The Vietnam government has banned rooted phones from using any banking app

In principle I'm certainly on board with the idea, but the problem is - at least in the Anglosphere, probably further - that the financial system is part of the military and policing systems. They are a powerful and persistent lobby that want a phone to be able to provide enough who-what-when-where to be able to put someone in jail or in extreme cases drop a missile on them.

That is one of the reasons the crypto market is behaving like some radical innovation instead of just a group of bozos speedrunning financial history. For the first time since the invention of capital we have an asset class where it doesn't take the cooperation of a group of armed thugs to guarantee the integrity of the system.

I don't see how a separate dedicated piece of hardware is less secure. It has zero contact whatsoever with your other comm devices. It can be switched off when not needed, to prevent any chance of tracking you. Think of it as of an advanced yubikey.

It's not money-preserving though. You need an extra device, and an extra phone number. The separate phone number is another privacy-preserving feature though.

There's a second layer to the conflict here, in that (e.g.) the banks will want to move the entire flow into whatever secure device, enclave, or "agent" they supply - meanwhile, the whole point of me having a general-purpose computer is to be able to do general-purpose computing that I want within this flow.

My favorite, basic example is this: I'd like to create my own basic widget showing me my account balance on my phone's home screen. Doesn't have to be real-time, but accurate to +/- few minutes to what the bank app would say when I opened it. It has to be completely non-interactive - no me clicking to confirm, no reauthorizing every query or every couple hours. Just a simple piece of text, showing one number.

As far as I know it, there's no way of making it happen without breaking sandboxing or otherwise hacking the app and/or API endpoints in a way that's likely to break, and likely to get you in trouble with the bank.

It should not be that way. This is a basic piece of information I'm entitled to - one that I can get, but the banks decided I need to do it interactively, which severely limits the utility.

This is my litmus test. Until that can be done easily, I see the other side (banks, in cooperation with platform vendors) overreaching and controlling more than they should.

The point of the exercise isn't to just see the number occasionally; I can (begrudgingly) do that from the app. The difference here is that having the number means I can use it downstream. Instead of a widget on the phone screen, I could have it shown on a LED panel in my home office or kitchen[0], or Home Assistant dashboard. Or I could have a cron job automatically feeding it to my budgeting spreadsheet every 6 hours. Or I could have an LLM[1] remind me I've spent too much this week, or automatically order a pizza on Saturday evening but only if I'm not below a certain threshold. Or...

Endless realistic, highly individual applications, of a single basic number. The whole point of general-purpose computing empowering individuals. If only I could get that single number out.

--

[0] - Why would I want that is besides the point.

[1] - E.g. via Home Assistant.

> No, the much more secure while at the same time liberty-preserving way to do this are heavily sandboxed secure enclaves with attestation, or even better standalone tamper-proof devices capable of attestation.

Thats what is being required. The problem is making sure the policy is enforced correctly includes local business logic and user experience components. The money transfer needs to come from an authenticated user providing consent, not from some software that happens to have managed to get installed on the phone with sufficient permissions to interface with the secure element or to have their version of a library loaded.

That means one needs to validate user-facing software, and not just the API to a black box. Thus one is requiring a chain of custody validation up to the boot loader.

Yet you're paying to get a passport etc...

You are free to use your pc. But it’s up to you if you want the more advanced features on a phone app.

And exactly who's going to pay for that?

But with kernel level attestation, the banks can start requiring this on computers as well...

(From the kernel-level anti-cheat discussion the other day)

Even elected governments already have the ability to take whatever they want from you, and force you to act against your own interests; this seems like a comparatively minor infringement.

My (Canadian) bank extorted me into installing their app, literally blocking me from doing transfers of my own money without it - I had to install it and take a picture of myself and my ID. After this I was able to switch to sms authentication and delete it, but they’re obviously trying to force people onto the app, and eventually they will do so more aggressively.

Of course in Canada we have a banking oligopoly that is effectively there just to rob people, but ironically any of the “challenger” startup banks are 100% app based afaik

Does not work anymore for many banks in Germany. I have 2 accounts that require me to have different second factor apps installed. For one bank I would have to open a separate account with a debit card to use hw tan generator. For the other AI would have to switch bank account after the regulators banned SMS and indexed paper TANs.

Assuming the browser has feature parity. I was visiting my parents over Xmas and my dad couldn’t make a payment because the number of saved payees was capped to 100. There was literally no option to delete a payee in the website, the only way we found was to install the app, authenticate, and do it in there. It’s happening already.

How are people on HN of all places still this short-sighted to not understand that this will stop being an option? It's incredible to see like 10 individuals commenting this all over threads like these. Think before you comment.

Until they decide that they only support 2FA by app push notification.

My bank turned their website off. Mobile app only now.

If your bank has a website.

If buying is not owning, pirating is not stealing.

Piracy isn’t merely a virtue, but a moral imperative, an obligation to uphold civic freedom.

It is immoral not to pirate. It is everyone’s duty to do their part in normalizing and encouraging piracy.

No, not civilized, precisely because of this (and other things).

Where in Europe? Some countries are making some efforts to get away from cloud providers like those but all I know of are increasing dependency on Apple and Android.

That's not exactly correct, at least in the U.S. Banks don't take away the right to modify, banks discriminate against modification.

Businesses, in general, have the right to refuse service to anyone for any reason except when their refusals either explicitly, or implicitly by pattern of behavior, derive from one or more characteristics that are protected from discrimination under law. The characteristic of having rooted, and/or having modified, a device is not currently protected from discrimination, and so businesses — who are self-serving to the extreme and minmaxing risk vs. profit just like any good video game player would — are within their legal rights to discriminate against users who modify their mobile phones.

You can see a similar pattern taking effect in the car modification industry; California requires tens of thousands of dollars to assess whether a car modification is "legal" to sell there, due to the intersections of gas vehicle smog laws and the tendency of vehicle owners who modify their vehicle to be likely to, just as businesses do above, selfishly minmax lower-emissions vs. higher-performance behaviors in the car's components and programming. As there exists no categorical protection against undue discrimination for "those who modify their property", one such as myself who modifies their vehicle without intent to reduce or defeat low-emissions behaviors has no recourse to claim that the state's $20,000 test fee is discriminatory against personal use by individuals. I support the societal-level necessity of enforcement in this area, but that doesn't excuse charging $20,000 to a for-profit business and then $20,000 to a personal-use resident.

So, the true solution, in a U.S. constitutional context anyways, is to amend the protected categories under the Bill of Rights to include "individuals who modify their own possessions" as a category that is protected from undue discrimination. It's a simple enough change from a written perspective. Perhaps California or the E.U. will enact it first?

Note, however, that undue does not mean always. Digital ID checks should be restricted to devices booted into sealed-attested mode for the same reason that notarization apps should — faked/stolen digital IDs carry severe and broad-spectrum risks to an entire society of individuals — but banks simply trying to decrease their fraud reimbursement expenses have insufficient cause to discriminate against account holders accessing their accounts. I would absolutely accepted "not permitted to initiate outbound transfers in excess of $10,000" as a compromise.

It becomes more unclear when you consider e.g. Apple Pay, and Apple Music. Both currently deny service to those whose macOS is not sealed and attested. One could make a very convincing case that digital wallets are a case where the benefits of sealed attestations are a necessary case of discrimination against those who modify their devices; financial fraud is a nightmare for both users and banks, after all! But there is no convincing case that being able to listen to music albums with a modified device is somehow a threat both to users and to the music industry, and so Apple would find their demand for sealed+attested to be illegal discrimination by Apple Music.

I suspect the outcome here is that we see devices that offer a sealed-attested 'wallet' mode, activated by a hardware switch function of some fashion, that temporarily seizes control of the device in order to create a protected environment — with some sort of indicator that can't be falsified by any other software on the device, i.e. the camera green / mic orange LED — so that users can interact with attestation-critical services like ID checks, NFC payment, and MFA requests without having to reboot their device from modified mode. Those who want to install their own attested environment can do so, with the understanding that a great deal of legwork remains to not only earn the world's trust that third-party environments can be secured, but also that both government and corporate environments detest having to decide who to trust themselves and will do their very best to either reject all parties other than a single corporation (E.U. age checks, I'm looking at you!) or will create arcane bullshit obstacles that make it difficult to DIY a secure wallet. Some of that difficulty is completely appropriate for exactly the reasons that secure attestations are appropriate in specific, narrow cases only (same reason I appreciate paper currency having physical anti-counterfeiting technology, but not the stupid constellation): counterfeiting predates humanity, sealed-attestation environments are an excellent defense against entire categories of attacks, and a reasonable level of bureaucratic slowdown is an excellent defense against opportunistic hit-and-run fraud.

You do have that right. You just can't use banking apps in Vietnam on such devices.

This is really no different to the antivaxxer arguments in the peak pandemic era. Some people didn't want vaccines. Fine. Well, not fine. None of it is based on any kind of rational argument but nobody was strapped down and forced to have one. But not having one meant there were certain jobs you couldn't have. Just like for decades unvaccinated children couldn't go to public school.

You make a choice and if you don't like the consequences of that choice, that's a you problem.

Have you ever listened to any scammers operate? People are, for lack of a better word, stupid. They're far too trusting. Anything from Nigerian prince scams to buying Walmart gift cards and giving some random person the number to whatever.

You might say "ah but this is social engineering" and that's true but so is "Hi, this is Brian from tech Support. We need you to change these settings and to install this app on your phone".

Let me put it another way: how do you feel about backdoors into crypto? Just the existence of a backdoor creates an attack vector regardless of whether the designated users misuse use it or not. Just the ability to "opt in" to root access for almost everyone creates way more problems than it solves.

And this is the key point: what benefit does it give users? Because nobody can really answer that other than some hand-waving about "freedom".

The main danger is a virus that infects everybody's phones and then takes control of the telephony modem, e.g. like a DDOS attack.

That's why you can't have root access to the modem even though you technically own it.

Viruses injecting code into the process of the app that you use to do online banking. obvsly. Or the app you use to do second-factor authentication.

You can protect against that by requiring the app to have a valid signature. You cannot guarantee that the signature is valid unless you can guarantee that the kernel has not been modified. You cannot guarantee that the kernel has not been modified if the phone has been rooted.

For what it's worth, my banking app for my Canadian bank (and the app which does second-factor authentication for web transactions when doing web-based online banking) will not run on a rooted phone. For good reason, I think.

My bank used to use SMS for second-factor authentication, but no longer does so. For good reason. When I do online banking from my desktop, I still have to use the second-factor authentication login on my phone. Or sim-less tablet, interestingly. Whatever the mechanism, is, it is not SMS based.

Because when you don't do this, people get scammed out of money.

If there is a series of buttons you can press to circumvent the anti-scam measures, then the scammers simply walk you through pressing those buttons. If you cover them in giant warning labels the scammers simply add explanations into their patter. The buttons must physically not exist, for gullible people to not get scammed out of money.

The next response will be 'well maybe we shouldn't accommodate them'. They vote, and there's more of them than you.

The irony is that Apple started out by discovering the the hackability of the hardware and software they found in their time. Instead of leaving something like that behind for those who come after them, to pay back what was given to them, they build walled gardens where you’re just not allowed to “bump into the walls too much”.

> You can have sandboxing and system integrity while still giving the user overrides.

I think this is wishful thinking, and the most experienced organizations in the world in this field agree with me. You can’t square this circle.

We can pretend that these two things can coexist, but they cannot. Where there are overrides, there are youtube tutorials on how to disable the overrides to install malicious botnet vpn surveillance proxy apps to get free robux. (to borrow a turn of phrase from @ptacek iirc)

If you give users an escape hatch, they will get malware in ring 0 and Apple Pay will stop being a thing because people’s cards will start getting remotely skimmed at scale. (Or Amazon will give you 1.5% off all purchases to install a rootkit that uploads your complete realtime cc nfc purchase boop history and email receipts and location track so they can figure out which businesses to clone/dump on next.)

If you say “…but not the SEP” then you’re just admitting that you need a part of the phone the user does not and cannot control. Most users care about the privacy of their nudes and sexts so they’d rather it be the whole damn phone.

Did we forget that even the not-full-scale escape hatch that was enterprise app certs was abused by Meta (then Facebook) to install surveillance VPN backdoors on customer phones at scale? Apple didn’t even know bc they were sideloading them via enterprise certs and when they found out they revoked them across the board, but by then thousands of people had had 100% of their phone’s network traffic surveilled by an ad company without consent.

> You can have sandboxing and system integrity while still giving the user overrides.

How? What kind of overrides? You mean that Safetynet could still report attestations?

I have no idea how it works, but doesn't it require a chain of trust, starting from a known boot image, then every process that can write to arbitrary memory needs to be a known image? (And even that might not be enough if there are ways to dynamically exploit them.)

There must might be infinite ways but only one simple, reliable and practical way

Okay, it is a full on spyware virus though, not super sure why people would love Bonzi on their system.

This is kind of a shitty compromise, the second you leave a tiny crack open in the security, maybe through root access, maybe some better sideloading, somehow people WILL be tricked into installing malware, and it baffles me...

I've seen it happen multiple times with my older (and younger, though less often) relatives and acquaintances, I'm really not sure how like a solid 5 dialogs that scream at them with sayings like "do not do this", "this is dangerous", "if someone is telling you to do this they're a scammer", and that somehow raises zero alarms, however if you tell them to consider the possibility that they're downloading a virus, or that the nice IT man on the phone is probably not that trustworthy, they will simply not believe you.

That's why I kind of get the paranoia, though most of it is just that and I really believe that software freedom is a whole lot more important.

> normal people can't be trusted with system-level access but some people can.

Why can "normal people" be trusted with a car then? Or firearms? Or kitchen knives?

In other areas of life, people self-select at their own risk. You can diagnose medical issues yourself, buy power tools you don't know how to use safely, and invest in assets that you don't understand.

All other things being equal, we should try to protect people. But we shouldn't force everyone to make the choices that are best for the people with the least comprehension of what they're doing.

If the only damage is personal (they lose their own money), why can't we make them responsible for their choices?

Normal people shouldn't have computers. The internet must be made back into something you sit down to use.

Non-ideal situation for those power users - have 2 phones. Annoying but also a perfect separation of free/personal and controlled/official spaces.

When a bank eventually requires a more recent phone to work, they will carry three phones, one for that one bank, one more for the rest of the banks, and a personal one.

Then they might move somewhere else with different banks and different hardware requirements, they will carry 5 phones.

I mean, did it do 80% of the stuff? Devices have changed a lot.

By the time that iPhone SE 3 finally goes unsupported (even the iPhone SE 2 from 2020 has yet to lose support) you'll just buy a cheap refurbished iPhone 16e. Old-gen iPhones are widely available and quite cheap.

To be fair my 2016 iPad Pro is up to date and can still run any app I throw at it

If you’re not using it regularly, why would you need anything except security updates?

Or you could just turn on Do Not Disturb…

There are enough non-shitty banks and credit unions, at least in the US, that you should be able to easily switch banks to a better one. They have no moat.

It's true that GrapheneOS is not rooted, and, unlike other non-rooted custom ROMs, allows re-locking the bootloader. But, whether a banking app will work depends on what level of Google Play attestation they require. While most banking apps work fine on it, a significant minority do not.

Not if you want to use tap-to-pay systems.

It is very ironic that the solution is using an old, insecure phone full of unpatched holes for all important banking and id business, because that one is vendor-allowed while your state-of-the-art GrapheneOS is not.

My job's SSO moved to provider that either required an unrooted phone or a reliable Voice auth.

For 2 years the voice authentication worked fine (they call me, I type in a number) on my regular rooted phone. Then one random morning I just stopped getting the phone calls. "Network said no".

Complete lock out, nothing I could do except go out and panic-buy an unrooted phone not running Lineage and using a modern Android version. (I tried my older unofficial lineage phones without root, and no dice.)

I opted for a good phone I could postmarket later, but gosh did it set me back almost 1/5 of my monthly salary.

Yes, I got my iPhone SE 2022 used for 150 EUR!

How is a pixel with grapheneos not a secure device?

Ps no it's not rooted but it won't pass full play integrity so it will usually be treated as such.

Also, a properly configured root is not a weakness just like having a computer where you don't log in as admin unless you really need to can be just fine.

A £150 back market phone is not a secure device. It probably stopped receiving security patches a month after its release.

Why? Do you have many unplanned urgent banking needs? Everything that needs an unmodified phone can wait until I get home.

Cheapest new Googled Android phone is < $100, Pixel 9a on sale <$400 and Graphene is free, still (much) cheaper than the latest gen spiPhone.

I understand that you’re using it as an example, but I still find it very misleading. Estonia is pro-privacy and has consistently voted against Chat Control.

On the other hand, France has been undermining privacy for a few years now. They supported Chat Control, have attacked GrapheneOS, etc.

Don't they usually SMS you a TOTP code that you could then just type into the unmodified one? I've seen some apps that snoop on your SMS to automatically grab the TOTP code but I've never come across one that wouldn't let you manually type it in.

I use the eSim feature in my iPhone, this worked well.

> iPhone still does bluetooth transmissions/pings even in airplane mode ... the only way to disable any transmissions is to turn off the device

I used to be under the impression that:

- Airplane Mode via Control Center icon, true.

- Cellular, WiFi, and Bluetooth off, via Settings, not true.

Meaning, if you turn those off specifically, you are not talking to towers or access points or broadcasting a persistent bluetooth ID.

Having Kagi'd a bit just now, maybe the thing that can't be turned off is NFC?

https://www.simplymac.com/ios/can-you-turn-off-nfc-iphone

If that's the case, then I'd hold this as a different threat model than not being able to turn off WiFi and Cellular.

Very curious if an iPhone or iPad with all accessible settings off, including for NFC turning off Apple Pay, NFC tag reading, etc., leaving only this background NFC on, if there are still persistent identifiers being broadcast.

Bluetooth's the same RF chip as wifi in new phones isn't it? Can't just exacto knife a trace on the board without murdering everything I take it?

iPhones will transmit bluetooth beacons even if turned off. Fortunately the battery goes completely flat after a couple of weeks or so and then they no longer do. Unfortunately this is not very healthy for the battery.

I've turned off find my device on my device.

Although, I am still using 17.7.2 that won't stop nagging me to upgrade to iOS 26.2.

I don't want to because I know I'll hate it.

You don’t do any important stuff on your phone. Others might not have the luxury.

Notably, in Vietnam people use QR payments a lot. If you want to interact with them by, say, paying at a small local restaurant, you’ll need a phone (or a stack of cash, and please do prepare change).

Just because you don’t need it doesn’t mean other people don’t. Heck, I have no need for a rooted phone so I only use a normal phone, but I respect that others might need a rooted phone.

It depends on location. In my whereabouts banking and e-signing requires one of two 2FA solutions both are mobile-only.

Theoretically there is a third option with USB ID card reader to use certificate stored in ID card. But I never saw one used in practice. It’s a PITA to get those devices to work on anything beyond Windows. And they’re accepted in relatively few places.

That's what I do. I don't install apps for stuff I can just do on the web.

Because that needs 2FA to login and guess what the only way to get the code is.

My main reason is that I wanted to separate browsing/daily use from auth/banking. These two things just don't belong together, from my perspective.

Yes, you can use the "pixel camera" app on GrapheneOS

It's Pixels only at the moment; the GOS team are apparently working with another hardware vendor to produce a suitable device, but that's still a long way off.

To stop third parties selling your location information.

https://www.ftc.gov/news-events/news/press-releases/2024/12/...

You start to use it because you care about privacy and your data. But now it's just to avoid all the crap Google and OEMs put into the phone. Same story is with PC and Windows. To quote one smart guy: "I'm not in the mood to be treated as a chimp." And that's it.

Some people are really into security, some people are really into trains.

System wide adblocking, being able to backup any app are the top two reasons I'd still root my phones if i had any choice. You'd be amazed by the battery life improvement you'd get by just blocking ads..

I deliberately avoid all banking apps even though i didn't root my phone, but i have to use Google Pay a lot. So... That's the only reason this phone I'm typing on isn't rooted.

I want to backup my entire phone on a local server I own. Apps, app data, settings, WiFi passwords, call logs, etc. Good luck without root.

Who exactly are "they" in this context? Shared documents don't mention anything like that.

Maybe it’s country-specific, but most banks I know support a card reader or photoTAN device. You don’t need to use a phone.

I’ve seen dedicated hardware devices which scan a QR-like code and show this in a little screen of their own. The bank provides them and does not require any app.

I only know of a single bank using this.

I'm in Europe, and some of my banks still operate with a token just showing numbers, while others use devices with QR code readers and a colour display which then can show transaction details.

They don't really like you using that and keep annoying you to stop doing that, but I don't think they'll fully get rid of that - those are filling some accessibility niches as well.

Is this true?

The old, standard RSA number generator token key ring device is not permitted in Europe for authorizing bank actions ?

I am in europe and my bank issued me a hardware token I still need to use from time to time.

What's a mobile deposit and why do you need an app to check it?

Personally, I'm OK with that tradeoff. I live close to my bank, so going to deposit in person isn't a problem for me.

yeah. Americans are one media campaign away from having to argue for their right to possess fully semiautomatic general purpose computers with high capacity peripherals. Europeans and the rest of the collective West won't even get such courtesy, their young global leaders don't need to justify their actions to the unwashed masses.

all they really need to do is to make the Internet inaccessible from any device except the castrated thin clients that our computers are doomed to be replaced with. and that can be done trivially.

I hate that future so much, but I don't know what to do to avoid it. My sole choice to bank on pc and use it as a pc will not be considered by the product people making the choice to go smart phone app only.

I'm essentially along for the ride because the masses will gobble it up.

Wifi? Because it is part 15. That spectrum is less strict.

SDRs? Because they are not certified transmitters. They are test RF gear, or a component of a transmitter, not an end-user product.

Cellular radios in a PC? You don't get root on those. Same situation as they are in a cell phone: They are licensed-band transmitters, and they are required to be tamper proof to protect the licensee.

SDRs are (IIRC) low-power enough that they don't fall under FCC regulations.

I guess I take credit and debit cards for granted. Surely the rest of the world had some solution before smartphones, though. Hopefully the US doesn't descend into needlessly using the phone as a middleman as the norm.

I don't have a problem with online payments, and I'm not using a banking app.

Keyloggers would be considered a form of fraud, right? Customers can be protected by not allowing rooted phones which may contain malware and steal credentials, but then again Windows is a nightmare for security and nobody is banning banking from Windows.

Yeah I call bullshit. The number of people with rooted phones is going to be way less than 1%, and the number of those that are unsophisticated enough to fall for scams/malware is going to be miniscule.

This is pretty clearly a case of "oh there's an option here that says 'allow on rooted phones', do we want to allow that?" "No that sounds scary and risky! Of course not. We must not allow it."

The option is there, and nobody is going to try to sell not ticking it.

Can you share what limits they did and did not impose?

Also even if they aren't hijacked devices, any kind of phone farm is harder to run with locked down devices.

Tricking someone into installing a malicious app usually doesn't involve them having a third-party or modified operating system on their phone. I'm asking about that because I believe it's a hypothetical risk rather than a problem in practice and I'm curious about any evidence to the contrary.

Singapore could be due to being a common VPN exit node for within SE Asia? Close by and avoids the most common regional blacklists (and gov firewalls of course).

Rooted devices don't enable that transaction. That's all social engineering.

> so they up the security

They're upping the surveillance, not the security, quite demonstrably.

This is meant to protect /them/ from liability and not /you/ from loss.

This reminds me when living in South Korea used to require Internet Explorer/ActiveX to get anything done online:

https://en.wikipedia.org/wiki/Web_compatibility_issues_in_So...

A solution could be having a tiny non-rooted Android system as a "coprocessor".

Possibly, but companies seem strangely set on getting people to install apps, even when the feedback is negative.

Offering a monetary reward for installing apps seems fairly common. Chevron had someone at my gas station offering something like $5 of free gas, plus $1 a gallon off of the next three purchases. If it was something the customers wanted, they wouldn't need to pay people to do it.

This term needs to catch on, this is the first I've seen it, bit it explains why so many prodict decisions are made and those who know better/different are just too small a minority to get any say.

We're dragged into this kicking and screaming and yet normies think we're the crazy ones.

And, of course, easier to get the valuable data about the person setting up an account.

You're on the money with the rest of this, but...

> Many tech jobs in the US will move to Vietnam in the coming few years.

It would seem to me that India has that on lock.

I use a small town credit union and its great.

Claim you don't have a phone, and they'll find a solution.

Recalling Venmo winding down web beginning in… let’s see… 2018!

https://www.digitaltrends.com/phones/venmo-shutters-web-plat...

I long ago decided never again to use anything but a credit union, and this makes me glad that credit unions tend not to ride the forefront of tech trends.

China is ahead of the curve here, the one app is wechat.

It's already reality in my country, where you cannot access online banking for any banks except via their mobile applications, which (of course) refuse to work on anything rooted or running non-stock firmware.

It is a massive observation of how things look already no more, no less.

You should make a mat for that.

That's what a malware can do on a rooted phone, _once it gets root access_, but that doesn't mean a rooted phone is easier for malware to attack.

There's not even that many people using rooted phones, and many are tech savvy people that are generally a bit more careful, so even if a rooted phone gets infected by some malware chances are the malware won't even be written in such a way to try to obtain root permissions through the standard procedure and exploit it.

True. All internet packets are REST API packets - there's no other type of packet. And all cell radio traffic is internet packets (which are REST API packets).

This isn't about the bank's security - it is about the users'.

Users are losing billions worldwide due to fraudulent apps. If a user has root and runs a malicious app, it can intercept what a legitimate banking app does. A scam app with root can draw over the screen and tell users to transfer money, or it can run a series of actions when the banking app is running, or do any of a hundred things to steal money.

TOTP is pretty standard. Give the user backup codes and just use normal recovery methods. For most things that might be email. For a bank it's probably identity verification.

Yep! Tourists are excluded. Also, my SO is Viet turned Viet Kieu (not me), but we have significant familial and business ties in VN.

I don't know the reality, but my guess would be that it's the inverse of what you proposed; a significant portion of fraud cases identified by banks involved a rooted phone. From the defender's perspective, this could be a problem they run into over and over again, and take an outside place in their eyes.

I think the point is that phone apps are more secure than, for example, web apps.

Users that try to use mobile apps as if they were web apps, disabling location, and security features are just flagged by numerous security mechanisms.

Probably. I know a guy who roots phones for older people or friends parents, installs pirated games and such for them and making sure it is locked down in certain ways for the older generation.

In other words, the correlation is that older people are more likely to have a rooted phone and are more susceptible to fraud.

Dunno how widespread this is, just something to keep in mind.

Perhaps people who unknowingly bought a rooted phone. I don't know how frequent this is, but it would be the only case it would matter.

“Every high civilization decays by forgetting obvious things.”

backup, root, recover?

This kind of checks would prevent you from running the app in virtualized environments too. You'll need the cheap device, assuming it doesn't get too old or its keys get leaked and your device also gets distrusted as a consequence.

These practices are strengthening the Google/Apple hegemony and are ultimately damaging user freedoms and consumer protections. I'm sure that's not your employer's intention, but it is a negative thing that they're contributing to. And because of how essential banking is, banks have a big thumb on this particular scale, and I wish they'd use it for good rathet than for enriching and entrenching evil.

I understand (but vehemently oppose) the argument for root detection. What risks to banks see from having developer settings enabled?

Great, so the no-name iPhone clone in China passes your test but EOS doesn't.

There's no way to assess the security of a rom from an app and it's about time that banks learn this reality.

Software on mobile is even more fragmented and less standardized than on desktop

> If someone steals the secrets from a rooted phone and steals customer's money the bank is on the hook, so banks do everything they can to minimize this risk.

Now that's just not true now, is it? Sure the lawyers told you that (the ones that get paid to tell you that), but nowhere in EU was a bank actually fined for not root checking a device.

They were plenty fined by being utterly incompetent with security practices and doing them poorly - like trying to inject wierd .SOs to do the root detection you're defending.

Why don't banks just make desktop computer applications?

In the given scenario though it's less likely such a user would be using a rooted or replacement OS. It's an involved process to do this in the first place.

Ie: the much larger percent of users affected by this news would already be more technically savvy and one would assume be less susceptible to known scams.

To your parent point though, sideloading apps per se OTOH is something most Android installs can do without rooting or a replacement OS. Google is already rolling out developer verification requirements for sideloaded apps on GMS Android installs (most devices) to mitigate impact of malicious apps, so there is already action being taken for regular users.

One could imagine other reasons Vietnam may want to dissuade more tech savvy users from running AOSP-based installs (such as GrapheneOS, which is known to be robust against Cellebrite) and using banking is a decent place to start.

Yeah, if you need network on the secondary, then tether it to the primary, lol.

That sounds like a Silicon Valley bit.

> Incidentally, if anyone wants some collector's edition Google/Android devices...

Please get in touch with the postmarketOS folks, since any phone old enough to be running CyanogenMod proper is most likely not supported there yet. (It would be super nice to even have a proper list of all devices where old CyanogenMod was officially supported at some point, with device specs for each. We're lacking even that at present because the transition from the CyanogenMod name to LineageOS was so messy.)

Of course, the combination of extremely limited hardware specs (512MB RAM + 512MB built-in storage was a common spec), old ARM32 SoCs and the ongoing 3G/2G mobile network phaseout means that many such devices will only really be useful as glorified palmtops or for even more minimal uses. But it might be worth experimenting with nonetheless.

Authoritarian governments have an interest in knowing where and how you spend your money, and from where you got it.