by AnthonyMouse 300 days ago
> It would be like someone saying that antivirus is useless because if someone doesn't have a virus then it doesn't do anything.

Suppose you have an "antivirus" program that works like this: The system makes a list of every program that runs as root during boot and then at the end of boot the antivirus program checks the list for unexpected programs and if it finds any it displays an error and refuses to display the login prompt to prevent the user from typing their password into a compromised device.

That "antivirus" system is useless, because if a malicious program did run as root during boot then it could just reconfigure the system to display the login prompt unconditionally.

The way attestation is nominally supposed to work is that a remote system cryptographically verifies the state of the local machine before giving it some secret. But that doesn't work in this case because the secret -- the thing that allows the user to sign in -- is coming from the local user rather than a remote machine. The attacker doesn't need to perform attestation or retrieve anything from a remote machine in order to display a local login prompt and collect the user's credentials, and that's the end of the game.

> Rooted android devices can be set up in a way that malicious apps can gain root and then read it.

So can PCs, or various non-rooted android devices that bank apps run on even though they have known unpatched vulnerabilities.

> But this comes with a different risk profile. A bank can reduce risk for a subset of their customers.

How is it reducing risk for anyone? Each person still has the same risk profile as before. The person with a locked Android device still has a locked Android device; the person with an unlocked Android device is now forced to use a PC, which is an inconvenience with no security advantage.
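
A minimal model of the distinction drawn in the comment above, added as an example and not part of the thread: a remote verifier that releases a secret only after checking a fresh, authenticated boot measurement, next to a local-only gate whose verdict is computed on the machine being judged. All names and values are constructed, and HMAC with a shared key stands in for a hardware-backed signature.

```python
import hashlib, hmac, secrets

# Constructed value: digest of the boot chain the verifier expects.
GOOD = hashlib.sha256(b"expected boot chain").hexdigest()

class Device:
    """Model device; the key stands in for a hardware-held attestation key."""
    def __init__(self, key, boot_chain):
        self._key = key
        self.measurement = hashlib.sha256(boot_chain).hexdigest()

    def quote(self, nonce):
        # Hardware authenticates (nonce, measurement); HMAC stands in for a signature.
        tag = hmac.new(self._key, nonce + self.measurement.encode(), hashlib.sha256)
        return self.measurement, tag.digest()

class RemoteVerifier:
    """Holds the secret off-device and makes the decision on its own hardware."""
    def __init__(self, key, secret):
        self._key, self._secret, self._pending = key, secret, set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def release(self, nonce, measurement, tag):
        if nonce not in self._pending:
            return None                      # unknown or replayed nonce
        self._pending.discard(nonce)         # each nonce is single use
        good = hmac.new(self._key, nonce + measurement.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good) or measurement != GOOD:
            return None
        return self._secret

def attest_and_fetch(device, verifier):
    nonce = verifier.challenge()
    return verifier.release(nonce, *device.quote(nonce))

def local_gate_allows_prompt(device, gate_intact):
    # Local-only check: the verdict is computed by the machine being judged,
    # so software that ran as root during boot can replace it (gate_intact=False).
    return device.measurement == GOOD if gate_intact else True
```
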


Just because an antivirus isn't perfect that doesn't mean it's useless.

A bank may not want to put in the extra effort of supporting 3 platforms of secure phones, insecure phones, and insecure web and would prefer to support less and potentially drop features from the web platform.

> Just because an antivirus isn't perfect that doesn't mean it's useless.

If the security of your system depends on the attacker not doing something the attacker can easily do, it's useless.

> A bank may not want to put in the extra effort of supporting 3 platforms of secure phones, insecure phones, and insecure web and would prefer to support less and potentially drop features from the web platform.

So now we've gone from some kind of hypothetical security benefit to "banks don't support that because they're lazy". Except that adding support for attestation is work they do for no reason, because the people using locked phones are still using locked phones and preventing people with unlocked phones from using them instead of the web page is paying to do work only in order to cause customers trouble.