by second_brekkie 1263 days ago
I live in Korea. In my experience pretty much everyone I know uses banking apps which you can do everything through, not online banking through a browser.

You would hope that these would be somewhat more secure as this may have required a 're-write' as the article suggested.

Though even with mobile apps you sometimes have to install some 3rd party 'anti-virus' software that probably amounts to spyware. But hey you can either lump it or leave it.

They do at least try to make you feel like it's secure. To set up mobile banking you need at least 3 different passwords and need to perform 2FA 3 times as well.

They have 'front end' security too, such as each time you enter a pass code the keyboard is in a different arrangement.


There's a curious absence of Korean banking apps on this GrapheneOS compatibility list:

https://privsec.dev/posts/android/banking-applications-compa...

Does it mean none are usable on a modern clean Android? Or is there a total Samsung monoculture? Something else?

I live in Korea and run the latest GrapheneOS on a Pixel 6. I have 6 different banking apps (Citi, IBK, Woori, etc.) installed and all of them work flawlessly. I also have a few government apps running and they work as well. There are definitely some apps that don't run on it (Donbaekjeon, Busan's local payment app being one) but overall they work.
FYI, yes, the Samsung monoculture is very strong. No foreign phone brands, especially Chinese, have gained significant market share (except Apple ofc). Samsung with their 70% market share has been the undisputed champion in S. Korea for probably the whole post-iPhone era, even in the budget segment. The ROMing community does exist here and is quite vibrant for its size, but Samsung pumping out a literal truckload of phone models (not to mention their carrier-locked variants, which are more common, like in the US), Knox (ew) and general public sentiment against modifying their devices mean it's not really visible.
Thank you for these comments!

It's great to hear that the compatibility situation isn't that bad in Korea. Have you considered submitting the apps to https://privsec.dev/posts/android/banking-applications-compa...? Otherwise people might make the same mistake as me (look at the list and assume it's impossible to use an alternate OS)

Korean banking apps usually are disabled in rooted Android, probably because in rooted Android the integrity of the binary cannot be verified.
See, usually when I run into claims about rooted Android being less secure, I point out that they have no problem with regular laptops that the user has root/admin on, but in this case I suspect they try to DRM control of that, too...
It's definitely about full device control. How else would the mandatory "anti-keylogger" software work?
GrapheneOS is not rooted though. Are all of them doing SafetyNet checks too, not just root checks?
I don't think Korean banks run SafetyNet. They roll their own checks with varying levels of strictness. Most of them were fooled by Magisk Hide, but not all.
Which is funny because rooted Android users can easily make any app believe it isn't rooted. Had to do that recently with the French identity app.
No one uses GrapheneOS in Korea?
Could be, but why? Pixels aren't officially available in Korea, but that banking app compatibility list has user reports from 19 other unofficial countries.