Revolut, McDonald's, and Authy have banned the use of GrapheneOS.
Revolut, McDonald's, and Authy have banned the use of GrapheneOS.
Guide on using remote attestation in a way that's compatible with GrapheneOS.
cross-posted from: https://slrpnk.net/post/15995282
Real unfortunate news for GrapheneOS users as Revolut has decided to ban the use of 'non-google' approved OSes. This is currently being posted about and updated by GrahpeneOS over at Bluesky for those who want to follow it more closely.
Edit: had to change the title, originally it said Uber too but I cannot find back to the source of ether that's true or not..
Google has ruined Android by closing it up.
EU needs to step in and force Google to open it up.
While at it, go for Apple's monopoly as well.
I don't think it's a coincidence that the shittiest companies are those, who enforce Google's broken and monopolistic "Play Integrity" API. Revolut has connections to Russia, McDonalds supports the Israeli genocide in Palestine and Authy has always just been a massive piece of shit, not even allowing users to export their TOTP seeds. These are three companies I would NEVER even consider using anyway.
And "Play Integrity" API actually does NOTHING, absolutely NOTHING for your security as an end user.
You use an outdated, unpatched Android version with multiple severe, publicly known exploits on an insecure device?
Google doesn't give a single fuck.
You use the newest version of Android with all the patches applied on Google's own hardware, with a locked boot loader and a hardened operating system?
That's not allowed by the "Play Integrity" API.
It's only purpose is to serve Google's monopolistic business interests.Hear hear!
Seems like my time to move away from Authy. Any drop in alternative for iOS? Ideally I could export services and load them back, not manually adding/removing 1 by 1. Even if I can't though, suggestion still welcomed.
Paid Bitwarden or self-hosted 2FAuth. Its very lean so you could probably do it on a free Oracle cloud VPS and never pay. Or put Vaultwarden on a PikaPod for very little money per month.
I swear I am so close to jumping into the void of mainline linux on phones.
The only main issue is device drivers, but I would be fine happily extracting them from android or making new ones. Modern Android is a complete full stack POS.
This is actually good, see it as an enrichment of your life. The only sad thing is Revolut though.
As an alternative to Authy I recommend Stratum (previously known as Authenticator Pro) https://apt.izzysoft.de/fdroid/index/apk/com.stratumauth.app
This due to its compatibility with Android wear (companion)
Can anyone who has used both Aegis and Stratum compare them?
Small OT: In the article it's mentioned also the app "IO" (italian for the english word "I"). There are also other important italian apps not working without play services. The serious thing is that that apps are almost mandatory to do the ordinary public administration bureaucracy. We can say that the italian state forces its citizens to use a smartphone with Google Play Services installed. This is no sense.
modern fascism in action... state and corporate fusion. however, WHY DA FAQ would Italian state do this for the benefit of a foreign corporation....
I get US part of NATO but wtf
The italian government is full of fascists at the moment, but for me its more like tech ignorant laws. To make an example this is a comment of mine about piracy shield; I think that story can well explain the ignorance of italian government in tech related stuff.
Oh great, I guess I'll have to change my payment info for everything now. Fantastic.
Authy has been utter garbage for a long time and if you ever needed a reason to migrate away then now is as good as ever.
Do you have a replacement you would recommend?
Well pick anyone listed in this AlternativeTo list but I recommend Aegis
Why would anyone load an app from McDonalds? You want to give them elevated access to your most personal data for a few dollars of coupons?
What are they taking from you that's worth more than the discounts they are giving you? Because they are definitely making a profit, or they wouldn't be doing it.
We are definitely in the era where people think discounts before user privacy. I bet most of people downloading the Mcdonald app do it exactly because of cheeper prices and easy of access.
just had medium fries and coke. i and many i know use the mc D app because of the discounts it gives when i order through my app.
just had medium fries and coke. i and many i know use the mc D app because of the discounts it gives when i order through my app.
just had medium fries and coke. many people i know, including myself, use the mcd app because of the discounts it offers when ordering through the app. however, i am under the impression that since i use an ios device and have the option to decline being tracked by the app—which i very eagerly press "no" to—i am on the safe side. am i?
just had medium fries and coke. i and many i know use the mc D app because of the discounts it gives when i order through my app.
This sounds like an antitrust legal problem...
The GrapheneOS team is already talking to regulators: https://grapheneos.social/@GrapheneOS/112539378681400395
Odd timing considering I've banned McDonalds, Revolut and Authy from my phone.
Just to be clear, they banned all custom roms, not only graphene.
It's crazy how they can just do illegal things because they have so much money...
Do I own my phone or not??
Most ROMs like LineageOS and CalyxOS drastically weaken the security of Android, so that would actually make sense. GrapheneOS has far better security than AOSP, the Stock Pixel OS, or basically every other version of Android that you would find pre-loaded on a device. https://grapheneos.org/features#exploit-protection
But like, why?
Fuxk u
He makes a solid point
Time to switch away from Auth I guess. Not even using GrapheneOS cause I have a Samsung phone, but this is not acceptable
Give Aegis a try, it is great.
Authy is no good anyway. Keeps codes hostage with no way to back them up. So many great open source alternatives
same. i wish i could run graphene or something similar on my moto G stylus. I wish my Pixel 6, 7 and 6a didnt all have defects. the 7 was my favourite.
This makes me want to use GrapheneOS more. If the dataminers don't want you to use it then it must be doing something right.
Too bad it only runs on Google's phones...
FYI, grapheneOS devs added a list of apps to their wiki:
https://grapheneos.org/articles/attestation-compatibility-guide#apps-banning-grapheneos
OK McDonald's, I will not use your most cost effective ordering method. I guess I will just have to order my 10 individually custom cheeseburgers at the counter instead. I might have to have e the order read back, and change my mind about a few burgers.
As a former employee... That does nothing. Crazies that spend 15 min to order some fries were common.
If you go at rush hour it can be annoying to the employee and other customers, but at the end of the day nobody will remember and you would have spent 20 min and 10 dollars (which is 9 dollars material profit for MacDonald).
Just. Don't. Go. To. Macdonald's.
Just. Don’t. Go. To. Macdonald’s.
Best advice on the menu
I don't know about other places but they haven't had a counter for years round here. They have big screens that you go up to to order and pay, then you get a number and pick it up when called. Even if you wanted to do this, no one is going to listen to you trying to order at the kitchen.
Entirely different country, but they still have a counter in addition to the screens; the counter is for when you want to pay cash
that's just screwing with the workers though, and the workers sure as hell is not going to get paid extra for your custom order
This viewpoint is so stupid.
The cashier is paid to take orders, whether they take 1 long obnoxious order or 3 small orders, it's the same shit.
People are so swept up in 'kindness and support' (internet circlejerking), they think that the fact you inconvenienced some 17 year old, representing a massive corporation, as a fuck you to the company that employs them, you've committed some moral sin against your fellow man.
Can Graphene add a feature to run in emulation mode to allow apps to believe it's on an unrestricted OS?
Unfortunately, this is probably because of the apps started using the Play Integrity API, which is a hardware-based attestation and can only be faked in two ways that GrapheneOS isn't interested in:
- you can fake an older device that didn't support hardware attestation yet, or had a broken implementation
- or you can try getting leaked vendor keys and emulate the crypto with those until they get revoked
This surprises me because McDonald's app is hands down the worst app I've ever encountered in the history of all Android apps.
It's is sluggish, ignores touches/taps half the time, doesn't adhere to Android best practices for flow, crashes a lot, errors a lot, etc.
But OK McDonald's. Fuck off.
It's almost as if a clown programmed it
I can add that it requires location permission (even when you attempt to search manually with zip or city). What a shitty, dystopian timeline we are experiencing when we're mandated to run privacy invasive spyware, just to get a fucking discount on nugs.
Would not updating Revolut keep the app compatible as long as you don't sign out?
If so, don't update the app and write down the build number of the last app version which worked on GrapheneOS. That way you would have a bit more time to sort things out.
They constantly force you to update or the app won't work. I was already having issues with Revolut on GrapheneOS so I just closed my account and switched to Wise. The Revolut app was a bloated mess anyway.
Yupp thinking about doing the same, but want to wait a little to see if wise decides to do the same..
Guess I'll have to follow suit, because I'd love to switch to graphene OS
McDonalds? Uber?
They both have fully functioning webapps btw.
Right people who install various apps like McDonalds apps etc, are these even typical to GrapheneOS users? I'd think most would avoid superfluous data stealing apps.
I've been thinking of switching the GrapheneOS. I certainly enjoy my privacy, and are taking steps to move to sources that don't harvest my data. Outside of YouTube and android I've completely degoogled myself, even replaced Maps with magic earth and OsmAnd. I even swapped full time to linux a handful of months ago as a gamer with a VR interest. But I'm not so hardcore to not use any service that might sell my data. I still use vanilla firefox, food ordering apps, and discord for example. So while I'm not someone who goes to extreme lengths to protect my data, moving over to GrapheneOS doesn't seem like a huge inconvenience compared to the gains you get.
Sorry but it seems I might have been mistaken by calling out Uber on this one. Thought i read about Uber during this but I cant find back to it. Have changed the title.
What do you mean webapp? Isn't the app that you install a webapp? And isn't a website not an app because you dont install it?
PWA - Portable Web App, Apple was going to make this the primary way to run apps but then decided an app store and private stuff was more profit and their support for it tends to be on the suckier side, but has gotten better over the years. You install a PWA in your browser by either "Install" or "Add to home screen" or something like that depending on browser and device being used.
This is very bad news, because this means any app that wants your data could do the same.
On the other hand, it makes it easy to find which apps aren't to be trusted with your data.
Also very obvious when an app or website have an US and an EU version. You just know they buttfuck the Americans because no rules.
Even Apple had to make two versions of iOS.
Maybe graphene will find a way into duping those apps to think you have a regular android phone?
Err, you could firewall an app from your data in Private Space or Shelter for older Android versions. That should work on any Android device.
the problem here is not the banks or apps, the problem is Google Play Integrity API, which is supposed to enforce to run apps in secured phones and it is used to ban secured ROMs such as GrapheneOS and it allows to run apps on outdated phones without security patches.
which is supposed to enforce to run apps in secured phones
The point of the Google Play Integrity API is to ensure that the user is not in control of their phone, but that one of a small number of megacorps are in control.
Can the user pull their data out of apps? Not acceptable. Can the user access the app file itself? Not acceptable. Can the user modify apps? Not acceptable.
Basically it ensures that the user has no control over their own computing.
If you install GrapheneOS, you do not need root, so GrapheneOS is in control of the phone not the user. The key here is if GrapheneOS is secure enough to be certified by Google Play Integrity API. is it security or other issue? perhaps Google is not supporter of FOSS ROMs, perhaps it is not fun of how GrapheneOS removes permissions to Google Apps, ...
If it is not security, this is a kind of monopoly to control which ROMs are allowed to run apps.
Can the user access the app file itself? Not acceptable
This is possible on any Android phone, no root or custom rom required
Oh, the banks and regulators are to blame. Especially in Europe.
Find me a PSD2 bank bank that doesn't require a phone number
In this case, thanks to regulation, it seems GrapheneOS team is talking with European Commission about this problem with Play Integrity API https://fosstodon.org/@[email protected]/113623767380032309 and the only hope is a movement of the regulator against this policy of Google.
Webapps everything you can like I do with Firefox and ublock origin. Fuck these assholes.
Not for Revolut. App only.
They do have a web app, it’s just very feature limited https://www.revolut.com/blog/post/introducing-the-revolut-web-app/
Can I simulate another OS environment for these kind of apps?
womp womp.
I can't prove it, but I'm 99% sure Lyft did the same thing. Had a perfect rating (and was even a driver at one point), and they banned me without explanation right after I switched to GrapheneOS.
Emailed them a few times asking for the reason, and they refused to tell me.
_"Legally, we cannot release any additional information except that we found your account to be violating our Terms of Service.
We will be in touch if we are able to reopen your account in the future."_
There's absolutely nothing else that they could've misconstrued as "violating the Terms of Service."
If Uber's going down the same path, no more ride-sharing for me I guess. ¯_(ツ)_/¯
Its machine learning fingerprinting. They lost the ability to fingerprint you, a flag was raised, and you're b&
When this happens to half your accounts, that's when you know you're winning at not being tracked
There's always traditional taxis I guess
There's no reason a company couldn't release the info legally unless it was under something like AML (anti money laundering) laws and you were flagged as a criminal. They legally can't disclose why in that case.
Using a different OS isn't reason enough, if they were telling the truth about the legal restrictions.
Uber still works under Lineage. Can't imagine what the heck they are trying to block
No idea. Gonna try to stick to the web app instead and hold off updating the native mobile app for as long as possible.
A valid excuse may be that they want to prevent GPS spoofing
Do the web apps not still work? I’ve booked Uber eats from a computer in the past, I’m imaging the phone browser version might still function. I don’t have lyft in my country to know tho.
I'll have to try next time and report back. Honestly don't use ride sharing too often. I prefer the train.
So, uh, the next version of GrapheneOS will probably come with some Android OS version spoofing tech that solves this - if there isn't something on F-Droid already.
I mean remote attestation is cryptographically secure (unless there's some temp implementation vulnerability).
Apparently, they don't need my business. Acceptable.
Well that's bad. I've been using revolut for years now.
Does anyone have a suggestion for a new bank that's operating under european law?
Most banks restrict custom ROM and root access devices for security purposes. Same with MFA apps. I get it. From an IT security perspective, restrictions on software compatibility limit the number of failure points. Even if you find a custom OS that is more secure as an OS, it is installed through opening up your device to security risk and there is no real requirement for you to close up that security risk afterward. My company has made the same choice to restrict supported platforms for our services.
McDonald's app restricting the OS is probably some security decision they made because it's more secure even when they probably don't need it though.
It's not your job to secure my device. It's your job to provide the service I'm paying you for.
N26 maybe?
Lol I spent a week going back and forth with Revolut support in august. I could sign into the app but it would always ask me for a "selfie" verification and every time support would say its a super dark selfie.
Eventually I decided to try a stock ROM and it just worked and I realised what was happening so I transferred all of my money out and deleted my account.
Most local banks here are terrible at making apps, some even require a separate device that looks like a calculator to use online banking, so hopefully they wont follow suit anytime soon
require a separate device that looks like a calculator to use online banking
To be fair this actually provides a very high level of security? At least in my experience with AIB (in Ireland) you needed to enter the amount of the transactions and some other core details (maybe part of the recipient's account number? can't quite recall). Then you entered your PIN. This signed the transaction which provides very strong verification that you (via the PIN) authorize the specific transaction via a trusted device that is very unlikely to be compromised (unless you give someone physical access to it).
It is obviously quite inconvenient. But provides a huge level of security. Unlike this Safety Net crap which is currently quite easy to bypass.
Those little boxes are just a bit of hardware to let the smartchip on the smartcard do what's called challenge-response authentication (in simple terms: get big long number, encode it with the key inside the smartchip, send encoded number out).
(Note that there are variants of the process were things like the amount of a transfer is added by the user to the input "big long number").
That mechanism is the safest authentication method of all because the authentication key inside the smartchip in the bank card never leaves it and even the user PIN never gets provided to anything but that smartchip.
That means it can't be eavesdropped over the network, nor can it be captured in the user's PC (for example by a keylogger), so even people who execute files received on their e-mails or install any random software from the Internet on their PCs are safe from having their bank account authentication data captured by an attacker.
The far more common
two-way-authenticationedit: two-channel-authentication, aka two-factor-autentication (log in with a password, then get a number via SMS and enter it on the website to finalize authentication), whilst more secure that just username+password isn't anywhere as safe as the method described above since GSM has security weaknesses and there are ways to redirected SMS messages to other devices.(Source: amongst other things I worked in Smart Card Issuance software some years ago).
It's funny that the original poster of this thread actually refuses to work with some banks because of them having the best and most secure bank access authentication in the industry, as it's slightly inconvenient. Just another example of how, as it's said in that domain, "users are the weakest link in IT Security".
In Germany they're called TAN generators if you want to learn more
Crazy how the response is to completely gaslight you about what the real issue is
That's pretty typical when its a low level machine learning algorithm that flagged the account. Usually the support rep legitimately doesn't know, and you'll get stuck in an infinite loop
fuk em keep using it
If you log out of your account it's said you can't log back in.
take your money over to their competitors
Is this not a sign of the true intentions on both sides of the dilemma here!?!?
Let us go to the end. We cannot afford to carry on in fear of these bans. Let the lines be neatly placed and the sides chosen wisely. If sustained profits are desired, the walled-gardens must come down.Vote with your dollar and vote again with your data. Wary, but never afraid is the motto privacy comrades!
Agreed. Leave immediately to other services, and tell them why you're leaving. It might not make a dent, but you'll be doing the right thing at least.
I use Authy under a separate work profile on graphene with no issues 🤔
I use Aegis.
But when did you set Authy up? I don't recall when Authy made the change, but it wouldn't kick you out. It would, however, prevent you from signing in a new device. So if you lose your phone, you might lose access to those tokens...
Oh ok. Yeah it was a while ago. Will have to switch to something else soon then.
Guess you won't be for much longer 🤷 I'd bare careful with logging out.
Revolut seems to continue working as of now on my PIxel 7. I'm transferring the money out just in case. Any idea when are they going to stop them from working?
Stops working if you log in and out of your account. At least this is what GrapheneOS folks stated on BlueSky.
Next update
Use the websites whenever you can. That's what I do at least. Although I had to stop using Lyft entirely, because they stopped supporting rides from their website apparently. And that leaves just Uber. I actually left my bank for a similar reason. It supported my phone just fine, and it worked without Google Play Services, but the website wouldn't let me do everything that the app would, and the app required that I have Aurora Store to download their banking app from the Google Play Store, and I wanted to get away from that, so I switched banks so that I could use the bank website instead. From what I can tell, you run into this kind of stuff a lot with FinTech apps. But if you use older banks, like Discover or Wells Fargo or things like that, they tend to work better. Maybe because they're not up with the newest technology, LOL.
Yeah Revolut is also the kinda app that is almost only a mobile app, not much you can do with their website, last i checked.
Correct. This is the reason not to use Revolut.
Choose Wise instead.
Revolut was the one I was looking at if I'd switch to Graphene.
lol, I've observed the same.
Fancy "Digital Wallet" thingy is absolutely decked out in Root detection, meanwhile my older, physical bank's app doesn't give a fuck.I've never been too fond on the idea of a 100% digital bank so no loss for me!
Banks seem to be hit or miss, happy that mine works. Would rather switch Banks than use a stock Rom, though.
All the Uber stuff works in Browser, both eats and their fake taxi stuff.
Not having a subtle reminder to eat at McDonald's is probably better for you.
Honestly, if your app could be a website, and includes services not on your website, fuck you, I'm gonna go to the competition.
man, and i was gonna switch to graphene this christmas. if every app can just ban my OS, i might have to rethink this. i would use the website but they restrict so many things to apps now…
Well, switching to GrapheneOS shows that you don't care what those companies do, and that you're willing to fight. It means those companies lose one more customer. The more people that use GrapheneOS, the more companies will be forced to support it.
I was about to switch bank because for a few days my current one (inadvertently) blocked it on grapheneOS. We sent them a few emails and they fixed in less than a week.
TBF, this is the first time I've encountered an app not working - and it was before this. It's just because of Google push towards monopoly via their Play Integrity API that's ruining this.
play "integrity" should be considered malware, any program that deliberately does something the user doesn't want it to should.
Use a browser like Native Alpha or Hermit, which present a website like an app.
And if you use Bitwarden/Vaultwarden for your passwords, it can be pretty seamless.
It always seems that with finance we take 2 steps forward and 1 step back. That's why Bitcoin will never stop existing.
Well, Google is known for destroying its opposition.
This has very little to do with Google. Custom OS's in general are being restricted by these apps, not Graphene in particular. All custom OS's and root access devices are inherently less secure, even if they are privacy focused OS's.
In IT this is called a zero trust. You don't trust anything you cannot verify yourself. And a user installed OS is not something anyone can verify other than the installing user. Obviously for your own security you have your own zero trust policy if you are using something like Graphene, but these companies aren't making it more secure for you as a user, they're covering their asses in case there are holes in security they cannot account for.
If a business makes it too difficult to use them I just use someone else. I'm sure they understand that but are making a killing at the expense of other people.
There will come a day when there are no alternatives. Ive hit this in many places (EU banks, dating sites, etc)
Their loss.
3 shites dropped.
I haven't switched my phone yet, but will do so soon. Does anyone have experience with compatibility layers on phone, akin to wine? I unfortunately cannot go without my public transport apps, and they're android or IOS only. I've looking into postmarket OS, but open for suggestions.
You can use Waydroid on PostmarketOS to install Android apps. It basically runs a full VM for you.
What public transport apps if I may ask? Most of Western Europe and especially Germany present no issues and even have OSS options, same with Finland.
Thanks for the input, i realise it's been a while since I checked this! ÖBB Scotty, ÖBB Tickets (could forgo this one) and SBB mobile. I also need Digitales Amt (official government app for things like signing contracts without printing them, ordering your election materials to a different address than usual, checking your medical info etc). Do you happen to know whether that would work?
I just switched, looks like uber is working for me
Wait until the next update.
I think we gonna start learning who actually can't handle not getting your data finally.
Also microg v sanboxed gps debate might get resolved
also as a former driver I just want to say DOWN WITH THEIR ECONOMIC TERRORISM!
I'm a microG guy, so I use Calyx. I wish graphene supported microG.
Uber driver
It stopped working in April or May I think so that's interesting
Anyone tried waydroid or android in an emulator for these type of apps ?
Oh yeah that's an insta-ban. And even the waydroid app devs say their security is atrocious and you shouldn't use it for banking.
The list of apps that want to invade your privacy populates itself?
Are there any checker apps to see which of user's installed apps have this? Looking up "Play Integrity API" only finds the checkers for the phone itself...
Just run PWA instead no?
It's a mobile app only. The web interface is strictly for managing your account, last I checked.
For Revolut? Unlikely, their website forces you into using the app.
The others sure, i guess, but i don't see the user overlap.