1017
Why don't banks like root on Android?
(lemmy.world)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 04 Apr 2024
1017 points (98.8% liked)
linuxmemes
19733 readers
1683 users here now
I use Arch btw
Sister communities:
- LemmyMemes: Memes
- LemmyShitpost: Anything and everything goes.
- RISA: Star Trek memes and shitposts
Community rules
- Follow the site-wide rules and code of conduct
- Be civil
- Post Linux-related content
- No recent reposts
Please report posts and comments that break these rules!
founded 1 year ago
MODERATORS
Rooted mobile devices are a reasonable signal they been have hacked and security features might be disabled or work as expected.
It just banks, a lot of corporate security polices don’t allow rooted devices, as they could bypass mobile device management policies for devices owned by the company.
With laptops it’s a different story. Whether users have Mac, Linux or Windows, there’s a reasonable chance they have admin access too, so checking for root access is not such a useful signal there.
Rooted mobile devices are a reasonable signal that someone wants to actually own what they buy, and corporations want to make sure as few people think that as possible.
Windows/Macos/Linux are designed around the fact that the person managing the device has root access, Android and iOS are designed around noone having root access.
Sure it's fine to mess around with rooted phone and look what's inside, but essentially for your daily operations having rooted phone is unnecessary security risk.
Yes and I consider that to mean I don't own the device. And there are plenty of Android forks specifically designed around you having root access.
The important question is why smartphones are designed around not having root access and computers are?
What are the incentives at play?
The answer is obvious, tech companies wouldn’t have given users access to root control on their computers either if they knew what they were doing and thought they could have gotten away with it.
It is just circular logic claiming smartphones have to be this way, circular logic that provides a rhetorical smokescreen for the process of corporations taking our agency away from us over our lives and the tools that sustain us.
You're free to install another operating system or variation on Android on your phone still. And if you decided to go with another Android such as Graphene, you'd still not want to root it because it's a security risk.
The issue is that you don’t want to give some random untrusted process root access. You, the user, have root access as long as you’re capable of running processes as root, but that doesn’t mean you should.
There could be tons of apps on the iOS App Store or Google Play Store that are completely benign under the existing security model but do nefarious things when run as root. No one knows that for sure because they aren’t tested under root by Apple or Google.
The problem with root is that it’s giving the process the keys to the Ferrari. That’s long since been decided to be a bad security model. Far better to have the process request permission to access particular resources and you grant them on a case by case basis.
It's been awhile since I've used anything but Magisk but usually you have to set root permissions per app, or you can get Magisk notification to request access.
I just want to point out, that what you are saying sounds good in an ideal world. But the realitiy looks different. (I actually typed out some points, but then I remembered that I don't want to engage in yet another lengthy internet-debate, that ultimately comes down to personal preferences and philosophy)
Ah but I love reading these specific philosophical discussions on tech, I don't blame you though
There's also the fact that on Win/Mac/Linux, you're interacting with the bank via a browser and not a bespoke app.
So just warn the user that it's their own responsibility and all claims are waived, instead of just saying "no" ?
There is parallel with masking. The bank values the safety of the whole rather than the freedom to root for an individual. You stand to lose only your own bank balance. The bank stands to lose the funds of every rooted phone that contains a banking app exploit targeting them.
I mean, they get that anyway with malware and security exploits. Except that rooted phones usually have a root manager, which asks for permission if an app wants to do more. And i don't think the root user listening into the app/their own account should be a problem; because in this case the problem is with the banks' security practice.
Well, at least my bank doesn't care about root or safety net.
The concern is not much phones rooted with intent by their owners, but phones rooted by malware without the owner’s consent:
https://thehackernews.com/2021/10/this-new-android-malware-can-gain-root.html
If there was a way to signal that a rooted phone was actually secure, malware would send that signal.