The first is that your phone is not compromised. In this case there is no other app trying to steal your bank's authentication token. This is true regardless of which OS you use or whether you have magisk installed or what other code you put on your phone that isn't trying to steal your bank's authentication token.
The second is that your phone is compromised. Then what prevents the device from capturing your bank credentials is the same as if you use a compromised phone running Google Android: Nothing. If you enter your bank credentials into a compromised phone, the attacker gets them. Attestation can't prevent this because the phone is compromised, so the login screen isn't from a bank app that requires attestation, it's from a scam app which is exfiltrating your credentials.
This is far from the truth assuming by compromised you mean that the user has installed a malicous app. Android has proper sandboxing which means that other apps can't read the token owned by the bank app. This is part of the Android security model and attestation is evidence that the Android security model is being enforced. Phishing apps are different from an app that steals existing authentication tokens on the device.
> Android has proper sandboxing which means that other apps can't read the token owned by the bank app.
Let's consider this alternative as well:
Scenario 1: Device has no malicious code at all; same as scenario 1 before.
Scenario 2: Device has a malicious app but the malicious app doesn't have root and the OS (regardless of whether it's Android or something else) enforces proper sandboxing. The malicious app can't extract the bank authentication token regardless of attestation.
Scenario 3: Device is fully compromised; malicious code has root. Same as before, if you enter your credentials into this device the attacker gets them.
The problem is that the only useful thing for attestation to do is to distinguish between 1 or 2 vs. 3, but that's the thing it can't do because if the malicious code is privileged it can replace the bank app with one that exfiltrates the credentials without requiring attestation, so the only cases where attestation is happening are the ones where it isn't needed.
That's the point. The device being compromised to the point that malicious code is actually meddling with the bank app is the only time that having it fail attestation would be useful. The other cases are useless/vexing false positives. But attestation doesn't happen in the one case it would be useful because then the attacker-controlled code won't even attempt to do it, it will just exfiltrate the user's credentials to the attacker.
You aren't responding to the scenario that was posed. You're assuming an isolated compromised app on an otherwise clean device. GP is assuming a compromised device.
Of course attestation does nothing to improve the "single compromised app" case since (assuming Android) that goes nowhere either way. The only thing attestation does is meddle in end user affairs.
And now you're being intentionally difficult. Please interpret things in the most plausible manner. Beyond common decency, it's part of the site guidelines.
By "not compromised" GP clearly meant a scenario where no malicious apps are present.
I agree that's a serious omission. I responded to your scenario (a nonzero number of malicious apps) in my earlier comment. Any Android device will defend against that regardless of the presence of attestation.
Any non-android device can still use online banking and thus attestation doesn't appear to accomplish anything legitimate. Building out proper support for hardware tokens would provide superior security in approximately all cases.
The specific "root on android" scenario isn't generally a concern. Typical implementations require explicitly granting the capability to a given app. A malicious app can't gain it without fooling the user, at which point it could more easily phish the credentials and possibly even proxy an entire session.
>Please interpret things in the most plausible manner.
Your suggestion is not plausible as every security feature has 0 security value if there is nothing malicous. It would be like someone saying that antivirus is useless because if someone doesn't have a virus then it doesn't do anything.
>Any Android device will defend against that regardless of the presence of attestation.
Rooted android devices can be set up in a way that malicous apps can gain root and then read it.
>Any non-android device can still use online banking
But this comes with a different risk profile. A bank can reduce risk for a subset of their customers.
>Building out proper support for hardware tokens would provide superior security in approximately all cases.
I think usually the hardware token gains you access to an authentication token. You don't sign every request you are making with a hardware only key.
>Typical implementations require explicitly granting the capability to a given app.
And the majority of users have no clue what an app is able to do. If root is given to it then it can do anything. This is in contrast to when root isn't available and users are protected by the sandbox the app is in.
What's protecting me when I do online banking in the browser, which I can do using more or less any device? The answer is that targeted attacks against the average middle to lower class individual are rare enough that there are far more worthwhile things to worry about. Such as the vast majority of banks (at least in the US) not supporting hardware tokens.
Not in the US, at least so far. If that were ever to come to pass I would be in danger of becoming unbanked. I flatly refuse to install third party proprietary software on my phone (I grudgingly accept firmware blobs for lack of a realistic alternative).
Here the majority continue to use SMS based 2FA rather than supporting TOTP or hardware tokens.
Note that TOTP can be handled by any app of the user's choosing, doesn't facilitate attestation or any other user hostile practices, and in practice means that an attack requires physical theft of the device. While the theory might differ, in practice the effective security level is equivalent to other (objectionable) schemes.
> Note that TOTP can be handled by any app of the user's choosing
The banks are probably using the same standard behind the scenes, but they don't allow alternate TOTP apps. There's no point where they give you a key to set it up in an alternate app.
I suppose part of the point is a lack of trust in users' ability to handle their own security, and the possibility that they may provide such a key to a compromised TOTP app.
> hardware tokens
It'd be excellent if banks moved back to purpose-specific hardware like that. Even better if it were some standard with multiple providers, like FIDO2.
Yes FIDO2 would be ideal. The stuff about TOTP was a digression regarding the relative security levels between the two. The extra hardware doesn't provide any practical benefit (at least IMO) for the typical person running a FOSS authenticator app on a mobile device with an up-to-date OS. Obviously if you're something like a high volume day trader then it might be a different story but the venerable $5 wrench attack still applies so even then it seems pretty questionable to me.
> The extra hardware doesn't provide any practical benefit (at least IMO) for the typical person running a FOSS authenticator app on a mobile device with an up-to-date OS.
For the user (and in the context of Pinephones), the benefit would lie in getting banks out of their phones. Banks want a device that's not under the control of the user to use as 2FA. A dedicated hardware key would be a compromise for that. They used to give them out, but I pessimistically imagine that today they might prefer to lose a customer.
And what does that buy you? The user goes to the bank website in a compromised browser, attacker gets their password. Bank sends a code to their phone, user types the code into the compromised browser, attacker gets the code.
The first is that your phone is not compromised. In this case there is no other app trying to steal your bank's authentication token. This is true regardless of which OS you use or whether you have magisk installed or what other code you put on your phone that isn't trying to steal your bank's authentication token.
The second is that your phone is compromised. Then what prevents the device from capturing your bank credentials is the same as if you use a compromised phone running Google Android: Nothing. If you enter your bank credentials into a compromised phone, the attacker gets them. Attestation can't prevent this because the phone is compromised, so the login screen isn't from a bank app that requires attestation, it's from a scam app which is exfiltrating your credentials.