Banks, email providers, booking sites, e-commerce, basically anything where money is involved, it’s always the same experience. If you use the Android or iOS app, you stayed signed in indefinitely. If you use a web browser, you get signed out and asked to re-authenticate constantly - and often you have to do it painfully using a 2FA factor.

For either of my banks, if I use their crappy Android app all I have to do is input a short PIN to get access. But in Firefox I also get signed out after about 10 minutes without interaction and have to enter full credentials again to get back in - and, naturally, they conceal the user ID field from the login manager to be extra annoying.

For a couple of other services (also involving money) it’s 2FA all the way. Literally no means of staying signed in on a desktop browser more than a single session - presumably defined as 30 minutes or whatever. Haven’t tried their own crappy mobile apps but I doubt very much it is such a bad experience.

Who else is being driven crazy by this? How is there any technical justification for this discrimination? Browsers store login tokens just like blackbox spyware on Android-iOS, there is nothing to stop you staying signed in indefinitely. The standard justification seems to be that web browsers are less secure than mobile apps - is there any merit at all to this argument?

Or is all this just a blatant scam to push people to install privacy-destroying spyware apps on privacy-destroying spyware OSs, thus helping to further undermine the most privacy-respecting software platform we have: the web.

If so, could a legal challenge be mounted using the latest EU rules? Maybe it’s time for Open Web Advocacy to get on the case.

Thoughts appreciated.

  • @JubilantJaguarOP
    link
    18 months ago

    Your points are of course valid but this is getting slightly offtopic.

    If your bank really spies on you through its app, I would change bank

    What would be nice would be not to have to use a proprietary app on a closed-source software stack in the first place, given that it clearly represents a privacy compromise. And that is possible: almost no bank makes it obligatory. But they would obviously love to. If only to fire their web team and save some money.

    And this is not just about banks. Every online service is trying to force us onto the closed platforms of Google and Apple, when an open-standards software platform exists and is perfectly workable. Seems there might be a battle worth fighting here. Nobody much seems to agree. Fair enough.

    Just let your password manager fill up the login everytime, it’s not hard.

    IME that hardly works any more, as mentioned.

    • Max-P
      link
      fedilink
      28 months ago

      on a closed-source software stack

      Android is open-source. My phone runs an open-source build of it.

      At this point it’s barely any worse than a web browser. I know it’s sandboxed, it can’t access anything I don’t want to. All it lacks is isolation with the kernel since web browsers run JavaScript and Android runs native code.

      Worst comes to worst you just run the app in Waydroid.