I currently have a complaint at kifid (instititute for complaints against financial service providers in the Netherlands) against Revolut because it doesn’t work on degoogled phones. They claim it makes it more secure. Can anybody point me to a study or expert opinion on the security benefits of safetynet and how it protects android phones?

My inkling about googled OEM phones is this:

  • many are old
  • many aren’t receiving patches anymore
  • many receive security patches late (weeks or months)

And regarding degoogled phones:

  • they are more likely to get security patches more quickly
  • they are often maintained longer than OEM phones
  • certain ROMs like calyxos and grapheneos (to a certain degree eos) are actually more secure than stock OEMs due to either
    • security focus
    • faster security patches
    • being limited to relockable bootloaders

Revolut claims that allowing these ROMs (or similar ROMs) to run their application would reduce the security of the application. I’m not a security expert so it would be nice to find out if that really is true for android.

This was posted on mastodon and reddit for reach.

  • limerod@reddthat.com
    2·
    2 days ago

    It is a security theater and akin to pat your back feel good. Your app is secure, yay!

    Same with apps blocking functionality due to VPN usage or detecting USB debugging or developer settings.

    • voicesfromdeep@programming.devOPEnglish
      3·
      5 days ago

      A GrapheneOS developer (@[email protected]) points out that it seems like that’s due to Revolut using Play Integrity API incorrectly (from what I understand). If they were to update the app and actually use the result, it might lead to Revolut not working on GrapheneOS either.

      With my complaint, I’d like to get Revolut to work on all degoogled phones and not have any risk of an update suddenly killing support.