by arun-mani-j 845 days ago
Can someone explain what "security mechanisms" an Android phone has built in that are "destroyed" when a phone is rooted or a custom ROM is installed, such that banking apps, etc. refuse to open?

If I understand right, rooting means getting administrative privileges like using sudo. But can't they be turned off even after flashing a custom ROM? If yes, then why do those apps refuse to work if the phone uses a custom ROM, irrespective of rooting status?

(I'm a newbie to the custom ROM concept, so my assumptions above could be massively wrong :) )

3 comments

Google's SafetyNet works by downloading a frequently updating and obfuscated binary from Google and running it with the highest possible privileges (ARM TrustZone on modern phones, bypasses the kernel), which then verifies the integrity of your system against a Google-vetted list, preventing any sort of modification, root or not.

This is going to become nigh-impossible to bypass in the future as the binary is encrypted and verifies its signature, and encrypts the response with device-specific keys only available in TrustZone. The current bypasses involve spoofing the unavailability of TrustZone.

There's a thing called Trusted Execution Environments. They're provisioned by the phone manufacturer, which is why most people who play with ROMs aren't familiar with them either. But they're heavily related to TPMs.

Basically, TEEs allow code to be executed that the OS has no control over, and the OS cannot hope to even touch the memory; it's hardware-separated by the SoC (system on chip). There are cryptographic accelerators which can be used to sign and encrypt things, which again the OS has no ability to see, and secrets can be held in ways that the OS can never touch.

Use of the TEE depends on the bootloader being signed and the OS boot process being authenticated. There are other aspects around Android as well, not specifically related to TEE, around user processes never being able to have privileged access, but TEE is a less known part of the modern Android ecosystem.

Because:

a. Being rooted or in other abnormal device states is (perceived to be?) associated with fraud against the service provider. That's because it's hard to tell the difference between a device in which only the legit user has control, and one that's been remotely rooted by malware (in theory this can be done by using remote attestation but this requires a non-rootable supervisor layer to do that protocol, so you end up going around in circles as root is then not really root).

b. Users not having root means the service provider can (to some extent) reason about how the app will behave regardless of user wishes, which makes it easier to suppress abuse. As Google explain clearly in the article, this is done as an anti-spam measure. If the user doesn't have root then the OS can block automation of the app, protect signing keys, do remote attestations etc and that makes spamming much harder (you can't emulate the protocol). If the user has root then they can just inject code into the RCS app's address space and control it directly.

Consider also why games consoles don't give you root. It's because gaming is a two or three or even four sided transaction (gamer, game developer, console developer who sells at a loss and makes it up on licensing fees, other gamers on multiplayer). If you privilege one party over all the others then the ecosystem fails, so every successful platform exercises tight control over the purchaser of the hardware to ensure the other parties involved have their needs also respected.
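The remote attestation idea that the comments above describe (a key held where the OS cannot read it, signing a report of the booted system that a server then checks) can be sketched as follows. This is an added example, not code from the thread or from Google; `ToyTEE`, `server_verify` and every value are hypothetical, and a shared HMAC key stands in for the per-device asymmetric keys real hardware uses.

```python
import hashlib, hmac, json, os

# Constructed sample values. A shared HMAC key is an assumption made to stay
# stdlib-only; real devices sign with a manufacturer-certified private key.
DEVICE_KEY = hashlib.sha256(b"constructed-device-key").digest()
STOCK = hashlib.sha256(b"stock-rom-image").hexdigest()    # vetted image
CUSTOM = hashlib.sha256(b"custom-rom-image").hexdigest()  # unknown image
TRUSTED_BOOT_HASHES = {STOCK}

class ToyTEE:
    """Stand-in for the TEE: the OS may call attest() but never sees the key."""
    def __init__(self, key, measured_boot_hash):
        self.__key = key
        self.__boot = measured_boot_hash  # recorded by the verified boot chain

    def attest(self, nonce):
        body = json.dumps({"nonce": nonce.hex(), "boot": self.__boot},
                          sort_keys=True).encode()
        return body, hmac.new(self.__key, body, hashlib.sha256).hexdigest()

def server_verify(body, tag, expected_nonce, key=DEVICE_KEY):
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "reject: bad signature"
    claims = json.loads(body)
    if claims["nonce"] != expected_nonce.hex():
        return "reject: stale or replayed nonce"
    if claims["boot"] not in TRUSTED_BOOT_HASHES:
        return "reject: unrecognized system image"
    return "accept"

def demo():
    n1, n2 = os.urandom(16), os.urandom(16)
    good = ToyTEE(DEVICE_KEY, STOCK).attest(n1)
    body, tag = ToyTEE(DEVICE_KEY, CUSTOM).attest(n2)
    # An OS-level edit of the report cannot be re-signed without the key.
    forged = body.replace(CUSTOM.encode(), STOCK.encode())
    return {
        "stock": server_verify(*good, n1),
        "custom_rom": server_verify(body, tag, n2),
        "forged": server_verify(forged, tag, n2),
        "replay": server_verify(*good, n2),
    }

if __name__ == "__main__":
    print(demo())
```

The custom ROM case is rejected even though nothing in it runs as root, because the server is checking the measured system image, not the privilege level of any process.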