←back to thread

PinePhone Pro [GNU/Linux smartphone] has been discontinued

(social.treehouse.systems)
172 points fsflover | 9 comments | 28 Aug 25 16:05 UTC | HN request time: 1.338s | source | bottom
Show context
ethagnawl ◴[28 Aug 25 16:25 UTC] No.45054074[source]
This is a bummer. If there was ever a time this sort of device was needed, it's now / in the near future when Google (probably) starts requiring all Android apps to be signed by approved developers and further locks down the Android platform.

I kind of regret not buying one of these instead of a Pixel 7 but, unfortunately, I'm pretty tethered to the Android ecosystem at the moment.

replies(3): >>45055173 #>>45055533 #>>45055813 #
nrdgrrrl ◴[28 Aug 25 19:07 UTC] No.45055813[source]
You say that, but they're discontinuing it because they didn't sell enough of them. It may be the device we need, but it's not the device we're buying.
replies(4): >>45055922 #>>45055985 #>>45056123 #>>45056187 #
reorder9695 ◴[28 Aug 25 19:22 UTC] No.45055985[source]
I'll buy them once I can access all of my banks on it, that is literally the only thing holding me to IOS or Anroid at the minute
replies(2): >>45056683 #>>45056686 #
AnthonyMouse ◴[28 Aug 25 20:28 UTC] No.45056686[source]
NB: Attestation has no security value here because if the phone isn't compromised then the owner having root isn't a security problem and if the phone is compromised then the user is entering their bank login into a fake scam app that doesn't require attestation regardless of what the real one does.

But because the banks that require this are cargo culting some nonsense, they require iOS or Google Android but don't really care how old the phone is. Which means you can transfer your cellular plan to the phone you actually want to use and then just keep your existing phone indefinitely to run the bank app over WiFi or tethering.

replies(1): >>45056738 #
charcircuit ◴[28 Aug 25 20:34 UTC] No.45056738[source]
What is protecting against another app on a PinePhone from stealing your bank's authentication token?
replies(2): >>45056866 #>>45057030 #
1. fc417fc802 ◴[28 Aug 25 21:05 UTC] No.45057030[source]
What's protecting me when I do online banking in the browser, which I can do using more or less any device? The answer is that targeted attacks against the average middle to lower class individual are rare enough that there are far more worthwhile things to worry about. Such as the vast majority of banks (at least in the US) not supporting hardware tokens.
replies(2): >>45057353 #>>45058900 #
2. jolmg ◴[28 Aug 25 21:39 UTC] No.45057353[source]
> What's protecting me when I do online banking in the browser, which I can do using more or less any device?

IDK about your country, but it's also common for banks to require supplying a token from the phone's banking app in order to login via the browser.

replies(2): >>45057585 #>>45057632 #
3. AnthonyMouse ◴[28 Aug 25 22:05 UTC] No.45057585[source]
And what does that buy you? The user goes to the bank website in a compromised browser, attacker gets their password. Bank sends a code to their phone, user types the code into the compromised browser, attacker gets the code.
4. fc417fc802 ◴[28 Aug 25 22:11 UTC] No.45057632[source]
Not in the US, at least so far. If that were ever to come to pass I would be in danger of becoming unbanked. I flatly refuse to install third party proprietary software on my phone (I grudgingly accept firmware blobs for lack of a realistic alternative).

Here the majority continue to use SMS based 2FA rather than supporting TOTP or hardware tokens.

Note that TOTP can be handled by any app of the user's choosing, doesn't facilitate attestation or any other user hostile practices, and in practice means that an attack requires physical theft of the device. While the theory might differ, in practice the effective security level is equivalent to other (objectionable) schemes.

replies(1): >>45059502 #
5. charcircuit ◴[29 Aug 25 01:14 UTC] No.45058900[source]
>What's protecting me when I do online banking in the browser

Modern operating systems will protect the cookies from being stolen from other applications on the system.

replies(1): >>45064132 #
6. jolmg ◴[29 Aug 25 02:42 UTC] No.45059502{3}[source]
> Note that TOTP can be handled by any app of the user's choosing

The banks are probably using the same standard behind the scenes, but they don't allow alternate TOTP apps. There's no point where they give you a key to set it up in an alternate app.

I suppose part of the point is a lack of trust in users' ability to handle their own security, and the possibility that they may provide such a key to a compromised TOTP app.

> hardware tokens

It'd be excellent if banks moved back to purpose-specific hardware like that. Even better if it were some standard with multiple providers, like FIDO2.

replies(1): >>45061013 #
7. fc417fc802 ◴[29 Aug 25 06:52 UTC] No.45061013{4}[source]
Yes FIDO2 would be ideal. The stuff about TOTP was a digression regarding the relative security levels between the two. The extra hardware doesn't provide any practical benefit (at least IMO) for the typical person running a FOSS authenticator app on a mobile device with an up-to-date OS. Obviously if you're something like a high volume day trader then it might be a different story but the venerable $5 wrench attack still applies so even then it seems pretty questionable to me.
replies(1): >>45063878 #
8. jolmg ◴[29 Aug 25 13:30 UTC] No.45063878{5}[source]
> The extra hardware doesn't provide any practical benefit (at least IMO) for the typical person running a FOSS authenticator app on a mobile device with an up-to-date OS.

For the user (and in the context of Pinephones), the benefit would lie in getting banks out of their phones. Banks want a device that's not under the control of the user to use as 2FA. A dedicated hardware key would be a compromise for that. They used to give them out, but I pessimistically imagine that today they might prefer to lose a customer.

9. ◴[29 Aug 25 13:50 UTC] No.45064132[source]