
Unfortunately, even if LOS supports my device (it does), it's not a viable solution anymore for me as a primary smartphone OS (even though I really appreciate some of its features -- used it for years on previous phones) due to SafetyNet.

- Google Pay will stop working.
- My banks' (multiple) primary apps and pushTAN solutions will stop working.

and that's two of the most important things I use my phone for nowadays. (Forced) bank MFA and payments. Also for voluntary MFA with andOTP of course, because I'm not against MFA, just idiotic pushTANs.

Ironically, devices which haven't had security fixes in 1 year (thanks for nothing, Sony) will also pass SafetyNet, and the mentioned apps' vendors will still deem them "secure".

Android security past device release remains a joke. Solutions like LOS exist to keep devices running well past the pitiful life span OEMs allow for, but they have become unviable.



> Ironically, devices which haven't had security fixes in 1 year (thanks for nothing, Sony) will also pass SafetyNet, and the mentioned apps' vendors will still deem them "secure".

Yeah, that's what always got me - they'll act like rooting your phone or installing a custom ROM makes it "insecure", but then turn around and act like a phone is secure running an arbitrarily old stock ROM that's little more than a pile of known vulnerabilities. I even hit this with a company I worked for - they could not grasp the idea that my phone with a current patch level could possibly be safe, because I had root on it... while seeing no problem with my having root on my company laptop and all of our servers. Yeesh.


On some phones we can pass the SafetyNet test by using Magisk. Enable Magisk Hide for the apps that use SafetyNet. Sometimes you also need to add the Phone app to Magisk Hide (not sure why) and/or "hide" the Magisk app with the built in toggle.

Obviously it's not something everyone wants to deal with, but both my banking app and Google Pay work on my Asus Zenfone 6.


Fellow Zenfone 6 user here. Are you running LineageOS or another rom? How are you finding it?


How long until Magisk Hide doesn't work anymore, though?


I could be a weird outlier here, but smartphones are now cheap enough that I carry 2 (used to have 3 but I dropped one of them and smashed the screen). This means I can physically separate applications, plus run Lineage on one of them with "real" Android on the other. The newest phone I have is some Honor (Huawei) phone that cost £130.


What benefit does this restrictive bank offer over, say, a credit union? Or another big bank without this app requirement?


There are two such methods left in Germany, chipTAN and photoTAN, which (can) use separate, external generator devices which you can buy. If you have multiple banks however, like I do, it's mix'n'match. The last method left is smsTAN, which is insecure by default, and it's the first being phased out right now.

The move towards more elaborate TAN setups is due to PSD2 EU regulations; banks usually choose the way their lawyers deem watertight and product management considers acceptable in terms of cost, although especially on the lawyer side, interpretations of current law still differ. Which results in different PIN/TAN flows even between the major players at the moment.


In many countries, all banks are moving towards apps that require Google Play Services and passing SafetyNet. (And a diverse ecosystem of "credit unions" is a USA-specific thing.) Banks are phasing out other means of 2FA like code cards or code calculators, and expecting all customers to have an Android or Apple phone.


I’m not sure credit unions’ tech is diverse, anyway. I’ve noticed some of their online banking sites look like different themes of the same software. So it wouldn’t surprise me if the apps are the same, so eventually the base vendor will push SafetyNet or w/e and all credit union apps will then require it.


That's obviously a stupid move by those banks. And if you think so too, you should point it out to them. Your bank is unlikely to read HN (hah!), but they are commercial institutions and some of them might even listen to their customers.


No, this was actually a pretty reasonable and expected move on the part of the banks. They realized that providing code cards or code calculators to customers represented an expense that very few customers in our modern age were taking advantage of, and so they discontinued those programs. I love my LineageOS Android phone and I also own a PinePhone now, but come on, let's be reasonable and admit that we are so tiny a minority of customers that we don't matter to banks.


Sure, it's an expense, but it's one that provides actual security. Instead of this "it runs on a phone and google says it's secure"-nonsense. Banks know people's phones rarely get updated.

When I started using online banking in what must have been 1997 or so, I accessed the bank using a browser, client side certificate and a passphrase. It seems like ever since then, security has steadily declined in favour of "ease of use". Which rubs me the wrong way, because we really should have increased the ease of use of security instead!


Fortunately my bank app & Revolut works on my Lineage OS phone. Google Pay won't work tho. I use Lineage for MicroG, so I can even install apps from Play store. I wouldn't be able to use LOS without it.


Indeed. It's not even just banking apps - even my TSP's app refuses to run on my Samsung phone now that I have tripped its Knox counter. It's just a lazy and convenient approach to prevent tampering.


Very much OT, but maybe it’s worth a shot... I wasn’t able to do a full backup of my Galaxy (encrypted, stock, unrooted) so installed TWRP. Now I’m stuck in the infamous boot loop and can’t get out. Knox is tripped. I kind of really need to get in to get some files in there. Should have known better but it’s a bit frustrating that it was precisely trying to perform a backup that made this happen. Can’t find stock firmware anywhere and even if I did I’m not sure if it’s possible to flash it without wiping ...

I don’t suppose anything rings a bell?


Sorry to hear that, I've been in the same situation too many times now. Yeah, recovering your files at that stage is very likely impossible.

You can get your stock firmware easily though, with any of these tools:

Frija (GUI, recommended): https://forum.xda-developers.com/t/tool-frija-samsung-firmwa...

Samloader: https://forum.xda-developers.com/t/tool-samloader-samfirm-fr...

samfirm.js: https://github.com/jesec/samfirm.js


Dang it. Thanks for taking the time to reply!



