Because they want to “protect” you from “yourself”. Imagine, you could scrape your own data that you can already see.
I’d be really worried if the security of server operation for my bank depended on the client-side. But playing devils advocate, some people will most likely point out that a root exploit on a phone may be unintentional and used to spy on people, to which I answer:
show me a big scary box where I can “accept the risk” and move on
keep in mind that if I am root on my phone, I can hide the fact that I am root on my phone and you’ll be none the wiser
The issue with option one is that scammers get old (or not technical) people to do stuff when they don’t know what they’re doing and click the box not knowing what they just did. So yes very frequently they need to protect people from themselves because they’re dumb, but I still expect banks to do business with those dumb people, sooo… Option 2 it is.
It’d be the tech literate person in the family. The nephew that’s working as a programmer or something like that. Now, if that nephew has some interest in stealing their uncles money, they now have access to their bank account through a freely rooted phone.
This gives them a lot of options, which I don’t have to explain.
Given that a lot of scams actually happen between presumed family and friends…
You deftly evaded the leading attack vector: social engineering. Root access means any app installed could potentially access sensitive banking. People really are sheep and need to be protected from themselves, in information security just like in anywhere else.
You don’t get a “accept the risk” button because people don’t actually take responsibility, or will click on those things without understanding the risk. Dunning Kruger at play.
Why is this prevalent on Android but not desktop Linux? Most likely a combination of 1) Google made it trivially easy to turn on, and 2) the market share of Android is significantly large enough to make it a problem warranting a solution.
The fact that you know how to circumvent it is inconsequential to the math above. Spoiler: you never were nor ever will be the demographic for these products, in their design, testing, and feature prioritisation.
Root access means any app installed could potentially access sensitive banking
That’s not how it work. Having a rooted phone does not turn it into a digital farwest were every application can do anything. It becomes a permission like everything else; if you only grant it to safe stuff (like, for example, not granting root to a single app but using it to customize your phone through ADB), there’s not much to see here.
In fact, it can be better: having root means you can arrange additional ‘firewalls’ between apps and your data , or omit/falsify sensor data the the banking app should not need, that the Google is unwilling to implement.
The word “potentially” was critical in the parent’s comment. A banking app cannot be assured that other apps are prevented from accessing its data when the phone is rooted.
So? If I, the customer, want to access my banking info, on my phone, with whatever means I want, I should be able to. As I said, it’s not like every app gets root access, if I, as the owner of the device, explicitly gave root access to something, it’s for a reason.
And the main point that a rooted phone can basically hide itself from any app remains; these “detections” are trivially bypassed in the exact situation they’re supposed to detect.
And if you don’t want to wear a mask on your face during a pandemic, you should be able to? Not everything is about you.
Banks practice defense in depth as other security practitioners do. Not every defense will stop every attack, so a layered, overlapping approach is used.
You really are missing the point that if the device is rooted there is nothing an app can do to protect itself. Defense in depth is layering (sometimes overlapping) solutions that do something. Detecting root and saying “nuh-uh” is not doing anything.
As long as we’ll have control over the software, it’ll be there. If we reach the point were you’re not allowed to own computers, we’ll have bigger problem.
Because they want to “protect” you from “yourself”. Imagine, you could scrape your own data that you can already see.
I’d be really worried if the security of server operation for my bank depended on the client-side. But playing devils advocate, some people will most likely point out that a root exploit on a phone may be unintentional and used to spy on people, to which I answer:
Currently, option 2 is in effect, sadly.
The issue with option one is that scammers get old (or not technical) people to do stuff when they don’t know what they’re doing and click the box not knowing what they just did. So yes very frequently they need to protect people from themselves because they’re dumb, but I still expect banks to do business with those dumb people, sooo… Option 2 it is.
Ok but also What tech illiterate person roots there phone
That’s where this part becomes relevant
I think I just figured it out, hang on with me.
It’d be the tech literate person in the family. The nephew that’s working as a programmer or something like that. Now, if that nephew has some interest in stealing their uncles money, they now have access to their bank account through a freely rooted phone.
This gives them a lot of options, which I don’t have to explain.
Given that a lot of scams actually happen between presumed family and friends…
Yeah I kinda get why banks are doing this
well you can buy a rooted phone that runs some thing like lineage preinstalled.
You deftly evaded the leading attack vector: social engineering. Root access means any app installed could potentially access sensitive banking. People really are sheep and need to be protected from themselves, in information security just like in anywhere else.
You don’t get a “accept the risk” button because people don’t actually take responsibility, or will click on those things without understanding the risk. Dunning Kruger at play.
Why is this prevalent on Android but not desktop Linux? Most likely a combination of 1) Google made it trivially easy to turn on, and 2) the market share of Android is significantly large enough to make it a problem warranting a solution.
The fact that you know how to circumvent it is inconsequential to the math above. Spoiler: you never were nor ever will be the demographic for these products, in their design, testing, and feature prioritisation.
That’s not how it work. Having a rooted phone does not turn it into a digital farwest were every application can do anything. It becomes a permission like everything else; if you only grant it to safe stuff (like, for example, not granting root to a single app but using it to customize your phone through ADB), there’s not much to see here.
In fact, it can be better: having root means you can arrange additional ‘firewalls’ between apps and your data , or omit/falsify sensor data the the banking app should not need, that the Google is unwilling to implement.
The word “potentially” was critical in the parent’s comment. A banking app cannot be assured that other apps are prevented from accessing its data when the phone is rooted.
So? If I, the customer, want to access my banking info, on my phone, with whatever means I want, I should be able to. As I said, it’s not like every app gets root access, if I, as the owner of the device, explicitly gave root access to something, it’s for a reason.
And the main point that a rooted phone can basically hide itself from any app remains; these “detections” are trivially bypassed in the exact situation they’re supposed to detect.
And if you don’t want to wear a mask on your face during a pandemic, you should be able to? Not everything is about you.
Banks practice defense in depth as other security practitioners do. Not every defense will stop every attack, so a layered, overlapping approach is used.
You really are missing the point that if the device is rooted there is nothing an app can do to protect itself. Defense in depth is layering (sometimes overlapping) solutions that do something. Detecting root and saying “nuh-uh” is not doing anything.
Option 2 is not long for this world
As long as we’ll have control over the software, it’ll be there. If we reach the point were you’re not allowed to own computers, we’ll have bigger problem.