Not to mention, Play Integrity is being used as some sort of "anti-cheat" by bank apps and other essential services. Even some government apps in the EU, essentially forcing you to be spied on by Google.
The worst part is that you can do all of that functionality with a browser on Linux (or Android), yet using them as Android apps on a device without GApps (even if it's not rooted and with a locked bootloader) is not allowed. Make this make sense.
> Even some government apps in the EU, essentially forcing you to be spied on by google.
The same in India. I can't use even the government weather app and the disaster alerts app without signing in to google play.
Seeing that this malpractice (of forcing the users into Google's surveillance net) is widespread among seemingly unrelated agencies like banks and government agencies of several nations, I would really like to know who is peddling this draconian scheme among them.
I want to send some angry rants to the app owners/developers and ask for those malicious peddlers to be permanently banned from further interference in cyber security matters of these institutions.
I would not be surprised if Google is sponsoring a lot of this effort targeting young devs and "teaching about security". They're basically positioning their services as "authenticators" of truth, despite it 100% still being a cat and mouse game.
That really makes sense though if you think about it. When a company has an annual revenue that would put them around the 43rd largest country by GDP, they could very well begin acting more like a state. States spy and states claim to be the arbiters of truth.
Play Integrity and Play Services are two different things.
Play Integrity is a remote attestation scheme by which apps can ask the OS to prove to a remote server that it is unmodified. It allows apps to refuse to run on devices with root or third-party ROMs.
Play Services is a set of libraries and APIs for things like network-based location, push notifications, and advertising. Nearly all Android phones include it, and users of third-party ROMs can add it at install time (but not later) with packages like MindTheGapps. There's an open source substitute called MicroG that allows most apps to run without it.
> Play Integrity and Play Services are two different things.
You're right in your elaboration, but I didn't mention which one it is. My primary concern is that it forces me to log in to my play services account, which I haven't agreed to so far.
> There's an open source substitute called MicroG that allows most apps to run without it.
It's not for lack of trying, and I probably wouldn't even be complaining if it had worked. Phones are getting harder to root these days, much less install a custom ROM on. Every day feels like the ecosystem is tightening around us.
moto g15 in hand, deguggled as much as possible right out of the box, no guggle accounts or big tech apps, bank through a browser, but there is definitely a lot of outright fraud as to being able to turn off Google apps, it is an arcane procedure to turn off notifications, insisting that nothing will work without "play store" installed, though it is clear that going to a Linux phone will become the only way to avoid adversurveillance security and tracking from taking over my device completely.
keep in mind that our techno fascist elite did provide the "intel" that led to ICE being sent to a particular area code in Minneapolis, where they executed a mild mannered cheerful poet, whose last words, somehow knowing, were, "I don't hate you".
"tech" is central to whatever comes next
Get a phone that runs GrapheneOS (second-hand Pixel 7 or 8 will do fine). Run apps that do not require it without Google Play Services and run apps that do require Google Play Services with the sandboxed Google Play Services. That will constrain the data that can be collected a lot.
(Yes, there will still be issues if you use apps that require Google's remote attestation, but at least in Europe, many banks etc. do not require it.)
Yeah India, because a lot of people are having their lives ruined by scammers every day. Get off your fucking high horse, it literally protects users. Before you start judging, do a simple search. It's not one-off cases.
The scamming problem is a fault of the government. It's trivial for a national government to make rules forcing banks to become able to reverse wrongful transactions. That'd stop scammers cold. If your government doesn't do this, and instead transfers the responsibility to the client, it's because the government doesn't care for the people.
Oh Please! Can't protect the users without forcing them to log on to Google and subject themselves to surveillance? That too even for the weather and the emergency alerts? Give me a break! And stop ruining the discussion with your misguided condescension and nationalist rhetoric.
I do not have a smartphone and have had no problem being a customer of multiple top banks. They strongly _encourage_ you to use apps, but if smartphones are against your unspecified religion, alternative paths always appear.
In EU? For internet banking you need a mobile phone or a dedicated hardware token (thing you own), as part of the Strong Customer Authentication (SCA) requirement under the PSD2 regulation: https://ec.europa.eu/newsroom/fisma/items/658958
I know in some countries (UK, Germany, Switzerland, Austria) they're used to hardware tokens already since they were in use long before PSD2. But I seriously, seriously doubt banks in e.g. Poland specifically implement support for hardware tokens issued to very few annoying customers who refuse to use an app but otherwise want internet banking.
This is untrue in reality. I have literally used more than 5 banking apps, and a few investment ones (including 1 in the US). I could log in to all of them through a browser, using phone number 2FA, or a proprietary authenticator of the bank (a physical device). No bank ever forced me to use their app to log in. It's an option though (and a convenient one). If that ever ends up being the case, I am for sure not using a Google phone to do so. iPhone it is.
And here is the funny part. On my A13 Android (fully rooted, BL UL, custom ROM) I can totally bypass play integrity, using the keybox method. There is literally no way for google to patch this. I am yet to get it working on A16, mainly for lack of time to tinker, also because OP15 has no sources released yet to build ROMs for it, which is the main motivator for me to use an Android phone.
The takeaway is this: Google promotes "Play Integrity" (PI) as a working solution against "tampered devices" (i.e. because god forbid you have sudo access on your device). Yet it's easy (albeit a bit complex, as you have to know the right Telegram groups) to bypass it. PI gives the illusion of security, yet in reality a counter-solution exists. Real bad actors would have 0 issues doing what they want to do; the real impact is deterring users from open source ROMs like Lineage, simply because their bank app wouldn't work, which imo is Google's plan all along masquerading as a security feature. Google's main business is ads, and hosts-based ad blocking is extremely easy once rooted.
Their recent moves align well with this (slow rollout of open sourcing, QPR2 is still not out yet, antagonizing 3rd party stores like F-Droid), all in the "name" of security.
Interesting. I just moved to Android from iOS with the idea of eventually switching to GrapheneOS, but was scared that my apps would randomly stop working as soon as Google catches up with the hacks. From what I heard it's a cat and mouse situation: they patch things, then the Android community finds a way. I do not want to find myself in a situation where I need to use my bank or government app and fail because Google just caught up with the hack.
So what you're saying is that you can have it permanently 'fixed' with no shenanigans like that?
Between what the law says and what actually happens there's sometimes a gap.
I'm in the EU and currently I do online banking with 3 banks without using any app, i.e. thru a laptop browser. The 1st literally lets me stay logged in with a simple cookie, with an SMS 2FA requirement every 90 days. The 2nd additionally asks for a PIN to be entered at each session. The 3rd is a neobank and is tougher, requiring a TOTP (which I generate on the same machine, needless to say).
A 4th does require an app, and in fact can hardly even be used with a desktop OS. That bank is Revolut and I therefore don't use it and I recommend others avoid it too.
The reason this happens is because big companies get their software pen tested. Part of the pen test report will include something like “accessible from jailbroken devices.”
The pen test results get put into the ticket system as immovable entries. Engineers will question them, only to be shot down by the cyber security department who organized the pen test. The engineers will eventually accept that they cannot convince cyber to drop the issue, and implement the jail break detection.
Why does cyber mandate it? Because no one in a large company wants to accept the risk, even imaginary risk. They want to be able to say, when security is breached, “we did our due diligence. Look at the report, we implemented everything in it”
Why do firms offering penetration testing keep putting junk like this into their reports? Because their automated tools list them out and they’re getting paid to find issues. The more the better.
The Dutch ID app got rid of all trackers and such requirements last year, but they didn't go the full length and make an F-Droid repo (or a government store or sth).
Google is actively guiding developers to APIs like the Play Integrity API (which requires not only that you register the phone with Google on a Google account, but also an untampered device, outdated or not).
I don't even root my devices, just using something like Lineage already gets you the basic-integrity Max. Not enough for many banking apps.
It's the security of the ecosystem, where the interests of app vendors are fundamental: content distributors can count on enforcing DRM, and banks are relying on the camera used for KYC actually being a camera and not a virtual device.
I really love how, thanks to China, people are beginning to see how technologically suppressive the American oligarchy is and who's the reason why we can't have nice things.
It really does not need any literacy to install FF and then ublock origin. Nothing else is needed, the default settings work just fine. Do I miss something?
A large portion of users (a majority, imo) think "web browser" is a specific app they open, rather than a type of app, and don't even understand that there are multiple different ones to choose from.
You need to be savvy enough to know how to deal with the inevitable "broken" site you run across (ideally by leaving and never returning, but sometimes that isn't an option).
uBlock Origin helps a lot (while the Lite version fails). It's such a shame Google rolled out Manifest V3, but understandable that they hate it as dangerous for their ads business.
We are doomed to start happily using a browser from the major ads company (Chrome and Chrome-based ones) and think it's fine.
It's not. This Manifest V3 issue is probably just the beginning of the enshittification of the web user experience. It's easy to imagine a bunch of much worse scenarios.
Most people on the Internet already use that browser and think it is fine. Most people are unaware of alternatives or too computer illiterate to try and install another browser. We are already in that dystopian hellscape of the web.
If you want to track how many times users revisit the site, you could do that anonymously by setting a visit counter cookie, e.g. VISITS: 1, VISITS: 2, etc. This would track the user over different IPs, but since the cookie only has a counter, it doesn't tell you if two people with "VISITS: 2" set are the same user.
That's the first example I can think of off the top of my head.