[logdahl]

Of course :^) I'm close to jumping ship to GrapheneOS, but as a Swedish resident I really need our digital id services, digital mailbox, and banking apps. I have seen their page on app support, but I am slightly afraid its not up to date / will break any time. I guess the solution is to use one banking android phone and one GrapheneOS for everyday use.

[wolvoleo]

I just have an old phone for all the banking stuff. And I use degoogled phones for real stuff. I don't need my bank when I'm out anyway.

Not using grapheneos though because pixels are expensive in my country. Also, I disagree with them on some points, like rooting. I don't think me having access to root makes my phone less secure. Obviously it should be secured properly so only I can use it, but that can be done. After all even an unrooted phone still has a root account and runs stuff as root, you just can't access it as a user. That means the OS vendor (grapheneos in this case) has more access rights on my phone than me (how else are they going to install updates), to me that's not right.

I just want to be able to inspect what is going on on my phone. What apps are storing about me on their private storage, and to be able to add root CAs so I can MITM their traffic to inspect it.

[prophesi]

I believe GrapheneOS would only be an issue if the Swedish gov decides on using the Google Play Integrity API instead of Android's hardware attestation API (and requiring their apps to whitelist GrapheneOS's keys). So their stance doesn't really change much in terms of how banking apps currently work with GrapheneOS.

[microtonal]

The Play Integrity API even works on GrapheneOS, but will only pass basic integrity (which is enough for most, but not all banking apps). It doesn't pass strong integrity, which does remote attestation. If your bank does that, ask them to add remote attestation for GrapheneOS as well.

[prophesi]

For most apps, yes, they won't require the MEETS_STRONG_INTEGRITY check in the Google Play Integrity API. But if your apps _do_ choose to use that Google Play Integrity API for a strong integrity check, then they won't be able to whitelist GrapheneOS's keys for it to pass. Unless you can convince Google to whitelist them.

Thus it's best if they use Android's hardware attestation API instead, as you can then decide to whitelist GrapheneOS to pass that strong integrity check.

[kungp]

BankID, Swish and Swedbank's app work fine for me on GOS so I say go for it :)

[lawn]

Kivra, BankID, Sparbanken, ICA banken, Nordea, LF, Swish, Fortnox and more works perfectly well for me.

I still keep my old phone around with BankID just to be safe, but so far I haven't had any issues.

[Tistron]

What do you mean here? Isn't bankID limited to only one device?

[lawn]

No, you can have multiple. At least with the banks I've used (currently sparbanken).

[Itoldmyselfso]

https://privsec.dev/posts/android/banking-applications-compa...

So far it has only gotten better over time, so risk seems minor if your bank is listed as supported.

[lbschenkel]

Another Swedish resident here, using GOS for around 5 years.

So far all the dealbreaker stuff works (BankID, Swish, bank apps, transport apps, etc.) which is great.

That said, I also work in Denmark and need the Danish apps. And the situation in Denmark was the same as Sweden... until one day it wasn't. For example, MitID flipped a switch one day and started enforcing Play Integrity. It became impossible to activate MitID on a GOS phone. And it kinda became the new normal in government or -adjacent apps.

Therefore, I dread the day this might happen in Sweden too. Let us see what will happen with the digital wallet app that the government will launch to compete with BankID. I am afraid there is a good chance that they will tread the same path... I hope I am wrong about that.

[surgical_fire]

Likewise, my plan will be to have GrapheneOS as my "real" OS, and a cheap secondary phone for banking app and whatnot.

[wolvoleo]

Exactly, works pretty well for me!

[buckle8017]

Sounds like your issue is with your government.

[amarant]

It's not an issue, we're just spoiled. It's such an amazing convenience that anything else seems like a huge and unnecessary hassle.

There is actually more a second MFA provider that is accepted almost everywhere, including the tax authority. I forget it's name and I've never tried it, so I can't say too much, but presumably it provides similar functionality as BankID

[Tistron]

It's called Freja. It's also possible to get a special hardware device to do the bankID dance, which is great to have if your phone breaks, as having that device will make it possible to provision a new bankID without visiting a bank office.

[girvo]

Do the banking apps have features that the (mobile?) websites do not? Genuine question, I have no frame of reference for Swedish banks

[amarant]

He's referring mostly to BankID which is a very secure MFA solution designed for banking purposes(all banks in Sweden accept the same mfa app) the inbox app is probably kivra, which is a email inbox which uses BankID for authentication, and is used for invoices and other "official business" mails.

There's also swish, which is instant payments to both friends and businesses. Swish also uses BankID.

BankID is also used to sign documents, file taxes, etc.etc.

Swedish society is largely built around this one official MFA solution, and having a phone where you cannot run it is a real hassle

[smilespray]

Same in Norway.

[buckle8017]

The less free states are starting to require remote attestation to send payments at all.

[izacus]

You can't login to those without app as a 2FA.

[fleebee]

I can only speak for my bank (Nordea), but they do offer a separate 2FA device you can order if you "can't use" your smartphone for whatever reason. As a solution it sucks, but technically you're not forced to use a mobile phone to login. I'd be surprised if other banks didn't offer similar fallbacks.

[varispeed]

You can have these apps on a separate device that lives in a drawer like paper documents would. We need to separate state from private life.

[debazel]

You would need to lug the device with you everywhere because BankID is used for all sort of things in Sweden. I couldn't even use a vending machine here without the BankID app.

[fc417fc802]

Why do you need MFA to use a vending machine? I thought the US was off its collective rocker but WTF is going on in Sweden?

[intrasight]

I am baffled that anyone on HN doesn't have an MFA device in their drawer.

[microtonal]

Many European banks do not replace them anymore once they break or run out of battery. Smartphones have become the default for MFA.

[intrasight]

Yes that's what I meant. An old smartphone is my device in my drawer.

[microtonal]

Ah, thank you for the clarification! Does not really work in all countries, e.g. here it is quite common at events to pay through a QR code and you need your banking app to do so.

[The_President]

Always the best way - radio off and inside a faraday pouch