this post was submitted on 25 Apr 2024
Privacy
That's a safety thing. Phones are usually owned by one person or possibly shared in the family, but the security is such that app data is per-user anyway.
Websites though, people still sign in from all sorts of devices and often wildly insecure ones such as public/work computers, one malware away from hackers having access to your bank account.
Inconvenient for advanced users like us, but it would literally make all of those refund scams so much easier to pull off because they wouldn't even have to trick the victims into logging into their bank: blank the screen, transfer the money, tell them their computer is all fixed, bye.
The security hole here seems to be remote control of devices, more than the nature of the software used.
If your bank really spies on you through its app, I would change bank. Neither of my bank apps even runs in the background or even requests sensitive permissions. I will happily change my mind if you can show any proof that this is happening.
It's purely security. On Windows and largely on Linux desktop as well, any app can easily look at other apps' data, that's why there are so many browser credential stealers. Maybe you'll never be a victim of this sort of attack, but if it does happen your bank account is gone.
Android and iOS have complete data isolation between apps. Unless you have root on it, even if you install malware and give it the maximum amount of permissions Android can possibly give, it can't access your auth cookies from the bank app. The bank app can't even access them either until you input a PIN or biometric data to get it from the TEE.
Thus it's safe for banks to actually let people stay logged in with reduced identification. Browsers can't do that, not without the web integrity.
We're an absolutely minuscule minority that cares, and could use a stay logged in feature safely in a browser environment.
Dealing with fraud cases is expensive for the banks, they have good reasons to ensure you can only access your bank account under safe conditions. The average person doesn't even know what a web browser is, they know they click the Google and enter what site they want to go to into Google and search for it. They're the people that get scammed on the phone. They're the people that have their entire life savings wired overseas.
Just let your password manager fill up the login every time, it's not hard.
Your points are of course valid but this is getting slightly offtopic.
What would be nice would be not to have to use a proprietary app on a closed-source software stack in the first place, given that it clearly represents a privacy compromise. And that is possible: almost no bank makes it obligatory. But they would obviously love to. If only to fire their web team and save some money.
And this is not just about banks. Every online service is trying to force us onto the closed platforms of Google and Apple, when an open-standards software platform exists and is perfectly workable. Seems there might be a battle worth fighting here. Nobody much seems to agree. Fair enough.
IME that hardly works any more, as mentioned.
Android is open-source. My phone runs an open-source build of it.
At this point it's barely any worse than a web browser. I know it's sandboxed, it can't access anything I don't want to. All it lacks is isolation with the kernel since web browsers run JavaScript and Android runs native code.
Worst comes to worst you just run the app in Waydroid.
Good points.