Librem 5 - online banking app and other m.mobile websites

More and more companies and organizations do not allow users to access their website through mobile devices other than apps from Google or Apple Store.

Librem 5 is supposed to access any website, but how about those keep re-directing to mobile app URL, not offering Linux support and therefore require a native app developed by the same company/organization?

Still have to bite the bullet for the L5 pre-order, access to these kind of essential websites is important. How to make sure PureOS will be accepted by major organizations like banks and to have them offer an appropriate app in the store?

USE CASE
Online banking does support Android and iOS. My bank has abandoned Windows 10 for mobile devices. On my Lumia 950 my bank does not allow me to access the online banking account, app support for Windows devices has been removed (URL showing [object HTMLUnknownElement] and not responding).

When using the desktop URL it keeps redirecting to the URL for mobile devices (https//m.[url].com).

4 Likes

IMO, aside from the technical workaround where hopefully the Librem 5 browsers can be fully recognized as desktop and not mobile browsers… The other real solution is (the Stallman way?) to let our banks and other services know that not everyone is willing to use the iOS and Android mobile apps. And if they cannot let you access their services, it might be a good idea to take your business to another entity who will (despite them becoming more and more rare)… It’ll be a long fight :wink:

9 Likes

You got redirected because your “user agent” of your browser tells the server that you are on a mobile device. And things like which browser and operating system you use.
My user-agent for example is:
Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
So i use firefox 68.0 on Fedora and so i get desktop sites.

In most browsers you can change this via addons so you seam as a desktop to the server. Would be a nice feature to have included for the L5 default browser.

Oh and the other thing is the width of the window is often used to determine if a mobile site is displayed. But there should also be way around it.

3 Likes

This.

Would be a nice feature to have in every browser.

2 Likes

user-agent switchers are also good for privacy.

4 Likes

That’s what I did and what more of us should do… let them know that you want something else! …Even if you do not like Stallman :joy:

1 Like

Thank you all for your help and information. I doubt Windows 10/Edge Mobile offers a user-agent switcher (I wasn’t even aware of so thanks for that). Librem 5/PureOS offering this possibility or set by default would be a comforting thought and along with an eventual manufacturing of covers would certainly help me and others to bite the bullet on pre-ordering the Librem 5.

user-agent switching is technologically very simple. The user-agent header is just some text that the browser sends in it’s headers. user-agent switching is just giving the user the option to decide what that text should be.

BTW Websites that use the user-agent header to decide their interface are lame. Interface should be decided based on the scouting of the user agent’s support for features, not based on some arbitrary string that is not even standardised. What if I use some niche browser they never heard of? Or a new browser that they have not put in their user-agent database? Do they really want to spend time on keeping track and updating user-agent strings? It is the support of features that determines what interface works best.

2 Likes

I’m no expert on web tech, but switching user-agenet worked for me quiet often and feels pretty reliable. But i haven’t used a a lot lately. Do you have more deeper knowledge about the state of the art methods or was this merely as statement that you consider user-agent strings not appropriate? Which sound by the way totaly right to me. I’m just interested what the actual mehtod used in the modern web is.

1 Like

User agent is a string sent to server within request headers when the browser makes requests. Its original purpose is to tell the server what kind of browser it is, so that the server “might” respond with the page that “specifically prepared” for that kind of browser.

This is designed to provide a way to balance utilizing new features of new browsers, and keeping it working on old ones.

However, browsers and sites today are all following the web standard. As a result, user agent string should be of no use. Everything that might be solved through user agent, and might be needed for a website/app to perform well, can be solved through other ways, and it is much simpler. Like media query to determine display size, polyfill to support for old versions, or it can just try to detect failures and solve it in their own way.

Browsers might still want to send it, but server should really ignore them: as long as the server is not planning to do sth evil. User agent string can be used to identify and gether information about the user (like, browser, operating system, device etc.). Some not evil companies might use it to stop their websites from working in certain browsers.

Thanks for further explanations. But its the same kind of answer. It explains how it should be done because of good reasons. But its like we shouldn’t use qwerty keyboards because they are designed for typewriters. Doesn’t means that it isn’t used widely. So i’m interested in what is actually used to determine what page is delivered. My experience is that the user-agent still matters combined with the screen size of course. Last thing where i noticed this and used user-agent manipulations is netflix on firefox linux to get 1080p and 5.1 sound. It is combined with some java script magic but the user-agent still plays a role. And i would consider netflix to have quite some team of web knowlage. But this is still anecdotal, and i’m still interested if any one has knowledge about the actual used methods on the web. What’s the most common and therefore is most likely to work?

User agent string “might” affect what ships to you, and the files shipped to you will do the rest.

It is hard to say what is the “actually used method”, different websites are built in different ways. Some websites might prepare different content for some UAs, but most websites wont. So I can only tell you “it might affect”. Anyway, it all depends on the server.

My opinion is:

User-Agent should never have existed and should not exist now.

By leaking software version information you are giving some kind of compromised or malevolent web site a free kick (assuming that the User-Agent string is telling the truth). You are telling them how to target you with malware that works on your combination of software. You are telling them which exploits have been patched and which exploits have not been patched. How dumb is that?

As others have said, it is also a privacy problem.

Part of its rationale for existing is that most early browsers had quirks that had to be worked around by the web server (content). What worked in one browser worked differently in another browser or not at all. That was particularly the case with Javascript that attempts to do more complex things. However there is a clear purity v. pragmatism trade-off there that some people won’t like.

I have seen some web sites that will not work at all unless a User-Agent string is present, even recently. So it may not be practical to suppress it completely (even though that is the cleanest option).

Minor elaboration to that … the User-Agent header in HTTP is standardised - up to a point.

The syntax to be used in that header is standardised. The token values that identify particular browsers or particular software products are not, as far as I know, standardised i.e. there is no IANA registry for them.

However it is worse than that because the official syntax for the User-Agent header allows comments and comments can in general contain anything. Comments have only the bare minimum syntax restrictions and no semantics - but of course web servers are free to apply semantics to a comment nevertheless.

For example here is my current User-Agent

Mozilla/5.0 (Windows NT 10.0; rv:43.0) Gecko/20100101 Firefox/60.0

The part in parentheses is a comment, not user agent information. The remainder is standardised syntax for user agent information i.e. 1 or more occurrences of:

product-token optionally followed by a slash character and a version-token

Needless to say that I have my browser configured to send false information for the User-Agent (resistFingerprinting option, which includes but is not limited to sending a false User-Agent).

The problem with online banking in EU is that is that from September onwards, OTP by SMS will beforbidden.
Customers will be required to use the Android or iOS application to validate their purchases, transfers, or any other transactions with their bank.
Some banks plan to offer an independent authentication terminal but require the purchase and payment of an annual subscription.

User agent can do nothing in that case.

4 Likes

THAT!
Exactly describing the problem at hand and what I was referring to in the original post.

For banking my Lumia 950 is useless now when it comes to online banking. Banks are excluding other OS and forcing their clienteles to use OS they don’t want to use or do not have acces to.

Unless PureOS is recognized by European banks there’s a fair chance Librem 5 will turn out to be useless in that regard when organizations and companies rule out PureOS.

1 Like

My bank stopped support for the Windows 10 phone app earlier this year, and it will not allow banking via my phones version of Edge either. Furthermore they will no longer send TAN’s via SMS.
They do, however, offer the possibility of using a qr-code reader that generates a numerical code after scanning a qr off of the screen. I can use this qr-reader while banking on my (Windows) tablet.

I wasn’t planning on schlepping my tablet around in order to bank on the go. And I am certainly not counting on my bank producing a banking app for PureOS (insert maniacal laughter here).

So, one reason for ordering the Librem5 was/is the hope that it will be possible to bank via its browser(s) acting as a desktop computer. (Having to use the qr-reader would be a minor inconvenience compared to switching to one of the unmentionables.)

In short, I am left with the question how this will work out…

I am used to thinking that with Linux you can do anything. But I am not so sure on this one.

1 Like

I am afraid that I will have to carry around a Android phone in Sweden because I like to use Swish for paying and it seems improbable that the banks will make a Swish app for Librem5. Also it is impossible to pay for a bus ticket in cash in some places and you must have an (Android) app just to be able to ride a bus … More problems are coming all the time and soon you will not even get food without an app. To identify yourself you also need the phone app. I use Swish to log in to my operator and even the tax office.

I think they must use platform independent apps in the future but it could take time. Earlier I could not look at television over the Internet using Linux but now they have standard video players which work on Linux too (Firefox). The OS dependent services are on the way out but it will take time.

2 Likes

What are they doing for people who do not have a mobile phone at all? Some of those are hardly the type of person who would want to use an RSA token or other cryptokey device!

What are they doing for people who do their banking on the mobile phone? (It isn’t Two Factor Authentication if the factors are one and the same.)

Nevertheless, this is a genuine problem for those that don’t want to be locked into surveillance capitalism.

3 Likes

user-agent strings are used by some websites and as a browser user it is helpful to know of them and be able to manipulate them for the sake of being able to use stupid websites. In fact my browser sends wrong user-agent strings for the sake of privacy.

But for a web developer there is normally no point in changing your website based on a user-agent header. Websites are often much better off checking for features directly which is far more reliable and requires much less maintenance.

It is just like modern querty keyboards indeed, companies should have stopped producing staggered querty keyboards because the design is inferior and outdated. But people should still be able to use those layouts so they can use stupid keyboards which have not caught up yet (i.e. almost every keyboard).

Me too, some user-agent switchers can change the user-agent randomly which is really handy.