Hey everyone, hope you are all having a good day today. I apologize in advance for this long read, but a TLDR will be at the bottom.

There’s this potential issue I’m facing right now and I need some opinions on how to go about this, or maybe I’m overthinking this situation.

Context: I’ve been running a Google Pixel phone with GrapheneOS for about a month now, without any sandboxed Google Play services. The experience has been amazing and so freeing. This switch was overdue, since all of my services are open source / privacy-respecting or self-hosted solutions; this was the last step to finally be “free”, and I just got up one day and decided to bite the bullet, buying the phone with cash.

BUT I made the rookie mistake of not checking banking app compatibility, and as luck would have it, my banking apps outright blocked GOS users and no settings would work.

Luckily, with some patience and a bit of RE magic, I managed to come up with bypasses for 2 local banking apps in a little over 3 hours. It was laughably easy, and any user could pull it off without changing any settings or installing anything.

Issue: Here’s the potential problem.

Now, we may all know the PrivSec GOS banking app compatibility list. At first I was over the moon to make a useful contribution, ESPECIALLY to a list like this.

And then it dawned on me: I’ll potentially be shooting myself in the foot, and here’s how:

1. I live in a relatively small country that isn’t mentioned anywhere in this list; I’ll be the first one in my nation to make a contribution. While yes, we do have wiggle room for internet freedom, the local government has shown that it will not tolerate moves that encourage the masses to take privacy routes. Basically, “if you’re gonna do it, shut up about it or we’re gonna come after you.” It has happened before.

2. The population pool is small. To make matters worse, Google Pixel phones aren’t even a thing here; I had to REALLY dig around to find someone that sold these brand new, and the second-hand market is just as bad. No one is selling these phones, so I imagine that the people who actually have these phones here can be counted on my fingers.

3. The bank I’m using has most probably already logged the phone type. It wouldn’t be so hard for them to connect the dots if they got alerted about my bypass solutions. The PrivSec fill-out form needs me to include my phone model name and build number, potentially leading to a full OPSEC compromise.

Verdict / Thoughts:

I’m split on this issue. Part of me thinks I’m overthinking the shit out of this situation and I’m overestimating their capabilities.

The other part is telling me that I’ll be destroying my OPSEC and I should stop.

I’m thinking of falsifying the device name / model on the form to avoid this, but I don’t know if this is even enough, and I don’t want to mislead other users.

TLDR: Local banking apps blocked GOS. I came up with a bypass, but not enough people use Google Pixel phones locally, and this may lead to a full OPSEC compromise if I posted about it.

  • mumblerfish@lemmy.world · 2 points · 6 hours ago

    Sorry for derailing… But what was the workaround? Was the issue they used Play Integrity API and you managed to circumvent it?

    • OppressedBread@lemmy.ml (OP) · 1 point · 5 hours ago

      No, that’s a well-known workaround, but the banking apps I used were just giving me a generic error. While yes, they used the Google Play Integrity API, they weren’t enforcing it.

      What it turns out is that they were checking for specific packages that come preinstalled with every copy of GOS, effectively blocking users of said operating system.

      Luckily these packages aren’t essential and can be disabled by users, bypassing their checks.

      This is one of many checks that they implemented; there are 3 other checks, but it was easy to bypass those too without compromise.

  • mathemachristian [he/him]@hexbear.net · 5 points · 9 hours ago

    If not that many people use it, then the potential usefulness is greatly diminished, right? So you gotta balance your OPSEC risk with that, I suppose. Falsifying information where not pertinent, or adding non-pertinent wrong information, might alleviate some of it (I bought it x months ago, it’s a business account, I am not in the country often, etc.). It’s fine to mislead some users about the specifics of your case if the overall goal of helping them can still be achieved, I would think, unless it misleads them in a way that might cause harm, of course.

  • tapdattl@lemmy.world · 3 points · 8 hours ago

    What about just logging in with your web browser? I’ve been using GOS for going on 4 years now and haven’t had any issues with it. Is there anything specific the app provides that you need that isn’t available through browser?

    • OppressedBread@lemmy.ml (OP) · 1 point · 6 hours ago

      As it stands right now, there is no clear benefit for me when it comes to choosing between banking in my browser vs. just using the app. While yeah, it does offer some fingerprinting resistance, I’d still be exposing my real IP address; otherwise the bank would flag any other IP address I’m using and require me to verify myself.

      I opted to run my banking apps in a separate profile without hiding behind anything, while keeping my other profiles separate and behind proxies.

      • tapdattl@lemmy.world · 2 points · 3 hours ago

        Assuming your bank already has all of your information, what’s the problem with them knowing your IP?

        And how often do you need to use your banking app? Could you connect from a local free WiFi network from a library or something?