The Unclear Impact

Android/iOS phones:
>worst device in terms of security
>easiest device to steal
>already tends to contain too much sensitive data

Banks: Let's try to base security on this thing.

@lanodan It’s especially infuriating when banks want hardware attestation of the boot chains on Android devices, so you can’t even run a sane OS on the hardware.

@kristof hardware and software, you can't have administrative access (aka "root") on your device in many bank apps.

@lanodan sadder still is that a company here provides a system for legally binding e-signatures that is semi-backed on Android/iOS. Half of the key on the smartsteal, half of the key on their servers.

@ignaloidas Ah yes e-signatures… the thing I almost preemptively said I would refuse when I had to sign documents during the pandemic because they are probably too easy to falsify and very hard~impossible to disprove.

@lanodan tbh here they are decently good if you know what to use. All of our ID cards come with a couple of certificates, which is the best choice besides other dedicated devices you can get. Other kinds of it do suck more though. There's a nice writeup if you want to learn more about how it is here https://nullroute.eu.org/~grawity/pki-in-lithuania.html

@ignaloidas Well signatures with a smartcard are a good idea but at least in France the new ID cards (which seems to be E.U. standard) are contact-less and I'd rather just not have these since it can allow mass harvest of identities with a good antenna.

And while RFID/NFC blockers do exist, auditing that they actually work well enough is a bit hard.

@lanodan Do note that while all ID cards have NFC stuff, it has nothing to do with digital signatures. It allows you to get all the data printed on the card in a digital format signed with an issuer key. You do need some data from the card to read it as well, so they can't be mass harvested (the document no. and issuance date IIRC).

All the signature stuff gets handled by a separate micro-controller in a chip similar to those of a bank card. It's kind of a Javacard with custom firmware.
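The "you need some data printed on the card before the chip will talk to you" property described above is what ICAO 9303 calls Basic Access Control (BAC), the scheme used by e-passports and ID cards built on the same standard. The following is an added example (not code from either participant, and not a library the thread mentions) showing how the chip access keys are derived per ICAO 9303 Part 11: the reader takes the document number, date of birth and date of expiry from the machine-readable zone (the spec uses those two dates, not the issuance date recalled in the post), appends their check digits, hashes the result with SHA-1 to get a 16-byte seed, and derives the 3DES encryption and MAC keys from that seed. Without those optical fields an antenna in a crowd cannot even open the session, which is the anti-harvesting argument. Newer cards additionally support PACE, which replaces this derivation with a password-authenticated key agreement, but the "needs printed data" idea is the same.

```python
import hashlib

# ICAO 9303 check-digit weights, applied cyclically to each character.
MRZ_WEIGHTS = (7, 3, 1)


def mrz_char_value(c: str) -> int:
    """Map an MRZ character to its numeric value: '<' = 0, digits as-is, A..Z = 10..35."""
    if c == "<":
        return 0
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character {c!r}")


def mrz_check_digit(field: str) -> int:
    """Weighted-sum check digit as printed in the MRZ for a given field."""
    return sum(mrz_char_value(c) * MRZ_WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """Build MRZ_information = docno||cd || DOB(YYMMDD)||cd || expiry(YYMMDD)||cd.

    The document number is padded with '<' to 9 characters, as on a TD3 passport MRZ.
    """
    doc = doc_number.ljust(9, "<")
    return (
        f"{doc}{mrz_check_digit(doc)}"
        f"{birth_date}{mrz_check_digit(birth_date)}"
        f"{expiry_date}{mrz_check_digit(expiry_date)}"
    )


def adjust_des_parity(key: bytes) -> bytes:
    """Set the least significant bit of every byte so each byte has odd parity (DES key convention)."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 0x01
        out.append(b)
    return bytes(out)


def derive_key(kseed: bytes, counter: int) -> bytes:
    """ICAO 9303 key derivation: SHA-1(Kseed || counter) truncated to 16 bytes, parity adjusted.

    counter = 1 yields the 3DES encryption key, counter = 2 the MAC key.
    """
    digest = hashlib.sha1(kseed + counter.to_bytes(4, "big")).digest()
    return adjust_des_parity(digest[:16])


def bac_keys(doc_number: str, birth_date: str, expiry_date: str) -> dict:
    """Derive the BAC seed and the Kenc/Kmac pair from the optically read MRZ fields."""
    info = mrz_information(doc_number, birth_date, expiry_date)
    kseed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    return {
        "mrz_information": info,
        "kseed": kseed,
        "kenc": derive_key(kseed, 1),
        "kmac": derive_key(kseed, 2),
    }


if __name__ == "__main__":
    # Worked input: the sample MRZ fields from ICAO 9303 Part 11, Appendix D (not a real person).
    keys = bac_keys("L898902C<", "690806", "940623")
    print("MRZ_information:", keys["mrz_information"])
    for name in ("kseed", "kenc", "kmac"):
        print(f"{name}: {keys[name].hex().upper()}")
```

The takeaway for the thread's argument: a reader that only has the RF channel has to guess the document number and two dates, a search space far too large for opportunistic harvesting, whereas anyone who has physically seen the data page (or a photo of it) can derive the same keys offline.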

@ignaloidas Ah so could be better than the current situation with bank cards but well I'll see once someone pokes the new french ID cards or I know someone with one and poke at it myself.

(ID cards are only compulsory in France so I'll wait for mine to expire and use my passport when crossing borders or for documents)