400 points ingve | 52 comments
userbinator ◴[] No.45035952[source]
This shouldn't just be "questions"; this should be a full-on opposition. Do not give them even an inch, or they'll take a mile.

"debugger vendors in 2047 distributed numbered copies only, and only to officially licensed and bonded programmers." - Richard Stallman, The Right to Read, 1997

replies(5): >>45035983 #>>45036017 #>>45036375 #>>45037682 #>>45048988 #
teekert ◴[] No.45036017[source]
Why is it so complex to have a foss mobile OS.

I only have Linux PCs (laptops) and servers, 100% of my work and personal stuff is done there (though for work I do need to hop into MS365, Google Workspace, Zoom, etc, hooray for browsers, my final firewall between me and the walled gardens, though we can have a whole discussion on that).

For mobile, we have PostmarketOS, Phosh, Ubuntu Touch. I really must try living in them, is it on me? IDK, our government even has an identity app for iOS and Android. I should not be using it, I should stick to web. But its so much more convenient. I'm just weak, aren't I?

Maybe I should go for Ubuntu touch, with an iPad on the side or something. At least my most personal device is something I control then. Or just keep my Linux laptop handy (or make a cyberdeck!). But I want a computing platform that does not require carrying a bag. It's kinda sad. Even GrapheneOS (one of the most personal and secure mobile computing experiences out there)'s future is in the hands of its greatest adversary, the one that does not want you to have a personal computing experience.

replies(21): >>45036070 #>>45036112 #>>45036243 #>>45036360 #>>45036380 #>>45036382 #>>45036412 #>>45036460 #>>45036478 #>>45036483 #>>45036501 #>>45036535 #>>45036675 #>>45036711 #>>45036838 #>>45037138 #>>45037190 #>>45037762 #>>45040244 #>>45041234 #>>45046932 #
1. rattyJ2 ◴[] No.45036382[source]
I could be one of the people running an ungoogled phone, but my bank refuses to have an app that runs on an ungoogled OS for "security"
replies(4): >>45036466 #>>45036541 #>>45036680 #>>45037787 #
2. preisschild ◴[] No.45036466[source]
Write them. My bank's app had safetynet, but they disabled it and now it is usable over GrapheneOS.

Unfortunately no NFC Payments though, since they are only available for Google Wallet (which uses safetynet)

replies(1): >>45036883 #
3. SanjayMehta ◴[] No.45036541[source]
My bank used to block VPNs “for security reasons.”

Now they very kindly just display a warning.

replies(1): >>45036795 #
4. t_mahmood ◴[] No.45036680[source]
My bank blocks my mobile with Lineage OS, and it's not even possible to login to the web site without the mobile app. Absolutely pathetic.

Now I have to keep my 4 year old phone with 2 year outdated Android to access the bank application. Which is deemed more safe than my mobile with the latest security updates. Haha

replies(4): >>45036812 #>>45037133 #>>45037323 #>>45043764 #
5. maximilianthe1 ◴[] No.45036795[source]
Gas station app I use asks to turn VPN off every launch (even when it is disabled)
replies(2): >>45036816 #>>45037230 #
6. exe34 ◴[] No.45036812[source]
last time I walked into the bank to do something, they tried to peddle their app. I giggled and said no, their developers don't understand security.

my phone is rooted and their app won't work.

replies(3): >>45036884 #>>45037986 #>>45038640 #
7. mschild ◴[] No.45036816{3}[source]
Why does a gas station need an app?
replies(1): >>45036830 #
8. maximilianthe1 ◴[] No.45036830{4}[source]
Bonus/loyalty program
replies(1): >>45037199 #
9. aspenmayer ◴[] No.45036883[source]
> Unfortunately no NFC Payments though, since they are only available for Google Wallet (which uses safetynet)

A workaround for NFC payments I've heard about for folks running OSes on their Androids that don't support that feature is a smartwatch with NFC.

replies(1): >>45037170 #
10. t_mahmood ◴[] No.45036884{3}[source]
Unfortunately, I can say with 100% confidence, the customer service of my bank will not freaking understand what a rooted phone, or LineageOS, is ...

And my bank's web app developer couldn't even fix their log in bug for several months. I realize, now, it's because they want to sunset their web portal.

Which is extremely annoying ... what if I don't have my mobile!!

Lazy, and greedy corporates, just trying to save on their costs with shortcuts, never realizing security is never achieved by taking shortcuts.

replies(1): >>45037979 #
11. subscribed ◴[] No.45037133[source]
It's even better than that. Banks (for example Revolut) consider several-years-old phones, running an ancient OS (last I checked they allowed A10) without security updates for some 7 years, so riddled with zero-click/RCE vulnerabilities, but they do not allow GrapheneOS, which is currently the safest OS in mobiles (on par/beating iOS, depending whom you ask).

Yes, banks* claim phones riddled with maximum severity security issues are secure. Also phones that are rooted but using magisk modules to conceal this fact, and use spoofed signatures from ancient hardware, but the most safe platform is not secure enough for them.

Go figure.

*not all, there are notable exceptions explicitly supporting secure platforms through the modern Hardware Attestation model.

replies(1): >>45037636 #
12. subscribed ◴[] No.45037170{3}[source]
Precisely. Google pixel, Garmin watches, even Samsung watches.

Or using a bank that supports NFC payments (not using Google Wallet).

GrapheneOS Foundation raised this practice with European Commission because it unfairly penalises secure and safe competition giving instead a lie to the developers and banks that ancient, unsafe, vulnerable platforms are more secure.

replies(1): >>45037518 #
13. spaqin ◴[] No.45037199{5}[source]
More likely getting data on your usage in some part, or most likely, pushing notifications reminding you about the particular brand, so you'll keep spending the money there.
replies(2): >>45037544 #>>45038282 #
14. Nextgrid ◴[] No.45037230{3}[source]
It’s more likely incompetence than malice. Chances are they’ve had a lot of customer complaints because some popular free VPN interferes with their app, and adding a blanket warning about VPNs is easier than trying to figure out why it’s not working and fix it.
15. yummypaint ◴[] No.45037323[source]
You do have the option to change your bank when they consistently do dumb stuff you don't approve of. Shopping around will probably get you a better savings rate anyway.
replies(1): >>45037702 #
16. notpushkin ◴[] No.45037518{4}[source]
Fidesmo Pay is another option, though the bank support is limited: https://fidesmo.com/consumer/fidesmo-pay/

Basically it’s a passive variant of smartwatch payments: you can pay with a ring, or bracelet, or a mechanical watch. The cheapest option is this plastic thingy (currently out of stock): https://eu.k-pay.com/product/mavericks

I’m thinking about implanting one into my hand :^)

replies(1): >>45043998 #
17. loloquwowndueo ◴[] No.45037544{6}[source]
Then the app gets no notification permissions.

Also why does a gas station app need to send notifications? :)

replies(1): >>45043847 #
18. 3RTB297 ◴[] No.45037636{3}[source]
These are the same banks that very often have no app-based MFA login, and refuse to do anything other than send me an SMS TOTP.

The irony is that they'd rather suffer losses from fraud if the fraud is less than the cost of setting up App-based TOTP and a campaign to get customers to use the app. Yet they suddenly get all in a huff about PCI compliance as CYA so they don't have to pay an app developer to figure out how to check "is phone rooted? Yes. Which OS?"

19. t_mahmood ◴[] No.45037702{3}[source]
Unfortunately, not an option right now. Setting up foreign currency payout is difficult in my country, a lot of paperwork is needed, we don't even have PayPal. Also, the previous autocratic government, that was forcefully expelled after a bloody movement, left most of the banks in ruin. So not a lot of options left.
replies(1): >>45038066 #
20. lrvick ◴[] No.45037787[source]
I have never heard of a bank that has a hard requirement of a mobile app. Certainly none of the major banks like Wells Fargo or Chase require one. I do not own a phone and managers at times have to come up with undocumented fallback methods, but there is always a way.

I cannot imagine a legal defense for forcing someone to accept the terms of service of Apple or Google to use their bank account.

replies(6): >>45037833 #>>45037924 #>>45038034 #>>45038618 #>>45039134 #>>45040133 #
21. 654wak654 ◴[] No.45037833[source]
> I have never heard of a bank that has a hard requirement of a mobile app

My bank's app recently started warning me that I should "Turn off developer mode" for """security""" on every sign-in. This warning doesn't stop me from using the app yet, but I'm sure it'll get there.

22. dijit ◴[] No.45037924[source]
In Sweden we use BankID (there is a similar service with the same name in each Scandinavian country).

It's impossibly convenient to be perfectly fair with you, however I know that my bank has stopped issuing the "BankID Card" (which was a card and pin device that allowed you to generate challenge numbers)- and now forces you to use the BankID app -- which will not run on rooted phones of course.

It's even slightly worse as the App requires NFC; so I can't keep a backup on my iPad (which is what I was doing before).

replies(3): >>45038425 #>>45039493 #>>45046261 #
23. markus_zhang ◴[] No.45037979{4}[source]
They don’t care much about security as long as it doesn’t cost them much.
24. plqbfbv ◴[] No.45037986{3}[source]
> I giggled and said no, their developers don't understand security.

Their developers usually understand security well enough.

The problem, especially for banks, is that they're zero-risk driven, their ideal world is the one where risk doesn't exist. So instead of mitigating it they chase risk elimination (!= reduction) at any cost, while middle management needs to report that they improved something for the quarter. This results in all these kinds of stupid policies, where a 6 year old mobile, unmaintained for 4, is considered more secure than the weekly build of the community-based custom ROM running with locked bootloader signed with user-managed keys with strong protection (these days it's almost infeasible).

EDIT: to be clear, it's normally not the developers thinking up these policies, I have worked in a bank.

replies(1): >>45038267 #
25. Freak_NL ◴[] No.45038034[source]
> I have never heard of a bank that has a hard requirement of a mobile app.

It shouldn't be a thing, but it is. In the Netherlands the newer digital-only banks are allowed to do this. No smartphone, no service.

The more established banks (systeembanken) do have alternatives, but realistically not using their app for login auth and transaction approval is a huge pain in the ass.

(My bank, ABN AMRO, has an app which thankfully works fine on GrapheneOS.)

replies(1): >>45040895 #
26. Freak_NL ◴[] No.45038066{4}[source]
There is also the issue that other factors can keep you tied to a bank. Like having a mortgage there and getting a discount on home owner insurance for it, as well as getting a discount on the mortgage interest for banking with them.

Changing banks is easy when it's just about cash in a savings account. Not so easy in other cases.

27. Hizonner ◴[] No.45038267{4}[source]
> So instead of mitigating it they chase risk elimination (!= reduction) at any cost,

I don't actually believe that. They chase risk elimination at any cost to you. If there's a significant cost to them, they're going to be all about quantitative tradeoffs.

28. Hizonner ◴[] No.45038282{6}[source]
Yes, that's what a "bonus/loyalty program" is.
29. lawn ◴[] No.45038425{3}[source]
BankID works great on GrapheneOS fortunately.
replies(2): >>45038474 #>>45039033 #
30. dijit ◴[] No.45038474{4}[source]
Really? I never even installed the play store because it didn’t work on LineageOS.

I guess I absolutely need the play store to get BankID on the phone- so I’ll try that now with my Pixel 7.

replies(1): >>45049501 #
31. close04 ◴[] No.45038618[source]
> I have never heard of a bank that has a hard requirement of a mobile app

My banks all require their own individual apps for authentication and authorization. I can use the website but to log in and authorize any transactions I need their app. Ironically this runs on my 8 year old Android 10 phone (used as a backup) so security can't be part of it.

32. out_of_protocol ◴[] No.45038640{3}[source]
It's their security and not your security, don't mix up
replies(2): >>45039567 #>>45043072 #
33. NoGravitas ◴[] No.45039033{4}[source]
Interesting. Does this mean that it is using a lower level of Play Integrity API checking (ie not hardware attestation), or are they using the open hardware attestation API (which... exists but is almost never used)?

https://grapheneos.org/articles/attestation-compatibility-gu...

replies(1): >>45049514 #
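The linked GrapheneOS guide argues that an app does not need the Play Integrity API to tell a stock device from a modified one: the standard Android hardware key attestation extension already reports whether the bootloader is locked, whether verified boot passed, and the hash of the verified boot signing key, so a bank can allowlist the stock key and the GrapheneOS key while still rejecting unlocked or rooted devices. The following is an added example, not code from the thread, the guide, or any bank: it builds a constructed KeyDescription extension body inline (in place of one extracted from a real attestation certificate), parses the RootOfTrust field with a minimal DER reader, and applies that allowlist policy. The verified-boot key values and the challenge nonce are placeholders; verifying the certificate chain up to the attestation roots, which must happen before trusting the extension, is assumed to have been done already.

```python
import hashlib

# ---- minimal DER helpers (encode) -------------------------------------------
def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: bytes, body: bytes) -> bytes:
    return tag + der_len(len(body)) + body

def der_int(v: int) -> bytes:       # small non-negative integers only
    return tlv(b"\x02", bytes([v]))
def der_enum(v: int) -> bytes:
    return tlv(b"\x0a", bytes([v]))
def der_octets(b: bytes) -> bytes:
    return tlv(b"\x04", b)
def der_bool(b: bool) -> bytes:
    return tlv(b"\x01", b"\xff" if b else b"\x00")
def der_seq(*items: bytes) -> bytes:
    return tlv(b"\x30", b"".join(items))

# ---- minimal DER helpers (decode) -------------------------------------------
def read_tlv(buf: bytes, pos: int):
    """Return (tag_bytes, value, next_pos); handles high tag numbers and long lengths."""
    start = pos
    first = buf[pos]
    pos += 1
    if first & 0x1F == 0x1F:          # high tag number form, e.g. [704]
        while buf[pos] & 0x80:
            pos += 1
        pos += 1
    tag = buf[start:pos]
    length = buf[pos]
    pos += 1
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

# ---- Android Key Attestation: RootOfTrust inside KeyDescription --------------
# rootOfTrust is AuthorizationList field [704] EXPLICIT: context-specific,
# constructed, high tag number; 704 in base-128 is 0x85 0x40 -> BF 85 40.
TAG_ROOT_OF_TRUST = b"\xbf\x85\x40"
VERIFIED, SELF_SIGNED, UNVERIFIED, FAILED = 0, 1, 2, 3   # VerifiedBootState
SEC_SOFTWARE, SEC_TEE, SEC_STRONGBOX = 0, 1, 2            # SecurityLevel

def build_key_description(challenge: bytes, vb_key: bytes, locked: bool, state: int) -> bytes:
    """Constructed sample of the extension body (not taken from a real device)."""
    root_of_trust = der_seq(der_octets(vb_key), der_bool(locked), der_enum(state), der_octets(b"\x00" * 32))
    tee_enforced = der_seq(tlv(TAG_ROOT_OF_TRUST, root_of_trust))
    software_enforced = der_seq()                       # all fields OPTIONAL, none present
    return der_seq(der_int(4), der_enum(SEC_TEE), der_int(4), der_enum(SEC_TEE),
                   der_octets(challenge), der_octets(b""), software_enforced, tee_enforced)

def parse_key_description(der: bytes) -> dict:
    tag, body, _ = read_tlv(der, 0)
    if tag != b"\x30":
        raise ValueError("KeyDescription must be a SEQUENCE")
    f = children(body)                                  # fields in KeyDescription order
    result = {"security_level": f[1][1][0], "challenge": f[4][1], "root_of_trust": None}
    for tag, val in children(f[7][1]):                  # teeEnforced AuthorizationList
        if tag == TAG_ROOT_OF_TRUST:
            _, rot_body, _ = read_tlv(val, 0)           # unwrap EXPLICIT -> SEQUENCE
            vb_key, locked, state, vb_hash = [v for _, v in children(rot_body)]
            result["root_of_trust"] = {"verified_boot_key": vb_key, "device_locked": locked != b"\x00",
                                       "verified_boot_state": state[0], "verified_boot_hash": vb_hash}
    return result

def evaluate_attestation(der: bytes, expected_challenge: bytes, allowed_vb_keys: dict):
    """Policy: hardware-backed, fresh challenge, locked bootloader, verified boot,
    and a verifiedBootKey on the allowlist. Returns (accepted, reason_or_os_name)."""
    kd = parse_key_description(der)
    if kd["challenge"] != expected_challenge:
        return False, "challenge mismatch (replayed attestation)"
    if kd["security_level"] == SEC_SOFTWARE:
        return False, "software-only attestation"
    rot = kd["root_of_trust"]
    if rot is None:
        return False, "no rootOfTrust in teeEnforced"
    if not rot["device_locked"]:
        return False, "bootloader unlocked"
    if rot["verified_boot_state"] != VERIFIED:
        return False, "verified boot state not VERIFIED"
    os_name = allowed_vb_keys.get(rot["verified_boot_key"])
    if os_name is None:
        return False, "verifiedBootKey not on allowlist"
    return True, os_name

# Placeholder allowlist: in production these are the published SHA-256 hashes of
# the real verified boot signing keys for the stock OS and for GrapheneOS.
STOCK_KEY = hashlib.sha256(b"placeholder: stock OS verified boot key").digest()
GRAPHENE_KEY = hashlib.sha256(b"placeholder: GrapheneOS verified boot key").digest()
ALLOWED_KEYS = {STOCK_KEY: "stock OS", GRAPHENE_KEY: "GrapheneOS"}
CHALLENGE = b"\x11" * 16                                # constructed server nonce

if __name__ == "__main__":
    print(evaluate_attestation(build_key_description(CHALLENGE, GRAPHENE_KEY, True, VERIFIED), CHALLENGE, ALLOWED_KEYS))
    print(evaluate_attestation(build_key_description(CHALLENGE, GRAPHENE_KEY, False, UNVERIFIED), CHALLENGE, ALLOWED_KEYS))
```

The allowlist is the whole point: a rooted or unlocked device fails on `device_locked` or `verified_boot_state` regardless of which OS it reports, while a locked GrapheneOS device with its own signing key passes. A server-generated challenge bound into the attestation is what stops a captured attestation from an unmodified phone being replayed from a modified one.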
34. adrian_b ◴[] No.45039134[source]
In Europe there are, e.g. at least some subsidiaries of Societe Generale, which have closed their Web sites on which their online banking services were previously available, and which refuse to provide their mobile apps other than through the Google Store.

I doubt very much that it is possible for this practice to be legal, i.e. to condition the services of a European bank on the existence of a contractual relationship with a third party, which is non-European.

Nevertheless, nobody has enough spare time and money to challenge legally such banks.

Now I do my operations mostly through other banks that still have browser-based online banking, but I have not closed yet my last account at such a Societe Generale subsidiary, because I have regressed to use an antique SMS-based substitute for online banking, which is good enough for that account, which I keep only for a credit card used mostly for shopping in supermarkets or the like.

35. finaard ◴[] No.45039493{3}[source]
It is quite possible that you still may be able to obtain it by annoying them - in some cases provisions related to supporting disabled people can prevent them from fully getting rid of it.

On the last change my bank made me call to their hotline (even though everything else is possible to be done online) to keep using a separate hardware device - which ended up being just "so, you don't want to do it on a phone?" - "yep" - "ok, should be with you in a week or so".

I nowadays consider my phones pretty much throwaway devices - I don't have full control, I can't fully trust them. Plus they could be stolen, break when I drop it into water outside, ... - so I think it's ridiculously stupid to tie anything important to a phone as main authenticator.

Overall the usefulness of a phone has been declining steadily - the selling point of a smart phone originally was that I have an app, and because it's a reasonably trusted device it'll store credentials, and I can use the app without logging in every time. By now most of the apps are just repackaged websites, and because of that - and because they don't trust their backends - we now have quickly expiring tokens in use in the apps as well. Most of the apps I don't use every day - and over the last few months every single one wanted me to log in again next time I used it.

Adding to that the nonsense of "there's a new app available, download that first before using" which typically doesn't add anything of value to me, and we're now at a state that not only does the typical smart phone app not offer a benefit over just using a website - it now often is even worse than just using a website.

36. exe34 ◴[] No.45039567{4}[source]
and yet their website works fine on my desktop Linux using a browser...
37. teekert ◴[] No.45040133[source]
Bunq comes to mind, I'm guessing N26 and Revolut are similar, app first "fin-tech" banks.
38. superkuh ◴[] No.45040895{3}[source]
That sounds like it's a hard requirement for checking your bank balance/etc over the internet. Can't you just not do that and phone them up or go in person or read the monthly sent paper balances? Or just keep track yourself... A bank without a physical location is something I'd steer well clear of.

I barely use my bank's website and could easily not use it at all and still have all the functionality that a bank provides.

replies(1): >>45041838 #
39. Freak_NL ◴[] No.45041838{4}[source]
Paper balances and visiting your local branch are mostly a thing of the past. Calling them is an exercise in extreme patience. My bank all but discontinued actually visiting them except for certain specific things.

In the Netherlands (and beyond) online payments (shops, Steam, etc.) are made via the IDEAL platform run by the Dutch banks collectively. That is a good thing, because payments are secure and easy, and no one needs a credit card. But that does mean using your bank's web service to approve those payments.

Using the bank's offline OTP hardware (where you insert your debit card and enter a PIN and the code generated by the bank's website for an OTP) is possible, but using the app is significantly less effort than that. There is very little point in resisting it. It's not a healthy situation, but it is the reality.

replies(1): >>45046173 #
40. dpoloncsak ◴[] No.45043072{4}[source]
'their security' in what way? Is an app more likely to be exploited than a web browser?
41. Andrex ◴[] No.45043764[source]
If you're going so far as to install Lineage, couldn't you take the small step further and download alternate browsers to change the user agent? (Unless the default Lineage browser can do this already.)

I run a Google'd OS for now but I haven't used my bank's terrible app in years and years. I use their terrible website via desktop mode instead.

replies(1): >>45060081 #
42. userbinator ◴[] No.45043847{7}[source]
To tell you the gas prices are low?

(Don't know for sure, wouldn't use one myself.)

replies(1): >>45049510 #
43. aspenmayer ◴[] No.45043998{5}[source]
> I’m thinking about implanting one into my hand :^)

On the one hand, I approve of self-administered biohacking.

On the other hand, you might need a Faraday glove to prevent tap to pay shenanigans by folks with a mobile card reader who bump check you.

I would not do this type of biohacking myself, but if you go down this path, look into how NFC skimmers work, because that and compromised card readers and unauthorized tap to pay events on portable card readers are threat vectors. I have heard that Google and Apple are working to roll out tap to pay from card to phone and phone to phone, which could allow folks to skim your NFC device to run an unauthorized transaction.

replies(1): >>45048340 #
44. lrvick ◴[] No.45046173{5}[source]
The point in resisting it is to waste their valuable time on whatever the worst appless methods are, so they are forced to improve the efficiency to keep profits high if enough people do it.

If you install the app then you are complicit in normalizing the requirement of signing terms of service and data sharing agreements to US technology companies in order to do banking.

Be the person that demands better. Be the squeaky wheel. Call politicians and press if needed. Stop this shit now before it becomes expected for school and healthcare too.

replies(1): >>45049234 #
45. lrvick ◴[] No.45046261{3}[source]
If you install the app then you are complicit in normalizing the requirement of signing terms of service and data sharing agreements to US technology companies in order to do banking.

Feel free to say you are a member of the Church of Cryptography and that installing proprietary corporate controlled apps is against your religion.

Never been asked to install an app for banking, but a health care clinic dropped me as a patient for not buying a phone that can install their app. I was the first case where a patient refused to conform. Found a new clinic who was willing to earn my business with phone and email correspondence. The original clinic escalated the case to corporate HQ when I filed a public medical malpractice complaint, and they ultimately responded by adding a webapp.

DEMAND the right to live your life without corpotech in your pocket. I am now 5 years without a smartphone working as an engineer and founder with an active social life who frequently travels and it can absolutely be done.

46. notpushkin ◴[] No.45048340{6}[source]
It is possible, but very unlikely. You’ll need to know where my chip is (I guess for an average thief an implant is not the first idea of where to look for an NFC card), and then get quite close to me to pull this off. Even if you do, I think it’ll take about one chargeback to get your merchant account blocked.

> roll out tap to pay from card to phone and phone to phone

It’s already here! Stripe has supported it for a while now, and I’ve seen a bunch of other payment providers have it, too: https://stripe.com/terminal/tap-to-pay

replies(1): >>45050973 #
47. Freak_NL ◴[] No.45049234{6}[source]
There are only so many things you can actively fight. I can choose to actively pursue a number of topics and be the annoying squeaky wheel there, but not everything. This is one topic I cannot invest more time in, and which won't yield any significant returns even if I did. There are a number of topics where my voice can still make a difference, I focus on those.
48. lawn ◴[] No.45049501{5}[source]
Yes.

The only issue I had on GrapheneOS was that I had to play with the location permissions a bit when I wanted to copy the BankID to GrapheneOS from another phone (I've got some pictures of that in this blog post: https://www.jonashietala.se/blog/2025/08/28/ill_only_buy_dev...).

All other Swedish bank accounts I've tried have also worked great (including Swish).

49. positr0n ◴[] No.45049510{8}[source]
More likely to tell you to come in and buy a half price slushie, and hopefully grab a bag of chips too. Which is probably where they make their real profit.
50. lawn ◴[] No.45049514{5}[source]
I have no idea, but I've never gotten the "this app is using Play Integrity" warning with BankID so maybe it doesn't use Play Integrity?
51. aspenmayer ◴[] No.45050973{7}[source]
> It is possible, but very unlikely.

Life, uh, finds a way, after all.

> Even if you do, I think it’ll take about one chargeback to get your merchant account blocked.

Well, someone's merchant account might be blocked, but carders don't necessarily use their own accounts; in fact, I would doubt that many do, but criminals are often underestimating risks and overestimating rewards. It's almost a truism at this point that folks who do crime are not usually acting rationally, but I don't want to stereotype.

> It’s already here! Stripe has supported it for a while now, and I’ve seen a bunch of other payment providers have it, too: https://stripe.com/terminal/tap-to-pay

Finally! This feature is going to help a lot of small businesses in isolated areas where mobile phones are the primary (or only) computing devices that are commonly owned. This can create virtuous cycles that are somewhat unpredictable, which should help make these markets more dynamic and competitive.

Thanks for posting that Stripe link. Here are some more tap to pay links I was able to find, eventually. The search terms match too much, so it is a bit hard to disambiguate legacy NFC payment flows that use traditional or modern terminals from the new device to device payment flows. I remember hearing about Stripe's work on this feature, but since I didn't hear much after that, I wasn't sure if the feature had ever shipped. I'm glad that this tech is getting in the hands of end users.

Apple-specific roundup of apps and vendors that support the feature:

https://apps.apple.com/story/id1620226212

https://www.apple.com/business/tap-to-pay-on-iphone/

These two are available on both iOS and Android, in case that is important for folks:

https://squareup.com/us/en/payments/tap-to-pay-android

https://www.paypal.com/us/business/pos-system/tap-to-pay

52. t_mahmood ◴[] No.45060081{3}[source]
Well, to add insult to injury, this bank does not allow website login without the mobile app. Which is absolutely infuriating. I did mention that in my comment :-)