Hey everyone, hope you're all having a good day today. I apologize in advance for this long read, but the TLDR will be at the bottom.
There’s this potential issue I’m facing right now and I need some opinions on how to go about this or maybe I’m overthinking this situation.
Context: I’m running a Google Pixel phone with GrapheneOS for about a month now, without any sandboxed Google Play services. The experience has been amazing and so freeing. This switch was overdue since all of my services are open source / privacy respecting or self hosted solutions; this was the last step to finally be “free” and I just got up one day and decided to bite the bullet, buying the phone with cash.
BUT I made the rookie mistake of not checking banking app compatibility and, as luck would have it, my banking apps outright blocked GOS users and no settings would work.
Luckily with some patience and a bit of RE magic, I managed to come up with bypasses for 2 local banking apps in a little over 3 hours, it was laughably easy and any user could pull it off without changing any settings or installing anything.
Issue: Here’s the potential problem.
Now, we may all know the Privsec GOS banking app compatibility list. At first I was over the moon to make a useful contribution, ESPECIALLY to a list like this.
And then it dawned on me, I’ll be potentially shooting myself in the foot and here’s how:
1-I live in a relatively small country that isn’t mentioned anywhere in this list; I’ll be the first one in my nation to make a contribution. While yes, we do have wiggle room for internet freedom, the local government showed that it will not tolerate moves that will encourage the masses to take privacy routes, basically “if you’re gonna do it, shut up about it or we’re gonna come after you”. It did happen before.
2-The population pool is small. To make matters worse, Google Pixel phones aren’t even a thing here; I had to REALLY dig around to find someone that sold these brand new. The second hand market is just as bad, no one is selling these phones, so I imagine that people who actually have these phones here can be counted on my fingers.
3-The bank I’m using most probably already logged the phone type. It wouldn’t be so hard for them to connect the dots if they got alerted about my bypass solutions. The Privsec fill out forum needs me to include my phone model name and build number, potentially leading to a full OPSEC compromise.
Verdict / Thoughts:
I’m split on this issue. Part of me thinks I’m overthinking the shit out of this situation and I’m overestimating their capabilities.
The other part is telling me that I’ll be destroying my opsec and I should stop.
I’m thinking of falsifying the device name / model on the forum to avoid this, but I don’t know if this is even enough and I don’t want to mislead other users.
TLDR: Local banking apps blocked GOS, came up with a bypass, but not enough people use Google Pixel phones locally and this may lead to a full OPSEC compromise if I posted about it.


No, that’s a well known workaround, but the banking apps I used were just giving me a generic error. While yes, they used the Google Play Integrity API, they weren’t enforcing it.
What it turns out is that they were checking for specific packages that come preinstalled with every copy of GOS, effectively blocking users of said operating system.
Luckily these packages aren’t essential and could be disabled by users, bypassing their checks.
This is one of many that they implemented; there are 3 other checks, but it was easy to bypass those too without compromise.
Why are they explicitly going out of their way to block GrapheneOS despite not many people using it?