How to online bank without a smartphone?

Hey guys, I hate smartphones and sold mine a long time ago, but now my bank won’t allow me to verify debit card transactions with a simple SMS anymore and wants me to install an app to authenticate them. I really don’t want to buy a smartphone just for this shit, so I was wondering if there’s a workaround of some sort? Thanks

3 Likes

Banks vary in their 2FA.

Mine does SMS, app and physical card reader access.

Yours might maybe do Email if SMS alone is not enough?

[edit: I was presuming for online transactions. If you have to authorise by SMS in the real world, maybe get a chip+pin debit card? Then the pin is the second factor, after the (insecure) mag/chip 1st factor.

I was presuming online shopping would be done on a PC with email access…]

2 Likes

I have Android in a VM on my secondary computer and use that.

6 Likes

You presume right, the problem is mainly with online transactions, the rest I can do with pin. I will ask my bank for alternatives but I highly doubt they have email.

That sounds like it could solve my issue, but as far as I’m aware I need to download the bank’s app from Google app store and I think Google app store doesn’t run on emulated android?

1 Like

Have you considered getting an additional bank account / credit card / debit card elsewhere?

2 Likes

Wasn’t an issue when I did it, not sure if the PlayStore is still there (or works) since I have my banking app and some test-project I wrote in there.

Edit: I guess BlueStacks would work, assuming you trust banking info to some random emulator.

1 Like

I’m seriously considering it, although I feel like all other banks here will be the same.

Actually I was wrong, Google Play Store does work. However, the bank’s app won’t install; it says it’s not optimized for that device. Somehow it detects that this is a VM :( I don’t trust BlueStacks, it doesn’t run on Linux and it’s very expensive.

1 Like

The number of banks without good 2FA options is kind of alarming when you stop and think about it.

2 Likes

  1. Shame
  2. It does not cost anything

1 Like

Have you tried proper Androidx86?

1 Like

Get a *Pi (RPi, Odroid, Pine64 etc.) and install Android on it. You have a browser in it and you can also install Aurora store and F-Droid, along with microG. Should be just what you need. And it is ARM, so all programs should work (there are issues with Android x86 when trying to run programs from the Play Store, because they are compiled for ARM).

4 Likes

This is probably the cheapest solution

1 Like

This is what I am using, is it the correct one? https://www.android-x86.org/

This is so smart! Could I just then remote desktop this and just use it for whenever I need some app? Also is this the android I need to install? https://www.android-x86.org/

1 Like

If you have root access (which you should on a Pi Android), then you should be able to install a VNC server and remote into your Pi.

And no, Android x86 is just for desktops and VMs (and maybe laptops). The Android version will depend on the Single Board Computer you will buy. For example, if you get a Raspberry Pi 4 (which is usually the most supported, because it is the most popular), you would get LineageOS 18.1 (Android 11) for Raspberry Pi 4.

There is LineageOS and other versions of AOSP (Android Open Source Project) for other boards, like the Odroid XU4, but again, the simplest would be to just get a Raspberry Pi 4 (2 or 4 GB versions should be enough for a mobile banking software and a web browser + a VNC server and still have some memory left).

1 Like

Regarding running Android in an emulator or similar solution: just be aware that the application might be able to detect those and other forms of tampering. Depending on the sophistication of the hardening of this application, this might be easy to circumvent or very difficult.

Furthermore, other non-certified devices might also not work. Again, this all depends on their implementation; if they do not care about that, then these solutions are perfectly fine.

As I am actively trying to increase the level and quality of privacy in my life, just wanted to ask if running an Android Pi operation like this would significantly decrease privacy relative to me not having a smartphone? I know there’s no such thing as perfect privacy so it’s all on a relative scale. I don’t plan to carry it around with me and I will try to keep it off at least 50% of the time.

Second question - what if some app needs a phone number to run? Will it be able to run on this Pi device considering it doesn’t have SIM?

Thanks.

I’d use a link, for addressing “phone difficulty”
It leads to an email verify [2 factor: random line of numbers + the debit PIN]

NEVER bothered with a banking app… and damn well will continue not to

1 Like

Fair questions. Android in itself isn’t the issue, but Google services are. microG is a re-write of Google services without the Google in it and runs things locally when it can, but it doesn’t have the more privacy invasive stuff. This may break some programs, but most of them should work. So that’s a plus, but ideally, you would only be running FOSS programs from F-Droid. But you can’t escape some proprietary programs, like in this case mobile banking.

Android tablets exist, so most programs are made keeping in mind that some devices may not present a SIM. For example, if you install WhatsApp and I believe Signal as well (haven’t tried the latter) on a Pi or an Android tablet, it will ask for a number that you insert manually, then you usually receive an SMS code that you have to grab from your phone and put into the program to confirm it’s your phone number. I think the same applies to banking programs, but I have not tried personally.

Regarding this issue, some weaker verification methods can be bypassed. For example, most programs may check in the Play Store your device ID. You probably shouldn’t install Play Store if you want some additional privacy and use Aurora store instead. Aurora has an option to spoof other device IDs (like, pretending to be a OnePlus 7T or a Galaxy S9+ or Nokia 9 or FairPhone 2 or something, lots of options) and most programs should work. But harder verification methods may check for your device again after it gets installed and the worst of them will check to see if you have root access and if you do, they will refuse to work. There may be some banks doing that, I don’t know. But a quick search on the web shows that there are some programs, like Magisk which can hide the fact that you are rooted from certain programs.

You need root access in order to install a VNC server and remote into your phone Pi.

As for keeping it offline, well, you can just enclose it into a metal case, so it’s nice and cool, but which also blocks WiFi, then only leave it with a network cable attached. You remove the cable when you are not using it, maybe plug it back in when you leave the house, in case you need to remote to it from somewhere else (via a VPN I hope). Also, a Pi doesn’t have GPS built-in, so that’s a plus, but then again, it’s not hard to detect your location based on your IP, unless you have a home network VPN tunnel to a VPN service provider or your own VPN in a VPC or cloud.

1 Like

There is a difference between the various device IDs being used, and in newer versions of Android the only remaining IDs one can use are the Android ID and the Widevine ID, where both have different drawbacks and issues. The thing about “pretending” to be another phone is related to changing the device properties, but checking those for building a device ID is not recommended anymore. (There are various immensely annoying issues with those.)

MagiskHide can hide the rooted status of a device, but it has been discontinued (or will be soon) since the author joined Google. Also, do not mix up rooted status and emulated status or not valid/certified device status. Those are different and also different detection mechanisms will be triggered.

Privacy aside, my banks Should know Exactly who I am. I would have no problem with them knowing, as I kinda have to trust them.

But… I kinda don’t trust them to not “anonymise” and sell my data.

I would keep a smartphone at home just for verification of such things, and use a dumb phone day-to-day if I could.

1 Like