by AnthonyMouse 294 days ago
> Android has proper sandboxing which means that other apps can't read the token owned by the bank app.

Let's consider this alternative as well:

Scenario 1: Device has no malicious code at all; same as scenario 1 before.

Scenario 2: Device has a malicious app but the malicious app doesn't have root and the OS (regardless of whether it's Android or something else) enforces proper sandboxing. The malicious app can't extract the bank authentication token regardless of attestation.

Scenario 3: Device is fully compromised; malicious code has root. Same as before, if you enter your credentials into this device the attacker gets them.

The problem is that the only useful thing for attestation to do is to distinguish between 1 or 2 vs. 3, but that's the thing it can't do because if the malicious code is privileged it can replace the bank app with one that exfiltrates the credentials without requiring attestation, so the only cases where attestation is happening are the ones where it isn't needed.


If the device is fully compromised then it can just take the authentication token. It's already game over.

That's the point. The device being compromised to the point that malicious code is actually meddling with the bank app is the only time that having it fail attestation would be useful. The other cases are useless/vexing false positives. But attestation doesn't happen in the one case it would be useful because then the attacker-controlled code won't even attempt to do it; it will just exfiltrate the user's credentials to the attacker.