Rooted mobile devices are a reasonable signal they been have hacked and security features might be disabled or work as expected.
It just banks, a lot of corporate security polices don’t allow rooted devices, as they could bypass mobile device management policies for devices owned by the company.
With laptops it’s a different story. Whether users have Mac, Linux or Windows, there’s a reasonable chance they have admin access too, so checking for root access is not such a useful signal there.
Rooted mobile devices are a reasonable signal they been have hacked and security features might be disabled or work as expected.
Rooted mobile devices are a reasonable signal that someone wants to actually own what they buy, and corporations want to make sure as few people think that as possible.
Windows/Macos/Linux are designed around the fact that the person managing the device has root access, Android and iOS are designed around noone having root access.
Sure it’s fine to mess around with rooted phone and look what’s inside, but essentially for your daily operations having rooted phone is unnecessary security risk.
Android and iOS are designed around noone having root access.
Yes and I consider that to mean I don’t own the device. And there are plenty of Android forks specifically designed around you having root access.
The issue is that you don’t want to give some random untrusted process root access. You, the user, have root access as long as you’re capable of running processes as root, but that doesn’t mean you should.
There could be tons of apps on the iOS App Store or Google Play Store that are completely benign under the existing security model but do nefarious things when run as root. No one knows that for sure because they aren’t tested under root by Apple or Google.
The problem with root is that it’s giving the process the keys to the Ferrari. That’s long since been decided to be a bad security model. Far better to have the process request permission to access particular resources and you grant them on a case by case basis.
I just want to point out, that what you are saying sounds good in an ideal world. But the realitiy looks different. (I actually typed out some points, but then I remembered that I don’t want to engage in yet another lengthy internet-debate, that ultimately comes down to personal preferences and philosophy)
Ah but I love reading these specific philosophical discussions on tech, I don’t blame you though
The issue is that you don’t want to give some random untrusted process root access.
It’s been awhile since I’ve used anything but Magisk but usually you have to set root permissions per app, or you can get Magisk notification to request access.
You’re free to install another operating system or variation on Android on your phone still. And if you decided to go with another Android such as Graphene, you’d still not want to root it because it’s a security risk.
The important question is why smartphones are designed around not having root access and computers are?
What are the incentives at play?
The answer is obvious, tech companies wouldn’t have given users access to root control on their computers either if they knew what they were doing and thought they could have gotten away with it.
It is just circular logic claiming smartphones have to be this way, circular logic that provides a rhetorical smokescreen for the process of corporations taking our agency away from us over our lives and the tools that sustain us.
There’s also the fact that on Win/Mac/Linux, you’re interacting with the bank via a browser and not a bespoke app.
So just warn the user that it’s their own responsibility and all claims are waived, instead of just saying “no” ?
There is parallel with masking. The bank values the safety of the whole rather than the freedom to root for an individual. You stand to lose only your own bank balance. The bank stands to lose the funds of every rooted phone that contains a banking app exploit targeting them.
I mean, they get that anyway with malware and security exploits. Except that rooted phones usually have a root manager, which asks for permission if an app wants to do more. And i don’t think the root user listening into the app/their own account should be a problem; because in this case the problem is with the banks’ security practice.
Well, at least my bank doesn’t care about root or safety net.
The concern is not much phones rooted with intent by their owners, but phones rooted by malware without the owner’s consent:
https://thehackernews.com/2021/10/this-new-android-malware-can-gain-root.html
If there was a way to signal that a rooted phone was actually secure, malware would send that signal.
I don’t bank on my phone
There is no banking app for authenticating transactions for desktops?
Google and Apple have been very successful at convincing everyone, including banks, to see the idea of users having control over their own phone-like computers as dangerous.
Next thing you know, banks will try to convince its clients that they really don’t need to access all their money.
Banks and Uma Musume. Uma Musume also gets mad if you don’t pass Device Integrity
It’s not just root. They would prefer you not to have a custom keyboard either.
That’s actually got a solid reason behind it.
It’s because the OSK is just another program as far as Android is concerned. It can’t directly look into the application, per Android specifications, but it CAN record key presses, even for passwords. It even receives context hints based on the metadata on the input box. Then it can send your data off to unknown servers.
thats a bit ironic seeing how the default keyboard on most phones are a privacy nightmare.
That it is, but at least it’s not sending your card details to me.
Yeah but why it’s sending details at all. There are FOSS options which are completely radio silent. Some password managers come with their own board.
The reason is very simple: They rely on Google Safetynet (basically self-diagnosis). And that will immediately tell you off if it notices your device is rooted. And while you can have a lengthy discussion regarding whether this makes your phone less secure or not, this is another simple argument from Google’s POV: The device has obviously been tampered with, we don’t want to put any resources into covering this case, since as far as we are concerned you shouldn’t use our OS like this.
So basically laziness.
The banking apps I’ve tried don’t require SafetyNet, instead they use Android AOSP’s
basicIntegrity. The latter doesn’t require certification by Google, but also checks whether the device is rooted and the bootloader is locked.This means custom ROM’s on most devices won’t pass
basicIntegrity, as only Google Pixel and OnePlus allow for relocking the bootloader.OnePlus no longer supports that as of ColorOS OxygenOS 12 unfortunately.
That’s a bummer. Seems like Google Pixel and Fairphone are the only ones left. I don’t even know why manufacturers wouldn’t allow for relocking or even unlocking of their phones. I can’t imagine they make much money with user data and the phone is already paid for. Warranty claims shouldn’t be much of an issue either, as modifications can be easily detected and it’s likely not a relevant amount of people anyway.
As I understand it, the stated purpose is to prevent supply chain attacks and ultimately possible damage to their brand. In practice many of these same vendors ship their own spyware and do not want it removed.
SafetyNet is dead.
They rely on Play Integrity API.
That covers:
App Binary signatures App source corroboration - Was it actually installed from the Play Store? Android device attestation - Is it a genuine device powered by Google Play Services Malware detection - Google Play Protect is enabled and has not seen known malware signatures.
They can choose to ignore any number of those but they do not. It’s part of their security reporting requirements to use attestation I expect.
Beyond that - a device that doesn’t meet Play Integrity is more likely to be a malicious actor than it is to be a tech enthusiast with a rooted phone: One of them is far more prevalent than the other in terms of device usage.
Android apps are trivial to reverse engineer, inject code into and generally manipulate. That lets apps like ReVanced work the way they do… but that also means that blue team developers have a lot more work to do to protect app code.
Source - Android App Developer, worked on apps with high level security audits (like banking apps).
My bank doesn’t know for some reason. I don’t even pass (
as femme but that’s not relevant) safetynet, but it doesn’t seem to care. Sadly can’t pay with my phone or watch thoThey 100% would stop you if they could.
It’s why Google’s website DRM thing was so scary.
not was, is.
i dont think they dropped it.
Okay, so I originally was going to go in a long rant about how they’re still doing it, but decided that it didn’t really add much to the comment, so removed it.
Afaik they’ve, for now at least, shelved it in browsers, but are still going ahead in Android webviews (as part of their war on Youtube Vanced).
i guess they will probably try again with a new name later when the dust settles. can never trust them.
what about android webviews, i thought it isnt related to vanced? how do they plan to kill vanced this time?
MV3 is still happenning
Was? What did I miss? Even if it was discarded, there will aways be another attempt.
Basically Google wanted to put checksums in webpages and then not render the page period if the checksum didn’t match and said checksum could only be verified by “approved” browsers that had the correct certificate (which surprise was Chromium only browsers such as Chrome and probably Edge). As such you wouldn’t have been able to run any adblockers as that would change the checksum and the way the page was rendered. They could also then go one step further and do a Denouvo type set up to make sure the OS wasn’t being altered.
Super useful technology for security purposes!
Super scary technology for literally everything else.
Yes, I know about what they attempted (actually published some of it already in an official repo).
But why you talk in past tense? Have they reverted the changes and publicly pinky-promised not to do it?
I just want my bank to allow me to use some other form of authentication besides just a password.
Oh yeah? How about SMS? Or you can install this proprietary Symantec bullshit!
I just want my bank to accidentally deposit $1m into my account
because you use the root account on linux occasionally to do one thing but when you’ve got a rooted phone everything is done with the root account
Because they want to “protect” you from “yourself”. Imagine, you could scrape your own data that you can already see.
I’d be really worried if the security of server operation for my bank depended on the client-side. But playing devils advocate, some people will most likely point out that a root exploit on a phone may be unintentional and used to spy on people, to which I answer:
- show me a big scary box where I can “accept the risk” and move on
- keep in mind that if I am root on my phone, I can hide the fact that I am root on my phone and you’ll be none the wiser
Currently, option 2 is in effect, sadly.
Option 2 is not long for this world
As long as we’ll have control over the software, it’ll be there. If we reach the point were you’re not allowed to own computers, we’ll have bigger problem.
You deftly evaded the leading attack vector: social engineering. Root access means any app installed could potentially access sensitive banking. People really are sheep and need to be protected from themselves, in information security just like in anywhere else.
You don’t get a “accept the risk” button because people don’t actually take responsibility, or will click on those things without understanding the risk. Dunning Kruger at play.
Why is this prevalent on Android but not desktop Linux? Most likely a combination of 1) Google made it trivially easy to turn on, and 2) the market share of Android is significantly large enough to make it a problem warranting a solution.
The fact that you know how to circumvent it is inconsequential to the math above. Spoiler: you never were nor ever will be the demographic for these products, in their design, testing, and feature prioritisation.
Root access means any app installed could potentially access sensitive banking
That’s not how it work. Having a rooted phone does not turn it into a digital farwest were every application can do anything. It becomes a permission like everything else; if you only grant it to safe stuff (like, for example, not granting root to a single app but using it to customize your phone through ADB), there’s not much to see here.
In fact, it can be better: having root means you can arrange additional ‘firewalls’ between apps and your data , or omit/falsify sensor data the the banking app should not need, that the Google is unwilling to implement.
The word “potentially” was critical in the parent’s comment. A banking app cannot be assured that other apps are prevented from accessing its data when the phone is rooted.
So? If I, the customer, want to access my banking info, on my phone, with whatever means I want, I should be able to. As I said, it’s not like every app gets root access, if I, as the owner of the device, explicitly gave root access to something, it’s for a reason.
And the main point that a rooted phone can basically hide itself from any app remains; these “detections” are trivially bypassed in the exact situation they’re supposed to detect.
And if you don’t want to wear a mask on your face during a pandemic, you should be able to? Not everything is about you.
Banks practice defense in depth as other security practitioners do. Not every defense will stop every attack, so a layered, overlapping approach is used.
The issue with option one is that scammers get old (or not technical) people to do stuff when they don’t know what they’re doing and click the box not knowing what they just did. So yes very frequently they need to protect people from themselves because they’re dumb, but I still expect banks to do business with those dumb people, sooo… Option 2 it is.
Ok but also What tech illiterate person roots there phone
That’s where this part becomes relevant
a root exploit on a phone may be unintentional and used to spy on people
I think I just figured it out, hang on with me.
It’d be the tech literate person in the family. The nephew that’s working as a programmer or something like that. Now, if that nephew has some interest in stealing their uncles money, they now have access to their bank account through a freely rooted phone.
This gives them a lot of options, which I don’t have to explain.
Given that a lot of scams actually happen between presumed family and friends…
Yeah I kinda get why banks are doing this
Your bank most likely has an app on mobile. If you have Root and Xposed you can do crazy things to that app (and your phone). You don’t use an app on a PC, you use their website.
Most bank apps nowadays are just a webview wrapper over their web app. And they only have two reasons to maintain that app, to be able to make contactless payments with the phone, and to farm your contacts (supposedly for easier money transfers).
Yeah, but that’s on you.
It’s not like you can use a hacked app to give you free money, unless they’re doing something completely absurd like relying on client side security.
It’s not to stop you from abusing their systems but to stop scam victims from being screwed
One easy example is that you can get around the “no screenshots” lock many bank apps use with root, allowing you to potentially expose security vital information to people.
Should those of us who know what we’re doing be allowed? Maybe.
But it’s there to protect the old people who will run the .exe that’s designed to root their phone and then let them hand over data that would otherwise be locked down so that doesn’t happen just because someone called them and said they’re from the bank.
And how is that any different from being on a PC? You didn’t even have to be root to take a screenshot there.
One easy example is that you can get around the “no screenshots” lock many bank apps use with root, allowing you to potentially expose security vital information to people.
Nothing stops a scammer from telling someone to open their bank account, press prntscr on their keyboard, and paste it into their site. You don’t see banks freaking out about that…
Not only rooted. If you have de-googled Android image like LineageOs, CalyxOs, iodé, etc… It also detects it as rooted, even if it’s not.
Probably a “safety net” thing, which depends on Play Services’ binary blobs (which is spyware btw) and empty promises from Google.
There is no banking app for authenticating transactions for desktops?
Your browser?
Web browsers.
At least in the EU web browsers don’t allow for authenticating transactions (beyond a limit of e.g. 30€). Either an additional authenticator app or a standalone card reader is mandatory.
Luckily my banking apps work flawlessly on GrapheneOS and even microG, likely because of they care about the bootloader being locked again.
I guess I don’t know what you mean by “authenticating transactions”.
Online transactions require a second factor which displays the actual amount to be transferred. This works by either an app which receives the transaction data (recipient, how much) over the network, or a device which takes the bank card and is used to scan something similar to a qr code. The device then displays the transaction data.
This makes sure a fraudulent site can’t easily change the amount or the recipient of a transaction, even if they somehow made an identical website (or close enough).
For remote transactions (e.g. online payments), the security requirements go even further, requiring a dynamic link to the amount of the transaction and the account of the payee, to further protect the user by minimising the risks in case of mistakes or fraudulent attacks.
https://www.ecb.europa.eu/press/intro/mip-online/2018/html/1803_revisedpsd.en.html
It’s not perfect, especially with people using a banking app and the second factor app on the same device for convenience sake.
Interesting. If they do that in the US some day, I would absolutely much rather buy that device than unroot my phone.
Not for authentication. No idea if this is not a thing, but banks here in Germany all have their weird proprietary TOTP app that checks if your device is rooted or now even if it is a “Google certified OS”.
You can use some weird hardware device instead with the obvious drawbacks.
all have their weird proprietary TOTP app
But don’t support standards like WebAuthn or even FIDO 2.
My favorite thing is when banks don’t allow passwords that have spaces in them or are more than 12 characters long.
Honestly there should be a standard of what security means, like how passwords are stored and how TOTP is implemented, and if a bank doesn’t implement it then THEY are responsible for any “identity theft” that happens on their site, not the users.
Looking at you, fucking Paypal.
Or yes, my bank wanting only numbers not even letters.
Literally the only passwords I dont have in Firefox.
