by OfSanguineFire 975 days ago
Banks in many countries require an Android phone for online banking. Even if they offer an online-banking website that you can access with any browser, you may still need the Android app for 2FA. This is one of a number of reasons why the PinePhone or Librem is unfortunately not a daily driver. Also, things like paying for parking or interacting with public services are moving to Android apps in some places.
3 comments

Is that even legal?

Banking and public services are too important to be restricted to people with smartphone ownership (even regardless of OS).

It's even more important to refuse to use them, publicly shame them, and complain about them failing at their duties.

Before smartphones some banks used a hardware token to authenticate web transactions, but now that is being moved to (non-rooted) smartphones.
I was given a hardware device by my bank to do my online banking. If they want to move to smartphones I expect them to provide me one of those as well.
One of the very reasons banks have been phasing out hardware tokens (and code cards) is that they represent a cost. Of course the bank is going to put the price of the smartphone entirely on customers.
Don't most banking apps reject non-GooglePlay/unofficial-image/rooted phones?
Yes, and the reasons are instructive.

When you get to the lowest level, technically, the banking apps want to store files on the phone that the user can't access.

This means that something like LineageOS can run banking apps, if the phone tells the banking app what the app wants to hear. It's fiddly but can be done, and in fact it is what I do on my private phone. It also means that a platform that fundamentally gives users the right to read all the files on the phone (i.e. to make a complete backup) will not be supported by banking apps, because such a platform will not let the banks do what they think they need to do.

I think this implies that such platforms can't grow beyond a niche within a niche.

While I can understand Google and the banking apps' actions, it doesn't make much sense given how PCs having root is hardly ever a concern for a bank. If you can do something bad with banking on a rooted device, it's probably doable on a computer too.
Oh, banks are definitely concerned about PCs having root. There are even some banks that have removed their online banking websites entirely (except, perhaps, for corporate clients) and require customers to do everything through the Android app instead.
My bank and my wife's bank both require 2FA. On the app, one of the Fs is having physical access to the device (the phone/app, which was vetted by the bank when the app was installed). On web browsers, these two banks don't offer any factor like that.

In effect, the banks treat a non-rootable device as suitable as a "something you have" factor, but will not treat a rootable device as that.

Which is why I was switching banks until I found one not forcing me into the duopoly.
In some countries one no longer has that possibility. Not everywhere has a range of banks to choose from, sometimes mergers have resulted in just a handful of banks for a country, all of which enforce use of an Android app.

Oh, it’s fsflover, the poster with the Librem idée fixe. Haven’t noticed you here in a couple of years. Your comment elsewhere here about GrapheneOS not requiring much less effort to daily drive is way off. GrapheneOS runs banking apps and, in countries that legally enforce use of certain apps for ID or payment, those apps, too. Zero hoops to jump through. Meanwhile, a Librem phone (or a PinePhone) will not work.

Huh, that's interesting, thanks for mentioning it. I wasn't aware of that.
One of the draws of GrapheneOS is that, since Pixel phones have a relockable bootloader, that Android image will pass SafetyNet. While Google Play Services is typically required by banking apps, on GrapheneOS you can run Play Services in its own sandbox.
They might, but the app for my bank works happily on LineageOS.

Same, e.g., with the app for a local second-hand site, which on startup complains that it needs the Google services... and then runs without issue (it only appears to use those Google services to pinpoint the phone's location).

IMHO this is one more reason to put alternatives like LineageOS on a phone: the more users on those, the harder it is for app developers to drop that user group for... well, reasons.

Ironically you might have to root your phone to install the necessary Magisk modules to make the app think it's on a phone running the official thing.
Most reject phones that don't pass SafetyNet. There are ways to pass it with unofficial images/rooted phones, although I'm not sure for how long they will keep working and I think you still need Google Play.
Do not use banking apps on a phone because it is not secure (there is no second factor). Use the bank's website on a laptop instead.
As I said, for many banks, in order to log in to the bank's website on a laptop, you need to receive a 2FA code sent through the bank’s app on an Android phone.
I’ve found that many times when a service says this the system will work with any OTP program. They just don’t tell you specifically. Maybe they don’t know, think it’ll confuse, and/or prefer you didn’t.
Not always, some countries actually require this to be sent over a bank-specific protocol.
“many times” is roughly equivalent to not always.
Here (in Russia) typically SMS is used as a second factor and you don't need an app. Requiring you to install an app is basically requiring you to buy a modern smartphone only to be able to log in.
Unless you're using a Chromebook or similar device as the laptop, this is kinda out of date, if using best practices.