[fiso64]

I'm actually confused about why banks are so aggressive in denying users the ability to use their apps while rooted. Unlike Google and Apple I can't think of any financial incentives for this, and the security argument is quite obviously nonsense, as I don't think there has been a single person in history who managed to fall for a scam that made them follow the complicated procedure of rooting a smartphone. Nevertheless there is a clear continuous effort in developing new root detection methods to keep me from using their apps.

[whs]

I believe the root detection is a form of security-by-obscurity. Bank applications are required to be obfuscated, so you can't simply statically decompile them. The other way to do that is to run the app and set runtime breakpoints, which you can't do on production firmware.

Once the application is decompiled the attacker then can proceed to pentest the bank backend, or find any frontend-only security measures to bypass. One attack I heard in local news is not even a hack at all - they simply make script that use the mobile application API to automatically move money between sock puppet bank accounts. Once a victim get scammed, the money move around quickly. For privacy banks do not provide information about unrelated cross-bank transfers so even cops can't easily trace the multiple hops. That specific bank got in the news for that "weak security"

[yason]

Security of banking shouldn't depend on the client software, it should be enforced at the interface the clients use to talk to the bank. It shouldn't matter whether the banking app can be disassembled or not. As much as I detest browser-based authentication in general online banking websites got it right: you just use a browser (and it's in your best interest to use a trusted browser -- one trusted by you) but all the bank cares about is that the user has the necessary pieces for authentication, be it numerical codes, passwords, and 2FA tokens. The browser doesn't have to be a bank-signed edition of MS Edge, it can be Firefox or even a browser you wrote yourself. But a banking app is basically a black box that you would have to allow to run in your system in order for the bank to talk with the software the bank itself trusts.

[adolph]

> to fall for a scam that made them follow the complicated procedure of rooting

If you are unable to imagine how a 3rd party might root a device without the principal being aware of it, then maybe it is a shortcoming of your risk survey, not theirs.

[pimterry]

Rooting an Android device generally requires completely wiping it and reinstalling the OS. It's quite impractical to do secretly!

I think in any scenario where the principal can do that without you noticing (which means things like reinstalling & logging you back into all your apps, logging the device into your google account successfully, restoring all your device settings, re-adding your fingerprint or device pin to unlock the device, etc) then it's game over regardless. If they can do that, they could get into your bank app anyway, or they could easily just replace your phone with another one entirely, and now you're just logging into your bank on a stranger's phone.

Barring a _very_ major Android zero-day (which probably would evade attestation anyway) unexpected rooting of your device is really not a plausible attack scenario.