nixCraft 🐧Mar 2

/e/OS is a complete, fully “deGoogled”, mobile ecosystem

https://e.foundation/e-os/

Would you use it? My best guess is that most people will use it if /e/OS provides some sort of jailed/isolated compatibility to run banking apps which typically don't work without google play service.

/e/OS - e Foundation - deGoogled unGoogled smartphone operating systems and online services - your data is your data

ECOSYSTEMKEY FEATURESGET /E/OSNEED HELP /e/OS is a complete, fully “deGoogled”, mobile ecosystem /e/OS is an open-source mobile operating system paired with carefully selected applications. They form a privacy-enabled internal system for your smartphone. And it’s not just claims: open-source means auditable privacy. /e/OS has received academic recognition from researchers at…

Show threadRay McCarthy

@nixCraft
Does Revolut App or Irish An Post Banking (no website alternative) work on any de-Googled Android?

IMO if there is a banking licence you should be able to do everything on a Website / Browser without a special plugin.

PayPal and my Credit Card work without an app.

Apptization of Internet based services with removal or no Browser version is abusive. Should be illegal.

Mar 2 at 12:37pmWeb
Show threadAdrianMar 2
@raymaccarthy @nixCraft revolut works on @GrapheneOS, afaik it's some workaround made by the GOS team
Show threadDaemon ByteMar 2

@raymaccarthy @nixCraft I can say all the German banks seem to work just fine. Most won't let you pay via nfc without google though. Paypal is the only one I have found to let me do that. The rest depend on google wallet. There is a good compatibility list for /e/

https://community.e.foundation/t/list-banking-apps-on-e-os/33091

[LIST] Banking Apps on /e/OS

This is an editable list of banking apps that work on /e/OS. Please enter details only after you have tested all features of the application. If some functionality is not working mention that in the comments. Looking for contactless payment? See this article. TLDR: Curve app for customers, Zettle app for merchants. Country Bank App Name Status Comment WorldWide Revolut Revolut Works only with pre-installed /e/OS and locked bootloader Confirmed working on Murena Fairphone 6 with prein...

/e/OS community
Show threadRay McCarthyMar 2

@daemon_byte @nixCraft
I'd never use my phone to make local physical payments, or online payments. I only want to manage the account. Hence I'd prefer to use a real web page.

I pay online by IBAN, Paypal or Card details.

Show thread🐈‍⬛David SommersethMar 2
@daemon_byte @raymaccarthy @nixCraft I've tested out Curve Pay with NFC. That worked fine. I'm just hesitant to trust fully them (I'm a bit paranoid on such type of apps), and it requires a subscription and ID check to get all the goodies.
Show threadRay McCarthyMar 2

@dazo @daemon_byte @nixCraft
I won't put any 2FA, important app or payment on a phone that leaves the house, ever.
What if it's lost or stolen?

The important phone with 2FA, special apps etc never leaves the house.

Show threadDaemon ByteMar 2
@raymaccarthy @dazo @nixCraft not a choice. All the credit cards / banks want to use the app to check website logins or credit card transactions
Show thread🐈‍⬛David SommersethMar 2

@raymaccarthy @daemon_byte @nixCraft

I use Aegis, which encrypts the database and requires an unlock passphrase (or biometric auth, but something tells me you don't use that). Same with Bitwarden or Proton Pass. As well as several other apps.

Seedvault + Synching (over a VPN to my server) ensures everything is backed up. I'm just waiting for Murena to release the MDM feature, so I can remote wipe the device.

Plus enabling the "Find my Device" feature where you send a unique SMS code to your phone and it will reply with the GPS coordinates. This will also enable location/GPS if turned off. (This feature is disabled by default).

/e/OS is also fully encrypted, so if it gets turned off, your data has some protection there too.

But all of this doesn't matter much. It all depend on each of our own threat models. How far do we go to protect ourselves in regards to the threats we want protect us against, and how that intersect with the phone being convenient to use for every day life. There exists no "one size fits all" here.

Show threadDaemon ByteMar 2
@dazo @raymaccarthy @nixCraft for my regular 2fa? I use proton authenticator for 2fa and bitwarden for passwords. I can't bring myself to put my 2fa in the same app as the passwords. I did use keepass xc but I figured there was actually a higher risk of me messing the sync up and killing all my 2fa :) I do have the find my device setup but I haven't setup seed vault yet.
Show thread🐈‍⬛David SommersethMar 2

@daemon_byte @raymaccarthy @nixCraft I have Aegis do an automatic encrypted backup to a directory Syncthing takes care of. But I don't want 2FA and passwords in the same app as well, that feels a bit "too many eggs in a basket".

Seedvault is pretty easy to setup. But you need to write down and store the recovery passphrases. You just pick a directory where the backup should be stored. And Syncthing keeps track of that directory as well

Show threadDaemon ByteMar 2
@dazo @raymaccarthy @nixCraft I was already setting up the backup. I didn't realise it was built in already. You're using syncthing fork?
Show threadRay McCarthyMar 2

@daemon_byte @dazo @nixCraft

So my 2nd "outdoor" phone is totally disposable. The only personal stuff are phone numbers of people I might ring from it.
It has a copy of a music collection and some useful standalone apps and a few copies of ebooks. No Kindle / Kobo /Google book account. No spotify or whatever.

Show threadRay McCarthyMar 2
@dazo @daemon_byte @nixCraft
"Find My Device" is a security / privacy risk and may not work depending how the phone was lost / stolen.
The 2FA and various important apps are tied to the SIM/Phone number. If you are on Contract or number is registered then then the phone operator can be conned into issuing a SIM or Transfer (O2 frequently has done this). If the non-contract phone is lost then the number is lost too and you are locked out of 2FA and apps. You then have to create new Amazon, Bank.
Show threadDaemon ByteMar 2
@raymaccarthy @dazo @nixCraft firstly, the find my phone on /e/ is not a privacy risk. You text a given code to your phone and it texts back a GPS. Simple and private as long as nobody knows my code. And the 2fa is not linked to my number. I can, and have, swapped sims and it works fine
Show threadRay McCarthyMar 2
@daemon_byte @dazo @nixCraft
The services I'm using link to a number, not an app!
Show thread🐈‍⬛David SommersethMar 2

@raymaccarthy @daemon_byte

You seem to try to achieve "absolute security". That is a utopia.

It is needed to have a security approach which is aligned with a threat model adopted for your situation. Otherwise, the most likely outcome is that you can't be online at all (in the fear that your devices or online accounts/accesses might be compromised) or that you can only be at a single location where you can keep an eye on all the devices you have at all times - and that they need to be stored in a high security safe with top notch alarms to detect physical breaches.

Both of these approaches also has flaws.

Such strict regimes is not something most users ever need to consider, just based to the statistical risks that it would be required. You would need to be a very high profile VIP person to have such needs.

And such a strict regime can become so tiresome that you lower the guard to quickly, compromising the security regime a lot, when you need a quick solution in a stressful moment. This is how strict regimes ends up counterproductive.

A carefully considered threat model focusing on more realistic threat vectors you might end up in, and have carefully considered countermeasures against these vectors, with clear areas what kind of acceptable compromises may be fine, will result in a security regime which is possible to follow in real life.

Show threadRay McCarthyMar 2

@dazo @daemon_byte @nixCraft
A backup without a SIM with the original number is useless!

In fact I've no important stuff on the phone that's not a copy of PC stuff. No backup needed. The only important thing is the actual phone number!

All the 2FA is by SMS. Yes, there are ways that's insecure. Helped by it being an unregistered phone/ no contract!

Show threadDaemon ByteMar 2
@dazo @raymaccarthy @nixCraft on /e/? I tried curve but it didn't work for me. Oh well I cancelled my curve account now anyway. They've gone seriously down hill as they desperately tried to stop losing money
Show thread🐈‍⬛David SommersethMar 2

@daemon_byte @raymaccarthy @nixCraft yeah, worked reasonably well I'd have to say. On /e/OS on a FP4. But it's a while now (5-6 months, probably) since I cancelled my free account. It could have changed since.

But it actually saved me in a shop during travelling abroad. For some reason neither my Visa nor MasterCard was approved in the shop. Paying via Curve worked, charging the same credit card account which failed in the shop.

The spending limits are fairly low on the free account, though. That's were you need a paid subscription to actually make it more useful.