I’m lucky my banking app works (GrapheneOS), as it’s now requiring 2FA with the app anytime I login on the browser. Can’t use an actually secure form like TOTP. At least they now allow passwords over 8 characters (yes, serious).
(Meme in comments)
This post is against Rule 6, but I’ll leave it up this time since there are a decent amount of discussion here now.
lseif@sopuli.xyz, please remove the image when you can. You can post it in the comments.
At least they now allow passwords over 8 characters (yes, serious).
Are you 100% certain they don’t just truncate your password to 8 characters?
What, do you think banks have the money for storing all those extra unnecessary characters? MS Access databases are only so powerful.
I hate this so much!
My bank is like that and another horrible thing is that after you choose your password (which can be long and complex) you need to choose a 6 DIGIT restore code incase you forgot your password…
Why is is my BANK so bad at security??
And they all develop their own shitty app for 2FA (the lazy ones just rebrand SecureGo as their own - you still have to install all of them separately) instead of using the 15 year old TOTP standard. The latter is good enough for tiny companies like Google and Amazon but what do they know about itsec, right?
Magisk plus DenyList luckily works for my banks. Couldn’t imagine not having a rooted phone.
Beat the main purpose of GrapheneOS. Open the phone to a broad lot of security issues.
Graphene only works for Pixel phones, and I don’t want a Google device.
thats fair. device support is a major downside of GOS. but, remember: its not really the fault of the OS, as it requires a lockable/unlockable bootloader, which only pixel phones provide (at least in terms of mainstream phones). blame the OEMs like samsung
There are a ton of unlockable bootloaders. On my OnePlus that’s a matter of flipping a switch in the settings.
can it be re-locked? i may be wrong, btw. this is just what ive heard.
I don’t know, never tried that.
That’s the main issue really, as it open the possibility to manage your device for anyone getting hold of it. Probably some debug attack methods also with it.
which only pixel phones provide (at least in terms of mainstream phones)
Mainstream phones? Pixel is a smaller market share than Motorola, and Motorola has unlockable bootloaders, and lineage supports a fair number of them.
Sadly, can’t be re-locked. Would have loved to get a Motorola if it was.
I thought Google owned Motorola, but I missed the sale to Lenovo ten years ago.
Lenovo owns Motorola. Lenovo being chinese is somewhat a security risk.
@viking @PoorPocketsMcNewHold @android
Then don’t bother, there’s no GrapheneOS for you!
Only big manufacturers can really pay to control entirely the hardware inside it, and allow you to modify it. Checkout Fairphone for example. They’ve been forced to stop hardware security updates due to their chip manufacturer, who refused to continue supporting it, despite them trying to support their devices for plenty more years. This explains the choice with Google.
Yeah, that was their point.
What are the security issues? Rooted just means the potential to give trusted apps root access. Of course, if you give an app root access that you trust but is then abusing that trust and being malicious, yes it’s a security issue. But if you don’t do that, the simple fact of having a rooted phone should have no security change in any way. (Ok, except for potential bugs in Magisk/su or whatever)
If you have the UI layer able to grant root access, it has root access itself and is not sandboxed. If the UI layer can grant it, an attacker gaining slight control over it has root access. An accessibility service trivially has root access. A keyboard can probably get root access, and so on. Instead of a tiny little portion of the OS having root access, a massive portion of it does.
In the verified boot threat model, an attacker controls persistent state. If you have persistent root access as a possibility then verified boot doesn’t work since persistent state is entirely trusted.
A userdebug build of AOSP or GrapheneOS has a su binary and an adb root command providing root access via the Android Debug Bridge via physical access using USB. This does still significantly reduce security, particularly since ADB has a network mode that can be enabled. Most of the security model is still intact. This is not what people are referring to when they talk about rooting on Android, they are referring to granting root access to apps via the UI not using it via a shell.
I’m pretty sure whoever wrote that was talking out their ass. The fuck is “UI layer” on Android, or rather, what does it have to do with it xD
The actual Magisk prompt that ask you if you want to give root to such app. This UI layer.
Although, i suppose it could be countered by explicitly refusing all requests or enabling a biometric confirmation
But granting root is not done by “the UI layer”, “the UI layer” is not running with root. There is no such thing as “the UI layer” as a separate entity, an app can have a UI layer as part of its architecture, but the UI is not running on its own. Just because Magisk shows you a UI for you to grant/deny a root request, that doesn’t make it insecure. Nothing is able to interact with this prompt except the Android kernel/libraries itself and Magisk.
Only if you added an application as accessibility tool (or give it root) can it interact with anything within the UI. An app with a UI is generally not much different than an app on the command line.
It still create an attack vector, as it allows a potential extra method to get access to it, in addition of potential hardware exploits that i shared to gain root. Yes, you can minimize the risks correctly, but the user is the only real barrier against it, not the software anymore. The less potential way to exploit your phone, the better it is. You shouldn’t rely on thinking that such feature is fully attack-proof.
GrapheneOS is made by diva developers who frankly should not be trusted. “We only allow Google phones to run our OS!” as if they don’t have a backroom deal with Google.
Proove us that you can get better security while remaining able to be fully modified with other phones and brands. https://www.privacyguides.org/en/android/#divestos
Privacy Guides has a bit of a sordid history of their own diva behaviour.
Just higher standards.
Nah they’ve been accused of biases.
@TWeaK @PoorPocketsMcNewHold @android
BullshitJust logical. If you gain the privilege to modify system bits, then it just open the potential for attacks abusing root access. And it has been done already. You are just removing one step for them. https://www.bleepingcomputer.com/news/security/loki-trojan-infects-android-libraries-and-system-process-to-get-root-privileges/ https://www.bleepingcomputer.com/news/security/highly-advanced-spydealer-malware-can-root-one-in-four-android-devices/ https://www.bleepingcomputer.com/news/security/new-abstractemu-malware-roots-android-devices-evades-detection/ https://promon.co/security-news/fjordphantom-android-malware/
Non-rooted phones are just like iPhones. Ewww…
Agree, don’t get why you are being downvoted.
Heath Ledger started banking here in the year 2000. Only movie producers have debit cards right and all actors are on a cash only basis and actors are cannibals that rob and eat their prey.
I mean you all weren’t ripping or watching Hollywood movies on the internet right? Because that’s just a cheap way for producers to store things so there isn’t giant dvd and vhs recording machines. Taking up space in print shops. Printing t shirts just went on because that blonde chick in ten things I hate about you did acting as a source of income and because it was an art but she preferred real art but didn’t see selling statues as a source of income or steady income. Sometimes large durable good purchases weren’t supported in capitalism. So it was T shirt printing and that genre of music that took place during those years. They’d all run around stabbing and killing all these other people as like a cult. The world was somewhat French back then.
And simulations are just used for movie production so that actors don’t miss their cues or start eating things and robbing and killing each other on the set.
Heath Ledger is kidnapped not dead, if he didn’t die as his stage name or other self then hepatitis b does this to him, and that’s why there was glucose in Mountain Dew and potassium in everything else as a preservative and no one could really eat natural foods or supposedly natural cheeses and butter. And that’s one thing I hate about you.
sorry, what ?
This is actually something I have spent a lot of time thinking about. In Sweden, where my boyfriend lives, their BankID app is ubiquitous, and there is very little cash handling going on, additionally the fees for actually going to the bank or subsidiary to pay your bills are exorbitant.
Everybody pays their bills online using “BankID”, which is kinda nifty and works well enough if a single point of failure is your thingaling, but what if people simply choose not to get a phone, or don’t want a computer, just basic like that, what if?
It feels kind of creepy to me, I don’t know…
🚨 Improper use of meme format 🚨
🦴💥 Bone Hurting Juice detected 💥🦴
wait really? :/
I’m pretty sure panel 2 and panel 4 should have the same text
THIS MOTHERFUCKER MEMED WRONG
TOTP is not secure
What’s wrong with TOTP?
Phishable. Use FIDO2 (webauthn) with user verification (pin, fingerprint)
