Hacker News new | ask | show | jobs
by zbrozek 1698 days ago
Google provides attestation and it's a constant cat-and-mouse game that the rooters are usually losing.

Websites can't tell, but lots of companies don't provide equivalent functionality via website. I know I can't upload check images for remote deposit unless I use the native banking app.
1 comments
IvanAchlaqullah 1698 days ago
It's called SafetyNet [1]

What irked me is sometime app developers are abusing it without asking themself "Does this app really need to check for rooted phones at all?"

I'm okay if banks apps are using that. But why does fast foods apps need to use that? Most people that I know are paying with cash when they order foods online (and you can't hack paper money with rooted android phones).

[1] https://developer.android.com/training/safetynet/attestation

link
josephcsible 1698 days ago
Here's a question I'd love for Google to answer: why do you need their special blessing to be able to make a file manager app, but not an app that uses SafetyNet?
link
rossy 1698 days ago
> I'm okay if banks apps are using that.

I'm not okay with it, to be honest. It's my money, and I trust a rooted LineageOS with it much more than I trust the default firmware of most phones. Besides, my bank lets you do the same operations from their website that you can do with the app, so in my case it's pure inconvenience, not security.

link
blibble 1698 days ago
probably becomes a tick on an auditor's checklist

like having to rotate your password every 3 weeks and requiring 4 special characters/...

link
ryanlol 1698 days ago
Platforms like deliveroo have lost tens of millions to fraud, I don’t blame them for enforcing safetynet.

Perhaps “food delivery” means pizza to you, but there are many places where it also includes thousand dollar bottles of wine.

link
zbrozek 1698 days ago
Could you explain how the locked-down phone is protection against fraud here?
link
novok 1698 days ago
Statistically people who do payment fraud crap use rooted phones more, probably to help with things like location spoofing to get around other fraud detection methods when apps use third party payment libraries, so you reduce your fraud cost with something that is a few lines of code. The cost/benefit ratio is too good which is why you see it everywhere that has a payment fraud risk of some sort.
link
ryanlol 1697 days ago
This way they can permanently ban your device. Fraud detection stuff works better too, but it’s mostly about the first.

Fraud becomes significantly less profitable and more of a pain in the ass if you need to set up a new phone for each account.

link