I just had an encounter of the turd kind with a banking app that I want to share.

I’m in the process of migrating to a new degoogled phone (GrapheneOS) and upon installing the app in question via Aurora Store, it gave me an error message, saying it had not been installed from a “trustworthy” source. It would, therefore, refuse to start and tell me to install it from the Play Store. (For anyone curious: it’s the Consorsbank app, and the issue is well-known at this point.)

In spite of being on GOS, I was faced with the prospect of

  • installing Play Services Framework (sandboxed or not, I don’t want that shit)
  • installing the Play Store (sandboxed or not, I don’t want that shit)
  • logging in to the Play Store (I definitely don’t want that shit!)

only to run a damn app.

I eventually used USB-debugging and ADB to trick the app into thinking it had been installed from the Play Store. LINK to the ADB command, translated into English

So even though everything is running fine now, this doesn’t feel like a victory. For the first time in a long while, I feel I have come head to head with a piece of tech that was not just maladapted for my janky way of running things and just needed some tinkering. This was outright malicious, refusing operation and trying to force me to use services I want nothing to do with. It only gave me the option to either give in or walk away and stop using their services. Now, I don’t mind doing that for non-essential things. I don’t have big tech-owned messengers, I don’t have social media (save Lemmy) and all the other stuff people these days feel they cannot live without.

Banking, however, is a different kind of beast. Banking is essential. Second factor authentication is usually done via apps these days. And if this kind of thing becomes normal for banking apps, and Google keeps locking down Android so hacks like the above won’t be accessible any more, things are looking grim.

Tonight has left me with more questions than answers. Is Android still the ‘right’ ecosystem? What are the alternatives if this thing becomes more widespread? How do we combat this? Put pressure on banks to keep technologies open? Revert to physical second factor generators, until those become phased out by banks as well?

  • IratePirate@feddit.org (OP) · 5 upvotes · 21 hours ago

    And it keeps coming back to having to use a separate device for such apps.

    Frankly, I don’t see how that improves security or privacy over putting your banking apps (and all the yucky Google software) in a different user profile, separate from all of your more sensitive stuff.

    Also, shelling out another $500 for yet another device you’ll be lugging around just to have compartmentalisation - isn’t that still giving up and accepting their demands to use their services on their terms? Personally, I don’t want my bank to be able to soft-pressure me into using Google services. I don’t want companies and countries to just assume and accept Google’s monopoly. I don’t want essential functionality like banking to get even more dependent on American big tech, at a time where it has become painfully obvious that this dependence exposes us to the most vile forms of extortion. I want to get away from that. And I want us all to get away from that.

    • monovergent@lemmy.ml · 3 upvotes · 19 hours ago

      It is bad. We should fight against the corporations and agencies that want to strip us of our privacy, and avoid using services that insist on invasive measures whenever possible. But the way things are going, especially living in the US, does not exactly inspire my optimism and my mind wants some certainty against all the what-if scenarios. Perhaps I should frame the separate device solution as my stopgap if we reach “rock bottom”?

      I won’t pretend to be an expert on how much isolation a separate device provides over a user profile, but it does give me peace of mind in the case of my work phone, which I only have powered up at the workplace and never connect to the same network as my other devices. Not everyone has the privilege, but I repurposed my old phone which otherwise would have sat idle for this purpose.