Revolut is specifically banning #GrapheneOS by checking for the build machine hostname and username being set to 'grapheneos'. We've changed these to build-host and build-user. Combined with another change, this allows our users to log in to it again until they roll out Play Integrity API enforcement.
There's no legitimate excuse for banning using a much more private and secure operating system while permitting devices with no security patches for a decade. Meanwhile, Revolut's shoddily made app tells users they're banning GrapheneOS because they're "serious about keeping your data secure".
Revolut's app will stop working again once they start enforcing having a Play Integrity API result showing it's a Google certified device. This is not a security feature but rather anti-competitive behavior from Google deployed by apps like Revolut wanting to pretend they care about security.
Revolut uses a bunch of shady closed source third party libraries in their app and it's one of these libraries banning GrapheneOS. These libraries are a major security risk and put user data at risk of being compromised. Revolut is not taking user security seriously at all and is cutting corners.
Replies (24)
yeah, I ditched Revolut
Who in the fucking hell is using Revolut anyway?
Sadly a lot of people...
fuck em
right answer
Fuck Revolut, seriously.
Facts.
Thx for your work 🙏🏼
Thank you 4 sharing
What are better alternatives to Revolut?
It's strange that they're alienating a community of privacy-minded people of whom many are using Revolut to buy bitcoin...
Reason number 719037 to not have a bank account.
I've met more than a few Europeans that love it
Which brings me to this idea: if you think about it closely, they always name their anti-freedom and anti-human ideas and aptitudes exactly the contrary of what it is in reality. "Revolut" may sound as revolutionary and pro-freedom, but truth is, what they do cannot be more anti freedom and anti revolution.
It's kinda an advert for GrapheneOS really - seems whatever Revolut want to do, they can do on all phone OS except GrapheneOS
#xapo is expensive but they let me use their app on a rooted phone and i'm glad because i can't make my phone not overcharge when it's mostly plugged in and not carried with me anywhere
you can't use revolut on a rooted phone either, this is one of the reasons why i ditched them
Glad I don't bother with garbage anti-privacy companies.
Good. Pushing people away from slave tech.
Can Revolut be used on web?
no, it sucks, it just has an emergency web interface to block your cards in case of theft, you can't do pretty much anything else.
Using a non-grapheneOS android is your first mistake. Installing apps through the Play Store would be the second.
If we're talking about the bank then one big reason is that it allows you to buy bitcoin.
Revolut insecurely checks the ro.boot.verifiedbootstate property and forbids it being yellow, which means a locked device with an aftermarket OS that's being cryptographically verified by the firmware. They permit it being orange, which means an unlocked device with any OS.
They're specifically banning having a device that's locked with an aftermarket OS rather than banning having an unlocked device or an aftermarket OS in general. Similarly, they're specifically banning the value `grapheneos` for ro.build.user/ro.build.host.
Having the verified boot state at orange is unsafe, it means verified boot is disabled. There is no verification of OS integrity after each boot and update. There is no protection against exploit persistence nor a threat choosing to push a malicious update that is not signed with the same key as the originally installed operating system.
Both of these things and other similar insecure, useless checks are being done by several different SDKs. Revolut's app is full of sketchy, insecure third party libraries. They certainly don't take security seriously as they claim in their message about banning GrapheneOS.
We've fixed both of the ways they're banning GrapheneOS for our next release. Since third party SDKs are what's being used to do it, our hope is that this fixes a few other poorly written banking/financial apps doing similar stuff to ban aftermarket operating systems.
This is the full set of changes fixing Revolut's ban on GrapheneOS:
Other banking apps banning #GrapheneOS will need to be retested after the next release.
use non-GrapheneOS-branded build user/host · GrapheneOS/platform_build@bcd027b
This reuses the format used by the stock Pixel OS. This had to be changed due to apps banning GrapheneOS based on this.
set appcompat value of ro.boot.verifiedbootstate to green on user builds by muhomorr · Pull Request #24 · GrapheneOS/platform_build_soong
Depends on:
GrapheneOS/platform_system_core#31
GrapheneOS/platform_frameworks_base#109
enable appcompat sysprop overrides · GrapheneOS/platform_system_core@971110e
zygote: don't reload android.os.Build after applying appcompat sysprops · GrapheneOS/platform_frameworks_base@5c85337
enable appcompat sysprop overrides for user-installed apps · GrapheneOS/platform_frameworks_base@29c31dc
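The policy described in the reply above, modelled as an added example (not code from Revolut, its SDKs or GrapheneOS): it parses `getprop`-style output and compares the check as the post describes it with one that follows the meaning of the verified boot states. The sample dumps, the `android-build`/`buildhost01` values and all function names are constructed for illustration.

```python
import re

# Constructed `getprop` dumps (sample data, not captured from real devices).
LOCKED_AFTERMARKET = """\
[ro.boot.verifiedbootstate]: [yellow]
[ro.build.user]: [grapheneos]
[ro.build.host]: [grapheneos]
"""
UNLOCKED_DEVICE = """\
[ro.boot.verifiedbootstate]: [orange]
[ro.build.user]: [android-build]
[ro.build.host]: [buildhost01]
"""

PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

def parse_getprop(dump):
    """Parse `[key]: [value]` lines as printed by getprop into a dict."""
    props = {}
    for line in dump.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def check_as_described(props):
    """Hypothetical reconstruction of the check the post describes:
    reject yellow, reject build user/host 'grapheneos', permit orange."""
    if props.get("ro.boot.verifiedbootstate") == "yellow":
        return False
    if "grapheneos" in (props.get("ro.build.user"), props.get("ro.build.host")):
        return False
    return True

def verified_boot_enforced(props):
    """True only when the bootloader is locked and the OS is verified:
    green (OEM key) or yellow (user-set key). Orange (unlocked), red
    (verification failed) and missing/unknown values fail closed.
    Note: system properties are reported by the OS itself, so this
    reads a self-reported value and is not attestation."""
    return props.get("ro.boot.verifiedbootstate") in ("green", "yellow")

def compare(dump):
    """Return (described_check_allows, verified_boot_enforced)."""
    props = parse_getprop(dump)
    return check_as_described(props), verified_boot_enforced(props)
```

The two policies disagree on both samples: the described check rejects the locked, verified device and admits the unlocked one.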
Bc TradFi banks are even worse.