I’m not that well versed myself, but a normal SEPA transfer via IBAN is SCT, right? And the instant SEPA transfer “Echtzeitüberweisung” is what banks offer internally for their clients, being SCT Inst. So Wero then just allows you to build SCT Inst requests on the fly and send them off? That has me a bit confused as to why it’s marketed as a distinct platform/product. If this is the case, shouldn’t it just basically be a vcard/qr-string type format you can generate locally like a template, share with a “buyer” and they send it to their bank. Like how “Girocode” is already used. There is no real need for an account, is there?
With the app? Does it need any Play Services? According to Wero, they block any non-manufacturer OS.
I just ended up using UKIs with a manual path in the preset. Files are still put in the root partition but they are only used at build-time, so I don’t care.
Nicro to Privacy@lemmy.ml • Is DeleteMe.org real? Looks too good to not be a data stealing scam.
11 · 28 days ago
In reality they do help superficially, but they very much inflate their numbers on a shiny dashboard, showing you how much they’re helping. All while only hitting a small fraction of databrokers.
I also think, that as a subscription solution to a problem, they could turn into the online version of turbotax any second now. Lobbying for harder self-optouts so that their service stays relevant.
Not to sound stupid, but it really depends on how smart you want the watch to be. From connectionless firmware device to fully-featured Android. +1 for Gadgetbridge either way.
I have a Fossil Hybrid, that combines physical hands with a 2-color e-ink display. It can’t do apps, but it has standalone timers, notifications, media control, pulse/oxygen and step counter. I personally don’t need more. It’s cloudless and lasts a week.
If you need full Android/WearOS check AsteroidOS and specific ROMs. Hardware tends to be on the older side here.
The only thing that’s hard to do is sleep tracking. That tends to rely on proprietary algorithms and cloud compute a lot.
A thing that popped up in corporate space is IgelOS. It’s an immutable image meant for linking to a VM workstation on a company network. Seems worth checking out.
I don’t disagree with owning your hardware. I’m saying that a regulatory body can pose rules on where critical software can run. Part of this is data exposure: A banking app running in a tampered environment makes some malwares possible, which is the side you want an “I know what I’m doing”-button for. But it also creates risk for the bank. In letting you look into network-traffic and memory-dumps, you may discover ways to manipulate an unrooted instance or the backend server. This is security through obscurity and I’d much rather have everything open-source, but it’s what we’re dealing with.
On the other hand, the bank promises to cover damages, whenever they do mess up. You could give them an easy excuse by taking on that responsibility. But regulations don’t allow that, much like they don’t allow you to do your own high-voltage, high-current electricity. And frown upon you breaking load-bearing walls in a housing complex to have a more open kitchen. There is a line where “let me do what I want” becomes anarchy.
Now bringing DRM into this, misses the point. There is telemetry in these apps. But there is no piracy or copyright infringement to be had. The bank doesn’t fear you giving yourself a million dollars by changing your balance in memory. It’s all about responsibility in case something goes south. They would love to shift it all onto you, but they’re not allowed to do that. Attestation was never about protecting you, it’s about protecting them from being blamed.
There is a bunch of parties making guarantees and complying with rulesets. Domino-ing all of them would make you extremely vulnerable. Which is why I opted for “tamper-proof containers running in an unproven host”, rather than signing an unlimited waiver.
Well the idea of having attestation isn’t the problem. The problem is that apps requiring attestation (banks, insurance providers, ID-systems) use the most convenient solution. Slapping on Google’s prebuilt attestation. Graphene for example, provides alternative attestation for their OS and offers docs for anyone to implement a more fitting set of checks.
There are two approaches here: If you’re upset that your hacked-to-bits, rooted, unlocked and/or unencrypted device is failing checks: I’d say, tough luck. Until we can create provably untampered app-containers, that level of access genuinely breaks TOS on apps and regulations on handling personal data. Breaking those checks is then breaking those compliances in an unsafe way.
If you believe your setup is actually secure and compliant, just not in a way the almighty Google intended: Try and get an attestation module for your setup. Fight for these apps to accept non-Google attestation and fight for devices that don’t artificially limit what can pass as secure.
I feel there are plenty of local activist/independent servers all over the EU. As long as you mind the encryption/anonymization, you can even round-robin them. Having a central EU authority is better than Google/Cloudflare and should be safe, if the implementation is sound. But there is a lot of room to meddle.
By LeOS? Any GSI-Treble enabled Android phone. So most any phone with an unlockable bootloader. You can use the treble info app to check or search online.
LeOS isn’t very popular, because it’s a passion-project by one guy, with little marketing. Said guy is a somewhat opinionated Woodstock-era hippie, hence the colorful icons (they can be easily swapped via an icon-pack of your choice.) Though he is a friendly person.
To my knowledge it’s the only Treble-option with a hard stance on de-googling. Specifically made as an answer to some policies in eOS. There is an interview with him floating about, if you want the backstory. https://nixfaq.org/2021/01/exclusive-interview-with-guntram-lead-developer-of-a-popular-custom-degoogled-android-rom-called-leos.html
Hey there, for starters A-GPS, STUN, secure DNS, and several other preconfigured servers default to Google. Some of these can be changed with ADB. Check out a guide on de-googling LineageOS for a more complete list. It’s not AOSP, but close enough. There are also Google servers configured in the sources. How valuable those connections are, depends on your threat-model. If you’d like a paranoid GSI, check out LeOS. It’s probably the most complete treble-compatible option. AOSP by default, isn’t very private.
And have a script to secure erase the key material. Much faster and will prevent forced/coerced unlocks.
Good to hear. Having a raspberry and kodi focused base with an open Linux backend sounds good. Will try that later.
There is sendtokodi, which uses yt-dlp. I’m a bit surprised that there are no newpipe-extractor clients for Kodi, since there should be hooks for everything you’d need. Then again, I don’t know how well it works outside of Android.
Depends on how far you want to go. From what I’ve been able to tell, they peddle a lot of flashy metrics and still had a bunch of Google calls. Some of which you can manually remove, same as LOS. I would avoid buying into their cloud and keep an eye on things yourself, if you want to install it. I saw them rebrand a bunch of OSS tooling as their own products back then. Don’t know if things changed since then, but I don’t trust the marketing.
Nicro (OP) to Linux Questions@lemmy.zip • Snapless Debian/Ubuntu-based point-release distro?
2 · 1 year ago
I’m on Tuxedo now, really nice so far. Thanks.
Nicro to Privacy@lemmy.ml • Proton is dead (for me). Let's collect and discuss alternatives! ✊🛡
28 · 1 year ago
I’m currently on Tuta, because I can’t imagine Mail without a free tier. It’s run out of Germany (EU). It’s 3€ a month for the normal tier, free takes away most features. Like Proton, you need to use their (OSS)-Client, for encryption reasons. It’s currently growing and I hope they don’t go crazy anytime soon.
I was looking at Posteo, but I don’t want my entire internet identity to be gone, if I ever can’t pay for it.
Nicro to Privacy@lemmy.ml • Forget about using IP-blockers to protect yourself during P2P activities, use them to block ads and malware
5 · 1 year ago
It’d be a good start, if content platforms had to apply the same guidelines to ads, as they do to content. It’s kinda telling that people on the platform need to not swear, while the ad below goes “You can’t last 5 seconds in this NFT gambling waifu gacha collector aimed at teens.” or just offer money fraud scams directly.


My point was, that my bank is way more lenient compared to Wero and there is no good reasoning for Wero to be so paranoid. Wero does not actually offer a webapp.