[edent]

This isn't about the bank's security - it is about the users'.

Users are losing billions worldwide due to fraudulent apps. If a user has root and runs a malicious app, it can intercept what a legitimate banking app does. A scam app with root can draw over the screen and tell users to transfer money, or it can run a series of actions when the banking app is running, or do any of a hundred things to steal money.

[hackyhacky]

> A scam app with root

Sure. But the people who are actually rooting their phones are advanced users and aren't going to install a malicious custom OS. Are naive users getting tricked into rooting their own phones? I'm dubious what the security benefit is of this decision.

[mike_hearn]

These types of discussions on HN get confused because people aren't always clear what they mean by the word "rooting".

There are two ways to root a phone:

1. Unlock the bootloader, install a well designed and highly secure aftermarket OS, relock the bootloader. The device is still just as secure against malware as it was before. Remote attestation shows the vendor that you're running Graphene or Lineage or whatever.

2. Exploit a local vulnerability to drop a sudo binary somewhere. RA shows you're running an exploitable version of Pixel Android, etc.

(2) is absolutely exploitable by fraudsters. They convince the user to run an app or visit a website that exploits their browser or whatever, and the vulns are used to escalate to root and keep it. Now when the user logs into their banking app the HTTP requests are rewritten to command the bank to send money to the adversary. This is why devices that allow escalation to root are excluded via remote attestation.

(1) isn't but it requires more coordination than the industry has proven capable of so far. Binary images of a custom OS could in theory be whitelisted by banks if it was known to be as secure as other operating systems. But there's no forum in which that information can be exchanged. Like, RandOS turns up and the maintainer "xyzkid", identity: anime avatar, claims his OS is super secure. How does random overworked bank developer John Smith know if this is true or not? RandOS doesn't come with any audits, it doesn't have a well paid security team. The brand is a big question mark. And if John makes the wrong call, maybe the bank is now on the hook for millions in losses because someone installed RandOS to get the shiny icon theme or whatever, and then got hacked.

So it's a hard problem. It's not actually a technical problem. Remote attestation is very general. The hard part isn't the tech. It's a social problem. How do you create and rapidly communicate trust in a new binary OS image if you don't have the security resources of an Apple or a Google or a Samsung? Google runs a whole accreditation programme for Android where you can turn up as a phone OEM and get your custom OS builds considered to be secure by passing a huge test suite. So the only issue is OS hackers who fall below the threshold where they can do that.

There's an alternative of course: go full libertarian. Means, just use a "bank" that doesn't care if its users get hacked. This is what the Bitcoin community enabled. It's there if you want it.

[Magnusmaster]

I doubt banks or the government would ever white list something like Lineage that's not made by some megacorporation. Also IIRC most phones don't allow you to relock the bootloader after flashing a custom ROM.

[hackyhacky]

Thanks for clarifying. I was unaware that (2) was a widespread issue.

[jacobthesnakob]

>These types of discussions on HN get confused because people aren't always clear what they mean by the word "rooting".

Well it’s more the Dunning Krugerites who see the word “rooting” written by someone in a cyber context, lack that context entirely, and proceed to enter the discussion anyway based on their experience rooting their Android phone 3 years ago after clicking through a few UI buttons.

[dvngnt_]

> A scam app with root can draw over the screen and tell users to transfer money

On android, I believe this can be done rootless via accessibility permissions that can display on top of apps

[NoGravitas]

Yes, but you very much have to grant that permission in Settings. An app can't get it non-interactively.