Librem 5 - online banking app and other m.mobile websites


#23

I think this right here is a flaw in the thought process. Moving away from something you don’t like because of whatever your personal reason should come with the understanding that you are choosing to change and in turn… Well you’ll have to deal with change.

Now this doesn’t mean that there shouldn’t be a goal of ease of use, which I’m quite certain is the goal for banking from the Librem 5, but it does mean that the expectation should be set that it will likely be different.

Short term, all early adopters of any technology should understand that the ease of use piece may not be there yet as it is early in the process.

I understand the desires, but I also know that upon delivery of the original windows phones (using this example as what you currently have is essentially the final revision and far from revision 1) online banking wasn’t possible without significant tinkering as well as many other “normal” functions, some of which weren’t working by revision 3…

My goal here is not to dissuade, but rather to suggest resetting expectations.


#24

Thanks, I really appreciate your objective approach and I guess you’re right. Moving away from an established platform to another needs for lowering the bar when it comes to expectations. I was looking for an alternative OS for quite some time and to me PureOS looked like a gods gift and I truly admire Purism’s work and the community efforts to make this work.

Personally though, switching from Lumia 950 to Librem 5 phone still doesn’t seem to solve the online banking problem I’m currently facing along with some others. And like with Windows Store (abandoned by almost every website) I’m afraid many common used apps will not be accessible without going through the hassle I experienced with W10 for mobile devices. I don’t mind to own a phone in a niche market, fully supporting an underdog stepping forward when it comes to privacy and security. But before switching to Librem 5 I need some reassurances that essential sites will in fact work for me me, not constantly thinking I need to get a workaround to make it run, otherwise I might as well stick to my Lumia 950 (if it wasn’t for the safety and security aspects if the L5) and I’m pretty sure many potential buyers feel the same.


#25

Some banks plan to offer an authentication terminal/equipment, which is not cheap approx 40€/$, and which can only be used for one bank. If you change your bank you have to buy the proprietary shite from the other bank.

They consider it as TFA!


Apps you want on the L5
#26

A “desktop view” mode or hack for the web browser might be the best option, as mentioned by others above.

There might be a way of running Android in a VM, but VM support for the i.MX 8 is probably still a work in progress, and might not be enough to run Android. Once it runs Android, the next problem to overcome is sharing hardware, such as the camera. Of course, VMs will consume a lot of memory. 3 GB is barely enough to share, but you should be able to do basic stuff in both the host and guest operating systems at the same time.

There is https://www.anbox.io , but it does not have maintained releases for ARM, just x86. Also, it does not support Google Play, so if your application needed Google services, then it would not work. There might be ARM support here https://github.com/anbox/anbox/issues/1206 but not many developers seem to be supporting this. Maybe developers who use the Librem 5 might be interested in helping with an ARM port. There might be a way to install Google Play on this, but it will not be supported by the official project, as the Play store is not open source. Again, if applications require access to certain hardware, then they might not work.


#27

Continuing the discussion from Apps you want on the L5:

If Librem 5 wants to be appealing to non tech savvy potential customers and purism will be providing the accompanied store for Librem users, people will expect a watertight solution for mobile banking. I totally agree developers should focus on the priority list.

In order to end the discussion whether or not online banking will be working of the bat, I can imagine it is not to much trouble for those having access to a dev kit to collectively log into their own banking account, doing a quick check and report back if they succeeded (+name bank), especially when it comes to European banks due to the very restricting new legislation on that continent. Like willing people like @maximilian is doing in his app testing thread, I presume there are quite a few others with dev kits willing to do a 5 minute test, it would be interesting to see what they will come up with.

Proving easy access to online banking will most definitely reassure potential customers like myself who are into the Purism /Librem philosophy and concept in buying but are still on the fence about pre-ordering one. Current most heard cons in the decision making process like being more ‘expensive’, ‘bulkier’, etc compared to mainstream smartphones providing x number of RAM compared to ‘only 3GB RAM’ arguments will then turn out to be almost non-existent.

Edit: Added link to @maximilian 's thread


#28

(copied from Apps you want on the L5)

Having confirmation and tests for European banks in particular (browser URL -> redirected to m.mobile) would still be much appreciated. Not ordering one before an official announcement banking URL’s/apps will work in Europe.

Besides the ‘basics’ that is worked on by developers, banking apps are one of the most used, one would expect these to be considered essential for Librem 5 to be accepted not only by early adopters. Failing to get those working upon delivery will be a miss. Better have it tested now.


Apps you want on the L5
#29

I was about to say something about this, but someone else beat me to it.

To go a little further here, this seems like it would be flat out illegal. Locking access to their own online banking behind some Android/Apple native software is one thing, and could potentially be “OK” if they advertise that when starting an account or setting up online banking with them.

Locking out online payments with the card, now that’s another thing entirely. My bank, NatWest, wanted me to enter a code sent via SMS when I last placed an order for computer parts - so they require 2FA for online purchases (perhaps of at least a certain size). That sounds like it would get beaten down hard if someone pointed a lawyer at it. Mandating that people use one or another specific type of phone in order to buy things online, let alone the problems arising if you don’t have a signal, seems like it really should not be allowed.

EDIT: to clarify my point here, the (potential) issues with not being able to use online banking and online purchases are not a fault of the device, they’re a fault of the law.


#30

Copied from Apps you want on the L5

I’m just now realizing that the online bank (which doesn’t suck) that I’m with now only allows the initiation of scheduled check payments by mail with their mobile device app. I’m going to have to jump through a hoop of an Android (or iOS) emulator to do this in the future.

I’m going to be a two device person for a while so it’s not urgent, but I can see how a money movement app on a mobile dev would be important. I guess I could do some weird trick between two banks to pull off online payments without a mobile app, but having a PureOS app that worked like GooglePay would be a solution, and (I assume without justification) since it would work on any Linux system it might pull in developers from the general population instead of just Purism.


#31

With Open Banking being a thing, in theory some organisation could be set up to create a FOSS mobile banking app that can be used with any bank, subject to regulation by law. (Is Open Banking an EU-wide thing, or just a UK thing? I can’t figure it out.)

There seem to be a mixture of issues being discussed:

  • The problem of Android and iOS apps being made mandatory by banks
    • Not a universal problem, but a big problem for anyone affected
    • Not all banks allow authentication with a stand-alone authentication device
    • Of those banks that allow authentication with a stand-alone authentication device, not all provide the device free of charge
  • The ability to access online banking websites on a mobile device
    • It will definitely at least be possible to convince the bank’s web server to give you the desktop site
    • But if you have to fiddle about with settings to get it to work, it’s not good for people who want it to just work
    • The desktop site might not work well on a small screen
    • The desktop site might still require the use of an app or a separate authentication device for some tasks.
  • A banking app is a desirable feature in its own right
    • Not everyone wants to carry around a separate authentication device
    • Tighter integration with hardware features is possible with an app than with a website
      • The Librem 5 doesn’t have some of the hardware features that might make an app particularly useful, such as NFC for contactless payments and biometric authentication.
      • It does have a smart card reader though
    • UI optimised for phone use

#32

To play Devil’s Advocate for a moment though, when you operate any bank account, you agree to terms and conditions that are designed to avoid fraud, keep your account secure, minimise your and the bank’s financial risk - and those measures will change over time according to whatever is current ‘best practice’ (and unfortunately you also implicitly agree to any terms and conditions that are designed to follow the law in the relevant country, no matter how unreasonable). Keeping your account secure, avoiding fraud and financial loss, and 2FA are all good things in and of themselves.

It is a fault of the implementation.

As @patch says above, an open banking app for 2FA would be a good implementation - as it means you wouldn’t need a different app for each bank and you could run it on just about any operating system.

A bank could however also argue that it does not want you to run the 2FA app on the computer from which you are doing the actual internet banking, because otherwise you lose the benefit of the second factor.


#33

I certainly would like to have secure accounts in my bank and secure communication but it seems a bit stupid to carry around two computers/phones. At home the communication is working very well with confirmation using my mobile phone and Bank-ID app or something like that. Generally I dislike apps because the companies are using them to track your every move but considering the necessity to secure bank transfers I am willing to use a public app - not one made by a specific company. The Swedish Bank-ID is not bank specific but a cooperation between several banks which is better even if it is not perfect.


#34

Not having photo TAN apps on Librem 5 could be the killer for the phone itself. I can accept not to use youtube or any other social media apps except for messengers and banking apps. So important to have for example the photo TAN app. I cannot imagine using any phone without it. Then again, I need a second “real smartphone” to carry with me again for my important and daily things to do. That actually should be clarified in advance.


#35

I have been quite UK-centric. It did not occur to me that an app that works with multiple different banks might be the way things are already done in some countries. We don’t have TAN, exactly.

Searching for the words “phototan implementation” out of curiosity, I found some developer and API documentation for the ‘Berlin Group’. However, this documents how to use an API to do things like initiating a payment that might require authentication using a photoTAN app. I don’t know precisely what the API is for. Perhaps it is useful for someone wanting to write a banking app. It doesn’t seem to help if you want to make a photoTAN app though.

This page, which I haven’t looked into in any depth, seems to suggest that photoTAN apps on phones are a step backwards in security compared to previous TAN schemes, and are not necessarily true 2FA.


#36

I use GnuCash, which includes functionality to sync directly to your bank accounts. I had only just started using that functionality when all of my banks and credit unions discontinued support for the API (they said it cost them too much and had too few users). I can’t find any banks which still support it, which is too bad – I was looking forward to using it on my L5.

I still use GnuCash, but now I need to download OFX files from the bank and import them into my GnuCash ledger.


#37

Hi Patch,

first of all, I am not talking about “photo TAN app for all” (would be convenient though). I am just talking about “downloading the photo TAN app of our bank”.

And secondly, I neither support of photo TAN nor do I think it is the best way to do it. The thing is,
because of this “https://en.wikipedia.org/wiki/Payment_Services_Directive”, we have actually only two choices: photo TAN app or TAN generator. And the last option is really inconvenient. If Librem phone has no solution for it, we need to use an external TAN generator. Because the third alternative would be “to go to a bank directly or don’t transfer money at all”. The option to receive TAN by SMS is maybe possible but not all banks offer it or going to support it in the future.


#38

Will the Librem5 be running on 100% free software? Is the unreleased Librem5 already running on 100% free software?
My friend at Apknite told me: Yes. But can I please get a confirmation on this? I’ve tried looking by myself, and haven’t found anything concrete.


#39

The Librem 5 runs PureOS, which has the Free Software Foundation’s Respect Your Freedom certification.


#40

I understand that there is no universal solution, other than being able to run arbitrary Android apps. I was just making the point that there might be some low-hanging fruit to pick if some banks are already using interoperable standards that third-party app developers could implement.

This topic has sent me down a rabbit hole reading about TAN and other authentication schemes. I found a project for generating chipTAN flicker codes, and a paper denouncing security flaws in the card reader system used in the UK. The flicker code project referenced FinTS, which appears to have some standards documentation. (I don’t suggest that any of these things solve the problem, but hopefully the links are useful to someone, or interesting, at least.)


#41

You can read about the Swedish Bank-ID on https://www.bankid.com/en/ It is a general e-identification which is used very much not only by banks but also other organizations and companies. As I understand they are trying to promote it wider within the EU. Unfortunately there is Bank-ID on File only for Windows and Mac (not Linux) and Mobile Bank-ID for Android and iOS.

A really useful solution must be international at least within the whole EU. And open, independent of Apple and other companies.


#42

I think the easiest way would be to have web apps. Once I have my librem 5 I will at any point where someone wants me to have an app tell them that I am not using android or ios and ask why they don’t implement a web app as it’s system indipendent (not platform indipdendent as it’s based on the browser as middleware like java programs are not platform indipendent as they depend on java ^^)

So everytime some enthusiast wants to program an app you should ask him if it’s not easier to program a web app as it’s life span could be longer and he or she would not even need to program for different platforms like Android, iOS, Windows15, AppleOSY or “Linux” (RPM, DEB,…).

For second factor I would think twice if a mobile phone counts as second factor if your action is performed on the mobile phone. I personally have no problems with the photo tan as the device is air gapped and dedicated to it’s sole purpose (KISS).