I’m lucky my banking app works (GrapheneOS), as it’s now requiring 2FA with the app anytime I login on the browser. Can’t use an actually secure form like TOTP. At least they now allow passwords over 8 characters (yes, serious).

(Meme in comments)

  • vodka@lemm.ee
    link
    fedilink
    English
    arrow-up
    27
    arrow-down
    2
    ·
    9 months ago

    The app for my bank DNB (Norway) doesn’t work on my LineageOS phone, but it works on my GrapheneOS phone. I wonder if they’ve added the graphene keys, because it just suddenly started working a while ago, though might be some GrapheneOS magic

    • Chewy@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      38
      arrow-down
      1
      ·
      9 months ago

      The hardware attestation feature is part of the Android Open Source Project and is fully supported by GrapheneOS. SafetyNet attestation chooses to use it to enforce using Google certified operating systems. However, app developers can use it directly and permit other properly signed operating systems upholding the security model. […] Direct use of the hardware attestation API provides much higher assurance than using SafetyNet so these apps have nothing to lose by using a more meaningful API and supporting a more secure OS.

      https://grapheneos.org/usage#banking-apps

      My banking apps work on GrapheneOS, so I guess they are using hardware attestation instead of SafetyNet. LineageOS won’t pass hardware attestation because it doesn’t support locked bootloader.

    • cyberwolfie
      link
      fedilink
      English
      arrow-up
      4
      ·
      9 months ago

      In what way does it fail on Lineage? My local banking app fails on CalyxOS - seems to pass the security checks (judging from init messages when opening the app), but get a nondescriptive error when trying to log in.

        • cyberwolfie
          link
          fedilink
          English
          arrow-up
          2
          ·
          9 months ago

          Ah, then there could be a different issue with my banking app. Maybe there’s a hope I can solve it then. I just assumed it the custom ROM that was the issue. Then again, maybe they just don’t bother letting me know the reason… :)

          • vodka@lemm.ee
            link
            fedilink
            English
            arrow-up
            2
            ·
            9 months ago

            It used to be possible (probably still is) to use magisk to get around it for my bank, but I stopped caring after the EU did some laws forcing interoperability between banks so I can just use my other banks app to access the accounts for that bank.

            Might be worth looking into!

    • uzay@infosec.pub
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      2
      ·
      edit-2
      9 months ago

      LineageOS doesn’t spoof safetynet and play integrity, GrapheneOS does afaik. So that’s most likely the reason

      See below

      • vodka@lemm.ee
        link
        fedilink
        English
        arrow-up
        7
        ·
        9 months ago

        GrapheneOS doesn’t either. It does Android Hardware Attestation instead of SafetyNet. It has never, and will never spoof SafetyNet.