@neil

Sure it didn't just say "itself" wasn't installed from an unofficial store?

It kinda sounds like the Play Integrity API - recently got a similar message from the eBay app... It totally blocked using it...
Until GrapheneOS introduced a toggle to disable it in app settings 🙂

Except for the bit about your banking app, referring to a specific other app? That part sounds.... Odd 😬

@neil

> My temptation to have a separate device solely for banking apps increases.

This is what I've done.

Unfortunately, it's not quite straightforward - at least assuming you don't want to have to *carry* 2 phones.

I couldn't move some of the apps over because the bank uses in-app notifications to authenticate payments.

But *most* of my banking apps moved to a dedicated device.

Given the choice, I'd prefer to be able to use FIDO2 with browser-based banking, but it's not on the cards :(

@neil Do you use a Passkey for the banking app?

It sounds like "attestation" - where the banking app can tell the secure controller, beneath the OS, which security level it requires - and the controller reports back (bypassing the OS itself).

On paper this makes sense - "do not allow secure operations on an OS that has been tampered with".

In practice, it means apps can deny service because you're running an ad-blocker or an "unauthorised" app store.

@neil
I have done some work on 'app integrity' for my employer recently.
It was doing a similar thing with network scanner apps, refusing to run because they were installed.
I requested we turn off those protections. I wanted the blast radius of any protection false positives to be as small as possible.
Granted, I am just protecting streaming credentials, not banking details.
But the companies providing app protection are trying to throw everything possible in and one-up their competitors.
Risk is relative and we should work in consultation with customers before making breaking changes.

@neil are you going to name and shame the bank for their dubious practices? There are parts of that which possibly contravene the Computer Misuse Act and various anti-competitive practices. Oh. I see you also have an app installed for a competitor's bank? Have a different set of account fees.
Unless they open source their banking app, can they prove their app is doing no wrong when persuaded onto your computing device?

@neil It's a pity that contract law doesn't work like that, but surprisingly often I've found myself wanting to invoice a bank I'm using for the unnecessary hoops they make me jump through to use the services I'm already paying for.

Would be great if you could just buy a dedicated phone and send the bill, with love, to the bank. Maybe they can internally charge it to the software development cost center.

@neil This brings me to another thought I sometimes have… why can’t I get a demo or trial of a banking app or website before creating an account with that bank.

Often the first time you find out that a bank's digital services are crap is after you have deposited money with them.

No, I don't want to log in with the 10th character of my second childhood pet's name.