• SavvyWolf@pawb.social
    5 months ago

    They 100% would stop you if they could.

    It’s why Google’s website DRM thing was so scary.

      • SavvyWolf@pawb.social
        5 months ago

        Okay, so I originally was going to go in a long rant about how they’re still doing it, but decided that it didn’t really add much to the comment, so removed it.

        Afaik they’ve, for now at least, shelved it in browsers, but are still going ahead in Android webviews (as part of their war on YouTube Vanced).

        • umbrella@lemmy.ml
          5 months ago

          i guess they will probably try again with a new name later when the dust settles. can never trust them.

          what about android webviews, i thought it isn’t related to vanced? how do they plan to kill vanced this time?

      • ramble81@lemm.ee
        5 months ago

        Basically Google wanted to put checksums in webpages and then not render the page period if the checksum didn’t match and said checksum could only be verified by “approved” browsers that had the correct certificate (which surprise was Chromium-only browsers such as Chrome and probably Edge). As such you wouldn’t have been able to run any adblockers as that would change the checksum and the way the page was rendered. They could also then go one step further and do a Denuvo type set up to make sure the OS wasn’t being altered.

        • RecluseRamble@lemmy.dbzer0.com
          5 months ago

          Yes, I know about what they attempted (actually published some of it already in an official repo).

          But why do you talk in past tense? Have they reverted the changes and publicly pinky-promised not to do it?

  • markstos@lemmy.world
    5 months ago

    Rooted mobile devices are a reasonable signal they have been hacked and security features might be disabled or work as expected.

    It just banks, a lot of corporate security policies don’t allow rooted devices, as they could bypass mobile device management policies for devices owned by the company.

    With laptops it’s a different story. Whether users have Mac, Linux or Windows, there’s a reasonable chance they have admin access too, so checking for root access is not such a useful signal there.

    • Katlah@lemmy.dbzer0.com
      5 months ago

      > Rooted mobile devices are a reasonable signal they have been hacked and security features might be disabled or work as expected.

      Rooted mobile devices are a reasonable signal that someone wants to actually own what they buy, and corporations want to make sure as few people think that as possible.

      • hemko@lemmy.dbzer0.com
        5 months ago

        Windows/macOS/Linux are designed around the fact that the person managing the device has root access, Android and iOS are designed around no one having root access.

        Sure it’s fine to mess around with a rooted phone and look what’s inside, but essentially for your daily operations having a rooted phone is an unnecessary security risk.

        • Katlah@lemmy.dbzer0.com
          5 months ago

          > Android and iOS are designed around no one having root access.

          Yes and I consider that to mean I don’t own the device. And there are plenty of Android forks specifically designed around you having root access.

          • chonglibloodsport@lemmy.world
            5 months ago

            The issue is that you don’t want to give some random untrusted process root access. You, the user, have root access as long as you’re capable of running processes as root, but that doesn’t mean you should.

            There could be tons of apps on the iOS App Store or Google Play Store that are completely benign under the existing security model but do nefarious things when run as root. No one knows that for sure because they aren’t tested under root by Apple or Google.

            The problem with root is that it’s giving the process the keys to the Ferrari. That’s long since been decided to be a bad security model. Far better to have the process request permission to access particular resources and you grant them on a case by case basis.

            • bort@sopuli.xyz
              5 months ago

              I just want to point out, that what you are saying sounds good in an ideal world. But the reality looks different. (I actually typed out some points, but then I remembered that I don’t want to engage in yet another lengthy internet-debate, that ultimately comes down to personal preferences and philosophy)

            • kick_out_the_jams@kbin.social
              5 months ago

              > The issue is that you don’t want to give some random untrusted process root access.

              It’s been awhile since I’ve used anything but Magisk but usually you have to set root permissions per app, or you can get Magisk notification to request access.

          • dumpsterlid@lemmy.world
            5 months ago

            The important question is why smartphones are designed around not having root access and computers are?

            What are the incentives at play?

            The answer is obvious, tech companies wouldn’t have given users access to root control on their computers either if they knew what they were doing and thought they could have gotten away with it.

            It is just circular logic claiming smartphones have to be this way, circular logic that provides a rhetorical smokescreen for the process of corporations taking our agency away from us over our lives and the tools that sustain us.

          • hemko@lemmy.dbzer0.com
            5 months ago

            You’re free to install another operating system or variation on Android on your phone still. And if you decided to go with another Android such as Graphene, you’d still not want to root it because it’s a security risk.

        • 520@kbin.social
          5 months ago

          There’s also the fact that on Win/Mac/Linux, you’re interacting with the bank via a browser and not a bespoke app.

    • MonkderDritte@feddit.de
      5 months ago

      So just warn the user that it’s their own responsibility and all claims are waived, instead of just saying “no” ?

      • markstos@lemmy.world
        5 months ago

        There is a parallel with masking. The bank values the safety of the whole rather than the freedom to root for an individual. You stand to lose only your own bank balance. The bank stands to lose the funds of every rooted phone that contains a banking app exploit targeting them.

        • MonkderDritte@feddit.de
          5 months ago

          I mean, they get that anyway with malware and security exploits. Except that rooted phones usually have a root manager, which asks for permission if an app wants to do more. And I don’t think the root user listening into the app/their own account should be a problem; because in this case the problem is with the banks’ security practice.

          Well, at least my bank doesn’t care about root or safety net.

  • gbzm@lemmy.world
    5 months ago

    I actually heard something about that in class not long ago

    The story is that Android’s security heavily relies on the compartmentalization of apps that live in the Android layer, over the Linux kernel. Apparently, that functionality works in part because only this layer can perform operations that require root access, no app or user can. So software that allows you to root your phone apparently breaks this requirement, and makes the whole OS insecure. He even heavily implied that one should never root their phone with ‘free’ software found on the internet because that was usually a front for some nefarious shit regarding your data.

    I’m just parroting a half-understood and half-remembered speech from a security expert. His credentials were impressive but I have no ability to judge that critically, if anyone knows more about this feel free to correct me.

    • Aux@lemmy.world
      5 months ago

      The problem is very simple - the majority of people are technically illiterate. Apple and Google saw the Windows XP security fiasco, looked at how many people use smart phones today and decided that giving users any rights is not worth the risk.

    • johannesvanderwhales@lemmy.world
      5 months ago

      Isn’t saying that allowing apps to have root lets them access anything just describing what root is? A rooted phone doesn’t have to give superuser access to every app.

      • dan@upvote.au
        5 months ago

        > A rooted phone doesn’t have to give superuser access to every app.

        Sure, but apps that run as superuser can access anything, including the data and memory for banking apps. A big part of Android’s security model is that each app runs as a different user and can’t touch data that’s exclusively owned by another user.
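The per-app UID separation described in the comment above, as an added example that is not part of any comment in this thread: a Python model of the Unix permission check that keeps one app out of another app's data directory. The package names, UIDs and the 0700 directory mode are constructed for illustration, and the model covers only the UID and mode-bit check, not SELinux, which also confines processes on real Android devices.

```python
import re
from dataclasses import dataclass

AID_APP_START = 10000      # first UID Android hands out to installed apps
AID_USER_OFFSET = 100000   # size of the UID range reserved per device user


def uid_from_name(name: str) -> int:
    """Convert an Android-style UID name such as 'u0_a123' to a numeric UID."""
    if name == "root":
        return 0
    m = re.fullmatch(r"u(\d+)_a(\d+)", name)
    if not m:
        raise ValueError(f"not an app UID name: {name!r}")
    user, app = int(m.group(1)), int(m.group(2))
    return user * AID_USER_OFFSET + AID_APP_START + app


@dataclass(frozen=True)
class Node:
    path: str
    owner: int
    group: int
    mode: int  # permission bits, e.g. 0o700


def may_access(uid: int, gids: set, node: Node, want: int) -> bool:
    """Classic Unix discretionary check; want is a mask of 4 (r), 2 (w), 1 (x)."""
    if uid == 0:
        return True  # superuser bypasses the mode bits on directories
    if uid == node.owner:
        bits = (node.mode >> 6) & 7
    elif node.group in gids:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return (bits & want) == want


# Constructed sample: a banking app's private data directory (hypothetical package).
BANK_UID = uid_from_name("u0_a123")
BANK_DIR = Node("/data/data/com.example.bank", BANK_UID, BANK_UID, 0o700)
CALLERS = ["u0_a123", "u0_a201", "root"]  # the bank app, another app, a root process


def access_matrix(node: Node = BANK_DIR, callers=CALLERS) -> dict:
    """Return {caller: can it list and read the directory?} for each caller."""
    result = {}
    for name in callers:
        uid = uid_from_name(name)
        result[name] = may_access(uid, {uid}, node, 4 | 1)  # read + search
    return result


if __name__ == "__main__":
    for caller, allowed in access_matrix().items():
        print(f"{caller:>8} -> {BANK_DIR.path}: {'allowed' if allowed else 'denied'}")
```
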

        • johannesvanderwhales@lemmy.world
          5 months ago

          It just means you need to trust apps that you give root access to, or only give elevated privileges during the very specific times when apps need them. Root isn’t something people who don’t know what they’re doing should be messing around with, I guess. But I’d think a lot of people who root their phone know and accept the risks.

          • dan@upvote.au
            5 months ago

            People like you or I may know what we’re doing with a rooted device, but I think the issue for the banks is that they can’t guarantee that someone with a rooted phone knows what they’re doing or isn’t using a malicious app, so they have to be cautious and block all rooted phones.

            An app that requires root may look like a normal app but it could be a trojan that modifies banking apps in the background (eg patches them on disk or in RAM so transfers done through the app go to a different recipient). There’s been malicious apps in the Play Store in the past, and rooted apps have way less oversight - some are literally just APK files attached to XDA-Developers posts or random blog sites.

            • johannesvanderwhales@lemmy.world
              5 months ago

              I take your point, and I’m sure you’re right about the banks’ rationale, but in my own view it does not seem like it should be the banks’ decision to make.

              • qjkxbmwvz@startrek.website
                5 months ago

                As soon as a bank offers any sort of fraud protection, though, security becomes a bank issue (in addition to a “you” issue).

                Not at all saying I agree with the banks on this, but I think that may be part of the thinking.

                • dan@upvote.au
                  5 months ago

                  This is a good point. The bank needs to do as much as they can to reduce fraud risk, and they’ve probably found some correlation between rooted phones and a higher likelihood of fraudulent transactions. Some banks block VPNs for a similar reason - when logging in from a VPN, it’s harder for them to tell that it’s actually you vs if it’s an attacker that uses the same VPN service as you.

            • sepi@piefed.social
              5 months ago

              bro I gave my nana root on her eye phone and by the end of the week she had hacked half of North Korea - the other half thought her actions were a good example of juche ideals. It was crazy ngl

      • cybersandwich@lemmy.world
        5 months ago

        I think he was trying to say apps get access to “root features” through an abstraction layer/API calls that is controlled.

        They don’t/wouldn’t have carte blanche root access to the underlying system. It’s kinda like a docker container or VM or flatpaks/snap packages on Linux. They are sandboxed from everything else and have to be given explicit permission to do certain things (anything that would need root privileges/hardware access).

    • superfes@lemmy.world
      5 months ago

      I wouldn’t even feel compelled to root my phones if Google would actually back up my phone instead of whatever 1/4 baked shit they’ve done thus far.

      • pete_the_cat@lemmy.world
        5 months ago

        I’ve been using android since 2010, and it’s gotten significantly better over the years. There’s only a few things it doesn’t back up, like text messages and app data, most of which you don’t need.

        • Urist@lemmy.ml
          5 months ago

          It is not Android that is backing up most things though, it is mostly done by Google Services. That means that your data is effectively vendor locked-in if you want to use Android as an actual open source project. Google gutting the AOSP to this extent should be illegal (maybe even is, but might is right).

        • superfes@lemmy.world
          5 months ago

          Mine backs up my text messages, but I would prefer to back up my app data, authenticators, wallpaper, themes, games, etc., not every app is a shitty front-end to a website.

  • unalivejoy@lemm.ee
    5 months ago

    It’s not just root. They would prefer you not to have a custom keyboard either.

    • 520@kbin.social
      5 months ago

      That’s actually got a solid reason behind it.

      It’s because the OSK is just another program as far as Android is concerned. It can’t directly look into the application, per Android specifications, but it CAN record key presses, even for passwords. It even receives context hints based on the metadata on the input box, so it knows when you’re putting in a password. Then it can send your data off to unknown servers.

      • umbrella@lemmy.ml
        5 months ago

        that’s a bit ironic seeing how the default keyboard on most phones is a privacy nightmare.

          • untorquer@lemmy.world
            5 months ago

            Yeah, but why is it sending details at all? There are FOSS options which are completely radio silent. Some password managers come with their own board.

  • Crow@lemmy.blahaj.zone
    5 months ago

    My bank doesn’t know for some reason. I don’t even pass (as femme but that’s not relevant) safetynet, but it doesn’t seem to care. Sadly can’t pay with my phone or watch tho

  • the_crotch@sh.itjust.works
    5 months ago

    Does your bank have a Linux application? Of course not, you’re using the website. So why not use the website on your phone?

  • kbal@fedia.io
    5 months ago

    Google and Apple have been very successful at convincing everyone, including banks, to see the idea of users having control over their own phone-like computers as dangerous.

  • ordellrb@lemmy.world
    5 months ago

    I said I have no smartphone and they gave me the same app for Windows or Mac, after asking twice or more times. It has been running in VirtualBox for years now. (I know, I know. KVM would work better, but I won’t change it as long as it works.)

  • lemmeee@sh.itjust.works
    5 months ago

    Btw, have you guys heard of Taler? It’s pretty interesting and I think you will be able to use it with a libre app

    NGI TALER is a pilot funded by the European Commission and the Swiss State with the very concrete objective to roll out a new, best-in-class electronic payment system that benefits everyone: people, merchants, banks, financial authorities, auditors and anti-corruption researchers. The project doesn’t have to start from scratch either, but builds on the strong foundations of GNU Taler — the privacy-preserving digital payment system developed by the GNU community and Taler Systems SA with support from the NGI initiative. This offers privacy for those that make payments, while enforcing transparency on those that sell. By providing micro payments at very low overhead, GNU Taler permits internet business models to shift away from advertising revenue or subscription models, especially for online publishers. No-risk transactions can lower transaction fees and open online payments for the underbanked population and citizens marginalized from digitalisation.

    https://nlnet.nl/taler/

    • Mikina@programming.dev
      5 months ago

      I tried reading the website, but I’m not really sure I get it. What is it supposed to be? A way to make FIAT payments that’s open-sourced and private (so you don’t have to pay stupid fees to banks), and it integrates into the current banking system, or is it some kind of digital currency that’s not blockchain based?

      If it’s the former - isn’t any kind of payment without KYC almost impossible, since it’s heavily regulated? So, you can’t really have private payments in an environment where there’s a stupid amount of laws about how much you can actually pay without it being identifiable, for example the super small monthly limit on anonymous prepaid debit cards?

      • Mikina@programming.dev
        5 months ago

        Oh, I see. Oh well.

        Can I send money to my friends with Taler? Taler supports push and pull payments between wallets (also known as peer-to-peer payments). While the payment appears to be directly between wallets, technically the operation is intermediated by the payment service provider which will typically be legally required to identify the recipient of the funds before allowing the transaction to complete.

        • lemmeee@sh.itjust.works
          5 months ago

          Your bank already knows who you are, but with Taler you will be able to make payments using libre software and the bank won’t be able to track them. I guess if you send money to a friend, their bank will know they received the transaction, but won’t know who it was from. At least that’s my understanding.

      • lemmeee@sh.itjust.works
        5 months ago

        It’s not a currency - just a new payment system, but I don’t know how it works exactly. In order to make payments with it, your bank has to support it. Some banks are working on integrating it now. It’s supposed to be anonymous and the transaction history is supposed to be private. Currently only cryptocurrency has such features, but it looks like Taler will change that.

  • Sanctus@lemmy.world
    5 months ago

    I just want my bank to allow me to use some other form of authentication besides just a password.

  • Alien Nathan Edward@lemm.ee
    5 months ago

    because you use the root account on linux occasionally to do one thing but when you’ve got a rooted phone everything is done with the root account