• In Lithuania I can't use banking apps as they check for root, etc.

    The app for my local bank in Florida checks if developer options are enabled, and won't let you proceed if they are. Absolutely ridiculous.

    But what if someone changed their UI animation speed?!? The world as we know it would crumble to dust!!

    TBF most of the developer options can't be exploited, but a handful absolutely do make it easier to steal credentials and data if you enable them AND install a malicious app. Some malicious apps will even guide you on enabling them to facilitate the attack.

    It's a small issue but I do think they should split up the developer options to acknowledge that probably a few million users access them to change stuff like animation scaling but absolutely shouldn't be enabling some of the settings unless they know what they are doing.

    should copy apple on that part and move the useful features to accessibility settings lol

    Asus brought the animation settings to the display settings and they could be changed without enabling developer settings, I loved that. And why the hell aren’t the bluetooth audio extra settings in bluetooth settings already?

    And as the owner of the device, it's my choice - not the bank's - whether or not to enable them. 

    Banks don't get access to check what other apps are installed on my laptop.  It's none of their business what else is running on my phone.

    I hate that society has the expectation that phones should be locked-down. Those who want to can decompile the Java code anyways. And phishing is easy to do via WWW or email.

    In my opinion, it depends. If banks are, by law (they are in some jurisdictions, but not everywhere), on the hook for any fraudulent transactions that result from the app, then they have a legitimate interest in "securing" the device (in quotes because arguably an unlocked device with a third party OS can be more secure than a locked down, unsupported, out of date device).

    But the solution should be that you have to waive some of those statutory protections if you don't want to comply with all their requirements, not that you simply can't access the service.

    The bank sells you a service. You should take your business elsewhere if you don't agree with their terms.

    Implying those scum aren't a cartel and have exact same terms.
    Fuck, even credit unions gradually started being shit with that (and bitch about how people don't choose them over big bank somehow, lol).

    You cannot live without a bank account though, so you are forced to use their services

    Oh boy, oh boy.. There was like literally no gatekeeper on Android to prevent any app from checking installed apps for a long time. It requires permission now on newer Android, but it is pre-granted under omnibus permissions, so the situation has not changed much. Basically any app that wants to read app lists can do it. Banking apps weren't even an outlier here.

    It'd be a shame if people started accessing their bank through even more insecure operating systems like Windows and MacOS.

    Which is why desktop users tend to be stuck with websites, not apps, can’t stay signed in, get auto signed out quickly, and still need to use their phone(*) to approve transactions.

    (*) or a dedicated hardware token, but banks are increasingly dropping support for those.

    They are secure, if you use them properly. Android and iOS are secure from the user. Such as the stupidity of not being able to access my WhatsApp encryption key file.

    yes I'm the one who always changes the animation speed to make it faster

    I just did this on mine. So much nicer.

    The HSBC app won't launch if certain apps have accessibility access.

    funny since HSBC was the favorite bank for money laundering, terrorists and crime in general.

    Meanwhile banks in my countries have checked for at least one of these:

    1. Developer options
    2. USB Debugging
    3. Accessibility options
    4. Sideloaded apps

    You can't open the apps if they detected these. 

    Because of this stupid requirement, I need to turn off the freaking MacroDroid and Shizuku every time I want to open the apps. Freaking stupid.

    At this rate, it is better to just get either an iPhone or 2nd cheap Android phone just for banking apps it is so ridiculous. 

    Using a dedicated locked-down device for finance access is more secure, btw.

    Square won't let you accept NFC payments if developer options are on.

    Thankfully the readers still work.

    It's because you can capture NFC packet info with developer options on.

    I assumed it was something like that, but still kind of dumb when you literally already have someone's card right there.

    Security through obscurity.

    Nothing really stops you from putting an interceptor between your phone's NFC and the NFC card (other than it would look odd, though it is possible to force it in a case or something), but with the developer option ban the company can say they did their best to their insurance and that is all that really matters to them.

    You can capture NFC data with developer options enabled, which makes using it for payment options a no-go so a ton of money apps will not work with it on.

    In Sweden I couldn’t use my banking app because I swapped launcher and it had accessibility access.

    Yeah same here for a 2fa identification app. Oh no, you sped up some animations, hereby your device is unsafe!

    There are Shizuku apps that can temporarily disable developer options when the selected app is in the foreground (idk the name tho)

    Wouldn't that disable USB Debugging, which subsequently disables Shizuku?

    Only while the problematic app is being used

    The solution is very easy, make you sign physically a waiver statement, instead of just stopping me from using the bank app

    This is pretty common among bank apps already, if not all then nearly all. Not country-unique, it's pretty common. So that Lithuanian banks do it as well is not uncommon; same everywhere.

    The difference in this case, the Vietnam one, is that this is a mandate that they have to comply with; I am not sure how common that situation is.

    That said, maybe what you mean is that this is the case in Lithuania as well, that it is mandated at the government/central bank level, in which case you can ignore my comment.

    There are ways to hide it, but it's usually a cat-and-mouse type of situation. I unfortunately gave up on root and custom ROMs years ago due to this; it brings too many annoyances, and if I want to play around with that stuff, it's not on my main phone. If only we could have a dual-boot of sorts (I think there were ways but nothing official), with a safe OS for this kind of app, and another where we can play around, although a true dual boot wouldn't be nice; it should be like a hypervisor with two different booted OSes at the same time or similar so you can switch between them.

    I think all banks in Vietnam have done this for a long time

    This does not happen in Australia

    Which is shitty on the part of banks. The phone being rooted does not automatically make it insecure for the bank app. They're overstepping, seemingly with a questionable grasp on the security ramifications (where security is concerned, it's far less important than the phone being up to date, using 2FA, etc).

    I'm all for them pointing it out or something, as certainly someone who hasn't rooted their phone should be surprised if it's been unexpectedly rooted. But they shouldn't be dictating that people can't use custom OSes. That's basically saying what I can do with my device.

    Magisk can hide that from banking apps. At least it used to be able to... Been a while since I've had the need to root my phone.

    adb banning is the bigger issue i believe.

    We still can hide everything (root, Zygisk, LSPosed, etc.). The only difficult thing is Play Integrity. It's still a cat and mouse game.

    Me too, haven't rooted anything in a while.

    Wait, suppose I have a browser on a desktop computer on which I have root or admin access. On the browser I can log in and do my banking. How is that any different of a threat than if I had root access on my phone? (From a bank's cyber security standpoint?)

    Generally speaking you have access to more features on a phone app than on the bank's web page. Transactions usually require 2FA via the phone app or SMS when done through web while they don't require anything on the phone app, payments can be done over NFC or QR codes, etc.

    Swedbank is easily fooled by magisk hide

    Well I in Lithuania can use them, you just need to hide root with a couple of modules.

  • Same in Hong Kong and we are even worse, all bank apps scan your app list for non Play Store apps. This is mandated by the HK Monetary Authority.

    Situation is fucked up. My app list is my privacy, not for every bank to have a peek at.

    It's also the case for some financial apps in Indonesia. I have to use the Hide My Applist app just to deal with those. I get it, scams through malware APKs are rampant here so this is one of their solutions.

    Some apps are kind enough to ask me for consent for scanning apps, but I always decline those and the pop up always persists every time I open the app. I hate the ones that require you to allow it just to use the app.

    Never heard of it being as far as scanning non-playstore apps. I encounter ones that don't allow developer mode to be on, but not much after that.

    So if you installed Fortnite when it wasn't in the Play Store (IDK the local situation in HK), you couldn't use your bank?

    Who knew Google was Hong Kong's strongest soldier

    Fraud schemes and such are rampant in SEA to an insane degree. I feel like the governments are more desperate about that than the privacy of your apps; granted, not like they care much in the first place.

    You can fake the apps being installed from the Play Store even if they’re not. It’s a hassle but it’s doable.

  • Seriously I have never heard of banking apps on a rooted phone being a source of criminal activity. Like I understand the implied risk, but I've never heard anything about anything actually happening.

    It's because app devs are fucking stupid. They see Play Integrity and think "yes, we need the highest validation level", without even considering what that does.

    Nahhh it's not the devs that are asking for this. The app devs are the ones who have adb enabled on their phone, lol. Source: am app dev.

    adb doesn't trip Play Integrity. Having an unlocked bootloader does.

    There's apps out there (like our official 2fa identification app in Belgium) that even refuse to work when developer settings are enabled. Having that enabled indeed does not trigger Play Integrity, that is true.

    Bet365 app as well.

    That's a very real "security" measure for bet365. That's because they don't want people scraping their odds.

    More likely to prevent location spoofing

    That too, but go write a script to scrape odds from bet365's API if you think odds protection has nothing to do with it. You'll quickly discover how much effort they put into protecting their sportsbook.

    I'm sure that's true but let's be real nobody is going to be scraping odds from a mobile phone lol it's going to be on a computer with a script like you said

    Which I assume can conversely be made to work fine on a rooted phone that tells the app what it wants.

    meanwhile, my banking apps don't care that I'm on grapheneOS...

    Granted, the bootloader is locked, but I don't believe it passes Play Integrity

    Square NFC on phones refuses to work if I have Developer Settings enabled, so I still have to carry their puck around to take payments. XP

    Devs are stupid. They know transactions are done and validated server side. Nothing anyone can do on the device can affect that in any way.

    The same website works on Windows and Linux PCs with admin/root privileges and they never thought twice about it. But when it comes to phones they turn into complete rtards.

    Is that devs being stupid or management who wants an app that's no different than the website to not work on the "hackable" devices, requiring the devs to implement pointless protections?

    You think the management knows what ADB and bootloader are? They only say they want "security", it's up to the devs to decide what "security" means.

    Here's the thing. Rooted Androids are way more secure than stock iphones. Pegasus hacks iphones with ZERO user interaction, remotely. Never happened on a rooted phone.

    Yet the bank/fucks never gave two shits about that.

    It has to be a war on personal and individual freedoms. Because they have no excuse technically. Maybe legally they would need to show a warning message, and I would be okay with it.

    But many banks are mobile-only.

    Mobile-only still means they have a client / server infrastructure. It's not that their mobile app has full DB access or the like...

    It's just that the client, instead of being a web browser that can send HTTP commands, is an app (a program) that can send commands via an API endpoint (most probably, via HTTP REST).

    Exactly, but I was just saying that most don't provide a website, which is extremely stupid.

    Oh, ok sorry.

    which is extremely stupid.

    I agree...

    You think devs wanna spend time implementing root checks?? Lol hell no, it's corporate customers that ask for these features for compliance reasons

    can confirm, Malaysia is proposing this too, and it's from the bosses who don't have proper performance indicators

    Is it fucking stupid devs or sensible lawyers and compliance specialists dealing with regulations that are intentionally vague so as to place the onus of providing AND defining "sufficient security" on the bank? Asking because I work in another highly regulated industry and that's basically how it works. If there's a breach where a design decision led in some foreseeable manner to the incident (such as not ensuring OEM OS integrity), it doesn't necessarily matter that the risk was low beforehand, especially if the mitigation is literally a single configuration value.

    Play Integrity provides all kinds of different verifications. You can use it to make sure the app itself isn't modified (which is how the overwhelming majority of banking scams happen), and not to block anyone with an unlocked bootloader (which malware attacks don't target, because very few people do that).

    Even if the latter is a concern, you can just warn the user about it, and still let them proceed at their own risk. Some banking apps do that instead.
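As an added example (not code from the thread or from any bank), here is a server-side policy over a decoded Play Integrity verdict that does what the comment above describes: block when the app itself is not recognized, and only warn when the device verdict is weaker. The package name, certificate digest, freshness window and the `evaluate` and `sample_verdict` helpers are assumptions; the verdict field names follow the Play Integrity payload.

```python
from dataclasses import dataclass

# Constructed values for a hypothetical app; nothing here comes from a real bank.
EXPECTED_PACKAGE = "com.example.bank"
EXPECTED_CERT_DIGESTS = {"constructed-release-cert-digest"}
MAX_VERDICT_AGE_MS = 2 * 60 * 1000  # assumed freshness window


@dataclass(frozen=True)
class Decision:
    action: str  # "allow", "warn" or "block"
    reason: str


def evaluate(verdict: dict, expected_request_hash: str, now_ms: int) -> Decision:
    """Decide what to do with a verdict the server has already decrypted."""
    req = verdict.get("requestDetails") or {}
    app = verdict.get("appIntegrity") or {}
    dev = verdict.get("deviceIntegrity") or {}

    # 1. Binding and freshness: a verdict replayed from another request,
    #    another package or an earlier session proves nothing about this one.
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        return Decision("block", "verdict issued for a different package")
    if not expected_request_hash or req.get("requestHash") != expected_request_hash:
        return Decision("block", "verdict not bound to this request")
    try:
        age_ms = now_ms - int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        return Decision("block", "missing or malformed timestamp")
    if not 0 <= age_ms <= MAX_VERDICT_AGE_MS:
        return Decision("block", "stale verdict")

    # 2. App integrity: a modified or repackaged binary is a hard failure.
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return Decision("block", "app binary not recognized by Play")
    if app.get("packageName") != EXPECTED_PACKAGE:
        return Decision("block", "unexpected package name")
    if not EXPECTED_CERT_DIGESTS & set(app.get("certificateSha256Digest") or []):
        return Decision("block", "unexpected signing certificate")

    # 3. Device integrity: an unlocked bootloader or custom OS drops
    #    MEETS_DEVICE_INTEGRITY. The app is genuine, so warn, don't lock out.
    labels = set(dev.get("deviceRecognitionVerdict") or [])
    if "MEETS_DEVICE_INTEGRITY" in labels:
        return Decision("allow", "genuine app on a device that passes integrity")
    return Decision("warn", "genuine app, device integrity not met")


def sample_verdict(app_verdict="PLAY_RECOGNIZED",
                   device_labels=("MEETS_DEVICE_INTEGRITY",),
                   request_hash="constructed-hash-1",
                   timestamp_ms=1_700_000_000_000) -> dict:
    """Build a constructed verdict payload for the demonstration below."""
    return {
        "requestDetails": {
            "requestPackageName": EXPECTED_PACKAGE,
            "requestHash": request_hash,
            "timestampMillis": str(timestamp_ms),
        },
        "appIntegrity": {
            "appRecognitionVerdict": app_verdict,
            "packageName": EXPECTED_PACKAGE,
            "certificateSha256Digest": ["constructed-release-cert-digest"],
            "versionCode": "42",
        },
        "deviceIntegrity": {"deviceRecognitionVerdict": list(device_labels)},
    }


if __name__ == "__main__":
    now = 1_700_000_030_000  # 30 seconds after the constructed verdict
    cases = {
        "stock device": sample_verdict(),
        "unlocked bootloader": sample_verdict(device_labels=()),
        "repackaged app": sample_verdict(app_verdict="UNRECOGNIZED_VERSION"),
    }
    for name, verdict in cases.items():
        print(name, "->", evaluate(verdict, "constructed-hash-1", now))
```
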

    I'm aware of multiple levels of integrity (even if not much of the specifics). That's all well and good but the fundamental question is whether regulators will see it as "protecting consumer choice and privacy with some well-mitigated risk of adverse outcomes" or "bank chose not to use established systems to protect against known risks of modified firmware/rootkits/etc stealing credentials". This will differ both by banks and jurisdictions because they very well may only find out when audited after a problem occurs.

    It's not app devs. Banking apps are obligated to follow compliance rules and legal risk mitigation, not by what developers personally think is reasonable. Blocking rooted devices is about ticking audit boxes and reducing liability, not about any type of better security.

    So we can agree it's bullshit?

    It's because you live in a country where most apps are downloaded from the Play Store. You get your news from a media organization through a news app. You have trusted mediators if you want any service.

    In developing markets it's a lot more common for things to be a lot more decentralized. WhatsApp is a big source for news or coordinating a lot of economic activity. And it's a lot more common for apps to be distributed as APKs.

    In these sorts of environments it's a lot easier for malware to get a foothold

    Also, the data is on the Bank's side...

    Man, that's saying that you've never heard banking apps on Windows being a source of criminal activity. Rooting your phone fundamentally changes its security model and breaks chains of trust.

    Unlocking the bootloader and rooting just gives me the same privilege level that I already have on my computer which has secure boot off and has my user in the sudoers file, which I can just use a browser in to send money like I can on my phone with the app.

    Banks and Google could go take their chain of trust and shove it up their ass.

    Rooting your phone fundamentally changes its security model and breaks chains of trust.

    That's the purported reason, except you're always able to use the browser version, which is also accessible from any other device regardless of security.

    The browser version very often has limited features (that is if it even exists, app only banks are popular in 🇪🇺). At least this is my experience in 🇮🇹.

    I guess it depends on the country. Chase and Discover don't limit me in the US. I can transfer money, use Zelle, all the bells and whistles, same as the app can. The only thing in the past I needed an app for specifically was depositing a check using the camera.

    The browser version also requires a second factor to do anything, and increasingly the only option is the app.

    At least here in Germany, the browser and app version have the same featureset, and both require a 2FA token anyway. Hell I can even use HBCI and access my account from any random desktop app.

    Holy shit you live in a flag?

    Why should banking apps care about the OS/device level chain of trust? Verify your own chain of trust, assume the device and the communication channel is NEVER to be trusted.

    Because the developer of the application and the phone manufacturer bear enormous responsibility given that the vast majority of users are laypeople.

    This unfortunately clashes with what the minority of expert or power users want. But it really can't be helped and I say that both as a software developer and as someone currently running a custom ROM. Banking apps and phone manufacturers need to consider people like my elderly parents who cannot grasp the concept of browser tabs or email. They can barely manage to make phone calls and are completely incapable of verifying their own chain of trust.

    The only way any of this can work is if a phone manufacturer decides to create a line of phones specifically for us. Trying to cater to both will end up with laypeople being prioritized.

    And yet, web based banking is still very much a thing. In a generic browser that cannot be trusted.

    It will be gone, and your locked phone will become the only way

    No it does not. There's nothing wrong with being an admin of the hardware you've purchased. I'm a Google Developer Expert in Android and have been making apps for years. There's literally no API that can catch a rooted device 100%. If your app relies solely on frontend security, you've fucked up

    This is the correct answer.

    It's not that the banking apps are a "source", but more like they are a target.

    Once you break the trust/security model, your funds aren't secure anymore, because anything root-wise might do nasty things.

    It can't do shit.

    Rooting doesn't hurt banking in any way, transactions are validated and done server side.

    The ability for a malicious app to trigger money transfers to wherever is not an issue in your mind?

    What about the ability for a malware in your PC to steal the banking website session and do the same things?

    If you have another device to confirm the operation, that works.

    Maybe the banks should do this: if the device isn't Play Integrity compliant, the confirmation operation has to be done on another device.

    The only danger is another app accessing the banking app. Still, the banking app should encrypt itself, and there are unrooted custom ROMs which are still blocked.

    Server side authentication should be the norm, bitch. As if the banking apps themselves are unhackable as long as OS isn't compromised. But again it's not like this's the first time banking systems are bad at cyber security…

    The banking app needs to take user input to be useful. If that’s automatable, then a malicious app can use automation to transfer money out of your account.

    I can't even turn on developer mode on my phone because of the stupid banking app.

  • Regulated in Circular 77/2025/TT-NHNN amending Circular 50 on online service security in the banking industry, to be in effect from March 1st:

    https://vanban.chinhphu.vn/?pageid=27160&docid=216580

    Clause 2, Article 5: Amend and supplement Clause 4 of Article 8 as follows:

    1. Implement solutions to prevent, combat, and detect unauthorized interference with the Mobile Banking application installed on customers' mobile devices. The Mobile Banking application must automatically exit or stop functioning and notify the customer of the reason if any of the following signs are detected:

    a) A debugger is attached or the environment has a debugger running; or when the application is running in an emulator/virtual machine/emulator; or operating in a mode that allows the computer to communicate directly with the Android device (Android Debug Bridge);

    b) The application software is injected with external code while running, performing actions such as monitoring executed functions, logging data transmitted through functions, APIs, etc. (hooks); or the application software is tampered with or repackaged.

    c) The device has been rooted/jailbroken; or its bootloader has been unlocked."

  • Wait oh shit that's us

  • this is fucked up. hopefully this kind of legislation doesn't spread in SEA, rooting will die

    pretty sure most decent banking apps across the world already refuse to work on rooted or adb/bootloader unlocked phones anyways.

    some banking apps already refuse to work if you enable developer mode even without rooting

    Some even refuse to work if you have accessibility mode on (like a virtual lock button).

    I know because my phone used to have a broken power button and I had to use a virtual one.

    That sounds like a pretty nice ADA payday.

    ADA?

    The US has accessibility laws with teeth. You can't just fuck over the disabled there.

    I had a bank app like that with a savings account. Would refuse to let me login unless I went and toggled developer options back off again.

    Granted, their app looked like it hadn't been updated in at least a decade and they had some other issues (on their end) that couldn't be resolved so I gladly closed the account.

    I have a dozen different banking apps from banks much bigger (and also smaller!) than them and they don't care if I have dev options toggled on, it's just pure laziness and giving people a false sense of security.

    The gov.br app (centralized app for anything and everything government services in Brazil) does this as well

    Which is annoying as I like to use 0.5x transition animation

    I can’t figure out why GCash on my iPhone suddenly decided my phone was modified. Deleting Signulous and sideloaded apps didn’t fix it and neither did turning off developer mode. 

    The last time I jailbroke was probably the days of Pangu. Is it reading files in my backup from back then?

    Guess I know now that Android won’t be of much help here. 

    what does it say when my credit union's app doesn't give two shits about it but now Twitter won't let you log in anymore?

    we’re doomed as a society?

    Well yes.

    (My credit union app also sucks, they update it once a year only to update the certificates anyway) lol.

    They try to, but at least at one point you could unfuck their foolishness with Magisk. Not sure it still works though.

    Yes, banks can do whatever, but this actually makes it a legal code. It's a government overreach kind of thing.

    Rooting will die, or at least it has fallen in popularity for the past 10 years in SEA. It's fine for a 2nd phone, but definitely not useful since it's not able to use any banking/e-wallet apps when it's rooted.

    Vietnam is crazy to even make a law for this but banking apps can simply block themselves from running when installed.

    It's already the case in Indonesia even without the legislation. You have to go through hoops and loops just to access your banking and e-wallet apps.

    I'm not sure if they already have a method to detect an unlocked bootloader but if your Play Integrity is tripped and you have a "sus" root app, those apps won't let me in.

    So if it isn't already the case for Vietnam, I'm honestly surprised.

    No good app will work in custom third party OSes as they are security nightmares

    It already is in Malaysia.

  • What does banning ADB even mean? App won't open if you have dev options/ usb debugging on?

    Having used and and Frida it allows monitoring everything happening within the app in real time.

    Not sure what use it is.

    Honestly I believe the reasoning behind this is it would prevent you using a hacked phone to use your banking and lose your account details, passwords etc

    Edit. This comment summarises well. A dodgy public charging port or point could send adb commands to silently open your banking app etc
    https://www.reddit.com/r/Android/comments/1q87eid/vietnam_bans_adb_and_bootloader_unlocked_android/nymcump/

    Lol adb is pretty limited. You can't do biometrics for example. It's literally impossible to "hack" with just adb

    I don't care about their reasoning for banning ADB, that wasn't my question at all.

    I wonder how they plan to enforce it. It's not like ADB is part of the apps or Android. It's not even part of the OS. It's an executable used to interact with the phone via terminal/cmd. It doesn't make any sense for them to be able to ban it.

    ADB is part of Android OS. It's talking about banning when developer mode is enabled alongside with ADB in there

    Yea it's just designed to not let you sign on.

  • Doesn't affect me, but the logic behind this is dumb. A phone is a computing device. It works much like a PC. I have root access to my PC and do banking on it. So if it's ok on a PC, why is it a problem for mobile devices? I'm sure if they could lock down a PC the same way, they'd do it, ofc.

  • I can't load the page because it's on a hostile network that I've had to firewall.  But sure, blocking banking on 3rd party OSes is what the country needs for cyber security. 

    /s

    The whole idea sounds dumb but they got tricks up their sleeves when it comes to the execution. Our banking apps till now do not use play integrity or bootloader unlocked checks at all, but some are very good at detecting... LineageOS based ROMs.

    That's right. Nobody came with a solution for a year or two, then it got patched quite quickly. Every LineageOS based rom like Crdroid, Evolution X, etc. would not work.

  • Just love how the so-called "enthusiasts" on this sub claim it's no biggie, while moves like this shut down any method to observe data collection by apps.

    Looks like said "enthusiasts" only care about data leaks being discovered, and completely fine with it if it takes place behind secrecy.

  • Urgh... With / without the legislation in Vietnam or the rest of the world, this already has been the norm for banking apps for a while. So the act is mostly just an official rubber stamp.

    No, it's not. It's common in some regions, but not in others.

  • If anyone knows a hack for banking apps on rooted devices, please let us know. The only thing I can think of is gameguardian, but it's unlikely that adding money in my app is going to also add money in my bank account. 

    ...hmmmmmmmmmmmmmm

  • What damage could an unlocked device really do? Or in other words, what damage could be done by someone knowledgeable enough, who would use a PC anyway?

    It's not about the authenticated user doing anything nefarious with root, it's more about the damage somebody else can do to the user with an unlocked device

    It's too easy to convince a user who has ADB on, to accidentally give ADB access to a random public charging, especially if the phone shop set ADB up for whatever purpose and never told the user what ADB even is. And then ADB access can be used to send touch events to the phone, capture the screen, and basically do all the steps needed to automatically send money to the scanner. Or install an app, which will then do the money sending.

    Root is worse, not every root is Magisk, some devices just have a bare unauthenticated su binary lying around just because. And even with Magisk, it takes just one misclick - or 1 root-enabled application with a security flaw - for some malware to permanently and undetectably hold onto root forever and ever.

    So if the rooted user doesn't use the app and just uses the web browser it's magically secured again?

    Anybody can access the website from anything, and banking websites are often designed with weird login schemes that aren't just a password pasted from a password manager on the user's PC

    Whereas your phone has access to your SMS and authenticator app, the bank app is probably setup with biometric login or pin login, and it probably has the password stored in a password manager as well.

    Those bank shills can't come up with a coherent response to this one, since forever.

    The problem is most banks in VN require the app itself to be able to use web-based portals, or simply not offering website banking at all.

    This is it, if they require a stock phone for the app, they should force them to have web access.

  • Apps was a mistake. Everyone should have been browser based. Although Google is also to blame. Apps shouldn't be able to determine whether your phone has locked or unlocked bootloader.

  • Why do we need banking apps. All of them are websites. 

    To pay. How would you pay by QR code without an app?

    Why do we need money? It's all just paper

  • Same in Mongolia. One of the major banks' apps crashes if the phone has an unlocked bootloader.

    Probably just play integrity check.

  • Isn't that the "new normal" already? I don't mod my phone nowadays cause I fear my banking apps are not gonna work.

    Not really a thing in our country. Root/modded rom detection of some sort, yes, but not developer options/adb/bootloader unlocking.

    Can you illuminate me for a sec? It's been years since I used a rooted phone. What possible benefit you can have with an unlocked bootloader but no root?

  • At this point, people will start needing to budget for two phones, one with the bare minimum to run all the banking, state and work apps and nothing else, and another one where your actual personal data resides in a physically separate device. Same for PCs.

    Could actually be a good idea from the point of view of security. A phone where you have only a few apps and don't use to navigate the internet or to download stuff should be much more safe from malware.

    Very convenient to go around with two phones

    Yeah, personally not a good idea unless you have a job that requires an IT-provided device.

  • Thankfully here in Tunisia our banking apps don't even check for root. My mother was able to use her banking apps without any tinkering/tweaks and they worked flawlessly.

  • 70% of the banking apps I've seen are just wrappers for the website. Will the banking websites be blocked too?

    Not sure about Vietnam but in Malaysia. The banking apps are proper apps. Lots of features won't work if it's just a wrapper for the website.

    I use 3 banks. One bank requires you to use their app to open their bank account and do pretty much everything. Another one requires you to use their app for 2FA. One does have a website that lets you do everything the app can do, but they are going to phase SMS 2FA and make you use their app eventually.

  • I stopped unlocking and rooting because Outlook and Teams (for work) wouldn't run if they detected root. Yeah yeah, there's all those people out there who don't want work shit on their own phone. Here's how I look at it - I can run out during the work day and run errands or go to the gym and still respond to work stuff (as if I were still in front of my laptop - to a certain extent).

    Don't love my job but it's decent and this affords me some freedom during the work day so it's worth it. Plus once I switched to Google Pixels - I didn't really feel a strong urge to tinker with it like I used to because it runs pretty well out of the box.

  • Ah yes, banning that but not giving a fuck about companies that provide you with security patches every three to six months, like Motorola. Why do tech-illiterate ppl legislate stuff?

  • Wait till they find out all computers come with root access out of the box.

    They have taken care of that. Most bank transactions must be made with a phone.

  • There will probably be fewer and fewer bootloader-unlocked phones in the future. Google might make it harder to root.

  • God damn that is so stupid

  • The foolproof solution is to use two different phones: a work phone for rather serious tasks (banking, office, work email, etc.), and a personal phone for everything else. Only tinker with the personal one.

  • So? Sorry, but I don't get what you want to deliver 🥲

    Me too. Banking apps all over the world have already been doing this for some time.

    Yeah, been a thing in Finland forever. (Banking apps checking root, that is)

    Seriously. Getting banking apps to work on a rooted device is a painful experience. I would not like to experience that again. Banking apps are essential here.

  • This is standard practice everywhere now. Even in the US. Most banking apps don't work on rooted devices.

  • [removed]

    Some banks are app-only

    This is the worst.

    Online banking via a web browser is extremely slow because you'd have to log in again every time you want to do anything. It's even more impractical in the case of Vietnam. People mostly transfer money thru their banking apps via a QR code, which is not possible on the web. Contactless payments via cards are only accepted in larger establishments. Cash will still work, but some stores might not accept cash because they don't have change.

    And now you understand why banking apps don't want to run with root detected. Because the security model is broken once you root, so any bad actor, if your phone gets infected, could just deplete your funds without you realizing.

  • Common Communist L

  • Here in Vietnam now. Just started happening.

  • A few South East Asian banks will check if you have third party apps installed. If one is detected, the app will not allow you to continue.

    My bank regularly does a "safety quiz" and one of the questions asked is "should you install an app that does not originate from the Google Play store?".

    Of course, answering anything besides "no" sends you to an education page and then you're asked to do the quiz again.

    Try incognito mode, plus put the browser from mobile to PC, and check if the bank will allow access. I'm curious 🤔

  • Dumb question, but one can use a browser on a rooted device to log into a bank's website, right?

    I already replied in another comment: web portals aren't usually accessible without a phone with the bank app installed for authentication. They know.

    In Vietnam specifically? 'Cause that's not how it works in my country.

  • It’s enough to create a separate profile accessible with a different fingerprint and keep the banking apps there without enabling Developer Mode, and the problem is solved.

  • Snake oil security - rooting/jailbreaking was and is an act of self-defence

  • Cory Doctorow calls this the "war on general-purpose computing", and he's right.

  • Certain Insulin Pump companion apps also disallow rooted devices and devices which have developer options enabled.

    cough cough Medtronic cough cough

    It's ridiculous.

  • In the meantime, no bank that I'm aware of lets you set ACTUAL security features such as having accounts with limited capabilities (only check your balance, send at most x money per day...).

    And all the bank apps I saw are filled with random analytics/ads SDKs and of course closed source.

  • Same with India! Very annoying: can't fix the roads but will block rooted users.