this post was submitted on 25 Apr 2024
6 points (65.0% liked)


Banks, email providers, booking sites, e-commerce, basically anything where money is involved, it's always the same experience. If you use the Android or iOS app, you stay signed in indefinitely. If you use a web browser, you get signed out and asked to re-authenticate constantly - and often you have to do it painfully using a 2FA factor.

For either of my banks, if I use their crappy Android app all I have to do is input a short PIN to get access. But in Firefox I also get signed out after about 10 minutes without interaction and have to enter full credentials again to get back in - and, naturally, they conceal the user ID field from the login manager to be extra annoying.

For a couple of other services (also involving money) it's 2FA all the way. Literally no means of staying signed in on a desktop browser more than a single session - presumably defined as 30 minutes or whatever. Haven't tried their own crappy mobile apps but I doubt very much it is such a bad experience.

Who else is being driven crazy by this? How is there any technical justification for this discrimination? Browsers store login tokens just like blackbox spyware on Android-iOS, there is nothing to stop you staying signed in indefinitely. The standard justification seems to be that web browsers are less secure than mobile apps - is there any merit at all to this argument?

Or is all this just a blatant scam to push people to install privacy-destroying spyware apps on privacy-destroying spyware OSs, thus helping to further undermine the most privacy-respecting software platform we have: the web?

If so, could a legal challenge be mounted using the latest EU rules? Maybe it's time for Open Web Advocacy to get on the case.

Thoughts appreciated.

top 17 comments
[–] [email protected] 9 points 6 months ago

Don't do banking on your phone. The reason the bank signs you out is because of security.

[–] [email protected] 7 points 6 months ago (1 children)

It is annoying, and they're definitely pushing people toward invasive smartphone apps using various means, but this particular annoyance has a good reason:

Browsers simply aren't as secure as individual apps, mainly because they execute code from other web sites as well. That means credentials available to a browser are only one remote exploit away from being compromised. And browsers are big, complex beasts with an unending stream of vulnerabilities waiting to be discovered and exploited. Tight countermeasures make sense for things as important as banks and medical info.

[–] [email protected] 3 points 6 months ago (1 children)

While it is true that web browsers do have security issues sometimes, they do sandboxing quite well. They isolate each tab in its own memory space and process so that an exploit would be limited in scope.

[–] [email protected] 3 points 6 months ago* (last edited 6 months ago) (1 children)

They isolate each tab in its own memory space and process so that an exploit would be limited in scope

Browser sandboxing is nice when and where it works, but is not universal, complete, or immune to exploitable bugs. It also happens to be a high value target.

[–] [email protected] 3 points 6 months ago

True, but all things considered it's pretty decent.

[–] [email protected] 3 points 6 months ago

I am failing to see any discrimination here.

The 4 banks I use all have the same policy. Auto sign out after inactivity from web. Web pages don't really know if a monitor is turned off due to inactivity, so it is safer to log them out, because who locks their screen when they aren't using their system?
When using an app, you have to re-auth with a device-specific PIN or biometric if the screen turns off due to inactivity or switching apps.

[–] [email protected] 4 points 6 months ago (1 children)

That's a safety thing. Phones are usually owned by one person or possibly shared in the family, but the security is such that app data is per-user anyway.

Websites though, people still sign in from all sorts of devices and often wildly insecure ones such as public/work computers, one malware away from hackers having access to your bank account.

Inconvenient for advanced users like us, but it would literally make all of those refund scams so much easier to pull off because they wouldn't even have to trick the victims into logging into their bank: blank the screen, transfer the money, tell them their computer is all fixed, bye.

[–] [email protected] 1 points 6 months ago (1 children)

The security hole here seems to be remote control of devices, more than the nature of the software used.

[–] [email protected] 1 points 6 months ago (1 children)

If your bank really spies on you through its app, I would change bank. Neither of my bank apps even runs in the background or requests sensitive permissions. I will happily change my mind if you can show any proof that this is happening.

It's purely security. On Windows and largely on Linux desktop as well, any app can easily look at other apps' data; that's why there are so many browser credential stealers. Maybe you'll never be a victim of this sort of attack, but if it does happen your bank account is gone.

Android and iOS have complete data isolation between apps. Unless you have root on it, even if you install malware and give it the maximum amount of permissions Android can possibly give, it can't access your auth cookies from the bank app. The bank app can't even access them either until you input a pin or biometric data to get it from the TEE.

Thus it's safe for banks to actually let people stay logged in with reduced identification. Browsers can't do that, not without the web integrity.

We're an absolutely minuscule minority that cares, and could use a stay logged in feature safely in a browser environment.

Dealing with fraud cases is expensive for the banks, they have good reasons to ensure you can only access your bank account under safe conditions. The average person doesn't even know what a web browser is, they know they click the Google and enter what site they want to go to into Google and search for it. They're the people that get scammed on the phone. They're the people that have their entire life savings wired overseas.

Just let your password manager fill up the login every time, it's not hard.

[–] [email protected] 1 points 6 months ago (1 children)

Your points are of course valid but this is getting slightly off-topic.

If your bank really spies on you through its app, I would change bank

What would be nice would be not to have to use a proprietary app on a closed-source software stack in the first place, given that it clearly represents a privacy compromise. And that is possible: almost no bank makes it obligatory. But they would obviously love to. If only to fire their web team and save some money.

And this is not just about banks. Every online service is trying to force us onto the closed platforms of Google and Apple, when an open-standards software platform exists and is perfectly workable. Seems there might be a battle worth fighting here. Nobody much seems to agree. Fair enough.

Just let your password manager fill up the login every time, it's not hard.

IME that hardly works any more, as mentioned.

[–] [email protected] 2 points 6 months ago (1 children)

on a closed-source software stack

Android is open-source. My phone runs an open-source build of it.

At this point it's barely any worse than a web browser. I know it's sandboxed, it can't access anything I don't want to. All it lacks is isolation with the kernel since web browsers run JavaScript and Android runs native code.

Worst comes to worst you just run the app in Waydroid.

[–] [email protected] 1 points 6 months ago

Good points.

[–] [email protected] 3 points 6 months ago* (last edited 6 months ago) (1 children)

My experience with my two banks has been, with their respective apps, I can sign in with just a password but I get logged out of the app after 10 minutes of inactivity. I never stay signed in. This is two different apps for 2 different banks.

On the web, they almost always request their crappy 2FA which is via text or email, and I do not stay signed in ever either, as well as being logged out after 10 minutes of activity.

What irks me is their 2FA, they have no other options besides email or text, the least secure options of all 2FA methods...

But being signed out every time, I'm not sure I see it as that much of a hassle, and I kind of appreciate that if someone can unlock my computer or phone, they cannot open my bank account just because I was logged in 30 minutes ago...

[–] [email protected] 1 points 6 months ago

Exactly, the 2FA recourse usually affects browsers and not apps. And comes on top of the password or PIN, rather than replacing it. Which seems like discrimination. And it's not even secure, as you say.

This all feels very convenient. Like a subtle form of abuse, in the name of security, to push people away from the only platform where they have any serious chance of privacy.

The arguments about the insecurity of the browser context have some merit in the aggregate, but in the end all these considerations are relative to the individual user. Which makes the discrimination a form of collective punishment that might have a legal redress.

[–] [email protected] 1 points 6 months ago

People tend to sign in and forget about it on computers, which are more often shared devices compared to mobile devices. That's one reason they might relax restrictions on mobile vs desktop.

[–] [email protected] 7 points 6 months ago (1 children)

A ton of these requirements are due to regulatory requirements for securing access to accounts at the state and/or federal level.

Requirements are then interpreted by each financial institution and implemented by different teams. It's most likely due to the fact that a desktop is assumed to be more likely to be a shared device, while a phone/tablet is most likely to be a personal device, which is password/biometrics protected.

As for security around a browser: if you look at how phishing/hacking attacks happen on a desktop computer, if you can be tricked into launching a virus, it can copy all of your browser cookies and login sessions to the attacker, then they can duplicate your browser session. If you have an unlimited login for a financial institution, then they now have a logged in session for your bank.

https://www.reliaquest.com/blog/browser-credential-dumping/

So if you add up all that, then they're more likely to allow long term login sessions on an application that they control than on a desktop/web browser that they don't.
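The server-side policy the thread keeps circling (idle sign-out after 10 minutes, a hard session cap, and a fresh 2FA proof before money moves) as an added example; this is illustrative code written for this page, not any bank's implementation, and the timeouts, the `SessionStore` class and its method names are assumptions:

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 10 * 60       # seconds without a request before the session dies
ABSOLUTE_LIFETIME = 30 * 60  # hard cap even if the user keeps clicking
STEP_UP_WINDOW = 5 * 60      # how long a fresh 2FA proof is trusted for transfers


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    step_up_at: Optional[float] = None  # time of the last successful 2FA, if any


class SessionStore:
    """Hypothetical server-side store: the cookie carries only an opaque token."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # unguessable; nothing sensitive lives in the cookie
        self._sessions[token] = Session(user, now, now)
        return token

    def touch(self, token: str, now: float) -> Optional[Session]:
        """Validate one request; expired sessions are revoked so a copied cookie stops working."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s

    def record_step_up(self, token: str, now: float) -> bool:
        """Called after the user passed 2FA; returns False if the session had already died."""
        s = self.touch(token, now)
        if s is None:
            return False
        s.step_up_at = now
        return True

    def can_transfer(self, token: str, now: float) -> bool:
        """Money-moving actions need a live session plus a recent 2FA proof."""
        s = self.touch(token, now)
        return s is not None and s.step_up_at is not None and now - s.step_up_at <= STEP_UP_WINDOW
```

Calling `touch` on every request is what turns a stolen session cookie into a short-lived asset: once the idle or absolute clock runs out, the copy on the attacker's machine is revoked along with the original.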

[–] [email protected] 1 points 6 months ago

Fair enough, but "regulatory requirements" can be a symptom as well as a cause. Bad rules are there for the changing.

So if you add up all that, then they’re more likely to allow long term login sessions on an application that they control than on a desktop/web browser that they don’t.

Again, all true. But this is all just probabilistic, as someone else said. A properly secured browser on a locked down machine can be much more secure than an outdated Android stack in the hands of the kind of person who falls victim to scams.

Here, the effect of "assumptions" is to undermine software freedom and privacy. That feels like a problem that needs a better fix.