Librem 5 - online banking app and other m.mobile websites


#41

You can read about the Swedish Bank-ID on https://www.bankid.com/en/ It is a general e-identification which is used very much not only by banks but also other organizations and companies. As I understand they are trying to promote it wider within the EU. Unfortunately there is Bank-ID on File only for Windows and Mac (not Linux) and Mobile Bank-ID for Android and iOS.

A really useful solution must be international at least within the whole EU. And open, independent of Apple and other companies.


#42

I think the easiest way would be to have web apps. Once I have my librem 5 I will at any point where someone wants me to have an app tell them that I am not using android or ios and ask why they don’t implement a web app as it’s system indipendent (not platform indipdendent as it’s based on the browser as middleware like java programs are not platform indipendent as they depend on java ^^)

So everytime some enthusiast wants to program an app you should ask him if it’s not easier to program a web app as it’s life span could be longer and he or she would not even need to program for different platforms like Android, iOS, Windows15, AppleOSY or “Linux” (RPM, DEB,…).

For second factor I would think twice if a mobile phone counts as second factor if your action is performed on the mobile phone. I personally have no problems with the photo tan as the device is air gapped and dedicated to it’s sole purpose (KISS).


#43

Except with web apps instead of targeting operating systems, you now target browsers and browser versions. Which in my experience can be just as bad or worse…


#44

I just read in Aftonbladet (Sweden) that the Swish payments are going to be expanded to a big part of Northern Europe (and Portugal). The system is called European Mobile Payment Systems Association (Empsa). This is not a bank specific system although you must have an account in some bank associated to Empsa. To me it is good news and I think it will be easier to have Linux supported. I hope they go for a platform independent solution. The first countries associated to the system are (in addition to Sweden) Belgium, Germany, Austria, Finland, Denmark, Portugal, Schweiz and Norway.


#45

Reference this post I wonder if there is any alternative app that will allow users to not disclose any information distributed to third parties.

As is stated in BankID privacy statement:

The information that is generated by the cookie when you use the website, including your IP address, is sent to Google and stored on servers in the USA. Google may also disclose this information to a third party if required by law or in cases where a third party processes the information on behalf of Google. Google will not link your IP address to other information it has about you.


#46

It could be that this is a part of GoogleApps, and storing the data on Google server is the only way to fully integrate with their OS. Whether it has to be in the US or could be in Europe, that is a different question.

From what I understand, they need to store the cookie to know from which website the request came, and I see that for the security reasons they need to store it to be able to track the suspicios activities. They could be disclosing it only to the law agencies when required.


#47

Anyway it is a bad statement. It should not give Google the right to send data to USA because of the bad privacy laws they have. It gives Google too much freedom to disclose information to a third party. I do not want by banking information to go outside my own bank (and the receiving bank). In fact no information at all should go to Google. I hope that EU will organise a much better privacy for banking apps (and others too).


#48

It is not right, I agree.

The thing is that they do not need to send any data to Google at all. When I use BankID app on Windows, with a dongle, cable and drivers, (Handelsbanken) I doubt they send any data to Google from Windows, but it provides the same functionality. They probably do not send any info to Apple from IPhones through BankID app. Could someone check the policy on IPhone app store for BankID?


#49

That’s crazy however I can see the UK (my homeland) going the same way unfortunately…

I’m just as guilty as everyone else for using Android Pay for everything and if we continue down this trend eventually that and apple pay will be the only feasible ways of paying.

However rumours of a Purism and Monero Partneriship could mean they have some ideas for finical transactions.

P.S my first post, I’ve been lurking without being logged in for too long :joy:


#50

The payment systems are in a state of turmoil. You do not know which one will prevail in the long run. I suppose it must be quite universal - at least working in the whole EU (and associated countries). The probability that it will spread even more is high. EMPSA is going to be important but the technical solutions for it are as yet unknown. There is a multitude of solutions available and more are emerging. Sweden i s fairly well positioned with much experience from BankID and Swish with 7 million accounts (70 % of the population). The crucial question is: Will the solution be platform independent (as it should be) ? Then it would be useful on Librem 5.


#51

“everyone else?”

I’ll NEVER use Android or Apple pay. Cash. Or conventional plastic (which is bad enough).

The convenience is not worth having Applezon track you. Just carry some frigging cash.


#52

Most of us are thinking in a paradigm where someone else controls the hardware and the operating system source code. When the open source community controls their own hardware and the OS source code, everything changes.

Even if all of the banks signed an exclusive contract with google to only do any banking on Android using a proprietary app, and to let google have exclusive access to a required banking app and the authentication keys (a worst case scenario), we would always find a way to run that app in a safe way on the Librem 5.

I can see an app like that being installed in to a secure area on the Librem 5, in to an artificial environment that the banking app believes is an actual Android OS, where all inputs and outputs to that environment are carefully controlled by PureOS. It’ll be like the people in the Matrix who would never suspect that they weren’t living in the real world. The only real thing would be your banking transactions. The OS will keep tight controls on the app and what it can and can’t see about you. Compatibility layers and random data generators would create everything the app needs (false data if necessary), to cause the illusion to them that they are spying on you. The banks and commercial interests will be guests in our world. We will not be their guests. One way or another, we will make the Librem 5 do what we need it to do in a way that keeps us in control. If nothing else, you might be able to VPN in to a rooted Android phone or tablet at home, to do banking. If that is all you use that phone or tablet for, spying on you gives them nothing.

Stopping the banks from giving your banking transaction information to commercial interests is a separate issue that would probably require interventions through the courts.


#53

You are right that it has been someone else in control especially of the hardware. But that will change now and I am prepared to pay for that change.

Yes, it is possible to handle banking that way but I hope that it would be possible to have original Linux programs handling our payments. At least in the EU there are forces working to break the monopolies and I think platform independence is a appealing thought. However, there must be technical solutions available and I hope that Librem 5 will present a possibility outside the monopolies.


#54

I would tend to agree, it is just that an increasing number of stores go cashless (experience from DE, SE and UK at least) and even busses can only be entered with credit card OR indeed mobile app.

European PSD2 does still allow for SMS based tans, I have an account with a spanish bank in DE that uses it, but banks want to abolish it, as SMS are costlier and they cannot lock customers into their banking app.

PhotoTAN/chipTan is possible with a device between 10-30€, e.g. the tanJack and a few banks in DE offer it, but many go for a similar QR-based approach which only works via their bank-specific app. In these cases there is little the Librem5 can do, and that can will not be achievable by a mobile website. I am not holding my breath for Linux support of these apps. So banking will be a problem without a 2nd device.


#55

What about an Android emulator? Maybe a polished app for L5 - just a browser with Android emulator adjusted to fit L5 screen could address several of the Android-only issues?


#56
**Can I run Android apps?** Not day 1. However there is a lot of interest in including a isolation layer that will be able to power Android applications natively, the community can pool together and either implement that functionality, or we would need to run a new campaign for this specific feature (as the stretch goal for it was not met in our initial campaign).

#57

I was saying yesterday, I read somewhere that Monero and Purism are thinking of teaming up they may be able to provide an awesome work around for this.

You buy Monero, on an app and use Librem Contactless (may need to pass through Google Pay in a sandbox) and Librem effectively pay the fiat where it needs to be. This way it always just looks like Librem is buying x and you don’t have too trust Google directly with your data.

However I’m not sure as to, the feasibility or expenses of this.

You could always do this same plan without Monero as well of course.


#58

I bought bitcoins when they were at USD 3ct, so I do consider myself a technology pioneer. But I am not counting on Monero or any other cryptocurrency to replace my online banking (and hence the need for apps) any time soon.


#59

I’m also in Sweden and curious about these things. Do you know if there is any Swedish organization pushing for these things? Something to join/support/donate to, or something?


#60

Unfortunately I do not know any organization working for this (except the banks). There is of course Datainspektionen and Finansinspektionen but I am afraid that they are not the right channels for pushing the banking and payment in a platform independent direction. And then there are the parties (???).

Personally I put more trust into the EU. As it happens I was studying together with Nicke Torvalds (yes, the father of Linus) who is now a MEP in Brussels. He has (by association) good views about computer privacy and secrecy and I try to work with him on these problems. Also the EU commissioner from Denmark Margrethe Vestager (competition) has very good views about Google and Facebook. But as you know the commission is about to change and right now everything is in standstill because of the regrettable Brexit.

We have to wait a bit before we can start pushing for new directives enhancing privacy, secrecy and platform independence. Remember that EU is a big and slow organization with a lot of different views. The directives have, however, a big impact on the whole of Europe in the long run so it is worth putting some effort in working on them.