- Were any of the current directors or new nominees involved in the incident where F-Droid marked Bible and Quran apps as NSFW, hid them from search by default, and expressed the intent to remove them completely (https://gitlab.com/fdroid/admin/-/issues/252#note_2578531026)? (Discussed on HN: https://news.ycombinator.com/item?id=45638096)
If I’m charitable, I could assume they intended to make a controversial move to drive public attention to the growing government restrictions on innocuous apps. As far as I know, though, nobody at F-Droid admitted to this; and if they were, why didn’t they mark other widely used apps like Wikipedia and Reddit frontends that provide easy access to much more sexually explicit content in the same protest?
If I’m less charitable, and go by what F-Droid admins actually said, they took this action out of a sincere belief that these apps contained content unsafe for minors that necessitated flagging, and sincerely believed that Wikipedia and Reddit frontends somehow don’t qualify for the same. If they honestly believed this, it demonstrates (to me) poor judgment; and since the action was walked back almost immediately due to negative public response, that indicates further that they never actually believed this in the first place, and that instead somebody took it upon himself to specifically target religious apps out of his own bias.
Either way, it really soured me on the judgment of the F-Droid maintainers. After a stunt like that, I no longer trust them to fight the battle against oppressive government restrictions on operating systems effectively. Formerly an F-Droid user of many years, this caused me to switch away completely: I’ve started donating monthly to Accrescent instead, download as many apps as I can from there, and switched from F-Droid to Obtanium for any apps not yet on Accrescent.
- She lusted after lovers with genitals as large as a donkey’s and emissions like those of a horse. 21 And so, Oholibah, you relived your former days as a young girl in Egypt, when you first allowed your breasts to be fondled.
Ezekiel 23:20
- Setting aside the context of this quoted verse and how NSFW stuff is judged in religious texts, this doesn't address the more important point that OP raised: the visuals of this verse and more extreme ones can be easily found on Reddit and similar allowed apps. So OP's points stands.
- The other apps are clients. The apps themselves don't actually contain any content, they're just code. An app that itself contains an offline copy of a book with NSFW text is not the same thing.
Meanwhile Reddit is a doubly poor example because even though the service contains NSFW content, it marks it as such, and then the client not only doesn't itself contain it but gives the user a separate opportunity to select against it when using the app to download pages.
- Bible apps often don’t contain the text directly, but allow the user to download a preferred translation on initial startup. That didn’t prevent them from being marked NSFW.
And clearly that wasn’t the standard anyway. Before the introduction of the policy restricting religious texts, the only apps F-Droid had marked NSFW were frontends to porn sites, even though the apps presumably contained no sexual content directly.
- It should be pretty obvious why porn apps are marked NSFW despite not containing any content. Substantially all of the content they can be used to access is NSFW, whereas it's reasonably possible to access only SFW content on Reddit.
Which would also explain the Bible apps without an initial copy. Choosing which translation to download when substantially all of them are translations of the same NSFW text means that substantially all of the users would end up with NSFW content on their device by using the app.
- Except, of course, that the Bible in any translation is not NSFW, certainly in the common usage of the term. It contains depictions of violence and sex, yes. But so does Fanny Hill, and that hasn’t legally been considered obscene in the UK or the USA in over fifty years. F-Droid’s excuse, that they needed to restrict Bible apps to protect F-Droid from legal liability, is not believable.
- You're trying to be clever, but the context from the drop has been to distinguish "a sincere belief" from… the kind of rhetorical underhandedness that you are indulging in.
Not only is this not going to convince anyone that there's anything behind it other than an attempt to formulate a winning argument (having set that as your goal) irrespective whether there's any actual sincerity to the words you're choosing, but it comes across as the opposite of clever: that anyone who's convinced themselves that it really is clever and that no one can possibly permeate this forcefield of insincerity is a perhaps-delusional, and definitely-insufferable halfwit.
- I would still say that counts as the app providing the content, not users. It's not user uploaded, it's app uploaded.
- Those points don't connect though. Reddit is a social media platform. The Bible is book. It's a static piece of media.
- Yeah, kids need to read this. Totally. /s
- In Biblical times, yeah? There was no such thing as birth control. If you get pregnant and are unmarried, your life might as well get over.
- The irony is this is an allegory for two cities who "committed adultery" against the covenant relationship with God by becoming bedfellows with pagan authorities in a "lust" for power. This isn't actually about sex just very strong poetic allegory to raise awareness.
- The act of abortion has existed since 1000 BCE with the earliest being 1550 BCE. Around the estimated time of the mythical Moses. Obviously not as effective, but the practice existed. Not to mention sex isn't one specific act. There are many ways to have sex, even by biblical standards, that do not involve the possibility of getting pregnant.
- > If you get pregnant and are unmarried, your life might as well get over.
Not really. And biblical times does not mean people's lives were run according to commandments in the Jewish bible (neither in ancient Judea nor elsewhere).
- I find it funny and sad that this is the sort of thing that people like to bring up as somehow bad and not the part where the Isrealites are admonished for not genociding the Cannanites hard enough.
- My reading is they were simply trying to comply with regulations. It wasn't about what ideas they believed the religious texts were trying to convey, but whether their content met a certain definition set by law. The law could be poorly written, or it could be poorly and over-cautiously interpreted by F-Droid maintainers. But I didn't get the feeling they were acting on any kind of moral judgement or own belief about what's appropriate for children.
Does the Bible encourage violence or promiscuity? Not really, no. Does it mention and describe those things in some detail? Yes, absolutely. If that's the kind of content you need to remove from your store, then obviously you need to remove the Bible from your store. Whether that was really the case seems questionable at best, but the stated logic seemed pretty coherent to me.
- > The law could be poorly written, or it could be poorly and over-cautiously interpreted by F-Droid maintainers. But I didn't get the feeling they were acting on any kind of moral judgement or own belief about what's appropriate for children.
If F-Droid were being overcautious, they would have blocked social media apps too. Social media is explicitly the single biggest target of these “think of the children” app store laws after outright porn sites. F-Droid left Reddit and Mastodon clients unmarked. Am I supposed to believe that F-Droid honestly thought the law applied to apps containing only ancient religious texts, and not to social media? Has any other app store interpreted the regulations the same way? And if they truly believed that was a legal requirement, why did they reverse the policy after only a couple days of user complaints?
- Which regulations? F-Droid seems to be governed by Dutch law (see https://commonsconservancy.org/dracc/0039/ ). Do they have laws prohibiting all apps with any violence or promiscuity?
(As an aside, if they indeed had to follow some Dutch law and remove Bible and Quran apps, maybe F-Droid can be hosted by freedom.gov, US govt's new anticensorship portal..)
- Ironic as Governments use religion to oppress. In facts it's one of religions primary roles.
- Even mainstream religions are seen at brainwashing cults by many people and my guess is it was something along these lines. They thought they were contributing to the greater good by keeping people from being indoctrinated into a cult. I don't agree but I've seen many self-proclaimed atheists make such statements.
- > a sincere belief that these apps contained content unsafe for minors
Hey I believe that too. If people are entitled to believe whatever is written in those books, surely people are also entitled to believe it's nonsense and actively harmful.
- You’re free to believe that. But the topic here is F-Droid and its board of directors, along with the context that governments are attempting to censor operating systems and app stores. The question is, if you controlled an app store, would you prevent users from making religious choices for themselves? F-Droid is, probably, the biggest and most mainstream free software app store for mobile operating systems, and is trying to drum up community support (“Keep Android Open,” etc.) in response to the new laws. But F-Droid initiated a sudden change in policy—censoring religious apps—wilfully censoring content that’s never been illegal by any reasonable interpretation of the law. Such decisions obviously negatively impact parts of the free software community, and bring up questions about how effective F-Droid and F-Droid’s leaders can be in this fight.
- Will F-droid continue when Google bring in their changes, soon?
- Even with Google's changes, F-Droid will continue to work with Android phones that do not use Google GMS.
If you care about your actually owning your device, install something else than stock OS. I would recommend GrapheneOS, since the security of some/most other alternatives is pretty bad.
- AFAIK every popular Android phone uses a qualcomm modem chip with a separate OS that has complete access to ram. NSA most certainly has a backdoor there and such complete access to any Android phone. This was common knowledge after the Snowden stuff. I don't think this has changed at all since. Only few niche phones (pinephone) separate these systems or have a hardware switch to disable the cellular system.
- GrapheneOS works only with Pixel devices, which doesn't make it much useful for the vast majority of Android users.
- GrapheneOS is working with a manufacturer to change this:[0]
> We're working with a major OEM and the devices will be the future versions of existing models they have now. The devices will be priced similarly to Pixels. The initial devices will have a flagship Snapdragon SoC for the best security and support time. Snapdragon flagships have significantly better CPU and GPU performance than Pixels. Snapdragon provides high quality Wi-Fi, Bluetooth, GNSS and cellular support as part of the SoC. eSIM and other functionality is also provided by the SoC. Snapdragon has decent image processing functionality included too, and good neural network acceleration.
[0]: https://old.reddit.com/r/GrapheneOS/comments/1o32gpg/deleted...
- Indeed. Sadly the reality is that most other Android devices are simply not secure enough. Many Android phones do not have a separate secure enclave (outside Pixel and IISC Samsung flagship and A5x range), so they are vulnerable to breaking PIN-based unlocking, side channel attacks, etc. Besides that they often only provide old vendor kernel trees, old firmware blobs, etc.
So, you have to wonder whether you want such a phone anyway if you care about security and privacy. If you don't care about security anyway, you could as well run /e/OS, etc.
Above-mentioned Samsung phones could perhaps make the cut, but don't support unlocking anymore (and when they still did, would blow a Knox eFuse).
- Reduced security has always annoyed me a bit as an argument. Sort of in the same way as signal deprecating SMS because it's insecure.
I get all or nothing when your threat model is state actors. However, for most people, the benefit is just freedom from corporate agendas.
Not everyone needs kernel hardening, or always E2EE (as with signal). Personally I just like the features it provides (e.g. scoped storage, disabling any app including Google play services, profiles etc etc
Its also an easier sell to people who are apathetic to security when the product is just better and more secure, the same way apple does (for whatever their reasons may be).
All that said, I get they're limited in funds and manpower, plus the things mentioned at the end there, so I can only be so peeved they chose a target and stuck with it. They typically cite security as the reason, not those other ones, however.
- Oh man, I am still annoyed about Signal removing SMS support. Had to add another app to my phone and I can now no longer accidentally discover that someone I'm texting has Signal, which happened more than once to me!
- Reduced security has always annoyed me a bit as an argument.
Security is one of one of the main selling points of GrapheneOS, I can fully understand that they don't want to weaken that by supporting fundamentally insecure devices.
I think a nice side-effect is that they only focus on a small number of devices (Pixels) and support those really well. I have followed the /e/OS forums for a while and many devices have constant regressions because it is hard to validate each release on tens of devices.
I get all or nothing when your threat model is state actors.
People do have different thread models, though I think up-to-date software should be the baseline for everyone and where pretty much every phone outside iPhone, Google Pixel, and a subset of Samsung phones fail. Also, I think having a secure enclave should be the baseline, since phones do get stolen.
Its also an easier sell to people who are apathetic to security when the product is just better and more secure, the same way apple does
That's really a weird example though for supporting the argument that GrapheneOS should support more devices. Isn't Pixel + GrapheneOS then pretty much iPhone + iOS? Privacy-respecting, secure, not pushing AI subscriptions all the time (though iOS is getting worse in that respect), offering useful functionality?
At any rate, I understand if you have another phone, you wouldn't buy a Pixel for GrapheneOS, but it does make sense to buy your next phone for running GrapheneOS. Pixel covers a pretty wide price range to, e.g. the Pixel 9a was 349 Euro here recently, all the way up to the Pixel fold.
- > I can fully understand that they don't want to weaken that by supporting fundamentally insecure devices.
Except that there is nothing fundamentally insecure about them, they just don't support a specific convenience feature. You can straightforwardly support PIN-based unlocking by encrypting the PIN in ordinary persistent storage using a longer passphrase that only has to be entered during boot.
This is arguably even more secure because it allows the PIN to be dumped from active memory and require the longer passphrase again after a timeout, a limited number of bad attempts or in response to a panic button on the lock screen. Then the device doesn't contain the long passphrase whatsoever, instead of having it permanently stored inside of an opaque enclave that itself could (and often does!) have its own vulnerabilities.
- > I get all or nothing when your threat model is state actors.
The problem for those of us in the USA, that labels anyone who disagrees with the current administration and ICE as a domestic terrorist, means that now everyone's threat model is a state actor.
The threat model of every citizen that dares to exercise their first amendment rights now escalated beyond corporate agendas to "How do I make sure Israeli & Palantir spyware doesn't end up on my phone? How do I make sure if my phone does get confiscated, Cellebrite can't image it or access the data?"
Even if that weren't the case, I see no valid reason to be lax with security in 2026. There's no excuse anymore, I mean we still have OEMs selling phones that they do not issue security updates for after purchase. That's just gross negligence.
- How do I make sure if my phone does get confiscated, Cellebrite can't image it or access the data?"
In this context one super-nice feature of GrapheneOS (do check the legal ramifications though, IANAL) is that it supports a duress PIN. It's an alternative PIN that immediately erases your phone (probably throws away your FDE keys?) and clears your eSIM.
Besides that, it also supports configurable time to reboot after no unlocks. This is relevant because it is typically much harder to exfiltrate data BFU (before first unlock) than after. iPhone also supports this, but only does it after I think 3 or 4 days. On GrapheneOS, this can be set as short as 10 minutes when there is a risk of your phone getting confiscated. Of course, you can also manually reboot, but that's not possible in every situation.
- Graphene is OSS, so if you want to create a fork that supports other phones, you are free to do so. The maintainers have limited amount of resources, why wouldn't they focus those resources on the most secure hardware if that is what aligns with their goals? If you have different goals, create or fund a fork to support more hardware.
- > Sadly the reality is that most other Android devices are simply not secure enough.
This seems like a bad reason for not supporting a device. If the device doesn't have a hardware feature then the OS it came with can't be doing it either, and then all you're doing is leaving the user with all of the other security problems in the OEM OS that otherwise could have been improved by replacing it.
- Perfect really is the enemy of good when it comes to GrapheneOS
- It really isn't; the project acknowledges numerous existing compromises. Take a look at their roadmap or any number of threads if you think they only ever implement perfect features.
That's also an unfair take when one considers how many improvements they've upstreamed to AOSP and how many quality of life features they've implemented.
- Every GrapheneOS proponent I've seen has claimed that other devices are inferior to Pixel security wise, and that's why they're not supported. That always sounded a bit odd to me and certainly seems to have a bit more nuance based on your comment. Thank you for adding some clarity here.
- See their list of device requirements: https://grapheneos.org/faq#future-devices
- There's really nothing odd that company that runs Project Zero also builds devices that are well secured.
- Qubes OS, operating system designed for security, doesn't prevent its installation on computers without VT-d. It will just warn you.
- Graphene doesn't really try to stop you. They just don't spend their own efforts on making it possible. It is OSS so, your free to spend your efforts where you want to.
- This is however not their main argument. I doubt they would accept such pull request.
- It would require a significant commitment of limited resources to broadly support insecure devices with very little upside, and to do so would constitute gross mismanagement of the project.
Meanwhile, others are completely free to fork numerous GrapheneOS improvements or benefit from their upstream improvements (as some have, including Google).
Why can't you understand that?
- I never mentioned any commitment except accepting pull requests, did I? Qubes can do that and doesn't require a fork. Are you saying they have much more resources?
- No pull request necessary, forks don't require approval.
- The problem with laptops is that UEFI is a shadow operating system that keeps running after boot, with a bunch of security vulnerabilities. Furthermore all Intel / AMD chips have a microprocessor state called SMF which if you trigger it basically gives you carte blanche to do whatever you want.
"Trusted Boot" is a meme on x86. If you really want something like that you need to do what Oxide Computer is doing and rip out UEFI for good and implement your own secure boot chain.
Qubes is great but at the end of the day cannot protect against evil maid attacks to the level that pixel or apple phones can. Its great at making sure a browser exploit cannot steal your banking credentials you have open in a different virtual machine but cannot overcome the limitations of the platforms it builds off of.
So I understand why the GrapheneOS folks do what they do.
See also: "X86 considered harmful" by the founder of Qubes OS (posted in 2015!)
https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf
- I use Qubes with TPM and Heads and with a hardware key. All based on FLOSS, so its possible.
- As one who has lived out of both operating systems for years, I struggle with the way you invariably make value judgments about GrapheneOS every time it comes up in a thread, based on your (justifiable) appreciation for Qubes OS. The same thing happens in reverse on the GrapheneOS forums, by the way.
Both lines of thinking are faulty, and attempting to directly extrapolate from one project to the other (in either direction) mostly only conveys a lack of understanding of both projects, even (especially?) one's favored project.
Joanna Rutkowska herself admitted that the difficult nature of trying to contain the PC hardware stack made it ultimately feel like she lost the war. Qubes OS is inherently vastly more vulnerable than GrapheneOS, in large part precisely because of their different approaches to hardware. Some of this has been mitigated by developments made since she stepped back from the project, but some of it will always remain. How to deal with this inherent conflict is not a simple matter and the two projects have taken two distinctly different approaches.
In the cases of both projects, I think they made justifiable decisions in their approaches. I use and contribute to both projects.
If you've been using Qubes OS long enough, you'll remember a time when trying to run it on anything that wasn't essentially identical to the ThinkPads used by Qubes OS devs often presented a major challenge.
GrapheneOS is a fundamentally different project in scope, and each project has a subset of users which seem unable to do anything but evaluate the other project based on the criteria set by the one they like.
"The goal of the project is not to slightly improve some aspects of insecure devices and supporting a broad set of devices would be directly counter to the values of the project. A lot of the low-level work also ends up being fairly tied to the hardware."
GrapheneOS achieves significantly more security on the hardware level than Qubes OS, in very large part specifically due to the nature of the project. It's also an infinitely simpler OS to get up and running with, on both current-gen flagship hardware and current-gen value-prop hardware available in just about any store which sells cell phones.
In addition to all that, by the nature of the respective code bases it presents a significantly smaller attack surface than a computer running Qubes OS.
Securing a single device type with excellent hardware security is simply much more viable a project than securing a broad range of devices with hardware security that is, at best, pretty terrible.
Repeatedly criticizing one project without significant familiarity with both is not just pointless, it's counterproductive to aims of FOSS privacy and security.
- > In addition to all that, by the nature of the respective code bases it presents a significantly smaller attack surface than a computer running Qubes OS.
I critisize precisely because I don't understand what you're talking about. The last relevant VM escape was in 2006, discovered by Rutkowska herself. Since then, nothing could access my secrets in an offline vault VM. I would appreciate a clarification, how GrapheneOS can be more secure without reliable virtualization.
AFAIK Xen security relies on 100k LoC. And this is in addition to the virtualization. How many LoC does GrapheneOS require to provide its security? How can it have less attack surface than Xen? Developers replying to me here never provided an understandable reasoning, only keep repeating that it's "very, very secure", without even mentioning any threat model.
Doesn't GrapheneOS rely on closed Google's hardware to provide its security? I would never trust Google with that. How can I not critisize such approach?
- Imagine if the Linux project had this same mentality. Thank goodness they don't.
- Which leads to things like laptop sleep working inconsistently. Instead of having a good reputation, Linux's reputation gets hurt by all the random devices it allegedly supports.
- Devices designed for Linux work flawlessly, just like it happens with Mac and Windows.
- Imagine if Apple had this same mentality, they would never be where they are.
(/s in case it is needed.)
As a smaller project, choosing a small set of hardware and supporting it really well (aside from security reasons) seems like a much better strategy than supporting tens of devices badly (go to e.g. the /e/OS forums to see what regressions people are dealing with after monthly updates).
- Indeed. Apple is financially successful, but they're ultimately a minority player in pretty much every market they engage with - including desktop/laptop computers and even mobile devices globally. And for me they are just as inaccessible as GraphineOS.
But for Apple that is not necessarily a bad thing. They're a company. Their goal is to make money and they are highly successful at it. GraphineOS is not a company. They don't make money. Which begs the question of what is GraphineOS's real goal and is it valuable? Creating a maximally secure mobile OS seems valuable on its face, but that value is undercut by its inaccessibility.
- that value is undercut by its inaccessibility
You are saying this like GrapheneOS only runs on some unobtanium hardware. I can literally hop on my bike and pick up a phone that runs GrapheneOS in 5 minutes, every day of the week. Also, it's available in pretty much all price classes except maybe a 100-200 Euro phone that runs on a Unisoc CPU. Pixel 9a regularly goes for 350 Euro here and you can go all the way up to an expensive flagship with a Pixel Fold (or anything in between). Even in the 100-200 bracket you can probably pick up a refurbished 8a that should still be supported until 2031.
I know that they are not sold in every country, but worst case it should be possible to get your hands on one second hand or refurbished.
- The Pixel hardware does not have the capabilities I consider to be essential for my personal phone.
- Huge opportunity for Lenovo/Motorola here who have been the quiet Linux favorite for a while but we shall see if they even bother.
- Sounds like a consumer problem for their own choices of vendor lock in
- Would love to ditch google and use grapheneOS, however have so many banking and (stupid) outlook for work.
- You can check banking app compatibility here:
https://privsec.dev/posts/android/banking-applications-compa...
- Even if it works now, how can you be sure the next app update doesn't break it in the name of security?
- Because it would cause public uproar.
- The outlook app works for me on GrapheneOS, is there something about it that doesn't work for you?
Many banking apps do work on GrapheneOS, the list had already been linked to by others
- > Would love to ditch google and use grapheneOS
grapheneOS only works with google phones.
- For now[0].
And I don't really think that people mean using google hardware but rather being mined by google software.
May I ask, if you (a) just want to be technically correct, (b) don't see the difference or (c) are trying to make a point I don't understand and if so would be willing to explain?
---
[0] https://piunikaweb.com/2026/02/02/grapheneos-non-pixel-hardw...
- I would rather pay a one off ransom to google, than have them harvest all my data and profit from them in perpetuity.
Better yet, you can buy a used pixel phone.
- Pixel 9 Pro handsets are going for around $500 on the secondary markets like ebay. That's a only a single generation off from their current Pixel 10 models and you still get OS and security updates until 2031.
Not a bad deal and pretty crazy how fast smartphones depreciate now.
- Indeed and Pixel 10 was 549 Euro here just a few weeks ago and Pixel 9a as low as 338 Euro.
- The outlook webapp is quite decent. I've never used their native app, but I've manahed to get by fine with their webapp, even though notifications don't work (I just check it regularily). IIRC K9/Thunderbird also has support for exchange now.
- Apparently a lot of banking apps work with the sandboxed Google malwares. Not sure though, I'm not a user (wrong hardware)
- Correct. I am using my Dutch bank and credit card apps without any issues. Someone linked the curated GrapheneOS banking list already. If your bank does not support it, you could either contact them. If they require remote attestation, this can be implemented for GrapheneOS as well:
https://grapheneos.org/articles/attestation-compatibility-gu...
If the bank is very hard-nosed about it, you could consider keeping an old iPhone or Pixel (because long security updates) for banking if it is practical to do for you. 95% without big tech is also a big win. Of course, if you need to have it with you at all times, that might not be a worthwhile option.
- can confirm. And there are even some pages that list banking and other apps working on GrapheneOS. It's actually very few that don't work with sandboxed Google Play API.
edit: https://privsec.dev/posts/android/banking-applications-compa...
- Theres e/OS where you can have a locked bootloader with some phones
- Why do people need banking on their phones though? Banks have websites too.
- > Why do people need banking on their phones though? Banks have websites too.
2FA. I was a smartphone hold-out for longer than anyone I know, but banks mandating 2FA with no options for doing it in a standards-compliant way or any way that doesn't involve the app stores was what finally broke my resistance.
- This is asked again and again. Apparently you guys in the USA or in other parts of the world are still lucky, but in Europe banks must be compliant with regulation that more or less force them to do 2FA through their app with the biometric authentication of either an Android or an iOS phone. There are other ways (eg giving a hardware OTP generator to customers,) but apps are the cheapest solution.
- Do you have a link with information about this?
I'm just wondering since I'm currently using 3 different European banks without any biometric authentication to unlock my phone, password manager or provide a 2FA.
I'm asking so that I can adjust in time to any new regulations I'm not aware of.
- You can still find banks in Europe that do not force Google and Apple on you. They may ask you to use their own security devices for instance.
- My bank has no website or physical branches. They’re mobile-only, but their app is leaps and bounds ahead of the competition.
- I don't much like the official Outlook app. Been using Nine for ages, it does everything I've needed.
- Can you not setup your work email through a regular email client? I thought the days of being locked into Outlook specifically went away with Exchange. Everywhere I've worked since has been able to.
Also, what kind of banking are people doing that requires an app? I genuinely don't know what it could be.
- > Also, what kind of banking are people doing that requires an app? I genuinely don't know what it could be.
Close to every bank in the EU requires their user to have an app, for MFA (both for logging in and for validating transactions - transfers, payments). They use the smartphone's TPM. I have yet to see one that allows you to use your own MFA app.
The few I've seen that don't require it will validate the same through text messages (not everyone has a smartphone); though if you associate their app even once, you're screwed - the app it is from now on.
- >Close to every bank in the EU requires their user to have an app
Possibly this was hyperbole but in any case it's not correct at all.
Anecdotally, of my two EU (massive legacy French) banks, neither requires a mobile app. SMS all the way.
Even Wise, a cutting-edge neobank, does not require you to use its app. And its website accepts standard TOTP authenticator for 2FA.
Revolut is app-only, which is why I never use it.
- Here in The Netherlands banks used to offer authenticator devices, which they are phasing out (you can still use them, but they wont replace them once they run out of battery). Pretty much all banks switched to app-only.
No SMS at all (which is not surprising, because SMS is not secure).
Also, IMO fingerprint/face-based authentication is much nicer/quicker, especially for online payment flows like iDEAL (Dutch predecessor to Wero). And banks here work on GrapheneOS, so not much is lost.
- >And banks here work on GrapheneOS
Until they don't.
- > Anecdotally, of my two EU (massive legacy French) banks, neither requires a mobile app. SMS all the way.
My wording was bad, sorry; but try to install their app just once. After that, I'd bet you won't ever be able to go back to SMS validation (which is what I was talking about at the end of my comment).
If not, I'd be curious to know the banks you're talking about (to consider switching to them, for one thing). What I said above is true of Caisse d'Epargne, HSBC, CCF, among others.
- >I'd be curious to know the banks you're talking about
Fortuneo (internet-only subsidiary of Crédit Mutuel) and LCL. I have had both their apps installed at points in the past. In both cases they defaulted back to SMS 2FA upon uninstalling, though I remember worrying I would have the problem you describe.
Ultimately I can't see how a bank could get away with forcing (rather than just pushing) existing customers to install an app. This would surely be a breach of contract.
- > though if you associate their app even once, you're screwed
Can you go in branch and get that fixed?
- It's way more comfortable to login with fingerprint and not going through a longer login to the website.
Especially since in many countries it requires a national e-ID that is an app on your phone.
- It's nice to have widgets.
- This piddly open source effort pales in comparison to what we should really be doing:
Horizontally splitting Google into multiple companies.
Not division via department splits, but equal partitioning across the company into multiple horizontal businesses that compete on the same offerings.
The EU and next DOJ/FTC need to force this.
- I agree, but the probability that this is going to happen anytime soon is near-0. The current US administration is not going to rein in the tech broligarchy and if they did, it would be done out of spite and the pieces wold sold to administration-aligned oligarchs (e.g. Ellison), which might end up being worse.
The EU is not going to force this, because it has enough fights to pick with the US, and this is not the hill that they are willing to die on. It would be far more likely for them to financially support an AOSP-based OS.
- The EU simply is not (and should not) be able to split up google who operate international. But they can regulate the EU market and declare that a monopolist cannot operate there as a monopolist and introduce any arbitary rule achieving it.
- Yes, though I think that is what echelon was aiming at - the EU saying either you break up or you cannot do business here.
- Not sure if you know this, but both Biden and Trump (in his previous admin) had their DOJ file lawsuits against Google. "United States v. Google LLC," which was filed in 2020 and focused on Google's dominance in search and advertising markets. A separate case was filed in 2023 targeted Google's monopolization of digital advertising technologies. The State of Texas also sued them in 2020.
Google lost all three cases. The DOJ in all three recommended the company be broken up, but the judges disagreed. If you want to blame someone, then blame the judges, not the current admin or Bidens DOJ - both of whom said Google should be broken up.
- Trump 2 is very different from Trump 1 though. Trump 1 still had competent, less corrupt people in many positions. Grifters are going to grift.
Anyway, I am going to stop here, since this will probably derail in a non-productive political discussion otherwise.
- As of now, Google isn't destroying non-Google android installs, so F-droid will still work there (correct me if wrong). So until Google takes android fully closed or succeeds in getting popular/necessary apps to blacklist non-Google-verified devices, F-droid still has a role
- I hope so. The changes can mean two things: people can only use it easily in custom roms (I guess there is an overlap there) or they actually would play with Google: i guess technically they could as well register and sign the stuff with a Google key as the software is all FOSS and would allow defining another responsible developer (otherwise Google would have to through out all FOSS without CLA from their playstore). I guess quitting would be an option, but IMHO the outrage outside the bubble would probably be hardly noticable, so what would be the point?
- Why is there a need for whole "board of directors"?
- You always start open source at the kernel.
Linus knew this day 1 and it bows to no one.
- Just recalling from memory, Linus Torvalds wasn't making a free and open source kernel at first. He was making a kernel yes, but he attended a Richard Stallman speech where Stallman introduced GNU and expressed that he needed a kernel cause AT&T was cracking down on Unix clones. And Linus was moved by that enough to change gears and renamed the project to Linus Unix aka Linux. Anyone who remembers better or has sources, correct me below, I'm writing from memory. My point is though that Linus wasn't originally intending to make a free and open source kernel.
- what do you even mean?! start what at the kernel?
kernel is locked and most phones can't be rooted anymore
