Librem 5 - online banking app and other m.mobile websites

For years now 10 to 1 a website only allows for downloading in the iOS or Google Store. Having only two OS platforms organizations like banks have a relatively easy task to accommodate the majority of people AND unlike PureOS these platforms are very likely to be cooperative on the DPS2 implementation and data mining opportunities that come with it, hence organizations like banks will try to prevent security and privacy aware PureOS from entering the market let alone offering any app to normies like me, who will be left no other choice than the options @kieran pointed out for us. This is a serious potential violation of user privacy, for now the user still has to agree to that, it is just a matter of time people will consider DPS2 a fact or will be pushed by banks for whatever reason.

As @wimdows pointed out, at least for Europeans, new legislation will be effective and it appears the banks do not seem to care, no room other than the mainstream/established OS.

If Purism wants PureOS to be generally accepted by normies and organizations they tend to do business with, PureOS Store should be on Purism’s road map to be pushed and be presented besides iOS and Google Store on websites, be accepted as a full OS platform and have regular download and interactions through a dedicated app.

If Purism wants to successfully implement and facilitate NFC payment methods, the users (normies) should be able to check their balance on that same phone just by using an online banking app. Period.

Edit: Typo

Thank you @Dr.Lambda for elaborating on the user-agent strings. In Windows Edge for mobile devices I have not found a way to change that on my Lumia 950. Microsoft no longer supporting the mobile platform as of next December I guess that makes it kind of irrelevant. For Librem 5 however, especially for normies like myself, I’d like to see a permanent solution for online banking by default upon delivery of the phone/PureOS store, rather than individuals struggling to get the online banking working they were accustomed to when they were still on the iOS or Android platform.

I think this right here is a flaw in the thought process. Moving away from something you don’t like because of whatever your personal reason should come with the understanding that you are choosing to change and in turn… Well you’ll have to deal with change.

Now this doesn’t mean that there shouldn’t be a goal of ease of use, which I’m quite certain is the goal for banking from the Librem 5, but it does mean that the expectation should be set that it will likely be different.

Short term, all early adopters of any technology should understand that the ease of use piece may not be there yet as it is early in the process.

I understand the desires, but I also know that upon delivery of the original windows phones (using this example as what you currently have is essentially the final revision and far from revision 1) online banking wasn’t possible without significant tinkering as well as many other “normal” functions, some of which weren’t working by revision 3…

My goal here is not to dissuade, but rather to suggest resetting expectations.

2 Likes

Thanks, I really appreciate your objective approach and I guess you’re right. Moving away from an established platform to another needs for lowering the bar when it comes to expectations. I was looking for an alternative OS for quite some time and to me PureOS looked like a god’s gift and I truly admire Purism’s work and the community efforts to make this work.

Personally though, switching from Lumia 950 to Librem 5 phone still doesn’t seem to solve the online banking problem I’m currently facing along with some others. And like with Windows Store (abandoned by almost every website) I’m afraid many commonly used apps will not be accessible without going through the hassle I experienced with W10 for mobile devices. I don’t mind to own a phone in a niche market, fully supporting an underdog stepping forward when it comes to privacy and security. But before switching to Librem 5 I need some reassurances that essential sites will in fact work for me, not constantly thinking I need to get a workaround to make it run, otherwise I might as well stick to my Lumia 950 (if it wasn’t for the safety and security aspects of the L5) and I’m pretty sure many potential buyers feel the same.

1 Like

Some banks plan to offer an authentication terminal/equipment, which is not cheap approx 40€/$, and which can only be used for one bank. If you change your bank you have to buy the proprietary shite from the other bank.

They consider it as TFA!

2 Likes

A “desktop view” mode or hack for the web browser might be the best option, as mentioned by others above.

There might be a way of running Android in a VM, but VM support for the i.MX 8 is probably still a work in progress, and might not be enough to run Android. Once it runs Android, the next problem to overcome is sharing hardware, such as the camera. Of course, VMs will consume a lot of memory. 3 GB is barely enough to share, but you should be able to do basic stuff in both the host and guest operating systems at the same time.

There is https://www.anbox.io , but it does not have maintained releases for ARM, just x86. Also, it does not support Google Play, so if your application needed Google services, then it would not work. There might be ARM support here https://github.com/anbox/anbox/issues/1206 but not many developers seem to be supporting this. Maybe developers who use the Librem 5 might be interested in helping with an ARM port. There might be a way to install Google Play on this, but it will not be supported by the official project, as the Play store is not open source. Again, if applications require access to certain hardware, then they might not work.

Continuing the discussion from Apps you want on the L5:

If Librem 5 wants to be appealing to non tech savvy potential customers and Purism will be providing the accompanied store for Librem users, people will expect a watertight solution for mobile banking. I totally agree developers should focus on the priority list.

In order to end the discussion whether or not online banking will be working off the bat, I can imagine it is not too much trouble for those having access to a dev kit to collectively log into their own banking account, doing a quick check and report back if they succeeded (+name bank), especially when it comes to European banks due to the very restricting new legislation on that continent. Like willing people like @maximilian is doing in his app testing thread, I presume there are quite a few others with dev kits willing to do a 5 minute test, it would be interesting to see what they will come up with.

Proving easy access to online banking will most definitely reassure potential customers like myself who are into the Purism/Librem philosophy and concept in buying but are still on the fence about pre-ordering one. Current most heard cons in the decision making process like being more ‘expensive’, ‘bulkier’, etc compared to mainstream smartphones providing x number of RAM compared to ‘only 3GB RAM’ arguments will then turn out to be almost non-existent.

Edit: Added link to @maximilian 's thread

2 Likes

(copied from Apps you want on the L5)

Having confirmation and tests for European banks in particular (browser URL -> redirected to m.mobile) would still be much appreciated. Not ordering one before an official announcement banking URLs/apps will work in Europe.

Besides the ‘basics’ that is worked on by developers, banking apps are one of the most used, one would expect these to be considered essential for Librem 5 to be accepted not only by early adopters. Failing to get those working upon delivery will be a miss. Better have it tested now.

1 Like

I was about to say something about this, but someone else beat me to it.

To go a little further here, this seems like it would be flat out illegal. Locking access to their own online banking behind some Android/Apple native software is one thing, and could potentially be “OK” if they advertise that when starting an account or setting up online banking with them.

Locking out online payments with the card, now that’s another thing entirely. My bank, NatWest, wanted me to enter a code sent via SMS when I last placed an order for computer parts - so they require 2FA for online purchases (perhaps of at least a certain size). That sounds like it would get beaten down hard if someone pointed a lawyer at it. Mandating that people use one or another specific type of phone in order to buy things online, let alone the problems arising if you don’t have a signal, seems like it really should not be allowed.

EDIT: to clarify my point here, the (potential) issues with not being able to use online banking and online purchases are not a fault of the device, they’re a fault of the law.

3 Likes

Copied from Apps you want on the L5

I’m just now realizing that the online bank (which doesn’t suck) that I’m with now only allows the initiation of scheduled check payments by mail with their mobile device app. I’m going to have to jump through a hoop of an Android (or iOS) emulator to do this in the future.

I’m going to be a two device person for a while so it’s not urgent, but I can see how a money movement app on a mobile dev would be important. I guess I could do some weird trick between two banks to pull off online payments without a mobile app, but having a PureOS app that worked like GooglePay would be a solution, and (I assume without justification) since it would work on any Linux system it might pull in developers from the general population instead of just Purism.

1 Like

With Open Banking being a thing, in theory some organisation could be set up to create a FOSS mobile banking app that can be used with any bank, subject to regulation by law. (Is Open Banking an EU-wide thing, or just a UK thing? I can’t figure it out.)

There seems to be a mixture of issues being discussed:

  • The problem of Android and iOS apps being made mandatory by banks
    • Not a universal problem, but a big problem for anyone affected
    • Not all banks allow authentication with a stand-alone authentication device
    • Of those banks that allow authentication with a stand-alone authentication device, not all provide the device free of charge
  • The ability to access online banking websites on a mobile device
    • It will definitely at least be possible to convince the bank’s web server to give you the desktop site
    • But if you have to fiddle about with settings to get it to work, it’s not good for people who want it to just work
    • The desktop site might not work well on a small screen
    • The desktop site might still require the use of an app or a separate authentication device for some tasks.
  • A banking app is a desirable feature in its own right
    • Not everyone wants to carry around a separate authentication device
    • Tighter integration with hardware features is possible with an app than with a website
      • The Librem 5 doesn’t have some of the hardware features that might make an app particularly useful, such as NFC for contactless payments and biometric authentication.
      • It does have a smart card reader though
    • UI optimised for phone use

2 Likes

To play Devil’s Advocate for a moment though, when you operate any bank account, you agree to terms and conditions that are designed to avoid fraud, keep your account secure, minimise your and the bank’s financial risk - and those measures will change over time according to whatever is current ‘best practice’ (and unfortunately you also implicitly agree to any terms and conditions that are designed to follow the law in the relevant country, no matter how unreasonable). Keeping your account secure, avoiding fraud and financial loss, and 2FA are all good things in and of themselves.

It is a fault of the implementation.

As @patch says above, an open banking app for 2FA would be a good implementation - as it means you wouldn’t need a different app for each bank and you could run it on just about any operating system.

A bank could however also argue that it does not want you to run the 2FA app on the computer from which you are doing the actual internet banking, because otherwise you lose the benefit of the second factor.

1 Like

I certainly would like to have secure accounts in my bank and secure communication but it seems a bit stupid to carry around two computers/phones. At home the communication is working very well with confirmation using my mobile phone and Bank-ID app or something like that. Generally I dislike apps because the companies are using them to track your every move but considering the necessity to secure bank transfers I am willing to use a public app - not one made by a specific company. The Swedish Bank-ID is not bank specific but a cooperation between several banks which is better even if it is not perfect.

4 Likes

Not having photo TAN apps on Librem 5 could be the killer for the phone itself. I can accept not to use YouTube or any other social media apps except for messengers and banking apps. So important to have for example the photo TAN app. I cannot imagine using any phone without it. Then again, I need a second “real smartphone” to carry with me again for my important and daily things to do. That actually should be clarified in advance.

3 Likes

I have been quite UK-centric. It did not occur to me that an app that works with multiple different banks might be the way things are already done in some countries. We don’t have TAN, exactly.

Searching for the words “phototan implementation” out of curiosity, I found some developer and API documentation for the ‘Berlin Group’. However, this documents how to use an API to do things like initiating a payment that might require authentication using a photoTAN app. I don’t know precisely what the API is for. Perhaps it is useful for someone wanting to write a banking app. It doesn’t seem to help if you want to make a photoTAN app though.

This page, which I haven’t looked into in any depth, seems to suggest that photoTAN apps on phones are a step backwards in security compared to previous TAN schemes, and are not necessarily true 2FA.

1 Like

I use GnuCash, which includes functionality to sync directly to your bank accounts. I had only just started using that functionality when all of my banks and credit unions discontinued support for the API (they said it cost them too much and had too few users). I can’t find any banks which still support it, which is too bad – I was looking forward to using it on my L5.

I still use GnuCash, but now I need to download OFX files from the bank and import them into my GnuCash ledger.

2 Likes

Hi Patch,

first of all, I am not talking about “photo TAN app for all” (would be convenient though). I am just talking about “downloading the photo TAN app of our bank”.

And secondly, I neither support photo TAN nor do I think it is the best way to do it. The thing is, because of this “https://en.wikipedia.org/wiki/Payment_Services_Directive”, we have actually only two choices: photo TAN app or TAN generator. And the last option is really inconvenient. If Librem phone has no solution for it, we need to use an external TAN generator. Because the third alternative would be “to go to a bank directly or don’t transfer money at all”. The option to receive TAN by SMS is maybe possible but not all banks offer it or are going to support it in the future.

1 Like

Will the Librem5 be running on 100% free software? Is the unreleased Librem5 already running on 100% free software?
My friend at Apknite told me: Yes. But can I please get a confirmation on this? I’ve tried looking by myself, and haven’t found anything concrete.

The Librem 5 runs PureOS, which has the Free Software Foundation’s Respect Your Freedom certification.

I understand that there is no universal solution, other than being able to run arbitrary Android apps. I was just making the point that there might be some low-hanging fruit to pick if some banks are already using interoperable standards that third-party app developers could implement.

This topic has sent me down a rabbit hole reading about TAN and other authentication schemes. I found a project for generating chipTAN flicker codes, and a paper denouncing security flaws in the card reader system used in the UK. The flicker code project referenced FinTS, which appears to have some standards documentation. (I don’t suggest that any of these things solve the problem, but hopefully the links are useful to someone, or interesting, at least.)

1 Like