these devices, they used to offer a card system but getting one seems to be impossible these days. So you're really stuck with a mobile device as your primary means of identification for banking and such.

There's a reason that general purpose computers are locked to 720p on Netflix and Disney+; yet AppleTV's are not.

yxhuvud 5 days ago

Afaik bankid will actually run as long as you can install play store (IE the device don't need Google certificate), which isn't great but a little bit better than what it could have been.

Reply View 5 replies

gcr 5 days ago

That can't be right. My onyx boox note air 2 eInk tablet lets me install the google play store by registering myself as an AOSP developer and enrolling my device's serial number or GSF identifier with Google using some Google Form that some android team somewhere's automated by now. The device has no hardware security features from what I can tell. There's no way this platform would pass muster with any bank.

Reply View | 4 replies
- VorpalWay 5 days ago
  
  At least BankId (digital ID thing in Sweden) and some of the Swedish banking apps don't care about if you are rooted on stock Android. I haven't tried custom ROMs in many years, but perhaps it is time for GrapheneOS these days.
  Now, if you want to use your phone as a debit/credit card substitute that is different (Google Pay cares, and I don't use it thus).
  Anyway, why should banking apps care? It is not like they care when I use the bank from Firefox on my Linux laptop.
  
  Reply View | 0 replies
- dotancohen 5 days ago
  
  I have the successor device, the Boox Note Air 2, and don't remember how I installed Google Play on it, it was so easy as to be not even notable. Though almost everything I use is available on F-Droid other than my fancy calendar and contacts applications.
  
  Reply View | 0 replies
- seba_dos1 5 days ago
  
  > There's no way this platform would pass muster with any bank
  "Any bank"? Although the bank I use locks NFC payments behind such checks (which is not a big loss since a physical debit card offers the same functionality), anything else still works otherwise. Most of the things are available through the website (which fits well on mobile too), and mobile BLIK payments can be done from the Android app which works inside Waydroid with microG.
  There's no reason other banks can't work the same way and it's outraging when they don't. Look around for a better bank.
  
  Reply View | 0 replies
- direwolf20 4 days ago
  
  The bank doesn't have to actually be secure, only tick certain boxes.
  
  Reply View | 0 replies

LtWorf 5 days ago

I just received by mail a card to replace my soon expiring one… (not a debt card, the one to do internet banking and so on).

However the problem is that A LOT of things only work with the mobile app.

Reply View 0 replies

ahepp 5 days ago

as you say, a lot of this stuff is already happening. Won’t it be good to have a FOSS attestation stack that breaks the iOS/android duopoly?

Reply View 19 replies

AnthonyMouse 5 days ago

Banks don't use these things because they provide any real security. They use them because the platform company calls it a "security feature" and banks add "security features" to their checklists.
The way you defeat things like that is through political maneuvering and guile rather than submission to their artificial narrative. Publish your own papers and documentation that recommends apps not support any device with that feature or require it to be off because it allows malware to use the feature to evade malware scans, etc. Or point out that it prevents devices with known vulnerabilities from being updated to third party firmware with the patch because the OEM stopped issuing patches but the more secure third party firmware can't sign an attestation, i.e. the device that can do the attestation is vulnerable and the device that can't is patched.
The way you break the duopoly is by getting open platforms that refuse to support it to have enough market share that they can't ignore it. And you have to solve that problem before they would bother supporting your system even if you did implement the treachery. Meanwhile implementing it makes your network effect smaller because then it only applies to the devices and configurations authorized to support it instead of every device that would permissionlessly and independently support ordinary open protocols with published specifications and no gatekeepers.

Reply View | 15 replies
- faust201 5 days ago
  
  Well summarised.
  Another point is (often )the apps that banks makes are 3rd party developed by outsourcing (even if within the same developed country). If someone uses some MiTM or logcat to see some traffic and publishes it then banks get bad publicity. So to prevent this the banks, devs tell anything that is not normal (i.e) non-stock ROM is bad.
  FOSS is also something many app-based software devs don't like on their products. While people in cloud, infra like it the app devs like these tools while developing or building a company but not when making end resulting apps.
  
  Reply View | 0 replies
- UltraSane 5 days ago
  
  Remote attestation absolutely provides increased security. Mobile banking fraud rates are substantially lower than desktop/browser banking fraud. Attestation is major reason why.
  I think ever compute professional needs to spend at least a year trying to secure a random companies windows network to appreciate how impossible this actually is without hardware based roots of trust like TPMs and HSMs
  
  Reply View | 7 replies
  
  garaetjjte 5 days ago
  
  >Attestation is major reason why.
  It's not. Mobile applications just don't have unrestricted access to everything in your user directory, attestation have nothing to do with it.
  
  Reply View | 6 replies
- mariusor 5 days ago
  
  Are you saying that attestation doesn't really provide any real security? Not even from the bank's point of view?
  
  Reply View | 5 replies
  
  AnthonyMouse 4 days ago
  
  If the user's device isn't compromised then everything is fine regardless of whether or not it can pass attestation. If the user's device is compromised, the device doesn't need to pass attestation to run a fake bank app and steal the user's credentials. Once the attacker has the user's credentials they can use them to transfer money regardless of whether or not they have to use a different device that can pass attestation.
  It doesn't really provide any security.
  On top of that, there are tons of devices that can pass attestation that have known vulnerabilities, so the attacker could just use one of those (or extract the keys from it) if they had any reason to. But in the mobile banking threat model they don't actually need to.
  
  Reply View | 4 replies
severino 5 days ago

Well, it depends. I can now do banking from my desktop computer because there is no way our banks can attest that we're running our browsers in their approved hardware+software stack. Of course they can already disable banking from the browser but if they choose to keep it open but require attestation in your browser when it becomes possible, I don't think it's a good thing.

Reply View | 0 replies
faust201 5 days ago

It would but how and who to run it? Ideally some one like Linux Foundation sits on the White house meetings or EU meetings. But they don't. Govts don't understand. I was once participating in a Youth meeting with MEPs - most of them have only iPhones. Most (not all) lawmakers live on a different planet.
Also IIRC, linux foundation etc are not interested in doing such standardisations.

Reply View | 0 replies
uecker 5 days ago

No

Reply View | 0 replies