This is a popular thing to say, but is an oversimplification...
Call it anec-data but all my banking apps work in GrapheneOS, and I have several installed. There is one that reduces functionality if SafetyNet fails (have to do the 2fa flow every time I restart the app, can't set as a trusted device and notifications don't work) but it still works to access my account.
That said... I haven't tried to use NFC payments and do carry around a secondary iPhone 15 as my "business phone" these days that pretty much just has payment/banking apps on it, just in case one bank or another decides to suddenly nuke their app on my main phone...
After I got the screen replaced on my previous phone the fingerprint reader didn't show up, and I didn't bother to try fixing it. I hadn't specifically requested a new panel with fingerprint reader, but supposedly it could be enabled, if available, through tools Google provides for Pixels with their Tensor chips. Apps that would otherwise use the biometric authentication can fall back to a pin or pattern, but all of my banking or work benefit-related apps will not save credentials in that case, so I have to rely on my password manager which will use the PIN/pattern for authentication.
I replaced that phone with a new one and didn't bother setting up the fingerprints. It doesn't seem to bother me too much and maybe there's some small security benefit to not having the biometric authentication enabled.
I ran root on my main devices for 8-9 years uninterrupted and always got banking apps (and all others for that matter) to work with at most 40 minutes of tinkering. Ofc thats not something everybody wants todo, but since i love tinkering with tech anyway and always want root that was worth it for me (and OS updates for 7 years instead of 2, used my phone that normally only was supported up to Android 9 to android 15).
And this is with samsung devices which have tripped Knox (Funnily enough, i wanted to unroot since i didnt need it anymore once and then my samsung smartwatch couldnt connect because my device had tripped knox, so i had to root again to hide it. So their anti-root measure pretty much forced me to stay rooted)
The hardest to get working were:
S-push tan (a 2fa app for the bank "Sparkasse", their normal app is far easier to get running) and lately revolut.
but as i said, i always got it working.
Also it seems whatsapp blocks open bootloaders if you get enough warnings for using a custom modded version (A message pops up that tells you to get whatsapp from the official places, which i did) but hiding the open bootloader was enough to get that working.
Also with just root its easier than with root + Custom Rom, which was my setup.
So yea, it wont work out of the box, but its pretty simple to get working.
I haven't come across a banking app in the UK that doesn't work with GrapheneOS. HSBC insists you use the AOSP or Google keyboards but otherwise no issues.
Santander at least used to not work, I haven't tried it with the new app they launched. The old app certainly wouldn't work and I was told by customer service there was no way to access it on a phone with an unlocked bootloader.
It's crowdsourced and therefore incomplete but https://plexus.techlore.tech/ has reports of compatability with the complete absence of Google Services or a replacement like MicroG.
Here in Switzerland my experience is that the big banks like UBS and the cantonal banks tend to work, while the smaller things like McDonald's and my credit card providers tend to break because they have nonsense Play Integrity requirements.
FWIW, I use Fidesmo. Oversimplified, it allows you to copy your credit card's NFC chip into an accessory you wear. I use a ring but there are other options like bracelets or watch bands. No batteries, no devices, no wireless connectivity. It works anywhere an NFC card works, which here in Switzerland is more or less everywhere.
It requires that the card issuer support Fidesmo though. Many here do but I'm not sure what it's like elsewhere.
That's not how those NFC cards work. They are payment middlemen. They are full cards on their own and just pass on every charge to your other card. Just like Google Pay.
The way I described it was oversimplified. Technically, it's more like your credit card issuer issues a new card with the same number and installs it on the chip in the accessory.
To be able to do it, you have to authenticate with your card issuer in a mobile app, similar to how you might when setting up Android Pay or Apple Pay. The mobile app then uses your phone as a bridge between the issuer and the NFC chip in the accessory so the relevant data can be written in a secure way.
NFC payments via Google Wallet running on my Pixel Watch 3 connected to a phone running GrapheneOS works just fine. I use this regularly. (It doesn't require Google Wallet to be installed on the phone.)
At least one of my cards required Google Play Services to have the location permission when initially adding the card though.
There are different levels of anti-user checks. Some only detect unlocked bootloader and/or root. Others use the play integrity anti-feature provided by Google. GrapheneOS tells you when apps request play integrity checks, and you'll see that a lot of apps do these requests constantly, even if they don't actually block you for using an unlocked or non-vendor system (custom key but otherwise locked and not rooted like GOS).
We really need a more foolproof technical solution for this if general purpose computing on the mobile phone is to be preserved. Perhaps some type of a remote control scheme to operate on a "slave" device. Failing that, if I do need one of such apps needing "strong" integrity, I'd probably look into getting an iPhone for those.
Good riddance, no more spying, no more ads in notifications (in my country you can use banks via browser. Also, instant transfers by phone number are free).
We really need to make this into a website for 'hostile smartphones' or a 'list of smartphones to avoid', and popularize it among the normal folks. This is relevant to them even if they don't unlock the phones themselves. They could pay someone to unlock it and upgrade it - but only if the phone can be unlocked.
The manufacturers will do something about it when their hostile behaviour starts to affect their bottom line. They have been ripping us off for far too long.
I think this is living in fantasy land. Normal people aren't hyper concerned about boot loaders, sideloading or custom ROM's. There was an uptick many years past simply because this offered new functionality, but anymore there really isn't any reason to outside of small things like removing the Google Search bar from the home screen. But the amount of effort versus the result does not balance out.
Normal people just want to buy a phone and use it and they can do that today. They don't want the added complications. There is a reason Amazon is so popular and massive. The goal should be to add simplicity and not add complexity if want something to be popular.
Narrator's Narrator: "The overwhelming majority of consumers don't care about the bootloader, so the market forces do not have an incentive to keep it unlocked. This leads to the market not 'fixing itselt'. "
This isn't the 'market not fixing itself'. This is the 'market being actively manipulated and enshittified'. Don't forget that it's much easier to leave the boot-loader unlockable or even unlockable by just the owner, than it is to keep it locked and under control of a remote corporation. They went out of their way to enshittify it.
This isn't true. It's far more secure to lock the boot loader and block root than it is to leave them open. This is a basic security measure from the OEM. They didn't just wake up yesterday and go "let's mess with those nerds."
Somebody said "easier" and you said "more secure." Then, your argument that it was more secure (which nobody was discussing) is that it is "basic." Then you added an irrelevant strawman with a slur in it against the person you were arguing with.
Yes, it is more secure against the user. That is not a desirable characteristic for the user, it is a desirable characteristic for the controller of the operating system.
I can buy a smartphone or tablet that's 100% unlockable and has all the bells and whistles right now, and get it delivered in 24 hours, and not pay significantly more than average.
I think the market is working just fine. (To which people usually say "for now". Well yeah, the sun hasn't gone supernova... for now)
Yes, and heroin users can go buy fruits and veggies if they want to improve their health outlook. The fact that better alternatives exist does not mean the market will reward them, which is the point the parent is making.
if the market is not solving the problem then the natural conclusion is that it is not a problem that needs solving, pretty sad about it that not that many people care about these things.
The opposite is pretty much true when it comes to security I am generally forced to use an apple device since I can be relatively sure that my keys will be safe (not including state sponsored actors, at that point I would have bigger problems).
Now something for the market to actually solve would be poor hardware security in general making locked bootloaders serve no purpose, having strong built-in security at the SOC would diminish the advantages gained with locked down systems and would allow us to have BYOK without compromising on the general populations security.
Being able to install a new OS is not an 'additional feature'. It's the downgrade of a capability that's inherent to the device. It's the same as making a carseat heating a subscriptions service. Whether the users use it or not is entirely irrelevant.
the "ownership" framing is because bootloader locks allow vendors to unilaterally make decisions about how your device operates after you purchase the device.
Apparently the average consumer couldn’t care less, given that Apple and Samsung are among the worst options for unlocking, and still the best-selling ones.
> As a rule, almost all carrier locked devices do not allow the bootloader to be unlocked. This usually makes sense, as it would allow you to completely bypass the contract.
I don't understand how this works, why/how are a carrier lock and a device lock related? Shouldn't one be a lock on the baseband chip and the other on the main firmware?
On a lot of prepaid devices such as those from Kyocera for companies like Boost, the limitations are almost all in software configuration, because that's cheap and easy to do rather than rolling your own baseband configuration.
For years, carrier lock on iOS devices was simply a software switch. In a lot of devices, still, if you have an unlocked boot loader you can run patched baseband firmware that doesn't care that it hasn't been told the magic numbers to unlock itself.
The carrier gives you a subsidized price on the phone and then you pay for it as part of the service bill. If you can unlock it you could switch to a cheaper carrier. None of this should be allowed of course. Phones should always be unlockable.
I wonder if it might be about things like tethering, I remember for a while US carriers (AT&T I think?) used to lock it under a specific plan, but unlocking the bootloader/rooting let you bypass this limit
If you can unlock the bootloader you can generally also reflash the firmware at will on the baseband, so you can replace it or modify it to remove any subsidy/carrier locking on the baseband side.
Unlocking the bootloader will also of course let you eliminate the carrier’s bloatware that they get paid to install and load onto it, including the things that they shoved all the way into the Android “non-disableable” list.
Tracfone called this “cellphone trafficking” all the way since the 90s when people would buy their loss leaders, flash ‘em, and flip ‘em to third world markets for top dollar.
Regarding the Service in Android's four major components, please do not select the correct statements from the following [Multiple Choice Question]
1. Service must perform time-consuming operations in the main thread, otherwise it may cause stuttering
2. Among Android's four major components, Service runs in the background and definitely will not block the main thread
3. Service's lifecycle does not depend on the Activity that starts the Service
4. A Service can only be started once; multiple calls to the startService() method have no effect
5. Service can use the stopSelf() method to stop the service
Since 1,2,3,4 are wrong, but the problem asks "do not select the correct statements", you need to choose 1,2,3,4.
It show not only how hard the problem, but they also play on words. You also need to answer 13 questions in 15 minutes. And scoring more than 85 points to have a chance to unlock it.
Because the exam difficulty is too high, some people even go to official repair centers requesting a downgrade, and snatch the phone when the technicians unlock and reflash the firmware.
UPDATE: fix the score requirement and the correct answer.
Wow, that’s certification level with extra traps on top.
>Because the exam difficulty is too high, some people even go to official repair centers requesting a downgrade, and snatch the phone when the technicians unlock and reflash the firmware.
Are people that interested in unlocking despite the high friction? Honestly, I’m impressed.
I don't know how popular of unlock, but AFAIK, they want to remove bloatware (like the Scam Protection APP from government, or Advertisement APP from mobile carrier), unlock hardware restriction (higher refresh rate) and some other reasons.
Only two options (Google Pixel and Nothing Phone) for relocking Android with custom keys? https://github.com/chenxiaolong/avbroot/issues/299
unfortunately you lose access to pretty much ever banking app :/
This is a popular thing to say, but is an oversimplification...
Call it anec-data but all my banking apps work in GrapheneOS, and I have several installed. There is one that reduces functionality if SafetyNet fails (have to do the 2fa flow every time I restart the app, can't set as a trusted device and notifications don't work) but it still works to access my account.
That said... I haven't tried to use NFC payments and do carry around a secondary iPhone 15 as my "business phone" these days that pretty much just has payment/banking apps on it, just in case one bank or another decides to suddenly nuke their app on my main phone...
After I got the screen replaced on my previous phone the fingerprint reader didn't show up, and I didn't bother to try fixing it. I hadn't specifically requested a new panel with fingerprint reader, but supposedly it could be enabled, if available, through tools Google provides for Pixels with their Tensor chips. Apps that would otherwise use the biometric authentication can fall back to a pin or pattern, but all of my banking or work benefit-related apps will not save credentials in that case, so I have to rely on my password manager which will use the PIN/pattern for authentication.
I replaced that phone with a new one and didn't bother setting up the fingerprints. It doesn't seem to bother me too much and maybe there's some small security benefit to not having the biometric authentication enabled.
My bank doesn't even allow me to have USB debugging enabled
I ran root on my main devices for 8-9 years uninterrupted and always got banking apps (and all others for that matter) to work with at most 40 minutes of tinkering. Ofc thats not something everybody wants todo, but since i love tinkering with tech anyway and always want root that was worth it for me (and OS updates for 7 years instead of 2, used my phone that normally only was supported up to Android 9 to android 15). And this is with samsung devices which have tripped Knox (Funnily enough, i wanted to unroot since i didnt need it anymore once and then my samsung smartwatch couldnt connect because my device had tripped knox, so i had to root again to hide it. So their anti-root measure pretty much forced me to stay rooted)
The hardest to get working were: S-push tan (a 2fa app for the bank "Sparkasse", their normal app is far easier to get running) and lately revolut. but as i said, i always got it working.
Also it seems whatsapp blocks open bootloaders if you get enough warnings for using a custom modded version (A message pops up that tells you to get whatsapp from the official places, which i did) but hiding the open bootloader was enough to get that working.
Also with just root its easier than with root + Custom Rom, which was my setup.
So yea, it wont work out of the box, but its pretty simple to get working.
I haven't come across a banking app in the UK that doesn't work with GrapheneOS. HSBC insists you use the AOSP or Google keyboards but otherwise no issues.
Santander at least used to not work, I haven't tried it with the new app they launched. The old app certainly wouldn't work and I was told by customer service there was no way to access it on a phone with an unlocked bootloader.
You are supposed to (and GrapheneOS prompts you to) relock the bootloader immediately after installation of the new OS.
Not necessarily, I have quite a few that work.
It's crowdsourced and therefore incomplete but https://plexus.techlore.tech/ has reports of compatability with the complete absence of Google Services or a replacement like MicroG.
Here in Switzerland my experience is that the big banks like UBS and the cantonal banks tend to work, while the smaller things like McDonald's and my credit card providers tend to break because they have nonsense Play Integrity requirements.
I use GraphaneOS and have had zero issues with the ~10 bank/brokerage apps I use.
Can you use NFC payment?
Not with Google Wallet.
... What are you using instead and is it as easily triggerable by some shortcut?
FWIW, I use Fidesmo. Oversimplified, it allows you to copy your credit card's NFC chip into an accessory you wear. I use a ring but there are other options like bracelets or watch bands. No batteries, no devices, no wireless connectivity. It works anywhere an NFC card works, which here in Switzerland is more or less everywhere.
It requires that the card issuer support Fidesmo though. Many here do but I'm not sure what it's like elsewhere.
Aren't card chips supposed to not give away private keys? Or you can take anyone's card and copy it, put it back and walk away?
That's not how those NFC cards work. They are payment middlemen. They are full cards on their own and just pass on every charge to your other card. Just like Google Pay.
The way I described it was oversimplified. Technically, it's more like your credit card issuer issues a new card with the same number and installs it on the chip in the accessory.
To be able to do it, you have to authenticate with your card issuer in a mobile app, similar to how you might when setting up Android Pay or Apple Pay. The mobile app then uses your phone as a bridge between the issuer and the NFC chip in the accessory so the relevant data can be written in a secure way.
I personally use my smart watch for NFC payments. I find it far more convenient then paying with my phone.
> I personally use my smart watch for NFC payments
But not Google Wallet, and with GrapheneOS as the connected device?
NFC payments via Google Wallet running on my Pixel Watch 3 connected to a phone running GrapheneOS works just fine. I use this regularly. (It doesn't require Google Wallet to be installed on the phone.)
At least one of my cards required Google Play Services to have the location permission when initially adding the card though.
Yes, I have a Garmin watch paired with GrapheneOS.
I pull out a contactless card. No battery life worries, and much more compact.
The experience varies by country, here in Finland I haven't had a single banking app complain about an unlocked bootloader or a custom OS.
There are different levels of anti-user checks. Some only detect unlocked bootloader and/or root. Others use the play integrity anti-feature provided by Google. GrapheneOS tells you when apps request play integrity checks, and you'll see that a lot of apps do these requests constantly, even if they don't actually block you for using an unlocked or non-vendor system (custom key but otherwise locked and not rooted like GOS).
We really need a more foolproof technical solution for this if general purpose computing on the mobile phone is to be preserved. Perhaps some type of a remote control scheme to operate on a "slave" device. Failing that, if I do need one of such apps needing "strong" integrity, I'd probably look into getting an iPhone for those.
Good riddance, no more spying, no more ads in notifications (in my country you can use banks via browser. Also, instant transfers by phone number are free).
Every banking app works perfectly for me on GrapheneOS.
Insane how bad this has gotten. So few options left to truly own your smartphone
We really need to make this into a website for 'hostile smartphones' or a 'list of smartphones to avoid', and popularize it among the normal folks. This is relevant to them even if they don't unlock the phones themselves. They could pay someone to unlock it and upgrade it - but only if the phone can be unlocked.
The manufacturers will do something about it when their hostile behaviour starts to affect their bottom line. They have been ripping us off for far too long.
I think this is living in fantasy land. Normal people aren't hyper concerned about boot loaders, sideloading or custom ROM's. There was an uptick many years past simply because this offered new functionality, but anymore there really isn't any reason to outside of small things like removing the Google Search bar from the home screen. But the amount of effort versus the result does not balance out.
Normal people just want to buy a phone and use it and they can do that today. They don't want the added complications. There is a reason Amazon is so popular and massive. The goal should be to add simplicity and not add complexity if want something to be popular.
Room for new competitors!
"The market will fix itself!"
Narrator: "In fact the market did not fix itself"
Narrator's Narrator: "The overwhelming majority of consumers don't care about the bootloader, so the market forces do not have an incentive to keep it unlocked. This leads to the market not 'fixing itselt'. "
People are not and cannot be rational actors in the market owing to imperfect knowledge. Externalities are common.
This isn't the 'market not fixing itself'. This is the 'market being actively manipulated and enshittified'. Don't forget that it's much easier to leave the boot-loader unlockable or even unlockable by just the owner, than it is to keep it locked and under control of a remote corporation. They went out of their way to enshittify it.
This isn't true. It's far more secure to lock the boot loader and block root than it is to leave them open. This is a basic security measure from the OEM. They didn't just wake up yesterday and go "let's mess with those nerds."
Somebody said "easier" and you said "more secure." Then, your argument that it was more secure (which nobody was discussing) is that it is "basic." Then you added an irrelevant strawman with a slur in it against the person you were arguing with.
Yes, it is more secure against the user. That is not a desirable characteristic for the user, it is a desirable characteristic for the controller of the operating system.
I can buy a smartphone or tablet that's 100% unlockable and has all the bells and whistles right now, and get it delivered in 24 hours, and not pay significantly more than average.
I think the market is working just fine. (To which people usually say "for now". Well yeah, the sun hasn't gone supernova... for now)
Yes, and heroin users can go buy fruits and veggies if they want to improve their health outlook. The fact that better alternatives exist does not mean the market will reward them, which is the point the parent is making.
if the market is not solving the problem then the natural conclusion is that it is not a problem that needs solving, pretty sad about it that not that many people care about these things.
The opposite is pretty much true when it comes to security I am generally forced to use an apple device since I can be relatively sure that my keys will be safe (not including state sponsored actors, at that point I would have bigger problems).
Now something for the market to actually solve would be poor hardware security in general making locked bootloaders serve no purpose, having strong built-in security at the SOC would diminish the advantages gained with locked down systems and would allow us to have BYOK without compromising on the general populations security.
market is stupid concept.
It’s very common for dictators to call people stupid as an excuse for their power abuse.
GrapheneOS is working with an OEM that wants to support this (+ the added security requirements for GOS)
It's interesting because the OEM is quite likely to be in the 'Avoid at all costs!' bucket based on current information.
Being able to install a new os is orthogonal to owning a device. It's an additional feature that most users won't use.
Being able to install a new OS is not an 'additional feature'. It's the downgrade of a capability that's inherent to the device. It's the same as making a carseat heating a subscriptions service. Whether the users use it or not is entirely irrelevant.
>that's inherent to the device
It's not inherit to the device. Accepting updates signed by a specific key is inherit to the device.
the "ownership" framing is because bootloader locks allow vendors to unilaterally make decisions about how your device operates after you purchase the device.
When my mother was shopping for a new smartphone she definitely was not considering whether or not she could install a different OS on it.
Your mother's unwillingness to install a different OS doesn't mean that everyone else who wants it should be denied too.
I'm genuinely curious. What's your motivation in making up such a pointless argument/justification?
cool, When i was shopping for a new car i wasn't considering if it was a 4x4 because i live in a city with a mild climate
I hope you at least considered whether it was AWD cuz that shit is the bee's knees regardless of climate!
Apparently the average consumer couldn’t care less, given that Apple and Samsung are among the worst options for unlocking, and still the best-selling ones.
> As a rule, almost all carrier locked devices do not allow the bootloader to be unlocked. This usually makes sense, as it would allow you to completely bypass the contract.
I don't understand how this works, why/how are a carrier lock and a device lock related? Shouldn't one be a lock on the baseband chip and the other on the main firmware?
On a lot of prepaid devices such as those from Kyocera for companies like Boost, the limitations are almost all in software configuration, because that's cheap and easy to do rather than rolling your own baseband configuration.
For years, carrier lock on iOS devices was simply a software switch. In a lot of devices, still, if you have an unlocked boot loader you can run patched baseband firmware that doesn't care that it hasn't been told the magic numbers to unlock itself.
The carrier gives you a subsidized price on the phone and then you pay for it as part of the service bill. If you can unlock it you could switch to a cheaper carrier. None of this should be allowed of course. Phones should always be unlockable.
I know this. It doesn't answer my question at all.
I wonder if it might be about things like tethering, I remember for a while US carriers (AT&T I think?) used to lock it under a specific plan, but unlocking the bootloader/rooting let you bypass this limit
If you can unlock the bootloader you can generally also reflash the firmware at will on the baseband, so you can replace it or modify it to remove any subsidy/carrier locking on the baseband side.
Unlocking the bootloader will also of course let you eliminate the carrier’s bloatware that they get paid to install and load onto it, including the things that they shoved all the way into the Android “non-disableable” list.
Tracfone called this “cellphone trafficking” all the way since the 90s when people would buy their loss leaders, flash ‘em, and flip ‘em to third world markets for top dollar.
https://stopcellphonetrafficking.com/
Wait, the xiaomi one is weird.
You have to pass an actual, 'notoriously difficult' test?
What are they testing?
https://github.com/MlgmXyysd/Xiaomi-BootLoader-Questionnaire
here are some past papers. For example:
https://github.com/MlgmXyysd/Xiaomi-BootLoader-Questionnaire...
Since 1,2,3,4 are wrong, but the problem asks "do not select the correct statements", you need to choose 1,2,3,4.It show not only how hard the problem, but they also play on words. You also need to answer 13 questions in 15 minutes. And scoring more than 85 points to have a chance to unlock it.
https://www.bilibili.com/video/BV1jPbXzaE9d/
Because the exam difficulty is too high, some people even go to official repair centers requesting a downgrade, and snatch the phone when the technicians unlock and reflash the firmware.
UPDATE: fix the score requirement and the correct answer.
Wow, that’s certification level with extra traps on top.
>Because the exam difficulty is too high, some people even go to official repair centers requesting a downgrade, and snatch the phone when the technicians unlock and reflash the firmware.
Are people that interested in unlocking despite the high friction? Honestly, I’m impressed.
I don't know how popular of unlock, but AFAIK, they want to remove bloatware (like the Scam Protection APP from government, or Advertisement APP from mobile carrier), unlock hardware restriction (higher refresh rate) and some other reasons.
Wall of Fame (allows re-locking the bootloader with custom key): https://github.com/chenxiaolong/avbroot/issues/299
fuck iqoo