Revolut is specifically banning GrapheneOS by checking for the build machine hostname and username being set to grapheneos. We've changed these to build-host and build-user. Combined with another change, this allows our users to log in to it again until they roll out Play Integrity API enforcement.
=> More information about this toot | More toots from GrapheneOS@grapheneos.social
There's no legitimate excuse for banning using a much more private and secure operating system while permitting devices with no security patches for a decade. Meanwhile, Revolut's shoddily made app tells users they're banning GrapheneOS because they're "serious about keeping your data secure".
=> More information about this toot | More toots from GrapheneOS@grapheneos.social
Revolut's app will stop working again once they start enforcing having a Play Integrity API result showing it's a Google certified device. This is not a security feature but rather anti-competitive behavior from Google deployed by apps like Revolut wanting to pretend they care about security.
=> More information about this toot | More toots from GrapheneOS@grapheneos.social
Revolut uses a bunch of shady closed source third party libraries in their app and it's one of these libraries banning GrapheneOS. These libraries are a major security risk and put user data at risk of being compromised. Revolut is not taking user security seriously at all and is cutting corners.
=> More information about this toot | More toots from GrapheneOS@grapheneos.social
There's no legitimate reason for any app to ban GrapheneOS users. It has the full standard security model and massive security improvements. There's no logic in banning GrapheneOS. It makes no sense for them to ban anything when they permit a device with no patches for 10 years. It's performative.
=> More information about this toot | More toots from GrapheneOS@grapheneos.social
GrapheneOS fully supports standard Android hardware attestation for verifying the hardware, firmware and operating system along with the app that's using it. See https://grapheneos.org/articles/attestation-compatibility-guide. If apps insist on checking device integrity, that's the only way they should do it.
=> More information about this toot | More toots from GrapheneOS@grapheneos.social
Play Integrity API checks that Google's monopolies are supported through devices licensing Google Mobile Services and integrating their browser, search engine, advertising, etc. It's anti-competitive and clearly illegal. Multiple governments are taking regulatory action and are in contact with us.
=> More information about this toot | More toots from GrapheneOS@grapheneos.social
Revolut insecurely checks the ro.boot.verifiedbootstate property and forbids it being yellow, which means a locked device with an aftermarket OS that's being cryptographically verified by the firmware. They permit it being orange, which means an unlocked device with any OS.
=> More information about this toot | More toots from GrapheneOS@grapheneos.social
They're specifically banning having a device that's locked with an aftermarket OS rather than banning having an unlocked device or an aftermarket OS in general. Similarly, they're specifically banning the value grapheneos for ro.build.user / ro.build.host.
=> More information about this toot | More toots from GrapheneOS@grapheneos.social
Both of these things and other similar insecure, useless checks are being done by several different SDKs. Revolut's app is full of sketchy, insecure third party libraries. They certainly don't take security seriously as they claim in their message about banning GrapheneOS.
=> More information about this toot | More toots from GrapheneOS@grapheneos.social
@GrapheneOS do these include @BMWK / @Bundesregierung and/or @EUCommission ?
=> More information about this toot | More toots from kkarhan@infosec.space
@kkarhan @BMWK @Bundesregierung @EUCommission We can't talk much about it.
=> More information about this toot | More toots from GrapheneOS@grapheneos.social
@GrapheneOS understandable as of now, though I'm sure you'd be able and willing to testify under oath how #Google flexes their dominance as a weapon re: #IntegrityAPI...
@BMWK @Bundesregierung @EUCommission
=> More information about this toot | More toots from kkarhan@infosec.space
@GrapheneOS
I wish you the utmost success in getting this anti-competitive and customer-harming practice banned.
@kkarhan @BMWK @Bundesregierung @EUCommission
=> More information about this toot | More toots from quincy@chaos.social
@GrapheneOS
I wish Canada would regulate... well, any of this stuff.
=> More information about this toot | More toots from TheZorse@hear-me.social
@GrapheneOS I think you were in talks with the European Commission about the monopoly tactics of the Play Integrity API. Any piece of news?
=> More information about this toot | More toots from zako@fosstodon.org
@GrapheneOS good. Fingers crossed!
=> More information about this toot | More toots from staticnoisexyz@infosec.exchange
We've fixed both of the ways they're banning GrapheneOS for our next release. Since third party SDKs are what's being used to do it, our hope is that this fixes a few other poorly written banking/financial apps doing similar stuff to ban aftermarket operating systems.
=> More information about this toot | More toots from GrapheneOS@grapheneos.social
These are the full set of changes fixing Revolut's ban on GrapheneOS:
https://github.com/GrapheneOS/platform_build/commit/bcd027b1273db32d6361092c635bf52a5d08c0e7
https://github.com/GrapheneOS/platform_build_soong/pull/24/commits/cc62edd5c3af000a6089fe2cceef10b9458f8aae
https://github.com/GrapheneOS/platform_system_core/commit/971110e37d73b5acb6e806b62146dcdcb29277b2
https://github.com/GrapheneOS/platform_frameworks_base/commit/5c85337ba0c4f5e40811a5a753754f7ccc2bc72f
https://github.com/GrapheneOS/platform_frameworks_base/commit/29c31dcdb5f826f1032a1a4da4dc584dbee8f01d
Other banking apps banning GrapheneOS will need to be retested after the next release.
=> More information about this toot | More toots from GrapheneOS@grapheneos.social
@GrapheneOS@grapheneos.social I love how that first commit reusing Pixel stuff could in theory force them to ban pixels entirely or ban specific build dates and times
=> More information about this toot | More toots from lexi@catgirl.center
@lexi We have no issue making further changes if needed. They can successfully ban GrapheneOS if they really want but there's no reason we need to allow them to do it in such a ridiculous way. Our hope is that they aren't competent enough to ban GrapheneOS in the near future and it will take them time to finally move to the Play Integrity API. Ideally they could be convinced to stop, or at least to use hardware attestation with GrapheneOS in the allowlist per https://grapheneos.org/articles/attestation-compatibility-guide.
=> More information about this toot | More toots from GrapheneOS@grapheneos.social
@lexi We just temporarily deleted our response because we wanted to repost it with more information and several platforms don't see edits we make, that's all.
=> More information about this toot | More toots from GrapheneOS@grapheneos.social
@GrapheneOS@grapheneos.social Fair enough, I forget that sometimes. Guess I'm still used to centralized social media.
=> More information about this toot | More toots from lexi@catgirl.center
@lexi A lot of people view our account through a Nostr bridge since we don't have a Nostr project account yet, which we need to get around to setting up at some point. Many people don't realize it's not a native Nostr account but rather bridged so we'll need to deal with that when we make an account there and maybe get the person doing the bridge to unbridge it after a final post about the native account.
=> More information about this toot | More toots from GrapheneOS@grapheneos.social
@GrapheneOS LOL... Will this work?
=> More information about this toot | More toots from Feakster@fediscience.org
@Feakster It works fine, we've tested it. We plan to include some additional unrelated changes before our next release, which might be significantly later today in around 16 hours or so.
=> More information about this toot | More toots from GrapheneOS@grapheneos.social
Due to these changes, Revolut works with our latest release that's currently in the Alpha channel and will reach the Beta channel very soon:
https://grapheneos.social/@GrapheneOS/113895124919882463
Should be in the Stable channel within 24 hours.
We also added a Play Integrity API notification + per-app menu.
=> More information about this toot | More toots from GrapheneOS@grapheneos.social
Users are already reporting that other banking apps which were previously detecting and banning GrapheneOS are now working properly. This is what we anticipated since Revolut is using insecure 3rd party SDKs for this which are likely used by other banking apps for the same thing.
=> More information about this toot | More toots from GrapheneOS@grapheneos.social
@GrapheneOS thanks for all your hard work!
=> More information about this toot | More toots from hobbsc@social.sdf.org
@GrapheneOS It reminded me of my registration on Zen. Of course, I was refused permission to create an account, citing "security reasons", after a long correspondence with them. I looked into the file and logs; from what I realised, they use the IDRnD library, which also uses scottyab's rootbeer library, which received its last update 4 years ago, and root checks using it are outdated, as there are false positives and magisk bypassing.
=> More information about this toot | More toots from flashbackdealer@mastodon.social
@GrapheneOS They do battery probing via modempowerprofile with wrong options and outdated features, attempt to covertly obtain bluetooth adapter information without requesting permission, use drm info and obtain other properties. They are unhappy with insufficient collection of analytics and advertising data, because it means no potential profit from profile sales.
=> More information about this toot | More toots from flashbackdealer@mastodon.social
@GrapheneOS holy shit, sounds like a good reason to move to anything other than Revolut. I've moved banks for less.
=> More information about this toot | More toots from nathan@alphapuggle.dev
@nathan @GrapheneOS I refuse to do #OnlineBanking for way less bs!
=> More information about this toot | More toots from kkarhan@infosec.space
@GrapheneOS Honestly, I'm not sure applying those "fixes" is a net-win. Short term it'll unblock those apps, and maybe the Play Integrity API will be regulated away in a timely manner, but they'll just switch to something else, e.g. like the GameBoy did: Check for the presence of a trademarked logo, string, or proprietary app being present that you are not allowed to distribute... Long term, the only winning move is not to play. Let those apps not work, if they so desire.
=> More information about this toot | More toots from lpwaterhouse@ioc.exchange
@lpwaterhouse We can document all their actions against us and take legal action against them. The clearer they make it that they're going out of the way to ban GrapheneOS, the easier it is to win a lawsuit. How would they justify the ban? It's a far more secure OS and they permit an OS with no security patches for 10 years. Europe has market competition laws they're violating. Apps doing it for Google with their Play Integrity API instead of Google doing it themselves doesn't make it legal.
=> More information about this toot | More toots from GrapheneOS@grapheneos.social
@GrapheneOS You have way more trust in the legal systems of the world than I do. But it's your nerves and energy; Just make sure to keep in mind that those and future "fixes" MUST not negatively affect security, too many projects make unwelcome trade-offs for nebulous reasons like UX or interoperability with proprietary shit, ok? ;-)
=> More information about this toot | More toots from lpwaterhouse@ioc.exchange
@GrapheneOS @lpwaterhouse +9001%
=> More information about this toot | More toots from kkarhan@infosec.space
@GrapheneOS this brings back memories of when #Vivaldi felt compelled to change their default User agent string because poorly designed websites were putting up barriers for alternative browsers.
https://vivaldi.com/blog/user-agent-changes/
=> More information about this toot | More toots from S_Paternotte@vivaldi.net
@S_Paternotte @GrapheneOS meanwhile I see #OpenAI literally using falsified #UserAgent|s and #DDoS'ing clients at work so hard I have to ban entire ASNs and /10 networks just because they can't be assed to respect the robots.txt and refuse to accept being given 403 errors.
-Needless to say banning #GrapheneOS which are by far the most security-focussed and most diligent in terms of #Aftermarket-#Android-#ROM|s whilst not banning #outdated Android versions is like banning a "#SecureBoot|ed" #UbuntuLTS or #OpenBSD installation and going out of one's way to brick #Wine whilst still supporting #WindowsXP in 2025!
=> More information about this toot | More toots from kkarhan@infosec.space
@GrapheneOS I think banning #Aftermarket - #ROMS, especially #GrapheneOS, is a hostile, anti-consumer act that should be prosecuted as there is no legitimate reason for it.
=> More information about this toot | More toots from kkarhan@infosec.space
@kkarhan@infosec.space @GrapheneOS@grapheneos.social exactly! I literally said out loud something like "if I made a country, this would be illegal".
=> More information about this toot | More toots from tauon@possum.city
@GrapheneOS instead I'm convinced this violates the #EU #DigitalMarketsAct and #DeviceFreedom as per @EUCommission ...
=> More information about this toot | More toots from kkarhan@infosec.space
@GrapheneOS@grapheneos.social if they specifically ban GrapheneOS, I'd specifically spoof the values for Revolut.
=> More information about this toot | More toots from tauon@possum.city
@GrapheneOS using Vanadium to access your Revolut account should work too? One way to get around the ban.
=> More information about this toot | More toots from nounoursfaisdeschoses@mastodon.social
@nounoursfaisdeschoses Their site barely has any functionality and requires using the app somewhere.
=> More information about this toot | More toots from GrapheneOS@grapheneos.social
@GrapheneOS I have not had issues with Revolut in gOS, gotta thank the team for the hard work.
=> More information about this toot | More toots from nahtosama@mastodon.social
@nahtosama @GrapheneOS is it fixed? I was just about to migrate to Graphene but have suddenly found out about this Revolut issue. Does it work?
=> More information about this toot | More toots from fri@veganism.social
@fri @nahtosama It works fine but they blocked logging into the app from GrapheneOS. We've fixed it and it will be included in our next release. It doesn't impact users who were already logged in. Same thing applies if they extend the check again: it probably won't impact people who are already logged in.
=> More information about this toot | More toots from GrapheneOS@grapheneos.social
@GrapheneOS @nahtosama thank you very much!
=> More information about this toot | More toots from fri@veganism.social
@GrapheneOS Have you guys tried to contact seon.io about it?
=> More information about this toot | More toots from nat@blahaj.pl
@nat We don't know which SDK is doing it. We've looked at the disassembled code and it doesn't appear to check ro.build.user / ro.build.host. It does check for the device running the stock OS and is likely part of what is banning GrapheneOS. There's no point contacting any of these companies aside from serving them with a lawsuit.
=> More information about this toot | More toots from GrapheneOS@grapheneos.social