On applications for smartphones locking you in

Posted on Oct 10, 2020

I resisted for a long time before buying a smartphone, for various reasons; then I was forced to get one because home banking services require it. Using the thing is changing my brain (even though I am using it for non-social reasons); I have mixed feelings about this.

Overall I am unsatisfied with the available application ecosystem and market, but there is little I can do.

I like gadgets, but not if they are in control: I want to be in control! Decades ago I was in love with my HP48 scientific calculator (yes, yes, I know…). And if I could rule over the right smartphone for me, I feel I could renew that kind of relationship.

The thing I have today behaves like a narcissistic female: it uses me; it gossips about me; it asks third parties to spy on me; it betrays my trust. How could I be happy?

While zapping on YouTube, I have found the interesting PinePhone project. I want one! I do not know if it will ever reach production status, but it is the smartphone I want: totally open and programmable. See Harbingers of failure in Marco’s 2015 Weblog.

The only problem with the PinePhone is that I really need the home banking applications (from now on: hba); there is no way the producers of such software will support a fringe device. But is that required? I asked myself what is really required from a smartphone to provide the authentication services that an hba needs.

From now on I will switch to wishful thinking.

I am no expert, but from what I see I guess that some "applications" are not really applications: they embed the platform's web browsing engine and connect to a website, in a way that is not very different from what we do with a proper web browser such as Mozilla Firefox; the only difference is that the browsing session is wrapped in what looks like an independent application.

If this is the case, device authentication could be provided "simply" with TLS client certificates, generated on the device for each website. The device holds its own unique secret (in practice a private key; a number assigned by the manufacturer only works if the manufacturer keeps no copy of it, so it is safer to generate the key on the device and never let it leave) and acts as a small certificate authority: for every specific service, that is every specific home banking service, it generates a key pair and signs a certificate that you install to access that service. If you have 3 banking accounts, 3 certificates are generated, all chained to the one device key.

This is in fact standard technology (mutual TLS, or client certificate authentication, which ordinary web servers already support), so there is no reason for an hba to require a true application: it can just rely on a specific website that accepts connections from customers only from a "registered device", which is a device on which a properly generated TLS certificate has been installed and whose device key the bank enrolled when the customer registered that device.
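The two steps above (the device acting as its own CA and issuing one client certificate per bank; the bank accepting only certificates that chain to a device it has registered) can be shown end to end with Go's standard `crypto/x509` package. This is an added example written for this page, not code from the post or from any bank or PinePhone project: the `Device` and `Bank` types, the bank names and the choice to put the service name in the certificate's OU field are all assumptions made here. The device key is generated on the device rather than assigned by a manufacturer, and the bank checks two things a real server would: that the presented certificate chains to a registered device key, and that it was issued for this bank and not for one of the other accounts on the same phone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Device models the phone (hypothetical type for this example). Its CA key is
// the per-device secret: it must never leave the device.
type Device struct {
	caKey  *ecdsa.PrivateKey
	caCert *x509.Certificate
}

func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// NewDevice generates the device key on the device and self-signs a CA
// certificate for it; path length 0 means it may only sign leaf certificates.
func NewDevice(name string) (*Device, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Device{caKey: key, caCert: cert}, nil
}

// IssueClientCert creates a fresh key pair and a client certificate for one
// service. The service name is placed in the OU (an assumption of this example)
// so the bank can check the certificate was issued for it, not for another bank.
func (d *Device) IssueClientCert(service string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{
			CommonName:         d.caCert.Subject.CommonName,
			OrganizationalUnit: []string{service},
		},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, d.caCert, &key.PublicKey, d.caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// Bank models the server side of one home banking service (hypothetical type).
type Bank struct {
	name       string
	registered *x509.CertPool // device CA certificates enrolled by customers
}

func NewBank(name string) *Bank {
	return &Bank{name: name, registered: x509.NewCertPool()}
}

// RegisterDevice is the enrolment step: the bank stores the device's CA
// certificate (public data only) and must bind it to a customer out of band.
func (b *Bank) RegisterDevice(d *Device) {
	b.registered.AddCert(d.caCert)
}

// Authenticate is what the TLS server does with the presented client
// certificate: chain it to a registered device, then check it was issued for us.
func (b *Bank) Authenticate(clientCert *x509.Certificate) error {
	if _, err := clientCert.Verify(x509.VerifyOptions{
		Roots:     b.registered,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return fmt.Errorf("not a registered device: %w", err)
	}
	ou := clientCert.Subject.OrganizationalUnit
	if len(ou) != 1 || ou[0] != b.name {
		return errors.New("certificate was issued for a different service")
	}
	return nil
}

func main() {
	phone, _ := NewDevice("my-phone")
	bankA := NewBank("bank-a")
	bankA.RegisterDevice(phone)
	certA, _, _ := phone.IssueClientCert("bank-a")
	certB, _, _ := phone.IssueClientCert("bank-b")
	stranger, _ := NewDevice("someone-elses-phone")
	certX, _, _ := stranger.IssueClientCert("bank-a")
	fmt.Println("own cert at bank A:", bankA.Authenticate(certA))
	fmt.Println("bank B cert at bank A:", bankA.Authenticate(certB))
	fmt.Println("unregistered phone at bank A:", bankA.Authenticate(certX))
}
```

In a real deployment the `Authenticate` logic sits behind the web server's client certificate verification (the server is configured to require a client certificate and to trust the pool of enrolled device CAs), and the weak points are the ones the code cannot fix: the device key has to be non-exportable, and `RegisterDevice` has to be tied to a genuine customer through some out-of-band step, otherwise anyone can enrol a phone.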

Problem solved for the PinePhone. Ha! Ha! Ha!

But life is hard…