App Gallery to Showcase Apps based on Sailfish SDK

Hi

Is there any gallery where all apps based on the Sailfish SDK are showcased?

I am looking for an app, “BankID”. The app is available for Android, but I do not want to use the Android version by tweaking it on Sailfish OS.

This app only concerns users residing in Sweden. And I think the Sailfish development team should look into developing and publishing a BankID client app if they want to tap into the Swedish mobile market.

We use this app to authenticate ourselves and perform online transactions. The issue may already have been discussed in this forum; every time, people suggested tweaking and using the Android version.

BankID does not exist as a native app, nor do any other eID apps AFAIK.
BankID is a proprietary app (=closed specification) from the major Swedish banks. One purpose seems to be protecting their status quo, and doing so at as low cost as they can get away with. So they are wholly uninterested in making it widely available.

Even if you could reverse engineer it, you probably would have them actively working against you and probably a few tasty lawsuits coming your way.
I wish it wasn’t this way, and I hope eID (in general) will eventually get opened up, but I don’t think BankID has any place in that. Open and audited standards provide actual security - closed standards, not so much.

No tweaks needed, just install it. Works fine.

Are you referring to Jolla, or individual app developers?

If this is how it is, then there is not much any developer can do. I found some information though regarding BankID implementation:

According to the link above - "BankID is easy to implement for web and app developers"

From the links above, it seems that it is still not doable, since we still need a BankID client app on Sailfish OS so that the user can enter the 6-digit code to authenticate.

Do you think this “GrandID API” solves the issue of building the BankID client app on Sailfish OS?

What you link to has nothing to do with implementing a BankID client, only accepting it in your service or app.

I think part of the trouble with BankID comes from their business model. As far as I understand, they charge services per use. So they add themselves as a man-in-the-middle to every authentication attempt on a service.

As a consequence, I don’t think there will ever be any third-party apps, because the secret sauce is inside the app. And the BankID developers will be forever chasing the latest versions of their chosen platforms, iOS and Android, while shutting people out for having older (or other) phones.

I don’t see how providing and charging for a service needs to shut out 3rd party clients. Even if their secret sauce stopped being secret, they are still the provider of their service and can keep monetizing it.

It’s not like alternative and/or compatible backend services would automatically be in a position to compete. They have the contracts, the name recognition, certifications and so on and so forth.

I think that depends on the architecture, and with the source being closed it’s difficult to know exactly how it works.

Having said that, my impression is that on desktop systems there is a more-or-less standard smartcard plus a more-or-less standard smartcard reader. The certificate never leaves the card, the PIN code never leaves the reader. The BankID software seems to do two or three things:

  1. Ask the card to sign an auth request
  2. Tell the company behind BankID to charge for auth
  3. Possibly check a cert revocation list

My understanding is that the operating system could provide these services, except for the billing part. That is the only reason I can think of for supplying any special software at all.

There’s also (or used to be) the cert-on-file mode, where I guess the BankID software additionally does the signing. I also guess this is how it works on mobile, possibly backed by “trust zone” storage.

Okay, so I just assumed this was about the mobile version (SFOS being mobile and all that). And frankly, nobody uses the desktop version anyway…

I’d be quite surprised if mobile signatures didn’t pass through their servers, that could then tell themselves to charge for the usage. Somebody needs to relay the request to sign anyway, and often the app is not on the same device as where you are doing what needs signing.


It’s still architecture dependent. If all auth happens at the backend supplied by BankID they’d still be in control. If auth happens on device, then it would be a problem with frontends that don’t call home with every auth attempt.

But charging card holders an annual fee could potentially pave the way to open up. BankID could still argue that they must control every link in the chain for security reasons. (Not that security seems very high, given the stream of attacks reported in media.)

I’m as annoyed by this as you are. (Edit: add missing verb…)


Since there is no use of secure enclaves or similar, I sincerely hope and fully expect that authentication is backed by shared knowledge and signed off on by their servers. Kind of convenient that no fancy features are used, because then the app still works.

I’m annoyed enough to have read the entire EU proposal on eID interoperability and a Digital Wallet.
…and have given feedback on it. I think this is the chance, or it is just a matter of time until we lose access to eID for some arbitrary reason.


It seems that the issue will persist - https://www.monperrus.net/martin/bankid-digital-exclusion

Wonder if Freja will adopt a different path. I recently contacted them about this and there was a prompt answer as follows:

Thanks for your feedback.
I don’t have any information that we will support Sailfish OS,
but I’ll forward your suggestion to our developers.


I’m just sticking my nose in since they claim to have APIs :)

the docs at: http://docs.grandid.com/ seem to show apiKey based access to ‘federated login’.

This kind of thing…
Parameters /json1.1/FederatedLogin?apiKey={apiKey}&authenticateServiceKey={authenticateServiceKey}

In any case, it looks like ‘customer’ and ‘service’ keys. I haven’t read any further… Well, section 7 has examples with curl, etc.

Thank you for taking the time to read up on the topic and provide feedback. I hope they do take it into account.
