I have been in a similar situation actually, TOTP was working fine with a nice open source, encrypted solution I had spent hours putting together, then one day they changed the rules. Thankfully I didnt end up needing the app, but this is an issue for people in the situation where a sudden change like this happens.
So if some of that stuff in the apps, like “libfacebook” included a low level hardware escape to embed itself, wouldn’t embed into the Librem 5 itself?
I’m curious about this as well. Interesting if Purism could comment. I dont know if the L5 has IOMMU support that might be a way to mitigate it, though there are some “trivial” exploits if interrupt remapping is enabled (see also 1, 2, 3, 4)
I am also curious about the potential danger when flashing the phone from a non-free device, if it can ever really be trusted again 0.0 (though purism does seem to have a secure boot implementation using the pgp smart card)
You also mentioned you are paying a pretty penny for the server, could you possibly in some sort of headless mode, or I think some remote desktop solutions allow you to take a screen shot, so you could get a screen shot of the code sent too via some channel instead of logging in and actually interacting with the app (or some other scripted solution to get the code) making a less performant server tolerable or avoiding the need to actually render anything. Also I think waydroid is designed to be able to run a single app
Im also a bit surprised it does not come with microg by default
Compared to the Vanilla android, this variant seemed sickly and made alert sounds with constant notifications quite literally making a “wee woo wee woo” sound to tell me that Google does not approve of Librem 5.
My server is in the “cloud,” a nonfree thing in a nonfree cloud that unlocks a nonfree login
You are my sarcastic paranoid bretherin, your hilarious and appreciated.