Banking Apps with SailfishOS

What should Jolla say? The reasons are the banks that bind themselves to the Google services or the Apple universe. The system is fail.

7 Likes

It seems Hubb5 is right, and it applies not only to home-banking apps but also to general security apps like Microsoft Authenticator, which is also used by many companies to secure their business accounts. Fortunately the MS Authenticator app is available in the Aptoide store in the same version as in the Google Play store, but the app doesn’t provide security for business accounts, most likely because Sailfish’s Android support doesn’t provide an app lock feature.

1 Like

I’d recommend everyone to get a cardTAN device. It is more secure and works everywhere with every browser.

3 Likes

I have microG + Microsoft Authenticator on XA2. Installed from Aurora Store. It already worked on Intex AquaFish. I use the Authenticator for a business account as SailOTP can’t generate a valid code for Microsoft 2FA login. The trick was to disable all permissions and use it only “offline”.

1 Like

Can you elaborate on how you got MS Authenticator working?

I’m trying it on an XA2 and I either get a white screen when trying “login with Microsoft” or it grumbles about Google Play Services not running when scanning a QR code. I’ve installed microG but not sure which bits need enabling to make it work.

Thanks!

Just out of curiosity, is there a difference between business and private accounts, since I use SailOTP with my Hotmail 2FA?

1 Like

I am also able to use the native foilauth app for 2FA login into my (non-business) Microsoft account.
Very nice app by the way!

In my case (something we’re testing at work) I need to use the “tap to auth” functionality of MS authenticator rather than a generic OTP code.

Just read about it in the MS documentation. Strange idea, they could just skip the step where you choose one of three 2-digit numbers and let you just enter your PIN/fingerprint/whatever on your phone. Security improvement from that must be negligible.

May I confirm what apozaf already pointed out. I have worked in IT Sec for more than a decade and I would strongly suggest that you please not use one (1) internet-connected device with an outdated OS for 2 (2!) factor authentication.
Esp. when it is not completely under your control as Android always is.

I am sure you can put that to work with micro-g, some more or less shady sources, Alien Dalvik settings etc.

But is it worth the risk?

My daily driver is my SF. I use an Android for some purposes and an iFone for others. None of these devices is in my eyes fit for security-relevant actions. Simply because they are connected and have an OS that can be compromised. For business use the risk can be calculated, maybe minimized or simply accepted. I do not think you will like that kind of thinking when it comes to your personal banking.

sry for the wot.
just my 2c

3 Likes

It’s easy.

Banking app + TAN app on 1 mobile = no go

Only a few years ago, the banks forbade sending the TAN to the same device and banks were not liable. In 2020, convenience is suddenly more important than safety?! 2FA can be cracked if the transaction is carried out on the same mobile, regardless of what banks say. Android’s security has never been fundamentally improved. Every new version comes with tons of new bugs and only current devices get security updates at all. Aliendalvik on SFOS does not even receive all the necessary regular security patches and works with an outdated version.

If you want to be at least a little sure, then use an independent TAN procedure, known as ChipTAN, Sm@rt-TAN or CardTAN, with an external TAN generator. Sure, it’s inconvenient, but better than nothing. If your bank doesn’t offer this, find another one.

4 Likes

To be honest, I didn’t know they support alternatives. Now I found the way to add an alternative authenticator app in aka.ms/mfasetup. Thanks! Now I can get rid of another “must have” Android app. How cool is that!

2 Likes

It wasn’t very obvious on the Microsoft account page that you can use something other than the Authenticator app.

Yep, I now ran into this with Google Workspace having Device Management enabled. On account sign-in, it requires a screen lock mechanism to be enabled, and as of Dec 2023, you can’t do it in App Support’s Android Settings: whatever mechanism you choose simply doesn’t get saved.

I wonder if Jolla/y team has any ideas on how to at least allow saving the value, maybe that’s enough to fool these check mechanisms?

1 Like

This happens to me with my health insurance as well.
Even if that’s only for 2nd factor auth, the app checks and requires screen lock. It’s a pain that they don’t accept TOTP or other standards, but we cannot rule the world.

My bank has invented even more dumb protection than in

As of now, the bank requires the banking app to be able to send an SMS during activation to obtain the activation code, so it is not possible to activate the banking app from Android AppSupport.

I do all my banking on my laptop with a browser. Luckily my bank has given me a free photo TAN device and there is also SMS TAN available (costs 9 cents per sent SMS), so I don’t need a banking app.

2 Likes

I do have one bank account where I need the SecureGo Plus app for 2FA. I’ve now found a way to use it by means of Waydroid on my Linux notebook. In Waydroid, I use Aurora, which I got via F-Droid. Currently only version 4.2.5 works; it can be installed by enabling the F-Droid Archive repos. Based on Aurora, I could then install the SecureGo Plus app.

Does your SecureGo Plus app not complain about the absence of Google Play services? Biometric authentication? Screen lock?
Or does Waydroid have GAPPS (or can it install them…)?

I use VRsecureGo plus and it’s running without any problem on Xperia 10 II :)