• @[email protected]
    link
    fedilink
    1408 months ago

    I actually heard something about that in class not long ago

    The story is that Android’s security heavily relies on the compartmentalization of apps that lives in the android layer, over the Linux kernel. Apparently, that functionality works in part because only this layer can perform operations that require root access, no app or user can. So software that allows you to root your phone apparently breaks this requirement, and makes the whole OS insecure. He even heavily implied that one should never root their phone with ‘free’ software found on the internet because that was usually a front for some nefarious shit regarding your data.

    I’m just parroting a half-understood and half-remebered speech from a security expert. His credentials were impressive but I have no ability to judge that critically, if anyone knows more about this feel free to correct me.

    • @[email protected]
      link
      fedilink
      738 months ago

      Isn’t saying that allowing apps to have root lets them access anything just describing what root is? A rooted phone doesn’t have to give superuser access to every app.

      • @[email protected]
        link
        fedilink
        288 months ago

        A rooted phone doesn’t have to give superuser access to every app.

        Sure, but apps that run as superuser can access anything, including the data and memory for banking apps. A big part of Android’s security model is that each app runs as a different user and can’t touch data that’s exclusively owned by another user.

        • @[email protected]
          link
          fedilink
          348 months ago

          It just means you need to trust apps that you give root access to, or only give elevated privileges during the very specific times when apps need them. Root isn’t something people who don’t know what they’re doing should be messing around with, I guess. But I’d think a lot of people who root their phone know and accept the risks.

          • @[email protected]
            link
            fedilink
            17
            edit-2
            8 months ago

            People like you or I may know what we’re doing with a rooted device, but I think the issue for the banks is that they can’t guarantee that someone with a rooted phone knows what they’re doing or isn’t using a malicious app, so they have to be cautious and block all rooted phones.

            An app that requires root may look like a normal app but it could be a trojan that modifies banking apps in the background (eg patches them on disk or in RAM so transfers done through the app go to a different recipient). There’s been malicious apps in the Play Store in the past, and rooted apps have way less oversight - some are literally just APK files attached to XDA-Developers posts or random blog sites.

            • @[email protected]
              link
              fedilink
              118 months ago

              I take your point, and I’m sure you’re right about the banks’ rationale, but in my own view it does not seem like it should be the banks’ decision to make.

              • @[email protected]
                link
                fedilink
                88 months ago

                As soon as a bank offers any sort of fraud protection, though, security becomes a bank issue (in addition to a “you” issue).

                Not at all saying I agree with the banks on this, but I think that may be part of the thinking.

                • @[email protected]
                  link
                  fedilink
                  27 months ago

                  This is a good point. The bank needs to do as much as they can to reduce fraud risk, and they’ve probably found some correlation between rooted phones and a higher likelihood of fraudulent transactions. Some banks block VPNs for a similar reason - when logging in from a VPN, it’s harder for them to tell that it’s actually you vs if it’s an attacker that uses the same VPN service as you.

              • @[email protected]
                link
                fedilink
                17 months ago

                Your risk exposure is that you could lose your bank account balance. The banks risk exposure is that they could lose every bank account balance exploited by the same rooted phone vulnerability. So they evaluate risk differently than you do.

            • sepi
              link
              fedilink
              2
              edit-2
              7 months ago

              bro I gave my nana root on her eye phone and by the end of the week she had hacked half of North Korea - the other half thought her actions were a good example of juche ideals. It was crazy ngl

      • @[email protected]
        link
        fedilink
        88 months ago

        I think he was trying to say apps get access to “root features” through an abstraction layer/API calls that is controlled.

        They don’t/wouldn’t have carte blanche root access to the underlying system. It’s kinda like a docker container or VM or flatpaks/snap packages on Linux. They are sandboxed from everything else and have to be given explicit premission to do certain things(anything that would need root privileges/hardware access).

    • @[email protected]
      link
      fedilink
      538 months ago

      I wouldn’t even feel compelled to root my phones if Google would actually back up my phone instead of whatever 1/4 baked shit they’ve done thus far.

      • @[email protected]
        link
        fedilink
        English
        38 months ago

        I’ve been using android since 2010, and it’s gotten significantly better over the years. There’s only a few things it doesn’t back up, like text messages and app data, most of which you don’t need.

        • @[email protected]
          link
          fedilink
          188 months ago

          Mine backs up my text messages, but I would prefer to backup my app data, authenticators, wallpaper, themes, games, etc., not every app is a shitty front-end to a website.

        • @[email protected]
          link
          fedilink
          English
          58 months ago

          It is not Android that is backing up most things though, it is mostly done by Google Services. That means that your data is effectively vendor locked-in if you want to use Android as an actual open source project. Google gutting the AOSP to this extent should be illegal (maybe even is, but might is right).

    • @[email protected]
      link
      fedilink
      38 months ago

      The problem is very simple - the majority of people are technically illiterate. Apple and Google saw the Windows XP security fiasco, looked at how many people use smart phones today and decided that giving users any rights is not worth the risk.