Hacker News
by nimbius 810 days ago
The only app I've seen balk at bootloader status (to date) is Google Wallet. Using a phone to pay for stuff is an opsec nightmare you'd only entertain so long as becoming an integrated and saleable asset in a data broker's portfolio is a life goal. 'pm uninstall' and move on, the custom ROM is still far more valuable from a security perspective than bending the knee to some bespoke ecosystem payment app (especially if you have an older device.)

The point of OEM unlock, and rooting at all, is diametrically opposed to the vendor's interest in nearly every facet. The vendor will bark "hackers" as a thinly veiled threat for the uninitiated, but we are initiated. What the vendor doesn't need you doing is erasing their telemetry and walled garden spyware. They don't need you developing alternatives to their store and to their apps, and they especially don't need you turning this effort into something as simple as an Ubuntu installation for older phones they expect to follow the strict trade-in model of "buy a new phone every year".

arguably Asus refunded the purchase because this person isn't playing by the rules and being a good consumer.


> Using a phone to pay for stuff is an opsec nightmare

Do you mean "privacy nightmare"? Security-wise, Google Pay beats using your physical card since it uses a device-specific number that can't be skimmed by terminals and reused online.

> the custom rom is still far more valuable from a security perspective than bending the knee to some bespoke ecosystem payment app (especially if you have an older device.)

I'd argue that it only makes sense if you have an older device that's otherwise not receiving any more security updates.

AFAIK it only beats magnetic stripe cards, not EMV chip cards
EMV chip cards still contain your card number and expiry date.

Skimmers would need a way to also learn the CVC2 from the back of the card to use it at most (but not all!) online merchants, but that's feasible using a small camera or a waiter/cashier accomplice doing the skimming.

With Google Pay and Apple Pay, and similar mobile wallets, that number is never shared during payments (and in fact not even stored on the device).

They do, but you can't get the card number from reading the chip. The protocol is a challenge-response one based on a private key stored within the chip.

https://en.wikipedia.org/wiki/Chip_Authentication_Program

You need to read the entire card number + cvc2 + expiry date with your camera. That's not skimming, that's just taking a photo of the card.

No, you can most certainly get the card number and expiry via the chip and even over contactless, as it’s a vital part of transaction routing/processing. There are Android apps that can do it.
If I could I'd delete my original comment since I did more research and you're right.

https://stackoverflow.com/questions/14861908/apdu-command-to...

Yeah, and it's easily solvable with a sticker or a dremel to scrape the number off
You can't dremel it out of the chip, though.
Any responsible user will learn the CVC, like any other password, and then erase it from the card.
I can certainly remember mine from repeated use, but I can't say I've ever heard of someone erasing it
I have been doing it for many years.
That seems like a lot of extra effort for something that's arguably not your opsec problem, but that of the card payment industry.

In the end, you'll always have to enter it on payment websites anyway.

Bank apps, Netflix, and Disney+ also won't work. There are spoofing measures, though I've been burned by unlocking and rooting too often to try again, at least not while my devices are still under warranty.
My solution

* use bank website for the one bank that requires it, otherwise I got a new bank account without silly fake security.

* thepiratebay has everything Netflix and Disney does and it works anywhere

I always use websites when possible instead of installing yet more spyware disguised as a useful app. My bank, however, has the TOTP built into the app. You can't make a transaction without the phone app connected to the internet.
You can't use Magisk to remove the root and make it work?
I meant to emphasize that they force us to install their app. I can't use the website without installing the app, missing the point of using the website.
Magisk + a few modules and most apps should work. The warranty part, this depends a lot on the country, but at least in Europe I don't think they can deny repairs just because you unlocked the bootloader.
Commercial copyright interests will always seek to maximize their control over the devices that play back copyrighted stuff. Banks at least have more legitimate security concerns since they involve the end user getting screwed rather than the copyright holder.
I'm in Canada and I can literally just tap the card itself on the reader. Every card has this ability and it can't be skimmed.
There are many demonstrations of contactless cards being “skimmed.”

Unless you store it in a wallet with a faraday cage, this is a laughable opinion to express.

It's not the same as traditional card skimming since you can clone the magnetic stripe you skimmed onto another card and buy things with it.

If you grab data from a tap transaction, you can't use that data to perform another tap transaction.

Your claim that using a smartphone for payments is a privacy(?) nightmare sounds quite baseless.

The more pertinent factor is probably the fact that you’re using an operating system built by an advertising company.
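
Added example, not written by any commenter in this thread: a simplified model of the two claims made above, that the card number is readable during a tap but the captured data cannot be used for another tap. HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the `Card` and `Issuer` classes, the sample card number and the result strings are all constructed for illustration.

```python
import hashlib
import hmac
import os

def _mac(key, pan, amount, atc, nonce):
    # Stand-in for the card's cryptogram (assumption: real cards do not use HMAC-SHA256).
    msg = f"{pan}|{amount}|{atc}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Card:  # hypothetical model; the key never leaves the chip
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def tap(self, amount, nonce):
        self.atc += 1  # transaction counter advances on every tap
        mac = _mac(self._key, self.pan, amount, self.atc, nonce)
        return {"pan": self.pan, "amount": amount, "atc": self.atc,
                "nonce": nonce, "cryptogram": mac}

class Issuer:  # hypothetical model of the issuer-side checks
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def enroll(self, pan):
        self.keys[pan], self.last_atc[pan] = os.urandom(32), 0
        return Card(pan, self.keys[pan])

    def authorize(self, txn, terminal_nonce):
        key = self.keys.get(txn["pan"])
        if key is None:
            return "unknown card"
        if txn["nonce"] != terminal_nonce:  # not bound to this terminal session
            return "stale nonce"
        good = _mac(key, txn["pan"], txn["amount"], txn["atc"], txn["nonce"])
        if not hmac.compare_digest(good, txn["cryptogram"]):
            return "bad cryptogram"
        if txn["atc"] <= self.last_atc[txn["pan"]]:  # counter already seen
            return "replayed counter"
        self.last_atc[txn["pan"]] = txn["atc"]
        return "approved"

def demo():
    issuer = Issuer()
    card = issuer.enroll("4000000000000002")  # constructed sample number
    n1, n2 = os.urandom(8), os.urandom(8)     # nonces from two terminal sessions
    captured = card.tap(1250, n1)             # what an eavesdropper sees, PAN included
    return (issuer.authorize(captured, n1),                       # genuine tap
            issuer.authorize(captured, n1),                       # same message resent
            issuer.authorize(captured, n2),                       # replay in a new session
            issuer.authorize(dict(captured, amount=999999), n1))  # altered amount

if __name__ == "__main__":
    print(demo())
```
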