I just had an encounter of the turd kind with a banking app that I want to share.

I’m in the process of migrating to a new degoogled phone (GrapheneOS) and upon installing the app in question via Aurora Store, it gave me an error message, saying it had not been installed from a “trustworthy” source. It would, therefore, refuse to start and tell me to install it from the Play Store. (For anyone curious: it’s the Consorsbank app, and the issue is well-known at this point.)

In spite of being on GOS, I was faced with the prospect of

  • installing Play Services Framework (sandboxed or not, I don’t want that shit)
  • installing the Play Store (sandboxed or not, I don’t want that shit)
  • logging in to the Play Store (I definitely don’t want that shit!)

only to run a damn app.

I eventually used USB-debugging and ADB to trick the app into thinking it had been installed from the Play Store. LINK to the ADB command, translated into English

So even though everything is running fine now, this doesn’t feel like a victory. For the first time in a long while, I feel I have come head to head with a piece of tech that was not just maladapted for my janky way of running things and just needed some tinkering. This was outright malicious, refusing operation and trying to force me to use services I want nothing to do with. It only gave me the option to either give in or walk away and stop using their services. Now, I don’t mind doing that for non-essential things. I don’t have big tech-owned messengers, I don’t have social media (save Lemmy) and all the other stuff people these days feel they cannot live without.

Banking, however, is a different kind of beast. Banking is essential. Second factor authentication is usually done via apps these days. And if this kind of thing becomes normal for banking apps, and Google keeps locking down Android so hacks like the above won’t be accessible any more, things are looking grim.

Tonight has left me with more questions than answers. Is Android still the ‘right’ ecosystem? What are the alternatives if this thing becomes more widespread? How do we combat this? Put pressure on banks to keep technologies open? Revert to physical second factor generators, until those become phased out by banks as well?

  • IratePirate@feddit.org (OP) · 16 upvotes · 3 days ago

    I need the app for 2FA. I have yet to encounter a bank that will accept TOTP for 2FA. Where I am, all banks use either pushTAN (through proprietary mechanisms, yuck) or SMSTAN (double-yuck). If I could use TOTP/Aegis for 2FA with my bank, I’d have spared you my OP. 😎

    • XLE@piefed.social · 5 upvotes · 3 days ago

      Really living up to your full name between this post and comment. I’d be hopping mad if I needed a Google-sanctioned device to access my bank too! It doesn’t even work from a desktop?!

      • IratePirate@feddit.org (OP) · 4 upvotes · 3 days ago

        Nope. While asking for a second factor is the sane thing to do for something as sensitive as banking, banks around here do not offer TOTP. (I’d LOVE to have that in my KeePass the way you seem to have; care to share where/which banks do that?)

        Some banks here do offer a physical device as a fall-back for old people without a smartphone. These are basically just token generators or primitive code scanners. I’ve considered going full “old man yelling at clouds” and getting one of these. But then it’ll live in my drawer and I just know there will be situations where I urgently need it and not have it on hand.

        • XLE@piefed.social · 3 upvotes · 3 days ago

          Personally I think you should go “old man yells at clouds” at them, but maybe those devices have a keychain ring on them? Make it slightly less painful if you do?

          Heck, maybe you can have both at once

          • IratePirate@feddit.org (OP) · 3 upvotes · 3 days ago

            I’ve made it work for now. If they terminally break it, I’ll probably switch banks, and let them know exactly what broke the camel’s back for me. But if all of them start doing it, I’ll have to do it like gampa. ;)

    • sem@piefed.blahaj.zone · 4 upvotes · 3 days ago

      Thank you so much for the details! So many of us keep hearing that people need bank apps to work and I have always been curious for the technical details.