Why don't banks like root on Android?
They 100% would stop you if they could.
It's why Google's website DRM thing was so scary.
Was? What did I miss? Even if it was discarded, there will always be another attempt.
Basically Google wanted to put checksums in webpages and then not render the page period if the checksum didn't match, and said checksum could only be verified by "approved" browsers that had the correct certificate (which, surprise, was Chromium-only browsers such as Chrome and probably Edge). As such you wouldn't have been able to run any adblockers, as that would change the checksum and the way the page was rendered. They could also then go one step further and do a Denuvo-type set up to make sure the OS wasn't being altered.
not was, is.
I don't think they dropped it.
Okay, so I originally was going to go in a long rant about how they're still doing it, but decided that it didn't really add much to the comment, so removed it.
Afaik they've, for now at least, shelved it in browsers, but are still going ahead in Android webviews (as part of their war on Youtube Vanced).
MV3 is still happening.
I actually heard something about that in class not long ago
The story is that Android's security heavily relies on the compartmentalization of apps that lives in the android layer, over the Linux kernel. Apparently, that functionality works in part because only this layer can perform operations that require root access, no app or user can. So software that allows you to root your phone apparently breaks this requirement, and makes the whole OS insecure. He even heavily implied that one should never root their phone with 'free' software found on the internet because that was usually a front for some nefarious shit regarding your data.
I'm just parroting a half-understood and half-remembered speech from a security expert. His credentials were impressive but I have no ability to judge that critically; if anyone knows more about this feel free to correct me.
Isn't saying that allowing apps to have root lets them access anything just describing what root is? A rooted phone doesn't have to give superuser access to every app.
A rooted phone doesn't have to give superuser access to every app.
Sure, but apps that run as superuser can access anything, including the data and memory for banking apps. A big part of Android's security model is that each app runs as a different user and can't touch data that's exclusively owned by another user.
I think he was trying to say apps get access to "root features" through an abstraction layer/API calls that is controlled.
They don't/wouldn't have carte blanche root access to the underlying system. It's kinda like a Docker container or VM or Flatpak/Snap packages on Linux. They are sandboxed from everything else and have to be given explicit permission to do certain things (anything that would need root privileges/hardware access).
No, but it can.
I wouldn't even feel compelled to root my phones if Google would actually back up my phone instead of whatever 1/4 baked shit they've done thus far.
I've been using android since 2010, and it's gotten significantly better over the years. There's only a few things it doesn't back up, like text messages and app data, most of which you don't need.
The problem is very simple - the majority of people are technically illiterate. Apple and Google saw the Windows XP security fiasco, looked at how many people use smart phones today and decided that giving users any rights is not worth the risk.
Because they want to "protect" you from "yourself". Imagine, you could scrape your own data that you can already see.
I'd be really worried if the security of server operation for my bank depended on the client side. But playing devil's advocate, some people will most likely point out that a root exploit on a phone may be unintentional and used to spy on people, to which I answer:
Currently, option 2 is in effect, sadly.
The issue with option one is that scammers get old (or not technical) people to do stuff when they don't know what they're doing, and they click the box not knowing what they just did. So yes, very frequently they need to protect people from themselves because they're dumb, but I still expect banks to do business with those dumb people, sooo.... Option 2 it is.
Ok, but also, what tech illiterate person roots their phone?
Option 2 is not long for this world
As long as we have control over the software, it'll be there. If we reach the point where you're not allowed to own computers, we'll have bigger problems.
You deftly evaded the leading attack vector: social engineering. Root access means any app installed could potentially access sensitive banking. People really are sheep and need to be protected from themselves, in information security just like in anywhere else.
You don't get an "accept the risk" button because people don't actually take responsibility, or will click on those things without understanding the risk. Dunning-Kruger at play.
Why is this prevalent on Android but not desktop Linux? Most likely a combination of 1) Google made it trivially easy to turn on, and 2) the market share of Android is significantly large enough to make it a problem warranting a solution.
The fact that you know how to circumvent it is inconsequential to the math above. Spoiler: you never were nor ever will be the demographic for these products, in their design, testing, and feature prioritisation.
Root access means any app installed could potentially access sensitive banking
That's not how it works. Having a rooted phone does not turn it into a digital far west where every application can do anything. It becomes a permission like everything else; if you only grant it to safe stuff (like, for example, not granting root to a single app but using it to customize your phone through ADB), there's not much to see here.
The reason is very simple: they rely on Google SafetyNet (basically self-diagnosis), and that will immediately tell you off if it notices your device is rooted. And while you can have a lengthy discussion regarding whether this makes your phone less secure or not, this is another simple argument from Google's POV: the device has obviously been tampered with, we don't want to put any resources into covering this case. As far as we are concerned, you shouldn't use our OS like this.
So basically laziness.
SafetyNet is dead.
They rely on Play Integrity API.
That covers:
App binary signatures
App source corroboration - was it actually installed from the Play Store?
Android device attestation - is it a genuine device powered by Google Play Services?
Malware detection - Google Play Protect is enabled and has not seen known malware signatures.
They can choose to ignore any number of those, but they do not. It's part of their security reporting requirements to use attestation, I expect.
Beyond that - a device that doesn't meet Play Integrity is more likely to be a malicious actor than it is to be a tech enthusiast with a rooted phone: one of them is far more prevalent than the other in terms of device usage.
Android apps are trivial to reverse engineer, inject code into and generally manipulate. That lets apps like ReVanced work the way they do... but that also means that blue team developers have a lot more work to do to protect app code.
Source - Android App Developer, worked on apps with high level security audits (like banking apps).
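As an added example (not code from the thread or from any bank), here is how a bank's backend might evaluate a decoded Play Integrity verdict against the four checks listed in the comment above, plus the replay checks (nonce, package name, timestamp) that make the verdict meaningful server-side. The field names follow Google's published verdict format; the package name, nonce, certificate digest, and policy thresholds are constructed for this example.

```python
import json

# Constructed sample of a decoded Play Integrity verdict payload.
# Field names follow Google's documented format; all values are made up.
SAMPLE_VERDICT = json.dumps({
    "requestDetails": {
        "requestPackageName": "com.example.bank",
        "nonce": "c29tZS1yYW5kb20tbm9uY2U",
        "timestampMillis": "1700000000000",
    },
    "appIntegrity": {
        "appRecognitionVerdict": "PLAY_RECOGNIZED",
        "packageName": "com.example.bank",
        "certificateSha256Digest": ["PLACEHOLDER_RELEASE_KEY_DIGEST"],
        "versionCode": "42",
    },
    "deviceIntegrity": {
        "deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"],
    },
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
    "environmentDetails": {"playProtectVerdict": "NO_ISSUES"},
})

MAX_TOKEN_AGE_MS = 5 * 60 * 1000  # policy choice for this example: 5 minutes


def with_device_verdict(payload: str, verdicts: list) -> str:
    """Return a copy of the payload with a different device verdict (for testing)."""
    v = json.loads(payload)
    v["deviceIntegrity"]["deviceRecognitionVerdict"] = verdicts
    return json.dumps(v)


def evaluate_verdict(payload: str, expected_package: str, expected_nonce: str,
                     release_digests: set, now_ms: int) -> list:
    """Return the list of reasons to refuse the session; an empty list means accept."""
    v = json.loads(payload)
    reasons = []

    # Replay protection: the nonce must be the one this server issued for this
    # login attempt, the verdict must be about our package, and it must be fresh.
    req = v.get("requestDetails", {})
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch (possible replayed token)")
    if req.get("requestPackageName") != expected_package:
        reasons.append("verdict was requested for a different package")
    ts = int(req.get("timestampMillis", "0"))
    if ts > now_ms or now_ms - ts > MAX_TOKEN_AGE_MS:
        reasons.append("token timestamp too old or in the future")

    # App binary signature + app source: Play must recognise the binary, and the
    # signing certificate must be the bank's own release key.
    app = v.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app binary not recognised by Play (repackaged or sideloaded)")
    if not set(app.get("certificateSha256Digest", [])) & release_digests:
        reasons.append("signing certificate does not match the release key")

    # Device attestation: rooted or custom-ROM devices typically lack DEVICE integrity.
    device = set(v.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    if "MEETS_DEVICE_INTEGRITY" not in device:
        reasons.append("device does not meet DEVICE integrity")

    # Licensing and malware detection (Play Protect) verdicts.
    if v.get("accountDetails", {}).get("appLicensingVerdict") != "LICENSED":
        reasons.append("app not licensed to this Play account")
    protect = v.get("environmentDetails", {}).get("playProtectVerdict", "UNEVALUATED")
    if protect in {"MEDIUM_RISK", "HIGH_RISK"}:
        reasons.append(f"Play Protect reports {protect}")
    return reasons
```

In production the payload would come from Google's decryption/verification step rather than from a constant, and a nonce would be consumed exactly once.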
The banking apps I've tried don't require SafetyNet; instead they use Android AOSP's basicIntegrity. The latter doesn't require certification by Google, but also checks whether the device is rooted and the bootloader is locked.
This means custom ROMs on most devices won't pass basicIntegrity, as only Google Pixel, OnePlus and Fairphone allow for relocking the bootloader.
OnePlus no longer supports that as of ColorOS OxygenOS 12 unfortunately.
Google and Apple have been very successful at convincing everyone, including banks, to see the idea of users having control over their own phone-like computers as dangerous.
Next thing you know, banks will try to convince their clients that they really don't need to access all their money.
Banks when you use a browser 3 years of updates behind on Windows XP with multiple unpatched CPU vulnerabilities:
Old, insecure browsers are rejected too.
Because, as per usual, they don't understand security. I have started choosing my bank based on the software they have. If the software looks competent, that's my most significant influence.
They think rooted device = insecure device, but at the same time a PC is even less secure, and yet all the business users use them and, more to the point, have passwords written on a sticky note glued to the screen. My old bank at one point "upgraded" their software system and then started asking me for weird characters in the password and then asked for a maximum length, which was the final sin I allowed them to commit. Left them that week.
My bank keeps their app up to date with all the latest anti-root stuff but allows passwords made of 5 digits. ¯\_(ツ)_/¯
Unless they've changed it very recently, PayPal still limits your password to 20 characters.
Ah, that's the "your problem" approach to security.
Does your bank have a Linux application? Of course not, you're using the website. So why not use the website on your phone?
Most of the mobile sites I visited seemed to have only one goal: to get you to use the app, and the mobile interface is often so bad that you'd better use the app.
Many banks require use of the app, regardless.
And desktop mode doesn't help?
Mobile web interfaces for banks are complete shit, and often can't be circumvented.
I was once working for a project in a bank; a developer answered me as to why they go app only: because "you don't know what people do with their browser".
It's only about the feeling of control (and some paranoia), not about security.
What I find interesting is that my bank has kind of the opposite stance. It allows you to do a lot more things if you log in via their website, and I think they overall trust your actions more if you do it over the browser, but you are required to pass a lot more security checks, while on the app a PIN is enough, but it also doesn't allow you to do as much.
It's not just root. They would prefer you not to have a custom keyboard either.
That's actually got a solid reason behind it.
It's because the OSK is just another program as far as Android is concerned. It can't directly look into the application, per Android specifications, but it CAN record key presses, even for passwords. It even receives context hints based on the metadata on the input box, so it knows when you're putting in a password. Then it can send your data off to unknown servers.
That's a bit ironic, seeing how the default keyboard on most phones is a privacy nightmare.
I can't believe I'm saying this, but thank God my country's developers are incompetent.
I was greeted with this message: "This app can't be used on a rooted device". And I was prepared to go through hoops to get it to work. You know, fucking SafetyNet and all. But it turns out that the solution was just enabling Zygisk on Magisk.
Same, hiding root from my bank app was easy, no SafetyNet needed.
But their NFC phone payment was something else. I had to use SafetyNet and Google Play Integrity fix with a fingerprint that needs to be renewed and other bullshit. I sent my phone into a boot loop too, because the latest version had a bug for my specific phone...
My bank app had this and I had to go through quite a lot of hoops. Then I didn't have root for a while (new phone) and when I got root again I also only needed to enable Zygisk for it to work. So I guess they changed it?
Zygisk is a way of hiding the fact that you have root access. Likely your bank changed absolutely nothing.
What does Zygisk do?
It's just a technique that prevents selected apps from knowing that you have root access instead of just denying them the privileges.
I was disappointed they didn't actually restrict the app for rooted devices.
Yeah.... in a way I was both happy and disappointed.
Lmao, same.
I am both happy and slightly worried. Hapied?
You legend
My bank doesn't know for some reason. I don't even pass (as femme, but that's not relevant) SafetyNet, but it doesn't seem to care. Sadly can't pay with my phone or watch tho.
Let's be real here. Folks running Linux as their desktop have a high chance of knowing what they are actually doing. Folks with rooted Android phones have a high chance of having watched a 12 year old tell them how to root their phone on TikTok. Which of these groups is participating in the more risky activity?
This is the real problem.
Far too many people with rooted phones having no business with a rooted phone, installing whatever from wherever with no regard to the security implications.
At least people with root on a Linux system, by default, are going to be more knowledgeable in that regard.
12 year old tell them how to root their phone on TikTok
The real pros learn from Indian guys on YouTube.
Risky for who?
Can't tell if this is a serious question or not, but for the end user. Lemmy is a bit of a technical microcosm, so while we might not want protection from ourselves, the MAJORITY of people out there are not technically savvy. So while not everyone has a Linux workstation (let's assume 2-3% based on some reporting), Android has an approximate 70% worldwide market share. So that means the VAST majority of people running Android probably can't be trusted to plug in a toaster correctly. This is the same reason there are guardrails on roads with steep embankments.
Both parties.
The last time I rooted my phone, I used a sketchy app I downloaded from megaupload (man, I'm getting old) that may or may not have given that phone superherpes. You are not wrong.
Maybe it's just me, but isn't it quite hard (at least for people not confident doing technical stuff) to root a phone?
Like a decade ago the bootloader may have been unlocked by default, and for many phones there were exploits so that they could be rooted with an app, but nowadays you would have to:
I guess there are usually detailed instructions for this, but I doubt that most people rooting their phones now would be non-techie people who are just watching generic online tutorials. They would most likely stumble upon XDA or other forums that would have proper instructions. And even then, they are not very beginner friendly, as they aren't usually supposed to be followed by people with little to no experience with using the command line, drivers, how Android phones work internally, etc.
Making my point for me. Those short form videos have very little chance of being right or accurate. They may have you going to some sketchy link and downloading an app that is supposed to do it for you, etc etc.
My point is the people at risk don't know they are participating in a risky activity (whether they successfully rooted their phone or not).
I unrooted my phone because Google making things harder every time was just not worth the benefit to me anymore.
But what about those of us who are running degoogled GrapheneOS?
I think you probably fall into that 3% I talked about in my other comment. I bet you know how to block apps from detecting root too, so probably not a good faith argument.
Btw, have you guys heard of Taler? It's pretty interesting and I think you will be able to use it with a libre app.
NGI TALER is a pilot funded by the European Commission and the Swiss State with the very concrete objective to roll out a new, best-in-class electronic payment system that benefits everyone: people, merchants, banks, financial authorities, auditors and anti-corruption researchers. The project doesn't have to start from scratch either, but builds on the strong foundations of GNU Taler — the privacy-preserving digital payment system developed by the GNU community and Taler Systems SA with support from the NGI initiative. This offers privacy for those that make payments, while enforcing transparency on those that sell. By providing micro payments at very low overhead, GNU Taler permits internet business models to shift away from advertising revenue or subscription models, especially for online publishers. No-risk transactions can lower transaction fees and open online payments for the underbanked population and citizens marginalized from digitalisation.
I tried reading the website, but I'm not really sure I get it. What is it supposed to be? A way to make fiat payments that's open-sourced and private (so you don't have to pay stupid fees to banks), and it integrates into the current banking system, or is it some kind of digital currency that's not blockchain based?
If it's the former - isn't any kind of payment without KYC almost impossible, since it's heavily regulated? So, you can't really have private payments in an environment where there's a stupid amount of laws about how much you can actually pay without it being identifiable, for example the super small monthly limit on anonymous prepaid debit cards.
It's not a currency - just a new payment system, but I don't know how it works exactly. In order to make payments with it, your bank has to support it. Some banks are working on integrating it now. It's supposed to be anonymous, and the transaction history is supposed to be private. Currently only cryptocurrency has such features, but it looks like Taler will change that.
Oh, I see. Oh well.
Can I send money to my friends with Taler? Taler supports push and pull payments between wallets (also known as peer-to-peer payments). While the payment appears to be directly between wallets, technically the operation is intermediated by the payment service provider which will typically be legally required to identify the recipient of the funds before allowing the transaction to complete.
I played around with GNU Taler a while back. The payer is anonymous but verifiable (so I can't pay with the same €3 ten times to ten people) but the recipient is known and the payment connected with the recipient, to satisfy avoiding tax evasion and fraud.
It still anticipates merchants taking some fee, but that fee should be able to be much less, as it doesn't depend on a blockchain (requiring so much work) but on a suitable cryptographic algorithm, so 3rd party merchants can compete.
It's the banking equivalent of turning your device off for aircraft take-off and landing.
If you keep doing stupid shit for long enough you can turn it into a religion. Huge profits will follow. It's also why the unexamined life is no life at all.
bUt sEcuRiteeeEeeeEEE
There is no banking app for authenticating transactions for desktops?
Web browsers.
Edit: Nevermind, I don't know what this even is.
At least in the EU web browsers don't allow for authenticating transactions (beyond a limit of e.g. 30€). Either an additional authenticator app or a standalone card reader is mandatory.
Luckily my banking apps work flawlessly on GrapheneOS and even microG, likely because they care about the bootloader being locked again.
Not for authentication. No idea if this is not a thing, but banks here in Germany all have their weird proprietary TOTP app that checks if your device is rooted, or now even if it is a "Google certified OS".
You can use some weird hardware device instead with the obvious drawbacks.
Your browser?
Rooted mobile devices are a reasonable signal they have been hacked and security features might be disabled or not work as expected.
It's not just banks; a lot of corporate security policies don't allow rooted devices, as they could bypass mobile device management policies for devices owned by the company.
With laptops it’s a different story. Whether users have Mac, Linux or Windows, there’s a reasonable chance they have admin access too, so checking for root access is not such a useful signal there.
Rooted mobile devices are a reasonable signal they have been hacked and security features might be disabled or not work as expected.
Rooted mobile devices are a reasonable signal that someone wants to actually own what they buy, and corporations want to make sure as few people think that as possible.
Windows/macOS/Linux are designed around the fact that the person managing the device has root access; Android and iOS are designed around no one having root access.
Sure, it's fine to mess around with a rooted phone and look at what's inside, but essentially for your daily operations having a rooted phone is an unnecessary security risk.
So just warn the user that it's their own responsibility and all claims are waived, instead of just saying "no"?
There is a parallel with masking. The bank values the safety of the whole rather than the freedom to root for an individual. You stand to lose only your own bank balance. The bank stands to lose the funds of every rooted phone that contains a banking app exploit targeting them.
I just want my bank to allow me to use some other form of authentication besides just a password.
I just want my bank to accidentally deposit $1m into my account.
Oh yeah? How about SMS? Or you can install this proprietary Symantec bullshit!
"Magisk hide" doing fine for me tho
I said I have no smartphone and they gave me the same app for Windows or Mac, after asking two or more times. It has run in VirtualBox for years now. (I know, I know. KVM would work better, but I don't change it as long as it works.)
I just use a web browser on my laptop, never use mobile banking apps at all. I have accounts with more than 3 financial institutions and this works fine for all.
Google/Linux == Android?
Actually it's phone OEM googled AOSP Linux, or as I've started calling it, OEM+Google+AOSP/Linux /s
Googled Android or "Google/AOSP" is probably correct.
Not only rooted. If you have a de-googled Android image like LineageOS, CalyxOS, iodé, etc.... it also detects it as rooted, even if it's not.
Probably a "safety net" thing, which depends on Play Services' binary blobs (which is spyware btw) and empty promises from Google.
Your bank most likely has an app on mobile. If you have Root and Xposed you can do crazy things to that app (and your phone). You don't use an app on a PC, you use their website.
Yeah, but that's on you.
It's not like you can use a hacked app to give you free money, unless they're doing something completely absurd like relying on client side security.
It's not to stop you from abusing their systems, but to stop scam victims from being screwed.
One easy example is that you can get around the "no screenshots" lock many bank apps use with root, allowing you to potentially expose security vital information to people.
Should those of us who know what we're doing be allowed? Maybe.
But it's there to protect the old people who will run the .exe that's designed to root their phone and then let them hand over data that would otherwise be locked down, so that doesn't happen just because someone called them and said they're from the bank.
Most bank apps nowadays are just a webview wrapper over their web app. And they only have two reasons to maintain that app: to be able to make contactless payments with the phone, and to farm your contacts (supposedly for easier money transfers).
There is no banking app for authenticating transactions for desktops?
Banks and Uma Musume. Uma Musume also gets mad if you don't pass Device Integrity.
Is there a list of banks that do this? Some don't ban root users. Or at least some don't do as good a job as others at detecting it. Magisk has at least some kind of root hiding stuff in it.
First time I'm hearing of it.
I don't bank on my phone.
Because you use the root account on Linux occasionally to do one thing, but when you've got a rooted phone everything is done with the root account.