From 340e94b8da3c302b331321e81368c94294407823 Mon Sep 17 00:00:00 2001 From: spring-onion <133713420+spring-onion@users.noreply.github.com> Date: Sun, 13 Oct 2024 15:32:25 +0200 Subject: [PATCH 1/6] Add banking app reports 505-509 (#278) --- .../Banking Applications compatibility with GrapheneOS.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/content/posts/android/Banking Applications compatibility with GrapheneOS.md b/content/posts/android/Banking Applications compatibility with GrapheneOS.md index 32d1abc..19ffa67 100644 --- a/content/posts/android/Banking Applications compatibility with GrapheneOS.md +++ b/content/posts/android/Banking Applications compatibility with GrapheneOS.md @@ -426,6 +426,8 @@ TEST: Test url again after removing the parameters and verify there is no mistak ### Pakistan - [HBL Mobile](https://play.google.com/store/apps/details?id=com.hbl.android.hblmobilebanking) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/504) +- [JazzCash - Your Mobile Account](https://play.google.com/store/apps/details?id=com.techlogix.mobilinkcustomer) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/505) +- [SadaPay: Money made simple](https://play.google.com/store/apps/details?id=com.sadapay.app) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/506) ### Peru 
@@ -553,9 +555,12 @@ TEST: Test url again after removing the parameters and verify there is no mistak - [Prepaid TWINT & other banks](https://play.google.com/store/apps/details?id=ch.twint.payment) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/228) - [Raiffeisen E-Banking](https://play.google.com/store/apps/details?id=ch.raiffeisen.android) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/26) - ~~[Swissquote](https://play.google.com/store/apps/details?id=com.swissquote.android)~~ - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/471) +- [UBS Access: Secure login](https://play.google.com/store/apps/details?id=com.ubs.swidK2Y.android) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/508) +- [UBS TWINT](https://play.google.com/store/apps/details/UBS_TWINT?id=com.ubs.Paymit.android) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/507) - [UBS & UBS key4](https://play.google.com/store/apps/details?id=com.ubs.swidKXJ.android) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/493) - [ZKB Access](https://play.google.com/store/apps/details?id=ch.zkb.digipass) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/94) - [ZKB Mobile Banking](https://play.google.com/store/apps/details?id=ch.zkb.slv.mobile.client.android) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/93) +- [Yuh - Your App. Your Money.](https://play.google.com/store/apps/details?id=com.yuh) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/509) ### Taiwan From 02294c066b7ec8b0402872b3f94b4d5134189632 Mon Sep 17 00:00:00 2001 From: randomwithnoname <184692997+randomwithnoname@users.noreply.github.com> Date: Sun, 13 Oct 2024 14:32:53 +0100 Subject: [PATCH 2/6] Fix typo + acknowledge Bromite is dead (#280) 
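Review bot: in the Switzerland hunk above, the new `Yuh - Your App. Your Money.` entry is appended after `ZKB Mobile Banking`, while the surrounding entries are kept alphabetical; it belongs above `ZKB Access`. The new `UBS TWINT` link also uses a URL shape unlike every other entry in the list (`details/UBS_TWINT?id=com.ubs.Paymit.android` instead of `details?id=...`); normalizing it to `https://play.google.com/store/apps/details?id=com.ubs.Paymit.android` keeps the list consistent and easier to check mechanically.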
Signed-off-by: randomwithnoname <184692997+randomwithnoname@users.noreply.github.com> --- .../android/Choosing Your Android-Based Operating System.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/android/Choosing Your Android-Based Operating System.md b/content/posts/android/Choosing Your Android-Based Operating System.md index fe3ceb7..1a8c7d9 100644 --- a/content/posts/android/Choosing Your Android-Based Operating System.md +++ b/content/posts/android/Choosing Your Android-Based Operating System.md 
@@ -95,7 +95,7 @@ Being a soft-fork of [LineageOS](https://lineageos.org/), DivestOS inherits many It comes with substantial hardening over AOSP. DivestOS has automated kernel vulnerability ([CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures)) [patching](https://gitlab.com/divested-mobile/cve_checker), fewer proprietary blobs, a custom [hosts](https://divested.dev/index.php?page=dnsbl) file, and various security features ported from GrapheneOS. A non-exhaustive list of this includes: -- A hardened webview. [Mulch](https://gitlab.com/divested-mobile/mulch) comes with *some* patches from GrapheneOS's Vanadium browser and the [Bromite](https://github.com/bromite/bromite) project. It gets updated fairly quickly and do not fall behind nearly as much as Bromite. +- A hardened webview. [Mulch](https://gitlab.com/divested-mobile/mulch) comes with *some* patches from GrapheneOS's Vanadium browser and the [Bromite](https://github.com/bromite/bromite) project. It gets updated fairly quickly and does not fall behind nearly as much as Bromite did. - Kernel patches from GrapheneOS and enables all available kernel security features via [defconfig hardening](https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Functions.sh#L758). All kernels newer than version 3.4 include full page [sanitization](https://lwn.net/Articles/334747/) and all ~22 Clang-compiled kernels have [`-ftrivial-auto-var-init=zero`](https://reviews.llvm.org/D54604?id=174471) enabled. - GrapheneOS's [`INTERNET`](https://developer.android.com/training/basics/network-ops/connecting) and SENSORS permission toggle. - [Hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) From 15136e3c8f3fae0059ad984f13d740dddfd8e26b Mon Sep 17 00:00:00 2001 
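Review bot: the tense fix (`do not` to `does not`, `Bromite` to `Bromite did`) is right, but the same bullet still presents Bromite as a live source in `comes with *some* patches from GrapheneOS's Vanadium browser and the [Bromite](...) project`, so a reader without the commit subject's context will not see why the comparison switches to the past tense. Suggest a short qualifier at the first Bromite mention, e.g. `the now-defunct [Bromite](https://github.com/bromite/bromite) project`, so the bullet carries the "Bromite is dead" point the commit message makes.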
From: 8pen-s8urce <125303310+8pen-s8urce@users.noreply.github.com> Date: Sun, 13 Oct 2024 07:33:26 -0600 Subject: [PATCH 3/6] Fix typo (dater → date) (#279) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 8pen-s8urce <125303310+8pen-s8urce@users.noreply.github.com> --- .../android/Choosing Your Android-Based Operating System.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/android/Choosing Your Android-Based Operating System.md b/content/posts/android/Choosing Your Android-Based Operating System.md index 1a8c7d9..ae015fb 100644 --- a/content/posts/android/Choosing Your Android-Based Operating System.md +++ b/content/posts/android/Choosing Your Android-Based Operating System.md 
@@ -45,7 +45,7 @@ It would be much better if you just stick to the stock operating system (which g ### Chromium Webview Updates -Android comes with a system [webview](https://developer.android.com/reference/android/webkit/WebView), a component that many apps rely on to use as part of their activity layout. It effectively behaves like a minimal browser, opening random websites with arbitrary code the internet. Thus, it is very important that this component is consistently kept up to dater. +Android comes with a system [webview](https://developer.android.com/reference/android/webkit/WebView), a component that many apps rely on to use as part of their activity layout. It effectively behaves like a minimal browser, opening random websites with arbitrary code the internet. Thus, it is very important that this component is consistently kept up to date. Some Android-based operating systems, including ones like CalyxOS, often fall behind on security updates for this component. Particularly, this has gotten so bad that they actually fell behind for [3 months](https://github.com/privacyguides/privacyguides.org/pull/548#issuecomment-1018245074) back in January 2022 and [2 months](https://github.com/privacyguides/privacyguides.org/pull/1378) in June 2022. It is a good indication that these operating systems cannot keep up with security updates and should not be used. From 3f21dd17825a67800cd0207c3baff219f64de3d7 Mon Sep 17 00:00:00 2001 From: spring-onion <133713420+spring-onion@users.noreply.github.com> Date: Mon, 14 Oct 2024 22:20:19 +0200 Subject: [PATCH 4/6] Update banking app report 453, add 510, 511 (#283) --- .../Banking Applications compatibility with GrapheneOS.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/posts/android/Banking Applications compatibility with GrapheneOS.md b/content/posts/android/Banking Applications compatibility with GrapheneOS.md index 19ffa67..a24cc58 100644 
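Review bot: the `dater` to `date` fix in the Chromium Webview Updates hunk above is correct, but the same line still reads `opening random websites with arbitrary code the internet`, which is missing a word (`arbitrary code from the internet`); since the line is already being rewritten, fix both slips in this one-line change rather than leaving the second for another typo PR.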
--- a/content/posts/android/Banking Applications compatibility with GrapheneOS.md +++ b/content/posts/android/Banking Applications compatibility with GrapheneOS.md @@ -437,6 +437,7 @@ TEST: Test url again after removing the parameters and verify there is no mistak ### Philippines - [GCash](https://play.google.com/store/apps/details?id=com.globe.gcash.android) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/382) +- ~~[GoTyme Bank](https://play.google.com/store/apps/details?id=ph.com.gotyme)~~ - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/510) ### Poland 
@@ -631,9 +632,10 @@ TEST: Test url again after removing the parameters and verify there is no mistak - [Bank of America Mobile Banking](https://play.google.com/store/apps/details?id=com.infonow.bofa) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/242) - [BECU](https://play.google.com/store/apps/details?id=org.becu.androidapp) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/60) - [Capital One Mobile](https://play.google.com/store/apps/details?id=com.konylabs.capitalone) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/107) -- [Cash App](https://play.google.com/store/apps/details?id=com.squareup.cash) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/453) +- ~~[Cash App](https://play.google.com/store/apps/details?id=com.squareup.cash)~~ - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/453) - [Chase Mobile](https://play.google.com/store/apps/details?id=com.chase.sig.android) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/13) - [Chime – Mobile Banking](https://play.google.com/store/apps/details?id=com.onedebit.chime) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/46) +- [CitiManager – Corporate Cards](https://play.google.com/store/apps/details?id=com.citi.mobile.ccc) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/511) - [Citi Mobile®](https://play.google.com/store/apps/details?id=com.citi.citimobile) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/366) - [Citizens Bank Mobile Banking](https://play.google.com/store/apps/details?id=com.citizensbank.androidapp) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/66) - [CommunityAmerica Mobile](https://play.google.com/store/apps/details?id=com.ifs.banking.fiid1454) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/154) 
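Review bot: in the United States hunk, `CitiManager – Corporate Cards` is inserted above `Citi Mobile®`, but `Citi Mobile` (space before the next letter) sorts ahead of `CitiManager`, so the two lines should probably be swapped to match the alphabetical order the rest of the list follows. Separately, striking through `Cash App` flips its status with no explanation in the hunk or the commit message beyond `Update banking app report 453`; a few words in the commit message on what report 453 now concludes would make the change reviewable without opening the issue.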
From 1b06c58b8fbbc0f9f6c8651b1b72dabb43c1e5bf Mon Sep 17 00:00:00 2001 From: randomwithnoname <184692997+randomwithnoname@users.noreply.github.com> Date: Tue, 15 Oct 2024 21:44:42 +0100 Subject: [PATCH 5/6] Signal stopped using their original 1024-bit RSA key (#284) Signal stopped using their 1024-bit RSA key Source: https://github.com/signalapp/Signal-Android/issues/9362#issuecomment-2291360164 Signed-off-by: randomwithnoname <184692997+randomwithnoname@users.noreply.github.com> --- content/posts/android/F-Droid Security Issues.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/posts/android/F-Droid Security Issues.md b/content/posts/android/F-Droid Security Issues.md index e4a97dd..b224433 100644 --- a/content/posts/android/F-Droid Security Issues.md +++ b/content/posts/android/F-Droid Security Issues.md @@ -212,7 +212,7 @@ If you don't have Play services installed, you can use a third-party Play Store **[Accrescent](https://accrescent.app/)** is an up-and-coming app repository which strives to tackle the issues discussed here [and more](https://accrescent.app/features). Hopefully Accrescent or a project like it can flourish as a secure and open ecosystem for app delivery. -It's also worth keeping an eye on the great work **GrapheneOS** does on [their future app repository](https://github.com/GrapheneOS/Apps). It will serve as a simple, secure, modern app repository, albeit only for a curated list of high-quality apps, some of which will have their own builds (for instance, Signal still uses their [original 1024-bits RSA key](https://github.com/signalapp/Signal-Android/issues/9362) that has never been rotated since then). +It's also worth keeping an eye on the great work **GrapheneOS** does on [their future app repository](https://github.com/GrapheneOS/Apps). It will serve as a simple, secure, modern app repository, albeit only for a curated list of high-quality apps, some of which will have their own builds. --- 
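Review bot: dropping the Signal parenthetical leaves `some of which will have their own builds` with no example or reason attached, so the clause now reads as an unexplained aside; either remove it or replace the withdrawn example with a neutral reason for maintaining separate builds. The commit message cites the source for the key change (the Signal-Android issue comment linked above); putting that link in the article or a changelog note would let readers verify why the earlier claim was withdrawn rather than having it silently disappear.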
@@ -222,4 +222,4 @@ This article aims to be **purely technical**. It is not an attack on F-Droid or In spite of this, the release of this article has unfortunately triggered a mostly negative response from the F-Droid team and some of their community, who seem to take a dismissive stance toward this article rather than bringing relevant counterpoints. Some of these individuals go as far as engaging in harassment campaigns against projects and security researchers that do not share their views; hopefully they realize that such unethical behavior undermines their own project and reputation. Creating a rift between developers and security researchers is not in anyone's best interest. -Some individuals have also falsely associated this article with GrapheneOS. _This article is an entirely independent work and unrelated to the GrapheneOS project. It was not written by a GrapheneOS developer and does not claim to represent the GrapheneOS project's official stance._ Either way, dismissing the article on the basis of association instead of addressing the actual technical content is silly and not helpful to anyone. \ No newline at end of file +Some individuals have also falsely associated this article with GrapheneOS. _This article is an entirely independent work and unrelated to the GrapheneOS project. It was not written by a GrapheneOS developer and does not claim to represent the GrapheneOS project's official stance._ Either way, dismissing the article on the basis of association instead of addressing the actual technical content is silly and not helpful to anyone. From 25875759124f4a5e512f64141863b3453964ab15 Mon Sep 17 00:00:00 2001 From: spring-onion <133713420+spring-onion@users.noreply.github.com> Date: Sat, 19 Oct 2024 01:31:09 +0200 Subject: [PATCH 6/6] Add banking app reports 512, 513 and 515 (#285) --- .../Banking Applications compatibility with GrapheneOS.md | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/content/posts/android/Banking Applications compatibility with GrapheneOS.md b/content/posts/android/Banking Applications compatibility with GrapheneOS.md index a24cc58..f59ab81 100644 --- a/content/posts/android/Banking Applications compatibility with GrapheneOS.md +++ b/content/posts/android/Banking Applications compatibility with GrapheneOS.md @@ -495,6 +495,7 @@ TEST: Test url again after removing the parameters and verify there is no mistak ### Slovakia - [365.bank](https://play.google.com/store/apps/details?id=bank.sk365.app) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/326) +- [Fio Smartbanking SK](https://play.google.com/store/apps/details?id=sk.fio.sb2) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/513) - [George Slovakia](https://play.google.com/store/apps/details?id=sk.slsp.georgego) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/343) - [Tatra banka](https://play.google.com/store/apps/details?id=sk.tb.ib.tatraandroid) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/325) 
@@ -547,6 +548,7 @@ TEST: Test url again after removing the parameters and verify there is no mistak - [ABS Mobile Banking](https://play.google.com/store/apps/details?id=com.abs.android.mbanking) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/233) - [Airlock 2FA](https://play.google.com/store/apps/details?id=com.airlock.iam.a2fa) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/229) +- [Alpian - Banking & Investing](https://play.google.com/store/apps/details?id=com.alpian.alpian) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/515) - [BCN Mobile banking](https://play.google.com/store/apps/details?id=com.bcn.android.mbanking) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/145) - [BCV Mobile](https://play.google.com/store/apps/details?id=ch.bcv.mobile.android) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/231) - [Credit Suisse – CSX](https://play.google.com/store/apps/details?id=com.csg.cs.dnmb) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/72) 
@@ -670,6 +672,7 @@ TEST: Test url again after removing the parameters and verify there is no mistak - [University Credit Union](https://play.google.com/store/apps/details?id=org.ucu.mobile) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/465) - [USAA Mobile](https://play.google.com/store/apps/details?id=com.usaa.mobile.android.usaa) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/80) - [U.S. Bank Mobile Banking](https://play.google.com/store/apps/details?id=com.usbank.mobilebanking) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/84) +- [Venmo](https://play.google.com/store/apps/details?id=com.venmo) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/512) - [Wells Fargo Mobile](https://play.google.com/store/apps/details?id=com.wf.wellsfargomobile) - [Report](https://github.com/PrivSec-dev/banking-apps-compat-report/issues/63) ### Vietnam