[taosx]

I really don't understand this. My line of thinking is that if someone is technical enough to root his phone he understands the risks. Why would they force banking apps to detect and not work on rooted phones? Why would the government care so much?

[lucb1e]

It's not to protect the user; it's DRM. Using a non-rooted phone means all apps get DRM for free. You can't simply press 'record screen' when the software sets a flag; you can't view the data that the app processes about you or make backups thereof; you can't control what the device does such as skipping any checks. Fraud detection and CAPTCHAs rely on security through obscurity.

> if someone is technical enough to root his phone he understands the risks

You're looking at this from the user's perspective. Indeed, the narrative is "for your safety, you cannot export your security tokens from your device's storage" or "software that runs as root can bypass all permissions, an attacker might exploit that!", as though users can't make that choice themselves on purchased-to-own hardware. Dropping privileges (https://en.wikipedia.org/wiki/Privilege_separation) has been a thing since as long as I'm alive. Don't be fooled that this "protection" is for you :(

[netc]

A phone given for repair by a non-technical person can be rooted without their knowledge. The repair person potentially can install malware. We cannot assume the owners of the rooted phone themselves have rooted the phone.

[aiiotnoodle]

Practically, verified boot is hard to not have a "this phone has been tampered with" message on boot, the backups generated often have encrypted user data that is usually wiped on boot-loader unlock, you'd also need to unlock the phone or have the user give the pin over and most of the apps that implement root checking SDKs would prevent them from working.

I'm not saying its impossible but it is hard to do at present in a way where if I came and picked up my phone again, I'd not know something happened to it.

[h4x0rr]

How would you root without resetting it?

[taosx]

backup, root, recover?

[yjftsjthsd-h]

The only ways I know to take a full backup of an Android device require it to already be at least bootloader unlocked. There are unprivileged ways to take backups, but they don't work for all apps.

[plst]

Assuming the owner gave the shop the pin. If so, the shop can already steal a lot of data from the phone. Why bother with persistent malware at this point?

You already have to trust the repair shop with your data. Installing persistent malware on phones is already illegal. What's the point of this extra software protection in this case? To prevent a 0.00001% chance hack? The type of hack that would put the repair men in jail?

Not to even mention that modern phones are basically unfixable.

[baal80spam]

> Why would the government care so much?

My guess is:

1. Person with rooted phone uses a bank app, is hacked, has their money stolen.

2. Guess where the person turns to for help? The government.

[cestith]

I think it has more to do with the phone being tied to an individual, the banking and spending activities being tied to the phone, and the government having some hardware attestation about how people are spending their money and with whom. If you root a phone, you can change things like the MAC addresses. You may be able to futz with a softSIM/eSIM. That makes you harder to track.

[basilikum]

I don't think this is actually happening. There is an enormous loss to scams mostly by tech illiterate people using the preinstalled operating system. I don't think the losses that involve user installed OSes are in any way significant.

[6thbit]

"detect unauthorized interference with the Mobile Banking application"

I wonder if this has become a feasible avenue for scammers to interfere via other apps they could convince someone to install on rooted phones. Or if they are worried about skilled people being able to debug/MITM and find vulnerabilities on the banks.

Though from that statement alone, sounds more of a measure to protect banks than customers.

[NoMoreNicksLeft]

>I really don't understand this. My line of thinking is that if someone is technical enough to root his phone he understands the risks.

But you do understand. If someone is technical enough to root their phone, then he is the risk.

[cough]Monero[cough]

[themafia]

It's a reliable signal for fraud. The legitimate users are simply noise against this backdrop. The police only think in one direction and never consider the broader consequences of their enforcement perogatives.

[unparagoned]

Like most people in this thread people who root their phones are clueless about how much of a security risk it is. So they are protecting people from making dangerous choices.

[rk06]

the idea is hackers in state sponsored countries can also root phones and have nefarous intentions.

banking is very risk averse area. and it is good precaution.

[bsimpson]

Vietnam is a one party state. Does the government control the banks?

[alephnerd]

Somewhat. The most popular banks are SOEs owned by ministries, but private sector banks that are local (eg. SCB) or foriegn like Shinhan or HSBC, along with private sector fintech is booming.

[bell-cot]

> My line of thinking is that if someone is technical enough to root his phone he understands the risks.

Kinda like the Wall Street concepts of "Accredited" and "Sophisticated" investors - who could never possibly fall for a Ponzi scammer like https://en.wikipedia.org/wiki/Bernie_Madoff ?

Not to say I'm a fan of Vietnam, or familiar with their ban - but when people are having their money stolen at scale, there's a very strong tendency to blame the gov't and/or financial system. And it's extremely rare for stolen-at-scale funds to not be "reinvested" in further criminal activities - which again, the gov't is expected to deal with.

[concinds]

> My line of thinking is that if someone is technical enough to root his phone he understands the risks.

That is a terrible assumption. I had a rooted phone when I was 12 to pirate games. Friends asked me to root theirs. Rooting isn’t hard and lots of people do it (absolute not relative terms)

And the idea that so-called “technical” people know what they’re doing and are hack-proof is hot garbage machismo BS. Modern attacks use social engineering and extremely technical people fall for it all the time. There were several stories on here just this week.

[NiloCK]

A rooted phone is more capable of modifying the banking app itself and has 'freer reign' over the APIs that the app uses to interact with the bank.

Whereas previously the app displays a 'whitelisted' set of UI options to the user, the rooted user could use employee only methods. Somewhere or other every bank has methods that set balances on accounts.

To be honest a law like this makes security by the extremely modest obscurity of not having an "increase your balance" button on the app UI much more tempting.

[tvbusy]

It's never about security or end user protection. It's to give banks a blanket refusal of responsibility.

[lucasban]

This should be enforced by the backend, why should you ever trust the client to tell you what access you have?

[treyd]

> the rooted user could use employee only methods. Somewhere or other every bank has methods that set balances on accounts.

Exposing these types of APIs in any way outside the bank ever would be gross negligence.