Uncomfortable Questions About Android Developer Verification
Key topics
The Android developer verification debate has sparked heated discussions, with some commenters labeling Google's requirement to verify developers as "fascist control." The conversation took a philosophical turn when the author alluded to Richard Stallman being "right," prompting a lively discussion about the legendary programmer's crusade for software freedom. While some commenters praised Stallman's unwavering commitment to user freedom, others criticized his abrasive style and perceived inflexibility, though counterpoints were raised highlighting his willingness to make concessions for practicality. The debate has reignited interest in Stallman's ideas, encouraging readers to explore and learn more about the underlying issues.
Snapshot generated from the HN discussion
Discussion activity: very active discussion, based on 160 loaded comments (peak period 0-3h, 75 comments; average 13.3 comments per period).
Key moments
- Story posted: Aug 27, 2025 at 1:14 AM EDT
- First comment: Aug 27, 2025 at 2:01 AM EDT (47m after posting)
- Peak activity: 75 comments in 0-3h, the hottest window of the conversation
- Latest activity: Aug 29, 2025 at 12:10 AM EDT
Shame on Google and Apple, it was always clear this was the end goal and next up is also your PC.
Right after will come the removal of apps they don't like and there is nothing you can do about it.
Stallman was right
[1] Feel free to discuss this too, if you want. I'm developing my opinion on it.
Respectfully, this claim is incorrect. See this 2013 essay [0] for one example out of many where concessions are made to practicality.
Folks who are unfamiliar with Stallman's writing and the general philosophy of the FSF and/or the GNU Project might find spending an hour or so reading through some of the essays here [1] (perhaps starting with this 1991 essay [2]) to be informative.
[0] <https://www.gnu.org/philosophy/is-ever-good-use-nonfree-prog...>
[1] <https://www.gnu.org/philosophy/essays-and-articles.html>
[2] <https://www.gnu.org/philosophy/shouldbefree.html>
> The question here is, is it ever a good thing to use a nonfree program? Our conclusion is that it is usually a bad thing, harmful to yourself and in some cases to others. If you run a nonfree program on your computer, it denies your freedom; the immediate wrong is directed at you.
That is most certainly not making concessions for practicality in my book. So if anything, the citation you provided is IMO evidence for my claim.
As we're seeing, time and time and time again, it is harmful. The benefits may outweigh the harms today, but unless the steward of that nonfree software is extraordinarily careful and forward-thinking (as it were), those relationships inevitably go bad and become coercive over time. As we know, Stallman is (and always has been) right about this.
> That, to me, is very much refusing to make concessions to practicality within their ideology.
1) The last paragraph of the opening section is a plain and obvious concession to practicality: "But there is one special case where using some nonfree software ... can be a positive thing. That's when the use of the nonfree software aims directly at putting an end to the use of that very same nonfree software."
2) I'm not sure how saying "We'd be sad and would all be worse off if you used nonfree software, but do understand that there can be compelling real-world reasons to do so. Please don't use nonfree software, or -if that's not possible- consider small ways to avoid using it whenever opportunity presents itself." is anything but a concession to practicality. A hard-liner that refuses to make concessions to practicality wouldn't incorporate such a thing into their philosophy!
Respectfully, are you sure you're not letting knowledge of how Stallman uses/manages/etc his personal computing devices influence your interpretation of what these essays and the FSF's philosophy are about?
It certainly is not harmful, in my view. I think that the FSF's position on this topic is ridiculous. No harm whatsoever is done by running a piece of closed source software on your computer.
> The last paragraph of the opening section is a plain and obvious concession to practicality
No, it's not, at all! It is ideological, not practical, to say that the only reason to deviate from one's ideology is if doing so advances the ideology even faster.
So, I'm confused. What do you believe that Stallman is right about? If there's never any harm done by running nonfree software on your computer, then what's the problem? I must have misunderstood your commentary here [0] because this statement
> The thing is... he seems to have been right the whole time. Companies really do want to lock you out of controlling the devices you own, and do so at the first opportunity. So... Stallman was right.
certainly seems like you were claiming that there are harms inherent in the practice.
> It is ideological, not practical, to say that the only reason to deviate from one's ideology is if doing so advances the ideology even faster.
Not making a concession to practicality would be saying "There is no circumstance in which one should use nonfree software. Not even in the service of replacing that nonfree software with free software.". You're simply incorrect about this... especially when you also consider point #2 of the section you've quoted from.
[0] <https://news.ycombinator.com/item?id=45036440>
Because with each single person who decides to run a particular non-free software, that's a tiiiiiny bit more vendor lock-in, a tiny bit of control lost, of power, freedom, given up.
And when enough people do this, what happens? Look at Google. Look at the post you're on. You tell me - what happens?
He's not wrong at all - it's just uncomfortable. This is a side effect of capitalism or maybe humanity. It's nothing you or I can single-handedly solve, or cause. But we each contribute to it a tiny amount.
Also: https://news.ycombinator.com/item?id=45025116
Didn't he give some wiggle room in the GPL license?
Oh? From the "Finding the right bargain" section of this 2002 essay [0]
> So perhaps novels, dictionaries, computer programs, songs, symphonies, and movies should have different durations of copyright, so that we can reduce the duration for each kind of work to what is necessary for many such works to be published. Perhaps movies over one hour long could have a twenty-year copyright, because of the expense of producing them. In my own field, computer programming, three years should suffice, because product cycles are even shorter than that.
Has his opinion changed since then?
[0] <https://www.gnu.org/philosophy/misinterpreting-copyright.htm...>
Read up on the principles of the Free Software Foundation if you want all the details.
“I could have made money this way, and perhaps amused myself writing code. But I knew that at the end of my career, I would look back on years of building walls to divide people, and feel I had spent my life making the world a worse place.”
Already starting on macOS. Gatekeeper had a setting where you could allow any app. Now it is removed. While it is still possible to allow an individual app (you need to do it after every OS update), the trajectory is now clear.
Even the language we are using to describe the situation is problematic. Why do we say "side-load an app"? It should be just "run a program"!
An OS that doesn't let you run programs of your choice is laughable.
iOS on the other hand historically required a jailbreak for this. I think that's where the confusion started. Android doesn't need a jailbreak, it doesn't need root (privileges), it doesn't need a custom ROM. You can just install stuff, it's normal. I think iOS users don't realize how different Android is and they just start repeating words like sideload and root without knowing what they mean, assuming it's just Android-speak for a jailbreak. They don't realize there's no jail in the first place.
I am aware English is a living language, and if enough people are wrong for long enough, they stop being wrong, but it's certainly painful to witness.
[1] https://android.stackexchange.com/a/84248
[2] https://www.androidauthority.com/how-to-use-adb-android-3260...
> When referring to Android apps, "sideloading" typically means installing an application package in APK format onto an Android device. Such packages are usually downloaded from websites other than the official app store Google Play. For Android users sideloading of apps is only possible if the user has allowed "Unknown Sources" in their Security Settings.[1]
More accurate would be "run a program not approved by Google"
This is not fascism, this is just a rational move from Google in a market economy. It feels like every time something like this happens, Americans rediscover what capitalism is and implies, then blame it on "human nature", "greed" or "fascism".
Google is not very separable from the US government, and they use their illegal monopoly everywhere without any oversight.
> A fascist corporation can be defined as a government-directed confederation of employers and employees unions, with the aim of overseeing production in a comprehensive manner.
https://en.wikipedia.org/wiki/Corporatism#Fascist_corporatis...
Google goes even further than that: they do not only control and oversee all production via the Play Store, they also control all usage of their products. And while it may currently not be government-directed, they certainly are government-protected as long as they're allowed to run the only app store in town.
In any case, I hope this blows up in Google's face hard, ROMs like LineageOS become as popular as they were back in their heyday, and root hiders get extra attention too so banking apps etc. work seamlessly as on non-rooted phones. Requiring some developer ID crap is essentially as bad as Apple has it, reason for which I've always considered developers having Apple phones quite unserious.
Commercial apps and services will require passkeys and device attestation, so you'll only be able to use open source software even if you have a device to run it.
The walls are closing in, and it's not just mobile. It's only a matter of time before passkeys are used to block Linux users from the commercial Internet as well.
"debugger vendors in 2047 distributed numbered copies only, and only to officially licensed and bonded programmers." - Richard Stallman, The Right to Read, 1997
People will be running pirated debugger copies if that comes to shove
99.9% of people DNGAF about OSS. They do care about doing what they need on their phone without malware/bloatware/nagware
Also publishing and development are separate activities
Yeah I agree his opinion is probably more balanced, however Right to read is a short story displaying characters with too much learned helplessness and too little agency so I'm just going based on what he literally put to paper
Clearly it wasn't doing fine in 2018 when Apple became the first trillion dollar company. Nor was it in 2012 when Apple's market cap exceeded oil companies, barely breaking half a trillion dollars. And the economy was definitely in shambles back in 2005 when no company even had a 400bn market cap! Seriously, how could the economy ever survive?!
Where would the world be without all those innovations. Like the 2005 invention of YouTube, the 2007 release of the iPhone. Where would we be without such world changing technologies that followed with tech's rise in global dominance? Technologies like Bitcoin, VR, and an even thinner iPhone? Do you even know how many people's lives these technologies have saved? Seriously? Because I don't...
Yeah you're absolutely right, tell that to Facebook/Instagram/Temu/TikTok/Pinduoduo/(any other _spying_ apps) users.
It is acceptable for the hack to be difficult so long as it exists. I'm sure later models will eventually be jailbroken too. In the meantime, all of Nintendo's best efforts haven't ended the piracy of Switch games, which is what the vast majority of people care about, not getting their favorite Linux distro to run on the hardware itself.
It is surely possible if only because the general population is not interested in infosec.
On the gripping hand, firmware writing practices being what they are, it is impossible to produce an uncrackable phone.
Stallman's "Right to Read" is an accurate reflection of reality in that sense.
I only have Linux PCs (laptops) and servers, 100% of my work and personal stuff is done there (though for work I do need to hop into MS365, Google Workspace, Zoom, etc, hooray for browsers, my final firewall between me and the walled gardens, though we can have a whole discussion on that).
For mobile, we have PostmarketOS, Phosh, Ubuntu Touch. I really must try living in them, is it on me? IDK, our government even has an identity app for iOS and Android. I should not be using it, I should stick to web. But it's so much more convenient. I'm just weak, aren't I?
Maybe I should go for Ubuntu Touch, with an iPad on the side or something. At least my most personal device is something I control then. Or just keep my Linux laptop handy (or make a cyberdeck!). But I want a computing platform that does not require carrying a bag. It's kinda sad. Even GrapheneOS (one of the most personal and secure mobile computing experiences out there)'s future is in the hands of its greatest adversary, the one that does not want you to have a personal computing experience.
Obviously even maintaining AOSP yourself requires a huge effort and a lot of people would need to donate development time/money.
https://www.gnu.org/licenses/license-list.html#apache2
https://www.gnu.org/licenses/license-list.html#GPLv2
Good luck building anything on top of that & keeping it in sync long term.
No. microG is an ABI-compatible replacement for Google libraries, just like wine is a replacement for Win32 APIs.
The grip of Google, Microsoft and Apple is tightening. Microsoft's TPM requirements for Windows 11 are ostensibly for security, but they're also a mechanism to enforce hardware/software integrity and authentication. Google wants to extend their integrity APIs to Chrome and I doubt Microsoft would object to implementing something similar.
Soon enough computing and the web may end up segregated, with there being devices authenticated and controlled by a central authority and those that are not. In a lot of ways this is already the case, I can't access the 4K Netflix streams I'm paying for on Linux because of DRM and using anything other than stock Chrome can often get you flagged for annoying captchas. But it can get so much worse than that.
My govt's app did, but after bugging them a lot they removed safetynet.
So, how can anyone expect FOSS mobile OSs to ever exist unless forced by law by the US or something?
So, how do we get to a commodity layer for Mobile devices? It looked like it was going to be Linux (Android), and that was Google's intention. But now they are just using their significant resources to corrupt that original idea, using their trojan horse called "play services".
The public at large only cares about convenience, not about privacy. Why don't we? How much enshittification is enough to draw that line in the sand?
Google is a big company and there may have been some factions pushing to make Android an open ecosystem, but I don't see that that was ever the company's intent overall.
Is it the lack of deep, DNA encoded morality? What are we going to do about this? What is the DNA of an organization anyway?
How, as a society can we take away these stimuli that make it so natural to consume individual freedoms when we grow our tribe-size?
Maybe we need more freedom, more freedom to say: "F-this I'm out of here, I just like the set of rule of this other society better." Maybe we are still too constrained. By our ways of generating income, by our countries, continents and ultimately our planet. We have 1 lifetime, we have to make do with what we find.
It's specifically publicly-traded companies, because they cease to be controlled by real people who can make a human decision when there is a trade off between a marginal increase in profits and not being a schmuck.
The problem is that it's difficult for cooperatives to raise capital: they can issue debt, but not equity (because the definition of a co-op is that it is owned by members (usually customers and employees) and no one else). But debt is not really risk capital in the same way as equity and doesn't enable bold initiatives and innovation.
(I am holding out hope for the phone that the GrapheneOS project is planning to make.)
I was just saying that you can make the problem more narrow by not trying to support every device out there. Start small and pick your battles (which probably means using AOSP and using sandboxed AOSP).
I think the main issue of many previous attempts was what typically happens in the FLOSS community: there are N attempts rather than one coordinated attempt (Ubuntu Touch, Plasma Mobile, PostmarketOS, PureOS, etc.) and everybody is targeting different hardware. It's similar to how the Linux desktop got fragmented, though it's even more problematic for mobile, since the usage is probably 1/1000th of Linux desktop usage.
I bought a PinePhone, and after a few too many show-stopping issues (not being able to receive a call for a scheduled job interview was the last straw), I went back to using LineageOS without gapps. I'm not a developer either, just a fairly technical user, so when the device wasn't working, all I could do was report bugs, and things weren't improving fast enough. I haven't checked on progress in a while now. postmarketOS seemed like the one to follow, and they do also support some beefier devices like the OnePlus 6T, but then you'd miss out on the PinePhone's ability to easily remove the battery and to boot off the SD card in addition to eMMC.
I also felt a bit bait-and-switched that the PinePhone Pro came out not too long after the original and then everyone seemed to switch to that one. It reminded me of the awful Gemini PDA and how quickly they rushed out a successor without fixing any problems.
When was it? There are no complaints from people daily driving both phones in the last couple of years AFAIK.
In 2025 you'd be viewed with just as much suspicion for not building your stack on Freedom. I still have hope that we'll get there with phones, too, some day.
The use of managed language runtimes, and SaaS products with low code/no code, makes the OS kind of irrelevant, and many times we don't even consider Linux on the cloud vendor, it is seen as an implementation detail, as many workloads are done via managed deployments like Vercel, Netlify, Azure Web App Service, and similar services.
Tell me you live in the web bubble without telling it.
This is a huge factor. Mobile chip sets (CPU/SoC, crypto enclaves, GPU, modems/basebands) are buried under NDAs a mile thick, and you can't just whack an oscilloscope on the bus like it's 1979. Those companies treat their opaque hardware as their defense against IP theft; they'll never, ever give it up in the current environment.
And the cameras are super complex and require a bunch of DSP and AI to even vaguely work let alone do all the headline features.
You can even see this in the abominable products they release, rife with Frankensteinian cobbled-together bits and pieces from different 'orgs' trying to grab a piece of the (tr)action and the wild inconsistencies in the UX.
You cannot say that. This means we have thousand half-baked projects to choose from, and choice is good. At least this is what I was told.
You have to commercialize openness if you want the muscle of the consumer to be able to produce it.
Short presentation of the basic concept: https://youtu.be/SO46oEdlkY8
Some things with massive value in excess of the cost of production cannot be pursued by capital nor bought by the individual. Your choices are government, non-profit, or something in between all three. PrizeForge aims to be between all three and to completely change how we do consumer open source, incidentally bringing billions of dollars into making it.
BTW your password-based signup flow isn't working (on iOS Safari at least).
Turns out, some new enrollments topped up their accounts and dropped off before the final step that makes it show up on the home page, so now I know it's something, and something is worth doubling.
> existential threat to surveillance capitalism
Should I buy a gun? I'm an American.
No, that's unnecessary. Nobody will be taking you that seriously.
> some new enrollments topped up their accounts and dropped off before the final step that makes it show up on the home page
Did they actually put money in?
So, for a second experiment, I was actually running a stream for Emacs (yeah, yeah, I know, I know). They managed to raise all of $10 for themselves. The premise was to pay out a weekly prize for whoever developed something cool. Super simple.
There's so little data, but it very clearly, very, very clearly seems to say the enthusiasm is for PrizeForge to get good more than it was to use PrizeForge for something else.
And I'm going to keep expanding in various directions because there's no way I'm oriented yet, but it's not nothing. It's terrible UX, terrible everything, but just clearly enough on top of something.
> ...terrible UX, terrible everything...
I think I accidentally enrolled for Emacs and can't unenroll on the site. I guess I'll have to finally start using Emacs now.
If the web was enabled, app stores wouldn't be possible and you could run anything without an installation. But somewhere along the line both Google and Apple realized that this isn't really to their benefit and "walled ecosystems" are an advantage.
Debian here, and... yup. It's so weird to realize this. I have lots of browser windows open with lots and lots and lots of tabs open, but the only other app I have open is a Matrix client (which honestly is not that great; Element's web version has more features and better polish), and a terminal. If you can call a terminal a GUI app.
Sure, I do use native apps sometimes. A calculator app, GnuCash, VLC, some others. But they're not open all the time; they're infrequent-use apps. And a lot of my VLC use has been replaced by streaming on the web.
It's incredibly sad.
Unfortunately no NFC Payments though, since they are only available for Google Wallet (which uses safetynet)
A workaround for NFC payments I've heard about for folks running OSes on their Androids that don't support that feature is a smartwatch with NFC.
Or using a bank that supports NFC payments (not using Google Wallet).
The GrapheneOS Foundation raised this practice with the European Commission because it unfairly penalises secure and safe competition, giving instead a lie to the developers and banks that ancient, unsafe, vulnerable platforms are more secure.
Basically it’s a passive variant of smartwatch payments: you can pay with a ring, or bracelet, or a mechanical watch. The cheapest option is this plastic thingy (currently out of stock): https://eu.k-pay.com/product/mavericks
I’m thinking about implanting one into my hand :^)
On the one hand, I approve of self-administered biohacking.
On the other hand, you might need a Faraday glove to prevent tap to pay shenanigans by folks with a mobile card reader who bump check you.
I would not do this type of biohacking myself, but if you go down this path, look into how NFC skimmers work, because that and compromised card readers and unauthorized tap to pay events on portable card readers are a threat vector. I have heard that Google and Apple are working to roll out tap to pay from card to phone and phone to phone, which could allow folks to skim your NFC device to run an unauthorized transaction.
> roll out tap to pay from card to phone and phone to phone
It’s already here! Stripe has supported it for a while now, and I’ve seen a bunch of other payment providers have it, too: https://stripe.com/terminal/tap-to-pay
Life, uh, finds a way, after all.
> Even if you do, I think it’ll take about one chargeback to get your merchant account blocked.
Well, someone's merchant account might be blocked, but carders don't necessarily use their own accounts; in fact, I would doubt that many do, but criminals are often underestimating risks and overestimating rewards. It's almost a truism at this point that folks who do crime are not usually acting rationally, but I don't want to stereotype.
> It’s already here! Stripe has supported it for a while now, and I’ve seen a bunch of other payment providers have it, too: https://stripe.com/terminal/tap-to-pay
Finally! This feature is going to help a lot of small businesses in isolated areas where mobile phones are the primary (or only) computing devices that are commonly owned. This can create virtuous cycles that are somewhat unpredictable, which should help make these markets more dynamic and competitive.
Thanks for posting that Stripe link. Here are some more tap to pay links I was able to find, eventually. The search terms match too much, so it is a bit hard to disambiguate legacy NFC payment flows that use traditional or modern terminals from the new device to device payment flows. I remember hearing about Stripe's work on this feature, but since I didn't hear much after that, I wasn't sure if the feature had ever shipped. I'm glad that this tech is getting in the hands of end users.
Apple-specific roundup of apps and vendors that support the feature:
https://apps.apple.com/story/id1620226212
https://www.apple.com/business/tap-to-pay-on-iphone/
These two are available on both iOS and Android, in case that is important for folks:
https://squareup.com/us/en/payments/tap-to-pay-android
https://www.paypal.com/us/business/pos-system/tap-to-pay
Now they very kindly just display a warning.
Also why does a gas station app need to send notifications? :)
(Don't know for sure, wouldn't use one myself.)
Now I have to keep my 4 year old phone with 2 year outdated Android to access the bank application. Which is deemed safer than my mobile with the latest security updates. Haha
My phone is rooted and their app won't work.
And my bank's web app developer couldn't even fix their log in bug for several months. I realize, now, it's because they want to sunset their web portal.
Which is extremely annoying ... what if I don't have my mobile!!
Lazy and greedy corporates, just trying to save on their costs with shortcuts, never realizing security is never achieved by taking shortcuts.
Their developers usually understand security well enough.
The problem, especially for banks, is that they're zero-risk driven, their ideal world is the one where risk doesn't exist. So instead of mitigating it they chase risk elimination (!= reduction) at any cost, while middle management needs to report that they improved something for the quarter. This results in all these kinds of stupid policies, where a 6 year old mobile, unmaintained for 4, is considered more secure than the weekly build of the community-based custom ROM running with locked bootloader signed with user-managed keys with strong protection (these days it's almost infeasible).
EDIT: to be clear, it's normally not the developers thinking up these policies, I have worked in a bank.
I don't actually believe that. They chase risk elimination at any cost to you. If there's a significant cost to them, they're going to be all about quantitative tradeoffs.
Yes, banks* claim phones riddled with maximum severity security issues are secure. Also phones that are rooted but using magisk modules to conceal this fact, and use spoofed signatures from ancient hardware, but the most safe platform is not secure enough for them.
Go figure.
*not all, there are notable exceptions explicitly supporting secure platforms through the modern Hardware Attestation model.
The irony is that they'd rather suffer losses from fraud if the fraud is less than the cost of setting up App-based TOTP and a campaign to get customers to use the app. Yet they suddenly get all in a huff about PCI compliance as CYA so they don't have to pay an app developer to figure out how to check "is phone rooted? Yes. Which OS?"
Changing banks is easy when it's just about cash in a savings account. Not so easy in other cases.
I run a Google'd OS for now but I haven't used my bank's terrible app in years and years. I use their terrible website via desktop mode instead.
I cannot imagine a legal defense for forcing someone to accept the terms of service of Apple or Google to use their bank account.
It's impossibly convenient, to be perfectly fair with you; however, I know that my bank has stopped issuing the "BankID Card" (which was a card and PIN device that allowed you to generate challenge numbers) and now forces you to use the BankID app, which will not run on rooted phones of course.
It's even slightly worse as the App requires NFC; so I can't keep a backup on my iPad (which is what I was doing before).
I guess I absolutely need the play store to get BankID on the phone- so I’ll try that now with my Pixel 7.
The only issue I had on GrapheneOS was that I had to play with the location permissions a bit when I wanted to copy the BankID to GrapheneOS from another phone (I've got some pictures of that in this blog post: https://www.jonashietala.se/blog/2025/08/28/ill_only_buy_dev...).
All other Swedish bank accounts I've tried have also worked great (including Swish).
https://grapheneos.org/articles/attestation-compatibility-gu...
Feel free to say you are a member of the Church of Cryptography and that installing proprietary corporate controlled apps is against your religion.
Never been asked to install an app for banking, but a health care clinic dropped me as a patient for not buying a phone that can install their app. I was the first case where a patient refused to conform. Found a new clinic who was willing to earn my business with phone and email correspondence. The original clinic escalated the case to corporate HQ when I filed a public medical malpractice complaint, and they ultimately responded by adding a webapp.
DEMAND the right to live your life without corpotech in your pocket. I am now 5 years without a smartphone working as an engineer and founder with an active social life who frequently travels and it can absolutely be done.
On the last change my bank made me call to their hotline (even though everything else is possible to be done online) to keep using a separate hardware device - which ended up being just "so, you don't want to do it on a phone?" - "yep" - "ok, should be with you in a week or so".
I nowadays consider my phones pretty much throwaway devices - I don't have full control, I can't fully trust them. Plus they could be stolen, break when I drop it into water outside, ... - so I think it's ridiculously stupid to tie anything important to a phone as main authenticator.
Overall the usefulness of a phone has been declining steadily - the selling point of a smart phone originally was that I have an app, and because it's a reasonably trusted device it'll store credentials, and I can use the app without logging in every time. By now most of the apps are just repackaged websites, and because of that - and because they don't trust their backends - we now have quickly expiring tokens in use in the apps as well. Most of the apps I don't use every day - and over the last few months every single one wanted me to log in again next time I used it.
Adding to that the nonsense of "there's a new app available, download that first before using" which typically doesn't add anything of value to me, and we're now at a state that not only does the typical smart phone app not offer a benefit over just using a website - it now often is even worse than just using a website.
It shouldn't be a thing, but it is. In the Netherlands the newer digital-only banks are allowed to do this. No smartphone, no service.
The more established banks (systeembanken) do have alternatives, but realistically not using their app for login auth and transaction approval is a huge pain in the ass.
(My bank, ABN AMRO, has an app which thankfully works fine on GrapheneOS.)
I barely use my bank's website and could easily not use it at all and still have all the functionality that a bank provides.
In the Netherlands (and beyond) online payments (shops, Steam, etc.) are made via the iDEAL platform run by the Dutch banks collectively. That is a good thing, because payments are secure and easy, and no one needs a credit card. But that does mean using your bank's web service to approve those payments.
Using the bank's offline OTP hardware (where you insert your debit card and enter a PIN and the code generated by the bank's website for an OTP) is possible, but using the app is significantly less effort than that. There is very little point in resisting it. It's not a healthy situation, but it is the reality.
If you install the app then you are complicit in normalizing the requirement of signing terms of service and data sharing agreements to US technology companies in order to do banking.
Be the person that demands better. Be the squeaky wheel. Call politicians and press if needed. Stop this shit now before it becomes expected for school and healthcare too.
My bank's app recently started warning me that I should "Turn off developer mode" for """security""" on every sign-in. This warning doesn't stop me from using the app yet, but I'm sure it'll get there.
I doubt very much that it is possible for this practice to be legal, i.e. to condition the services of a European bank on the existence of a contractual relationship with a third party, which is non-European.
Nevertheless, nobody has enough spare time and money to legally challenge such banks.
Now I do my operations mostly through other banks that still have browser-based online banking, but I have not yet closed my last account at such a Societe Generale subsidiary, because I have regressed to using an antique SMS-based substitute for online banking, which is good enough for that account, which I keep only for a credit card used mostly for shopping in supermarkets or the like.
My banks all require their own individual apps for authentication and authorization. I can use the website but to log in and authorize any transactions I need their app. Ironically this runs on my 8 year old Android 10 phone (used as a backup) so security can't be part of it.