Uncomfortable Questions About Android Developer Verification

Why is it so complex to have a foss mobile OS.

I only have Linux PCs (laptops) and servers, 100% of my work and personal stuff is done there (though for work I do need to hop into MS365, Google Workspace, Zoom, etc, hooray for browsers, my final firewall between me and the walled gardens, though we can have a whole discussion on that).

For mobile, we have PostmarketOS, Phosh, Ubuntu Touch. I really must try living in them, is it on me? IDK, our government even has an identity app for iOS and Android. I should not be using it, I should stick to web. But its so much more convenient. I'm just weak, aren't I?

Maybe I should go for Ubuntu touch, with an iPad on the side or something. At least my most personal device is something I control then. Or just keep my Linux laptop handy (or make a cyberdeck!). But I want a computing platform that does not require carrying a bag. It's kinda sad. Even GrapheneOS (one of the most personal and secure mobile computing experiences out there)'s future is in the hands of its greatest adversary, the one that does not want you to have a personal computing experience.

Do not forget Android is also a FOSS mobile OS.

That "F" (as in freedom) is certainly eroding. Perhaps not by its source availability directly (although without any drivers, what is the use?), but very much by a company trying to lock you out of all the goodies that once came with it.

Linux is 30 years old, and still it has a laughable percentage of desktop usage. Plus, the only reason it's even usable is because of the relentless work by thankless developers for reverse engineering device drivers. On smartphones this is orders of magnitude more difficult. How do you properly profile and debug a random modem in a phone? What about the cameras?

So, how can anyone expect FOSS mobile OSs to ever exist unless forced by law by the US or something?

Android is not FOSS in any sense of the word and doesn't produce any user benefits that FOSS is meant to produce.

Because of hardware standardization Linux has become a pre-competitive layer, a commodity we have decided not to compete on. And it turns out that such a commodity by definition is private, because we don't want any one party to reap all the benefits of a commodity project (we'd rip it out before using it anyway), in the same sense that we don't want want 1 company sitting on all our water consumption data for example.

So, how do we get to a commodity layer for Mobile devices? It looked like it was going to be Linux (Android), and that was Google's intention. But now they are just using their significant resources to corrupt that original idea, using their trojan horse called "play services".

The public at large only cares about convenience, not about privacy. Why don't we? How much enshitification is enough to draw that line in the sand?

Most of AOSP is licensed under the Apache 2.0 license and GPLv2 for the Linux kernel. These are FOSS licenses recognized by the FSF.

https://www.gnu.org/licenses/license-list.html#apache2

https://www.gnu.org/licenses/license-list.html#GPLv2

This is 'easily' solved by following the Apple road - focus on one or two devices. I think many FOSS enthusiasts would be happy to buy such devices.

(I am holding out hope for the phone that the GrapheneOS project is planning to make.)

I think that they are pointing at that using Android in daily life in a meaningful way requires installing Google Play Services because many apps require it.

And my point is throwing out all of AOSP because of that is throwing out the baby with the bathwater. Whatever other FOSS OS someone comes up with won't have Google Play Services built in either.

Android is a proprietary operating system developed by Google. Try running your "free" modified AOSP in the real world, on a real device, like a real person would and see how far you get before being blocked and restricted due to hardware attestation.

It's pretty obvious, it's costly to make one that is up to the level of quality of commercial ones. It's not a mistake that the 2 mobile oses are owned and created by some of the largest and most profitable companies in the world.

I know this isn’t what you meant but it’s important to remember there is some hope. Thirty years ago I was required by my CTOs to use Windows, Borland, AIX, and Solaris. Linux, FreeBSD, and Free dev environments were viewed with deep suspicion.

In 2025 you’d be viewed just as much suspicion for not building your stack on Freedom. I still have hope that we’ll get there with phones, too, some day.

Oh yes, I fully agree. AOSP is the best shot at getting an alternative OS and sandboxed Google Play (like in GrapheneOS) is a good transition method.

I wouldn't say that means it's not FOSS, it just means things being FOSS isn't enough to ensure things are good.

> How do you properly profile and debug a random modem in a phone? What about the cameras?

This is a huge factor. Mobile chip sets (CPU/SoC, crypto enclaves, GPU modems/basebands) are buried under NDAs a mile thick, and you can't just whack an oscilloscope on the bus like its 1979. Those companies treat their opaque hardware as their defense against IP theft, they'll never, ever give it up in the current environment.

And the cameras are super complex and require a bunch of DSP and AI to even vaguely work let alone do all the headline features.

Mobile OSs are very consumer focused. I have criticized the FSF for, in there lengthily argued ways, abandoning the consumer.

You have to commercialize openness if you want the muscle of the consumer to be able to produce it.

Short presentation of the basic concept: https://youtu.be/SO46oEdlkY8

Some things with massive value in excess of the cost of production cannot be pursued by capital nor bought by the individual. Your choices are government, non-profit, or something in between all three. PrizeForge aims to be between all three and to completely change how we do consumer open source, incidentally bringing billions of dollars into making it.

The Android stack, right back to the pre-aquisition "Danger" stack, ripped out everything GPL'd above the kernel, and Google has been investing in their "fuschia" project to make a non-GPL'dv kernel as well. Gradually making more and more of it proprietary was the plan.

Google is a big company and there may have been some factions pushing to make android an open ecosystem, but I don't see that that was ever the companies intent overall.

AOSP is only a subset of what makes Android, an actual mobile phone OS.

Mostly because the "web" was sabotaged. I use archlinux and my only GUI application is a web browser. On mobile, I need an email app, maps app, food delivery app and a communication app. Even whatsapp doesn't work on the web (on purpose).

If the web was enabled, app stores wouldn't be possible and you could run anything without an installation. But somewhere along the line both Google and Apple realized that this isn't really to their benefit and "walled ecosystems" are an advantage.

I could be one of the people running an ungoogled phone, but my bank refuses to have an app that runs on an ungoogled OS for "security"

You can use microG which provides a lot of Google Play Service functionality.

This has been attempted multiple times, and always fails because followoing FOSS to the letter doesn't play with how hardware industry works, and when people aren't willing to make concensions they cannot ever deliver a product the general public would replace their Android/iOS phones with.

> Why is it so complex to have a foss mobile OS.

In a way it's not. As you mention, we have several of them. But they won't have mass-market appeal until they can run the same sorts of apps that Android and iOS can run. And no, "just use the mobile website" is not an answer.

How do I deposit a check with my bank on my phone without the app? I can't; the mobile website doesn't have that functionality. How do I send someone money via Zelle without the app? I can't; the mobile website doesn't have that functionality.

How do I use contactless payments? I can't; the ability to build an app like Google Wallet or Apple Pay requires deep pockets and trusted payments industry connections that open source mobile OS developers will likely never have.

How do I use Google's productivity suite? I can't; the mobile websites aren't functional enough. How do I use Microsoft's? Ditto.

How do I use the remote-lock functionality of my car? I can't; that's only available through the Android and iOS apps.

I could go on, and on, and on, but I think you see the point. Many people who advocate for these alternative OSes don't get it. "Do you really need that functionality?", they ask. "Why can't you just do that stuff in a web browser on your laptop instead of on your phone?", they ask. "Just use a physical credit card like I do!" And then they wonder why their alternative mobile OS will never go mainstream.

People actually really care about those features and capabilities. It doesn't matter if the people who build these alternative mobile OSes don't care, or think they're stupid, or unsafe, or bad for privacy, or whatever. If you don't build what people want, they won't use your stuff.

Emulating Android sufficiently well enough to run Android apps is a decent start, but so many apps rely on Play Services and Play Integrity that it's a losing battle, or at best a cat-and-mouse game to keep things working.

On top of that, mobile chipset BSPs require financial commitments and being a Real Company. Most open source outfits can't cross that bar, and the likes of Qualcomm will be wary dealing with an organization that wants to do open source.

In 2025, we all use Windows and macOS laptops around here, Linux is something we run on cloud environments, mostly the distributions of the cloud vendors themselves, which certainly don't upstream everything.

The use of managed language runtimes, and SaaS products with low code/no code, makes the OS kind of irrelevant, and many times we don't even consider Linux on the cloud vendor, it is seen as an implementation detail, as many workloads are done via managed deployments like Vercel, Netlify, Azure Web App Service, and similar services.

> I use archlinux and my only GUI application is a web browser.

Debian here, and... yup. It's so weird to realize this. I have lots of browser windows open with lots and lots and lots of tabs open, but the only other app I have open is a Matrix client (which honestly is not that great; Element's web version has more features and better polish), and a terminal. If you can call a terminal a GUI app.

Sure, I do use native apps sometimes. A calculator app, GnuCash, VLC, some others. But they're not open all the time; they're infrequent-use apps. And a lot of my VLC use has been replaced by streaming on the web.

It's incredibly sad.

So the real question is: Why are people so social and pleasant, and why are companies so egoistic (and I mean egoistic in the cancer/parasitic/enshitifying way, not in the Ayn-Rand/social/We-are-all-equal way).

Is it the lack of deep, DNA encoded morality? What are we going to do about this? What is the DNA of an organization anyway?

How, as a society can we take away these stimuli that make it so natural to consume individual freedoms when we grow our tribe-size?

Maybe we need more freedom, more freedom to say: "F-this I'm out of here, I just like the set of rule of this other society better." Maybe we are still too constrained. By our ways of generating income, by our countries, continents and ultimately our planet. We have 1 lifetime, we have to make do with what we find.

> For mobile, we have PostmarketOS, Phosh, Ubuntu Touch. I really must try living in them, is it on me? IDK, our government even has an identity app for iOS and Android. I should not be using it, I should stick to web. But its so much more convenient. I'm just weak, aren't I?

Don't forget GrapheneOS, LineageOS and other de-googled FOSS Android Versions

Write them. My bank's app had safetynet, but they disabled it and now it is usable over GrapheneOS.

Unfortunately no NFC Payments though, since they are only available for Google Wallet (which uses safetynet)

Foss people are on the spectrum and so never understand the common man. Simple as that I guess.

Money

I have been running AOSP-based LineageOS and now GrapheneOS for more than a decade now. While some apps are restricted to Google-certified operating systems, most are definitely not. I can use my countries eID apps and my banking app without issue. The only thing not working is nfc payments (since they are limited to Google Wallet)

Are you aware of the PinePhone and Librem 5? As others have said, it's already been tried.

I bought a PinePhone, and after a few too many show-stopping issues (not being able to receive a call for a scheduled job interview was the last straw), I went back to using LineageOS without gapps. I'm not a developer either, just a fairly technical user, so when the device wasn't working, all I could do was report bugs, and things weren't improving fast enough. I haven't checked on progress in a while now. postmarketOS seemed like the one to follow, and they do also support some beefier devices like the OnePlus 6T, but then you'd miss out on the PinePhone's ability to easily remove the battery and to boot off the SD card in addition to eMMC.

I also felt a bit bait-and-switched that the PinePhone Pro came out not too long after the original and then everyone seemed to switch to that one. It reminded me of the awful Gemini PDA and how quickly they rushed out a successor without fixing any problems.

It's the ecosystem. Without an ecosystem there will be less adoption and consequently less investment in the OS. Where I stay, so many services offered exclusively through Android/iOS apps with no alternative. Even government services are slowly excluding the web and becoming app only. There is an implicit expectation from everyone that one will have either an Android/iOS device and this only becomes stronger with time.

I don't know how many people realize but what can result from this can be very dystopian and is scary. But the best possible outcome from this I hope is that some day a wise government realizes how much of daily life is dependent on two corporations and passes regulations to standardize app runtimes. You should be able to publish applications that can run on any OS. Only then we'll see competition in the OS market.

Isn't AOSP developed behind closed doors, with infrequent code drops & zero community participation ?

Good luck building anything on top of that & keeping it in sync long term.

Even if Google would stop open sourcing AOSP, I think it would be much easier to fork AOSP than to start a new Linux-based FOSS mobile operating system from scratch

Obviously even maintaining AOSP yourself requires a huge effort and a lot of people would need to donate development time/money.

Well the nice thing about the spectrum is that we are all on it and that we draw imaginary lines ourselves.

All wisdom aside... I think you're right. I takes a certain grit to start to appreciate the ultimate effect of software freedom culture and licensing. Never mind the the whole philosophy.

It's like explaining CRISPR (yeah I'm a biologist) to a normie... Ok, so lets start with what DNA is... proceeds to guide someone through a lifetime in the molecular biology field....

> For mobile, we have PostmarketOS, Phosh, Ubuntu Touch.

Why are you only listing DEs and not operating systems? (You also missed SXMo and more.) There are many more operating systems [0] and two working GNU/Linux phones, Librem 5 and Pinephone. Why people are ignoring them on HN?

[0] https://pine64.org/documentation/PinePhone/Software/

My bank used to block VPNs “for security reasons.”

Now they very kindly just display a warning.

I mean, that's a choice. Most of my activity is still native apps, because I hate web apps and avoid them like the plague. I don't doubt you could do the same, but you have chosen to use web based options - which, to be clear, is totally fine! But it's not the way it has to be.

There are mechanisms which make firms more social: cooperatives. In another world, public infrastructure such as android would be owned by a cooperative of it's users. Instead, users are tenants of infrastructure owned by others, always vulnerable to the owners changing the deal

The problem is that it's difficult for cooperatives to raise capital: they can issue debt, but not equity (because the definition of a co-op is that it is owned by members (usually customers and employees )-and no-one else). But debt is not really risk capital in the same way as equity and doesn't enable bold initiatives and innovation.

> Why is it so complex to have a foss mobile OS.

This is not too hard. What is hard is to trust it enough. A FOSS OS, by definition, allows to install whatever software, and allows for modification of itself. It is built to overcome limitations, not impose them. In this regard, it's a perfect tool for a criminal who wants to circumvent security measures, because these are limitations. It's the same problem as with cheaters in online games, only with more than games on stake. Banks and payment systems want guarantees of integrity and protection, including protection from user's actions.

A FOSS OS also assumes that the user values the freedom, and is competent in its technical aspects. This is emphatically not true about many users. They choose iOS because it's locked down and thus they cannot inadvertently do something they don't understand, and can't be bothered to learn. More importantly, their grandmother cannot do something she doesn't understand but scammers persuade her to do.

It's a bit like driving on public roads. If you want to drive yourself, you have to reveal your identity and obtain a license. If you want the hassle, take a bus, but buses only go along their routes. Letting unlicensed people drive cars where they see fit was found unacceptably dangerous for everyone eround. Maybe mainstream mobile software development will follow this model, too :(

at the mercy of Google, yes.

My bank blocks my mobile with Lineage OS, and it's not even possible to login to the web site without the mobile app. Absolutely pathetic.

Now I have to keep my 4 year old phone with 2 year outdated Android to access the bank application. Which deemed more safe then my mobile with latest security updates. Haha

GrapheneOS and SailfishOS focus on a narrow set of devices and they can keep up with hardware support. I agree that you have to make concessions in terms of allowing proprietary firmware blobs and opaque baseband hardware. You also have to choose your hardware wisely (e.g. GrapheneOS can/could piggyback on Google's driver work).

I was just saying that you can make the problem more narrow by not trying to support every device out there. Start small and pick your battles (which probably means using AOSP and using sandboxed AOSP).

I think the main issue of many previous attempts was what typically happens in the FLOSS community: there are N attempts rather than one coordinated attempt (Ubuntu Touch, Plasma Mobile, PostmarketOS, PureOS, etc.) and everybody is targeting different hardware. It's similar to how the Linux desktop got fragmented, though it's even more problematic for mobile, since the usage is probably 1/1000th of Linux desktop usage.

It’s costly, but those two companies also operate in a hierarchical manner (like the military or a feudal kingdom) which makes decision-making and accountability much easier. The FOSS world has been rife with petty agree-or-fork squabbles, often over relatively abstract philosophical concerns about license language.

Don’t worry, the PinePhone Pro is now EOL while the original one will go on for 2 more years!!!

As Microsoft how is it so difficult to have a mobile os

These aren't GNU/Linux, they have to follow Google's development strategy. It's like fighting with Chrome by using Chromium.

> after a few too many show-stopping issues (not being able to receive a call for a scheduled job interview was the last straw)

When was it? There are no complains from people daily driving both phones in the last couple of years AFAIK.

Gas station app I use asks to turn VPN off every launch (even when it is disabled)

PostmarketOS is, as the name implies, an OS. And I don't think OP was trying to make an exhaustive list.

The point is, there's plenty of "competing" options, but hardly anyone uses them.

last time I walked into the bank to do something, they tried to peddle their app. I giggled and said no, their developers don't understand security.

my phone is rooted and their app won't work.

Why does a gas station need an app?

> The FOSS world has been rife with petty agree-or-fork squabbles, often over relatively abstract philosophical concerns about license language.

You cannot say that. This means we have thousand half-baked projects to choose from, and choice is good. At least this is what I was told.

Bonus/loyalty programm

As far as I am concerned a Raspberry Pi 4G/5G/LTE-edition would be 50% of getting there.

All this is true about Linux on desktop, though my bank still allows me to log in to online banking.

At least for now.

I'm not aware of any major issues this has caused.

The trust isn't the issue. Google and Apple has made DRM easy for these companies to integrate, and therefore they do it. There isn't more to it than that.

> Unfortunately no NFC Payments though, since they are only available for Google Wallet (which uses safetynet)

A workaround for NFC payments I've heard about for folks running OSes on their Androids that don't support that feature is a smartwatch with NFC.

Unfortunately, I can say with 100% confident, the customer service of my bank will not freaking understand what is a rooted phone, or LineageOS ...

And my bank's web app developer couldn't even fix their log in bug for several months. I realize, now, it's because they want to sunset their web portal.

Which is extremely annoying ... what if I don't have my mobile!!

Lazy, and greedy corporates, just trying to save their costing with shortcuts, never realizing security is never achieved by taking shortcuts.

This is irremovable tension - FOSS in its ideals is democratic, yet it can never succeed in democratization. This is why I think preaching freedom and agency is a bad strategy for the FOSS, even if its members believe them.

Interestingly, we are, and have been, at a point were you can publish applications that run on any OS for a while, with PWAs.

There are very few software examples, that couldn't be distributed as PWAs, including secure things like banking, etc. With WASM in the mix as well, theoretically the sky should be the limit.

Even more interestingly it hasn't happened - mainly because Apple and Google haven't got behind PWAs for obvious reasons, so the app ecosystem just doesn't exist. It's hard to see how this will changes, when mobile operating systems are dominated by two players, with very obvious incentives to make things worse for consumers but better for themselves, by grabbing as much control of the apps on their system as possible.

> In 2025 you’d be viewed just as much suspicion for not building your stack on Freedom.

Tell me you live in the web bubble without telling it.

Law is no longer interested in giving freedom to people

>I'm not aware of any major issues this has caused

Decades of desktop malware used to drain bank accounts are not a major issue?

You'd need to make a case that proprietary OSes such as Windows or MacOS lessen the issue compared to FOSS OSes such as Linux. I doubt it considering that Windows is / was known to be the worst offender here.

In any case my bank has not banned the use of Linux to do homebanking. Why? Because there isn't a easy to plug-and-play API to do DRM and remove consumer rights. This is largely for historic reasons, but there is no reason a FOSS mobile OS couldn't work.

Look inside the kitchen of Microsoft or Google. It is comparable to all the FOSS world petty squables and pfiefdom wars.

You can even see this into the abominal products they release, rife with frankesteinian cobbled together bits and pieces from different 'orgs' trying to grab a piece of the (tr)action and the wild inconsistencies in the UX.

> It is built to overcome limitations, not impose them. In this regard, it's a perfect tool for a criminal who wants to circumvent security measures, because these are limitations.

None of those limitations actually provide any security.

In order to use your bank's mobile app, you need your bank login credentials. It does not matter how secure a bank app on your phone is or whether it requires some kind of attestation because the attacker is going to get the victim to type them into a fake app or the attacker's web page which don't require any such thing and aren't even necessarily on the same device. And then it does not matter what kind of device you require the bank app to be installed on, because the attacker will get one of those and use the phished credentials in it.

There is no security value in requiring things that are useless.

> A FOSS OS also assumes that the user values the freedom, and is competent in its technical aspects.

This is not an assumption at all. The user is not required to write their own software or install anything from outside of a trusted repository. The value of the OS to such people is that someone else can write that software, and then as it matures it makes its way into the trusted repository.

But if mere mortals can't do that, if kids need an ID and a credit card in order to learn and experiment and hobbyists hit friction and spend their time on something else, then those things are killed in the cradle and never exist to begin with. And then instead of free software made by the people who wanted to use it, you're left with only apps made by predatory for-profit corporations and scammers that make it into the official store because their scams are profitable.

> It's a bit like driving on public roads. If you want to drive yourself, you have to reveal your identity and obtain a license.

It isn't a public road, it's your own phone.

It's even better than that. Banks (for example Revolut) consider several years old phones, running ancient OS (last I checked they allowed A10) without security updates for some 7 years, so riddled with zero-click/RCE vulnerabilities, but they do not allow GrapheneOS, which is currently the safest OS in mobiles (on par/beating iOS, depending whom you ask).

Yes, banks* claim phones riddled with maximum severity security issues are secure. Also phones that are rooted but using magisk modules to conceal this fact, and use spoofed signatures from ancient hardware, but the most safe platform is not secure enough for them.

Go figure.

*not all, there are notable exceptions explicitly supporting secure platforms through the modern Hardware Attestation model.

It doesn't matter if it's only some apps if those apps are critical. MyGov in Australia for example requires Play Integrity or it crashes. Your government's app does not... for now.

The grip of Google, Microsoft and Apple are tightening. Microsoft's TPM requirements for Windows 11 are ostensibly for security, but they're also a mechanism to enforce hardware/software integrity and authentication. Google wants to extend their integrity APIs to Chrome and I doubt Microsoft would object to implementing something similar.

Soon enough computing and the web may end up segregated, with there being devices authenticated and controlled by a central authority and those that are not. In a lot of ways this is already the case, I can't access the 4K Netflix streams I'm paying for on Linux because of DRM and using anything other than stock Chrome can often get you flagged for annoying captchas. But it can get so much worse than that.

Because PC is an American thing but phones are not. Obsession for standardization, modularity, and cross-compatibility are rather unique American cultural traits that aren't nearly as strongly manifesting elsewhere. "Fits right in" is quintessentially American thing.

The entire unitized jet engines on Boeing aircraft drops right off and swaps right into another host, sometimes even to different types of aircraft. PCI soundcards come off a i386 PC and go straight into PPC Macs. AR15 pressure bearing parts don't merely interchange between examples from different time and place but its grip and stock mounting patterns are becoming a industry standard of its own. Early Tesla battery packs come apart into bunch of 18650s and could reassemble into new packs(though it's a big no-no due to RUD risks). Meanwhile, Prius power units or front seats are for Prius only; it won't go into dozen different Toyota models, at least without substantial parts changes, modifications, and reconfiguration. Bugatti Veyron uses its own custom tires that aren't even forward or backward compatible with their own successor.

Same for phones: .apk runs everywhere, Linux do not, cameras don't interchange, internal connectors don't fit together, LCDs specific to anything are default unobtainium. microSD cards works on everything, but the moment you look away, Huawei invents a new incompatible format for absolutely no reason. Apple "reinvents everything" every time but internal organizations of components are stable at macroscopic levels for few generations unlike most other manufacturers.

It's openness of PC that is unique and precious, not closed nature of everything else being odd and inconvenient.

Precisely. Google pixel, Garmin watches, even Samsung watches.

Or using a bank that supports NFC payments (not using Google Wallet).

GrapheneOS Foundation raised this practice with European Commission because it unfairly penalises secure and safe competition giving instead a lie to the developers and banks that ancient, unsafe, vulnerable platforms are more secure.

Because the baseband chipset protocols and drivers are extremely patent encumbered. Any FOSS project will have to rely on on proprietary blobs for this part, and licensing deals from the existing patent holders, Quallcom. Nokia, Ericsson etc. .

You can see this is sort of adverserial to the FOSS way of doing things.

More likely getting data on your usage in some part, or most likely, pushing notifications reminding you about the particular brand, so you'll keep spending the money there.

It’s likely incompetence than malice. Chances are they’ve had a lot of customer complaints because some popular free VPN interferes with their app, and adding a blanket warning about VPNs is easier than trying to figure out why it’s not working and fix it.

That's a very clear vision on how to solve this kind of funding/cooperation problem outside of government and mission-focused nonprofits. And incidentally would be an existential threat to surveillance capitalism should it reach critical mass.

BTW your password-based signup flow isn't working (on iOS Safari at least).

Microsoft has the problem that nobody likes them or trusts them, which makes it hard to get people to use their platform in a context where they're not the default.

The parent started their message with "Why is it so complex to have a foss mobile OS", which is not wrong but pretty misleading, as there are many existing mobile OSes that work quite well.

You do have the option to change your bank when they consistently do dumb stuff you don't approve of. Shopping around will probably get you a better savings rate anyway.

> Emulating Android sufficiently well enough to run Android apps is a decent start, but so many apps rely on Play Services and Play Integrity that it's a losing battle, or at best a cat-and-mouse game to keep things working.

This is where antitrust laws are supposed to come into play. Play Services are a pain but in principle you can implement alternatives to them. It's the attestation stuff which is aggressively anti-competitive -- literally setting up a system with the primary function of excluding competing implementations from compatibility.

We can't let corporations get away with the fraud that competing with them is a security vulnerability.

In all fairness, a FOSS mobile os does for the most part work. Banking is pretty much the only big mainstream acception here. Most other exceptions are games with aggressive anti-cheat, or app simply not distributed outside a closed down store like Google play.

The licensing should (in theory) have FRAND terms and so might not be impossible. Couldn't someone just create their own chips? In the worst case, could someone be able to come up with a new protocol and start a new network (assuming they had the money?)

AOSP has yearly releases for the new major versions, but you can contribute code upstream.

> They choose iOS because it's locked down and thus they cannot inadvertently do something they don't understand, and can't be bothered to learn. More importantly, their grandmother cannot do something she doesn't understand but scammers persuade her to do.

For what it's worth scammers have zero problems scamming grandmothers with Apple computers and iphones.

Nothing says "obsession with standardization" like being one of only three countries on Earth that can't figure out that water freezes at 0 and boils at 100.

> Because PC is an American thing but phones are not.

I don't really understand what you're talking about here. Android and iOS are American companies. American culture is John Deere locking down their equipment. Anti-consumer laws, pushing IP laws onto the rest of the world by treaty, being overly litigious, these are all American culture. I think the culture you're thinking of is nearly dead in a shell of corporatism.

The PC was a pretty unique event due to a confluence of historical factors that all came together in a certain way. It wasn't the way of things before, and it's been slowly moving away from how it was, and it's not really got anything to do with being American or not.

Yeah, the fragmentation is the main issue, however Firefox OS is a proof that even a single device doesn't work if there are no concessions, and the only thing left are unintesting hardware for the general public.

Fidesmo Pay is another option, though the bank support is limited: https://fidesmo.com/consumer/fidesmo-pay/

Basically it’s a passive variant of smartwatch payments: you can pay with a ring, or bracelet, or a mechanical watch. The cheapest option is this plastic thingy (currently out of stock): https://eu.k-pay.com/product/mavericks

I’m thinking about implanting one into my hand :^)

Then the app gets no notification permissions.

Also why does a gas station app need to send notifications? :)

> Why are people so social and pleasant, and why are companies so egoistic (and I mean egoistic in the cancer/parasitic/enshitifying way, not in the Ayn-Rand/social/We-are-all-equal way).

It's specifically publicly-traded companies, because they cease to be controlled by real people who can make a human decision when there is a trade off between a marginal increase in profits and not being schmuck.

These are the same banks that very often have no app-based MFA login, and refuse to do anything other than send me an SMS TOTP.

The irony is that they'd rather suffer losses from fraud if the fraud is less than the cost of setting up App-based TOTP and a campaign to get customers to use the app. Yet they suddenly get all in a huff about PCI compliance as CYA so they don't have to pay an app developer to figure out how to check "is phone rooted? Yes. Which OS?"

Yeah, the idea that people using iOS can't do something dangerous that they don't understand is absurd. They get scammed all the time.

Unfortunately, not an option right now. Setting up foreign currency payout is difficult in my country, a lot of paperworks needed, we don't even have PayPal. Also, the previous autocratic government, that was forcefully expelled after a bloody movement, left most of the banks in ruin. So not a lot of options left.

On the cyberdeck note, I think the dawn of mobile computing is superseding smart phones and I rather move to flip phone + mobile Linux and keep them distinctly separated

I have never heard of a bank that has a hard requirement of a mobile app. Certainly none of the major banks like Wells Fargo or Chase require one. I do not own a phone and managers at times have to come up with undocumented fallback methods, but there is always a way.

I cannot imagine a legal defense for forcing someone to accept the terms of service of Apple or Google to use their bank account.

Nobody was talking about GNU. Most don't care if the userspace utilties are gnu coreutils/libc or musl/busybox for example.

AOSP is free and open source software.

> Your government's app does not... for now.

My govt's app did, but after bugging them a lot they removed safetynet.

> I have never heard of a bank that has a hard requirement of a mobile app

My bank's app recently started warning me that I should "Turn off developer mode" for """security""" on every sign-in. This warning doesn't stop me from using the app yet, but I'm sure it'll get there.

In Sweden we use BankID (there is a similar service with the same name in each Scandinavian country).

It's impossibly convenient to be perfectly fair with you, however I know that my bank has stopped issuing the "BankID Card" (which was a card and pin device that allowed you to generate challenge numbers)- and now forces you to use the BankID app -- which will not run on rooted phones of course.

It's even slightly worse as the App requires NFC; so I can't keep a backup on my iPad (which is what I was doing before).

They don’t care much about security as long as it doesn’t cost them much.

> I giggled and said no, their developers don't understand security.

Their developers usually understand security well enough.

The problem, especially for banks, is that they're zero-risk driven, their ideal world is the one where risk doesn't exist. So instead of mitigating it they chase risk elimination (!= reduction) at any cost, while middle management needs to report that they improved something for the quarter. This results in all these kinds of stupid policies, where a 6 year old mobile, unmaintained for 4, is considered more secure than the weekly build of the community-based custom ROM running with locked bootloader signed with user-managed keys with strong protection (these days it's almost infeasible).

EDIT: to be clear, it's normally not the developers thinking up these policies, I have worked in a bank.

> I have never heard of a bank that has a hard requirement of a mobile app.

It shouldn't be a thing, but it is. In the Netherlands the newer digital-only banks are allowed to do this. No smartphone, no service.

The more established banks (systeembanken) do have alternatives, but realistically not using their app for login auth and transaction approval is a huge pain in the ass.

(My bank, ABN AMRO, has an app which thankfully works fine on GrapheneOS.)

Yep. My thoughts exactly. Seems like everyone here is forgetting about those two.

There is also the issue that other factors can keep you tied to a bank. Like having a mortgage there and getting a discount on home owner insurance for it, as well as getting a discount on the mortgage interest for banking with them.

Changing banks is easy when it's just about cash in a savings account. Not so easy in other cases.

> So instead of mitigating it they chase risk elimination (!= reduction) at any cost,

I don't actually believe that. They chase risk elimination at any cost to you. If there's a significant cost to them, they're going to be all about quantitative tradeoffs.

Yes, that's what a "bonus/loyalty program" is.

BankID works great on GrapheneOS fortunately.

Really? I never even installed the play store because it didn’t work on LineageOS.

I guess I absolutely need the play store to get BankID on the phone- so I’ll try that now with my Pixel 7.

> I have never heard of a bank that has a hard requirement of a mobile app

My banks all require their own individual apps for authentication and authorization. I can use the website but to log in and authorize any transactions I need their app. Ironically this runs on my 8 year old Android 10 phone (used as a backup) so security can't be part of it.

It's their security and not your security, don't mix up

You can't run AOSP on any existing hardware. Except maybe Pinephone and Libem 5, and only in theory.

Also, you should read all the good arguments on HN why you shouldn't use Chromium even though it's technically FLOSS.

> But they won't have mass-market appeal until they can run the same sorts of apps that Android and iOS can run

Waydroid allows me to run Android apps on my Librem 5.

> How do I deposit a check with my bank on my phone without the app? I can't; the mobile website doesn't have that functionality

So switch the bank to one not forcing you into the duopoly?

This is a very misleading wording. FOSS is enough for everything unless a monopolistic megacorp forces you into their proprietary software (and your government stays silent).

OSI layer 4 and up of Android/iOS are pretty well standardized, below pioneered by Nokia-Siemens are complete mess. Phones before iPhone sometimes had apps. Most of them used Java and lots of them needed model-specific ports due to model-specific bugs and quirks in JVMs. Compatibility of Linux is entirely dependent on stability of PC platform, and Linux itself offers little compatibility or modularity, just source level consistency with past self, unlike predominantly American platforms such as Windows.

When Google does it, of course, same apk files and NDK binaries just run on every models of every make as if always worked that way.

American companies appear to be the worst offenders in the world when it comes to breaking compatibility and right to repair, and this isn't to say those anti-consumer changes are okay at all, but I do think the reality is that, you can't break something that never existed, and it exists a lot more commonly in American things than in things from elsewhere.

Interesting. Does this mean that it is using a lower level of Play Integrity API checking (ie not hardware attestation), or are they using the open hardware attestation API (which... exists but is almost never used)?

https://grapheneos.org/articles/attestation-compatibility-gu...

If banks were to offer PWAs, they would probably demand something like Google's Web Environment Integrity proposal - or would be convinced by Google that they need it.

In Europe there are, e.g. at least some subsidiaries of Societe Generale, which have closed their Web sites on which their online banking services were previously available, and which refuse to provide their mobile apps otherwise than through the Google Store.

I doubt very much that it is possible for this practice to be legal, i.e. to condition the services of an European bank of the existence of a contractual relationship with a third party, which is non-European.

Nevertheless, nobody has enough spare time and money to challenge legally such banks.

Now I do my operations mostly through other banks that still have browser-based online banking, but I have not closed yet my last account at such a Societe Generale subsidiary, because I have regressed to use an antique SMS-based substitute for online banking, which is good enough for that account, which I keep only for a credit card used mostly for shopping in supermarkets or the like.

It is quite possible that you still may be able to obtain it by annoying them - in some cases provisions related to supporting disabled peoples can prevent them from fully getting rid of it.

On the last change my bank made me call to their hotline (even though everything else is possible to be done online) to keep using a separate hardware device - which ended up being just "so, you don't want to do it on a phone?" - "yep" - "ok, should be with you in a week or so".

I nowadays consider my phones pretty much throwaway devices - I don't have full control, I can't fully trust them. Plus they could be stolen, break when I drop it into water outside, ... - so I think it's ridiculously stupid to tie anything important to a phone as main authenticator.

Overall the usefuleness of a phone has been declining steadily - the selling point of a smart phone originally was that I have an app, and because it's a reasonably trusted device it'll store credentials, and I can use the app without logging in every time. By now most of the apps are just repackaged websites, and because of that - and because they don't trust their backends - we now have quickly expiring tokens in use in the apps as well. Most of the apps I don't use every day - and over the last few months every single one wanted me to log in again next time I used it.

Adding to that the nonsense of "there's a new app available, download that first before using" which typically doesn't add anything of value to me, and we're now at a state that not only does the typical smart phone app not offer a benefit over just using a website - it now often is even worse than just using a website.

and yet their website works fine on my desktop Linux using a browser...

:-) Yeah. Only SSO was working because while email would double my users, I was doing an experiment and looking for at least some signs of life. Doubling nothing would be useless.

Turns out, some new enrollments topped up their accounts and dropped off before the final step that makes it show up on the home page, so now I know it's something, and something is worth doubling.

> existential threat to surveillance capitalism

Should I buy a gun? I'm an American.

Bunq comes to mind, I'm guess N26 and Revolut are similar, app first "fin-tech" banks.

Because it's actually your telco's phone. They're the one that has the license to run the baseband computer and RF transceiver. The 'pad' computer device is sort of yours. But there's no legal way to have ownership of a cell phone unless you yourself bid for and get the RF spectrum and set up your network in a way that accomplishes the FCC coverage and timing requirements. Then run your own telco for your phone. Basically, impossible.

Smart phones try to limit and firewall the interface between the two but tight integration is required for energy efficiency. So a smart phone, or a cell phone, can never be yours. They aren't good choices for doing computing and this legal reality is becoming more and more obvious with time.

That sounds like it's a hard requirement for checking your bank balance/etc over the internet. Can't you just not do that and phone them up or go in person or read the monthly sent paper balances? Or just keep track yourself... A bank without a physical location is something I'd steer well clear of.

I barely use my bank's website and could easily not use it at all and still have all the functionality that a bank provides.

"Why is it so complex to have a foss mobile OS."

What does "foss mobile OS" mean

(a) installed on a portable form factor,

(b) integrates with a cellular modem. or

(c) all of the above

For discussion purposes, assume "portable" means pocket-sized and battery-powered

When the RPi first came out I remember a blog where someone had rigged up a makeshift battery making RPi portable. At the time, HN commenters seemed impressed. Today, I connect a "phone" to an RPi running NetBSD^1 and use the phone as a battery

1. Linux provides wider assortment of drivers NB. I'm not using NetBSD to make phone calls

Today there are

non-portable VoIP phones with PoE, and

portable cellular modems running OpenWRT

Tomorrow, who knows

Convenience and control are mutually exclusive; this seems unlikely to change. Choosing the later over the former is personal preference. Every user is different

Trying to control a "phone" might be a waste of time, an exercise in futility, especially when it is running a corporate OS. Whereas controlling a gateway running an OS of the user's choice might prove to be relatively easy. Phones provide convenience, not control

> Should I buy a gun? I'm an American.

No, that's unnecessary. Nobody will be taking you that seriously.

> some new enrollments topped up their accounts and dropped off before the final step that makes it show up on the home page

Did they actually put money in?

Yeah, there were two streams that I tried so far. Interestingly, PrizeForge itself initially got $105, a $100 and a $5 enrollment. The UI was even shittier. I took one look at that $100 and knew I've got to f&*#ing go.

So, for a second experiment, I was actually running a stream for Emacs (yeah, yeah, I know, I know). They managed to raise all of $10 for themselves. The premise was to pay out a weekly prize for whoever developed something cool. Super simple.

There's so little data, but it very clearly, very, very clearly seems to say the enthusiasm is for PrizeForge to get good more than it was to use PrizeForge for something else.

And I'm going to keep expanding in various directions because there's no way I'm oriented yet, but it's not nothing. It's terrible UX, terrible everything, but just clearly enough on top of something.

Paper balances and visiting your local branch are mostly a thing of the past. Calling them is an exercise in extreme patience. My bank all but discontinued actually visiting them except for certain specific things.

In the Netherlands (and beyond) online payments (shops, Steam, etc.) are made via the IDEAL platform run by the Dutch banks collectively. That is a good thing, because payments are secure and easy, and no one needs a credit card. But that does mean using your bank's web service to approve those payments.

Using the bank's offline OTP hardware (where you insert your debit card and enter a PIN and the code generated by the bank's website for an OTP) is possible, but using the app is significantly less effort than that. There is very little point in resisting it. It's not a healthy situation, but it is the reality.

You can create your own chips but you will have issues obtaining a license to use spectrum in some countries. Often, licenses for spectrum where the device is licensed instead of the end user, require the device itself to comply with spectrum use requirements....since the user isn't licensed.

Windows Mobile was great and people loved it at the time. Most people I knew in 2007/2008 were laughing at how the iPhone was an expensive toy phone because you couldn't even install apps or use MS Exchange.

Of course, the problem for MS was that Apple (and Google) quickly closed those gaps, and they just simply had better overall products.

'their security' in what way? Is an app more likely to be exploited than a web browser?

If you're going so far as to install Lineage, couldn't you take the small step further and download alternate browsers to change the user agent? (Unless the default Lineage browser can do this already.)

I run a Google'd OS for now but I haven't used my bank's terrible app in years and years. I use their terrible website via desktop mode instead.

To tell you the gas prices are low?

(Don't know for sure, wouldn't use one myself.)

???

No. microG is an ABI-compatible replacement for Google libraries, just like wine is a replacement for Win32 APIs.

> Windows Mobile was great and people loved it at the time.

But that wasn't the problem.

The iPhone and Android became popular because they were, respectively, good and "good enough" but free, and both Apple and Google had a good reputation at the time. Users were willing to buy those phones and developers were willing to make apps for them because they didn't expect those companies to screw them. The screwing only happened after they were no longer the underdogs and the network effect was already established.

Microsoft doesn't cast as an underdog and everybody expects them to screw you as soon as they get the chance, so not enough people were willing to give them the chance.

They could have overcome that to their own benefit if they would have bound their future selves from enshittifying the platform. Don't make "Windows Phone" under a proprietary license, make an actually open source Android fork which is an open platform like Windows instead of a closed one like iOS, but provide seamless integrations with the Microsoft cloud services instead of the Google ones. Write code that makes it work as well with Windows PCs as iPhones do with macOS. Make two phones yourself: a $999 Surface Phone with iPhone-quality hardware and a $199 one with basic hardware but nevertheless 12 years of security updates to get the low end of the market, provide something for kids/students and make it cheap for developers on the fence to get a device with your platform and make apps that integrate with your cloud services. You're not trying to sell an operating system, you're trying to take Apple's margins on the high end hardware and Google's cloud services revenue from the mass market.

But that's not what they did, and getting people to trust them with a closed platform wasn't in the cards.

> I’m thinking about implanting one into my hand :^)

On the one hand, I approve of self-administered biohacking.

On the other hand, you might need a Faraday glove to prevent tap to pay shenanigans by folks with a mobile card reader who bump check you.

I would not do this type of biohacking myself, but if you go down this path, look into how NFC skimmers work, because that and compromised card readers and unauthorized tap to pay events on portable card readers is a threat vector. I have heard that Google and Apple are working to roll out tap to pay from card to phone and phone to phone, which could allow folks to skim your NFC device to run an unauthorized transaction.

In 2007 or 2008, defining "users" in this context isn't that straightforward of an exercise.

Apple and Google might have had a good reputation with consumers who were using feature-phones at the time... but they both had bad reputations with most existing smartphone users at the time. Those users were primarily business business users or power users who had requirements that weren't met by most of anything that Apple or Google was putting out at the time. RIM and Microsoft were building the smartphones that were most trusted at the time.

The mass consumer market for smartphones really didn't exist until Apple took phones in that direction. Before that, they weren't entertainment or consumer-focused devices, they were productivity devices.

iOS and Android, by their second or third release, were already better products than Windows mobile 6.5, both for entertainment and productivity. That's the reason they won. Neither of them were "free" to users -- and in fact the devices that they ran on were more expensive than Windows Mobile devices. People were only willing to pay more for these devices because they were doing something entirely different than what Windows Mobile did. They were consumer smartphone devices -- a new category of device that didn't exist.

This is not to be confused with Windows Phone -- which failed because it was way too late to market, way too far behind in ecosystem support, and didn't solve any new problems.

> ...stream for Emacs...

> ...terrible UX, terrible everything...

I think I accidentally enrolled for emacs and can't unenroll on the site. I guess I'll have to finally start using emacs now

The point in resisting it is to waste their valuable time on whatever the worst appless methods are, so they are forced to improve the efficiency to keep profits high if enough people do it.

If you install the app then you are complicit in normalizing the requirement of signing terms of service and data sharing agreements to US technology companies in order to do banking.

Be the person that demands better. Be the squeaky wheel. Call politicians and press if needed. Stop this shit now before it becomes expected for school and healthcare too.

If you install the app then you are complicit in normalizing the requirement of signing terms of service and data sharing agreements to US technology companies in order to do banking.

Feel free to say you are a member of the Church of Cryptography and that installing proprietary corporate controlled apps is against your religion.

Never been asked to install an app for banking, but a health care clinic dropped me as a patient for not buying a phone that can install their app. I was the first case where a patient refused to conform. Found a new clinic who was willing to earn my business with phone and email correspondence. The original clinic escalated the case to corporate HQ when I filed a public medical malpractice complaint, and they ultimately responded by adding a webapp.

DEMAND the right to live your life without corpotech in your pocket. I am now 5 years without a smartphone working as an engineer and founder with an active social life who frequently travels and it can absolutely be done.

The hardware and boot process for every phone is different, and some vendors block users from installing other OSes. Then most mobile apps are proprietary, and some of the apps only allow you to run them on official Google builds of Android, via attestation.

https://grapheneos.org/articles/attestation-compatibility-gu...

Hey at least customer support is still pretty good when I can twiddle the database for each one. Shoot something to support@prizeforge.com.

Oh I see your username. You were over the subreddit. Welcome aboard.

It is possible, but very unlikely. You’ll need to know where my chip is (I guess for an average thief an implant is not the first idea of where to look for an NFC card), and then get quite close to me to pull this off. Even if you do, I think it’ll take about one chargeback to get your merchant account blocked.

> roll out tap to pay from card to phone and phone to phone

It’s already here! Stripe has supported it for a while now, and I’ve seen a bunch of other payment providers have it, too: https://stripe.com/terminal/tap-to-pay

There are only so many things you can actively fight. I can choose to actively pursue a number of topics and be the annoying squeaky wheel there, but not everything. This is one topic I cannot invest more time in, and which won't yield any significant returns even if I did. There are a number of topics where my voice can still make a difference, I focus on those.

Yes.

The only issue I had on GrapheneOS was that I had to play with the location permissions a bit when I wanted to copy the BankID to GrapheneOS from another phone (I've got some pictures of that in this blog post: https://www.jonashietala.se/blog/2025/08/28/ill_only_buy_dev...).

All other Swedish bank accounts I've tried have also worked great (including Swish).

More likely to tell you to come in and buy a half price slushie, and hopefully grab a bag of chips too. Which is probably where they make their real profit.

I have no idea, but I've never gotten the "this app is using Play Integrity" warning with BankID so maybe it doesn't use Play Integrity?

> You can't run AOSP on any existing hardware. Except maybe Pinephone and Libem 5, and only in theory.

What do you mean? I can run AOSP on Google Pixel devices for example.

> You can see this is sort of adverserial to the FOSS way of doing things.

Example of the real-word problems with creating a FLOSS phone: https://puri.sm/posts/breaking-ground/

> It is possible, but very unlikely.

Life, uh, finds a way, after all.

> Even if you do, I think it’ll take about one chargeback to get your merchant account blocked.

Well, someone's merchant account might be blocked, but carders don't necessarily use their own accounts; in fact, I would doubt that many do, but criminals are often underestimating risks and overestimating rewards. It's almost a truism at this point that folks who do crime are not usually acting rationally, but I don't want to stereotype.

> It’s already here! Stripe has supported it for a while now, and I’ve seen a bunch of other payment providers have it, too: https://stripe.com/terminal/tap-to-pay

Finally! This feature is going to help a lot of small businesses in isolated areas where mobile phones are the primary (or only) computing devices that are commonly owned. This can create virtuous cycles that are somewhat unpredictable, which should help make these markets more dynamic and competitive.

Thanks for posting that Stripe link. Here's some more tap to pay links I was able to find, eventually. The search terms match too much, so it is a bit hard to disambiguate legacy NFC payment flows that use traditional or modern terminals from the new device to device payment flows. I remember hearing about Stripe's work on this feature, but since I didn't hear much after that, so I wasn't sure if the feature had ever shipped. I'm glad that this tech is getting in the hands of end users.

Apple-specific roundup of apps and vendors that support the feature:

https://apps.apple.com/story/id1620226212

https://www.apple.com/business/tap-to-pay-on-iphone/

These two are available on both iOS and Android, in case that is important for folks:

https://squareup.com/us/en/payments/tap-to-pay-android

https://www.paypal.com/us/business/pos-system/tap-to-pay

It's not AOSP, it contains a lot of proprietary blobs.

Online banking in the browser is hardly a new invention. It works fine, today.

The only noticeable difference between most apps and websites nowadays is offline capability and deeper system integration.

Native apps have been dumbed down so hard there is barely anything left not taken care of by browsers.

Late 2021, IIRC.

Well, to add insult to the injury, this bank does not allow website login without the mobile app. Which is absolutely infuriating. I did mention that on my comment :-)