Crafting a fake login page in your app is a totally different problem than transparently proxying the web interface.
First, if you copy the login page, those assets are in the APK. This is easily detectable by Bouncer and allows those apps to be denied (this happens today).
Second, stealing the assets opens the app up to DMCA takedown, which also happens today.
Third, and most importantly, if you reverse proxy the page then the app will appear to users to actually work. This is crucial for the bad actor as it keeps the app from having a low rating in the App Store for not working. When they just steal the login page, the app gets downvoted quickly for being “broken”.
All of this adds up to making the bad actors have to work much harder, which is the goal.
> First, if you copy the login page, those assets are in the APK.
You don't need to store the assets in the APK if you can load a webpage.
> Third, and most importantly, if you reverse proxy the page then the app will appear to users to actually work. This is crucial for the bad actor
You don't need to show the working bank app if it isn't advertised as one. Name it "Government assistance program" with an "application process" requiring logging in with bank credentials (to confirm identity, because the bank knows who you are). Then you can make it more convincing by adding some bs forms and stuff like "your application will be processed in two weeks".
I saw this stuff already implemented and used. They can add as many integrity protection layers as they want, but it won't trigger one. So it looks like a measure to say "bank apps are safe now we are great guys" without real effect.
I'd say that it may increase login thefts because users may get a false impression that anything they install is safe now.