nostr:nprofile1qy2hwumn8ghj7un9d3shjtnddaehgu3wwp6kyqpqpygx5exzdwj8vpv2vey6qdt03xvsq4rn8ljj7hqy263hnzntqtzsxcuwp2 If they insist on verifying device/OS integrity, then they need to read https://grapheneos.org/articles/attestation-compatibility-guide which explains how they can use hardware attestation to verify GrapheneOS and permit it. They should also be made aware that the Play Integrity API has no actual security standards and permits devices with no security patches for a decade. They're permitting incredibly insecure devices but not hardened devices with GrapheneOS.
I raised a support case with Revolut today, complaining about their discussion to ban GrapheneOS (and SailfishOS). They gave me a stupid argument that Revolut's current policy is to "ensure consistent security standards across all users", but could not explain how making security worse for all users can do anyone any good.
I asked how I could escalate the case and raise a formal complaint and was told that there are two options:
1: Use this form at https://forms.revolut.com/e0ed546b-2fac-462f-9578-0eaff076c17f
2: Email them at formalcomplaints@revolut.com.
Please include your name, phone number, email address associated with your account, when the problem arose, and how you'd like the matter resolved.
Maybe you can ask your users to flood Revolut with formal complaints?!?
At least I have done my part now :-)
Discussion
nostr:nprofile1qy2hwumn8ghj7un9d3shjtnddaehgu3wwp6kyqpqpygx5exzdwj8vpv2vey6qdt03xvsq4rn8ljj7hqy263hnzntqtzsxcuwp2 What they're doing demonstrates a near total lack of understanding security, which is quite concerning for a financial service. They think it's fine to go a decade without applying any security patches but somehow running a highly private and secure open source OS which has high hardware security standards only currently provided by Pixels is a problem for them. It doesn't make any sense. They need to educate themselves.
That's what I said, but they keep repeating the same line about ensuring consistent security standards across all users.
They don't understand security. They don't care about security.
... so now it's up to us to demonstrate that we do.