ryandrake · a month ago
The biggest "evil" that has been committed (and is still being committed) against computing has been normalizing this idea of not having root access to a device you supposedly own. That having root access to your computer, and therefore being the ultimate authority over what gets run on it, is bad or risky or dangerous. That "sideloading" is weird and needs a separate name, and is not the normal case of simply loading and running software on your own computer.

Now, we're locking people out of society for having the audacity of wanting to decide what gets run and not run on their computers?

ploxiln · a month ago
I think, practically, everyone will need at least a cheap-ish android or iphone, perhaps $300 (and a new one every few years ...), to be their locked-down "agent" for using financial or government services. It's not for you, it's for the government/banks, it is their agent for talking to you.

Kinda weird, if you think about it. But that seems to be the way it's heading.

lxgr · a month ago
> everyone will need at least a cheap-ish android or iphone, perhaps $300

No, the much more secure while at the same time liberty-preserving way to do this are heavily sandboxed secure enclaves with attestation, or even better standalone tamper-proof devices capable of attestation.

Like the ones practically every bank customer already has in their wallet, and for which most phones have a built-in reader these days... The only thing missing is a secure input and output channel, like a small built-in display and a button or biometric input.

In any case, I somewhat empathize with banks in that they want to ensure that my transaction confirmation device is not compromised, but getting to dictate what software does and doesn't run on my own hardware outside of maybe a narrow sandbox needed to do that is a no-go.

thewebguyd · a month ago
Nah, if a bank or some other civic entity wants to have a "secure agent" for transactions/communication with me, then they should be the ones providing that.

Much like I expect my employer to provide me hardware, and that hardware is used exclusively for work.

I shouldn't have to spend my own money on another device, nor should they be asserting their desires for control onto my own devices.

lossolo · a month ago
> perhaps $300

Maybe in US. In Vietnam, $300 is the average monthly salary, and the minimum wage is around $150. Probably the majority of people don't have a primary phone worth more than $300.

shevy-java · a month ago
This is ultimately a form of slavery though.

A country that is a dictatorship - I can understand why their slaves have to go through this. I fail to see why a true democracy would do this though. There is zero need to be required to have a smartphone; all those transactions work perfectly fine on a desktop computer system too, under Linux. People then may have a second device at home, some card reader and/or a thing such as a YubiKey or something like that. IMO not even this should be required, but to mandate an app that would not be permissive under Linux - that is true dictatorship. I am surprised the government of Vietnam went that way.

regularfry · a month ago
They can pay for it then. And I'll have my own, that I control.
Dylan16807 · a month ago
I was going to object to $300, but maybe that will be needed if you want actual security...

Just "a phone" with a bad update policy is $100.

thisislife2 · a month ago
Or ... just don't install the apps and use the browser to do your banking.
gonzalohm · a month ago
You can just use your bank's website. No need for two phones
a456463 · a month ago
And a full on fight against ownership of stuff you paid, right to repair something you own with your own money, and general computing access.
qwertox · a month ago
Phones are no longer ours. A bit like bought ebooks, games, movies, and the like: we just pay for the right to use them. OK, the phones we can keep, so we pay a lot for the hardware, but the OS: not. They like to advertise it as part of the phone, but it's not. The little surveillance machines.
pc86 · a month ago
The idea that the government should have the right or ability to do this in the first place is actually insane. Ideally the government doesn't want to do this in the first place, but even if it does it shouldn't have the technical ability to.
xorcist · a month ago
> The biggest "evil"

No need for the scare quotes. Forcefully removing people's agency over themselves is pretty much the definition of evil. We do not hurt criminals as punishment anymore, in the civilized age, but we still lock them up.

Now, of course we should not equate physical prisons and digital prisons in any other way, but we should absolutely call both forms of imprisonment evil, plain and simple.

jffhn · a month ago
>We do not hurt criminals as punishment anymore, in the civilized age

Singapore is quite civilized, and they conduct caning strokes.

abustamam · a month ago
I grew up in the 90s during a time where the only way to get software was from the local computer store. Pop the disk into your computer and you're running the software, warts and all.

Now that physical media is all but gone, computer manufacturers (both personal computers and phones) found it behooved them to essentially control the market with regards to what can get installed on your computer. Oh, and conveniently, they charge a fee for developers to use this "service," and take a percentage of what the developer earns by selling software on their "service." And somehow in the late 2000s early 2010s, it just became normalized, and somehow the term for being able to install software on a device you supposedly own became a scary term, "jailbreak."

Granted, jailbreaking was often used for piracy, but the fact that there needed to be a process at all confounds me.

My mom has an iPhone and she manages to install a bunch of weird things on her phone, like anti-virus software that almost certainly don't scan for viruses, but are all too happy to take your money to make your phone more secure. These are things that the App Store "service" should have guarded against if they were indeed doing their jobs and protecting consumers from bad software.

And, I wouldn't be surprised if she'd be locked out of her banking app eventually because [insert entity here] deems her phone too old to update her banking app. She's "following the rules" and still getting screwed over.

roncesvalles · a month ago
I would guess it's because people blamed the device/OS manufacturer for when their device got infected with malware (which is almost always due to user error).

Through the 00s, Apple practically built their reputation on being "virus-free" which really just meant they locked out the user from being able to do anything too extreme.

lokar · a month ago
AIUI, scammers were talking victims through rooting and getting them to install malware.
schmuckonwheels · a month ago
Screaming into the void about how your device is so great it could be used for attestation, combined with a small but vocal security industry full of grifting chicken littles, virtually guaranteed this would happen.

The real irony here is the use of free software to tear down everything the free software movement stood for.

graemep · a month ago
It is also interesting that yet another government is prepared to increase its reliance on American big tech.

I do not know whether Vietnam has any pretence of digital sovereignty, but many countries that do are doing this like this to actively move away from it.

tinfoilhatter · a month ago
Lots of American big tech is actually developed in Israel - like Microsoft Azure's cloud services. Israel also has a history of getting caught selling American technical secrets to countries like China. Almost every major VPN is owned and operated by an Israeli company.
chrneu · a month ago
Isn't Europe basically going through this, trying to decouple itself from AWS and Azure and other American tech?
realusername · a month ago
I think in the future I will keep two phones, a secure phone for my data, communication and everything and an insecure old phone for banking and government apps.

kome · a month ago
we should save the idea of general computing. fuck cell phones.
callc · a month ago
Cell phones are fine. It’s their locked-down non-open nature and Apple, Google, Samsung that make cell phones not general computing devices.

I really hope we can convince enough people to care about general computing.

tempodox · a month ago
This has nothing to do with security and everything with control. In whose interest is it that users have no control over what “their” hardware does or doesn’t do? Those OSs are not a product of Vietnam, they belong to, and are controlled by, Apple and Google. Now all Trump has to do is tell them to make all mobile phones in country X stop working, and they will do it. Now the U.S. government can brick a whole country with the flip of a switch.

Cory Doctorow lays it all out in his speech about the Post-American Internet: https://pluralistic.net/2026/01/01/39c3/#the-new-coalition

altairprime · a month ago
Root access is irrelevant; modification detection is relevant. If your OS was sealed-attested, root wouldn’t matter (Macs have this in shipping production by default and it works fine for everyday users). For modding, go for it; your modded OS will be signed by your own crypto key (or none at all). Unfortunately, the media and the businesses and quite a lot of expert users confuse root-access-enabled as a convenient modification-detection method (presumably Google’s core is more competent than that, has anyone studied it?). Sigh.
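The distinction altairprime draws above (verify what was booted, not whether root is enabled) as an added example in Python; this is not the commenter's code nor any vendor's attestation protocol. The vendor key, the owner's self-signing key, the allowlist of "known-good" image hashes and the device names are all assumptions; a shared HMAC secret stands in for the asymmetric, certificate-chained signature a real secure element would produce, so that the example runs on the standard library alone.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Tuple

# Assumed stand-in for the vendor's attestation key. A real device signs with a
# per-device asymmetric key chained to a vendor root; a shared HMAC secret is
# used here only so the example runs on the standard library.
VENDOR_KEY = b"example-vendor-attestation-key"

# Constructed allowlist of measurements (image hashes) the relying party
# accepts. In practice this is the vendor-published list of release builds.
KNOWN_GOOD_OS = {
    hashlib.sha256(b"vendor-os-release-2026.01").hexdigest(): "vendor 2026.01",
    hashlib.sha256(b"vendor-os-release-2026.02").hexdigest(): "vendor 2026.02",
}


def measure(os_image: bytes) -> str:
    """The hash verified boot records for the image it actually started."""
    return hashlib.sha256(os_image).hexdigest()


def device_attest(os_image: bytes, root_enabled: bool, nonce: bytes, key: bytes) -> dict:
    """Device side: a signed statement of what booted, answering the bank's nonce.
    The root flag is reported but carries no weight in verification; the
    measurement does."""
    claims = {"os_hash": measure(os_image), "root": root_enabled, "nonce": nonce.hex()}
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"payload": payload, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_attestation(statement: dict, expected_nonce: bytes) -> Tuple[bool, str]:
    """Relying-party side (the bank). Returns (accepted, reason).
    Checks, in order: who signed it, whether it answers our challenge,
    and whether the booted image is one we recognise."""
    payload, sig = statement["payload"], statement["sig"]
    expected_sig = hmac.new(VENDOR_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, sig):
        return False, "signature: not signed by the vendor key (self-signed or tampered)"
    claims = json.loads(payload)
    if claims["nonce"] != expected_nonce.hex():
        return False, "nonce: statement was not produced for this challenge (replay)"
    build = KNOWN_GOOD_OS.get(claims["os_hash"])
    if build is None:
        return False, "measurement: booted image is not a known-good build (modified)"
    return True, f"measurement: unmodified {build}; root={claims['root']} did not matter"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Five constructed devices answering the same challenge."""
    nonce = os.urandom(16)
    stock = b"vendor-os-release-2026.02"
    user_key = b"owner-self-signing-key"  # assumed: the owner's own key for a modded OS
    return {
        "stock": verify_attestation(device_attest(stock, False, nonce, VENDOR_KEY), nonce),
        "stock_root": verify_attestation(device_attest(stock, True, nonce, VENDOR_KEY), nonce),
        "patched": verify_attestation(device_attest(stock + b"-patched", False, nonce, VENDOR_KEY), nonce),
        "self_signed": verify_attestation(device_attest(b"owner-custom-os", False, nonce, user_key), nonce),
        "replayed": verify_attestation(device_attest(stock, False, os.urandom(16), VENDOR_KEY), nonce),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:12s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The "stock_root" row models the sealed-OS case the comment describes, where root is a flag rather than a change to the measured image; on a current Android device, enabling root normally patches the boot image, so that device would land in the "patched" row instead. An owner-signed custom OS fails at the first check regardless of how clean the image is, which is exactly the liberty problem the thread is about: the relying party accepts the vendor's key, not the owner's.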
TeMPOraL · a month ago
Put like this, root access is indeed irrelevant. The ability to modify is what we want, i.e. what freedom of general-purpose computation is. The very thing banks and other businesses take away from us.
resumenext · a month ago
A bigger evil than banking apps themselves? Commerce ruined computing.
Roark66 · a month ago
Exactly. Also the smaller stupidity - inability to add your own root certificates to the system store.

In fact this is what led me to unlocking the bootloader, swapping the OS and rooting my phone. The infuriating situation where if you set up a so-called "corporate owner" (or MDM) during the first login you can add your own certificates, but if you don't... Basically the "corporate owner" of your phone is Google.

Yes, literally, you do not own it.

Also it is worth noting certain countries where "rooting/bootloader unlocking is illegal" - namely China - and the horrible stupidity of people claiming EU GDPR prevents manufacturers from offering simple bootloader unlocks for their phones.

We absolutely need to vote with our wallets. I bought a Samsung before and a Xiaomi recently only because both allow relatively simple unlock (OK, the Xiaomi requires you to wait to press "request unlock" exactly at midnight Beijing time, and it only works for non-Chinese phones, but it still unlocks fine).

amelius · a month ago
Well it has always been the case with the mobile telephony IC. Way too dangerous to leave it open to hackers.
stavros · a month ago
What are the dangers that can't be dealt with server-side?
sneak · a month ago
It’s not an evil at all. For 99% of people who aren’t “computer people”, when we gave them that, we got Bonzi Buddy and 47 other malware toolbars installed. Did we forget 2003 already?

App sandboxing and system file integrity is one of the most beneficial security features of modern computing, and the vast majority of people have no desire to turn it off. You can buy rootable phones. People overwhelmingly choose iPhones instead.

Even if Apple sold the SRD at scale, nobody would buy the weird insecure hacker iPhone except us and maybe kids who realllly want Fortnite.

hephaes7us · a month ago
The evil is enshrining other people's choices into law, unnecessarily.

There was never going to be anything preventing non-technical folks from buying iPhones. They can and should have what they like.

Why should there be a law that forces that same compromise onto anyone who can only afford a single device and needs to use it to access their bank?

wolvoleo · a month ago
> App sandboxing and system file integrity is one of the most beneficial security features of modern computing,

You can have sandboxing and system integrity while still giving the user overrides. But hey this is not Google and Apple's business model because it makes you less dependent on them. And it interferes with their sweet 30% rent-seeking app stores.

Mobile security works this way not because it's best for us but because it's best for making them money.

> You can buy rootable phones.

Eh yeah but the problem is of course being locked out of apps if you actually root it.

I don't want Google or Apple to decide what I can do with my phone. Or the government like in this case. This also opens the door for evil spyware like chatcontrol in europe. Even today they are trying to enforce a backdoor into whatsapp to block "harmful content" which is of course impossible without breaking or circumventing the E2E on-device.

> People overwhelmingly choose iPhones instead.

Maybe in America, not here in Spain. I guess not in Vietnam either.

Brian_K_White · a month ago
It is an evil because there are infinite ways to solve any problem, not just this one. Describing some problem in no way validates any particular response as being even worth the trade-off let alone flat out necessary and unavoidable.

Further, the people promulgating this sort of solution know this. The evil is that they are wittingly using a problem as the excuse and the cover to get something else they want which they would otherwise never get and have no right to.

For everyone who is doing this knowingly, there are countless other sincere but unwitting tools haplessly just buying the line sold to them. So you might be able to say you are not evil for supporting this kind of policy, but all that means is that you are either a witting or unwitting tool of the evil policy.

"Rapes happen behind closed doors, therefore we have to remove all doors. No one denies that rape happens and that it's a bad thing. And it's irrefutable that without doors that close, no one would be able to get away with a rape. And so, the only grown-up thing to do is agree to give up doors that close. It's not an evil at all."

2OEH8eoCRo0 · a month ago
"I don't like Bonzi Buddy so people should be prevented from installing it."
LoganDark · a month ago
The problem is mostly that normal people can't be trusted with system-level access but some people can. And it's literally, provably not possible to tell them apart.

For the masses, lack of system-level access is a benefit because they won't be able to ruin their device. For hackers and hobbyists, lack of system-level access is a hindrance because they won't be able to control their device.

Fiveplus · a month ago
So, if you cannot cryptographically prove to a remote server that your device is running essentially unmodified, vendor-signed software, you are locked out of the economy?

The irrefutable part here is that the security model works. Locking down the bootloader and enforcing TEE signatures does stop malware. But it also kills user agency. We are moving to a model where the user is considered the adversary on their own hardware. The genius of the modders in that XDA thread is undeniable, but they are fighting a war against the fundamental architecture of modern trust and the architecture is winning.

Helmut10001 · a month ago
As I mentioned in another post: By 2026, you'll need two phones. My current setup:

    1) An unmodified iPhone SE (2022 model) with OS support until 2032. This runs all my authentication, banking, health, etc. It is in airplane mode 99% of the time unless I need it.

    2) The second is a Pixel 9a with Graphene OS for daily use, routing and internet access.

This is expensive, but I found it to be the only viable solution to this problem.

schmuckonwheels · a month ago
Do you guys wear cargo pants to carry all these extra devices or are belt clips coming back into style?

If I could get away with carrying a tiny device again instead of lugging around a brick I would, but the world has made it as inconvenient as possible not to.

A BlackBerry from 15 years ago weighed just over 100g and did 80% of what your modern-day pocket computer can.

gruez · a month ago
>An unmodified iPhone SE (2022 model) with OS support until 2032

What makes you think it'll be supported for a decade? Looking at the past models, the support period is around 5-7 years. If you count security updates that might get you to 10 years, but at the 7-9 year mark apps will eventually refuse to update because you're not on the latest iOS.

https://en.wikipedia.org/wiki/IPhone#Models

BeetleB · a month ago
Funny - in some ways I have the opposite. In my version:

The iPhone SE would be the one I use for calls, SMS, etc. It has the SIM card.

The Pixel 9a would be used for everything I don't need a data plan/SIM card (browsing etc).

My needs are a bit different from yours. I like to separate telephony and communication (i.e. WhatsApp, SMS) from everything else. This way, if I want quiet, I just turn that phone to airplane mode. I really don't want to get random pings while I'm doing "real" stuff on my phone.

miloignis · a month ago
I'm also a big GrapheneOS user, but I'm lucky enough that my banking and authentication apps run fine on GrapheneOS, so no need for a second phone.

If they stopped, I think I would seriously consider swapping banks and whatever else instead of using a different OS.

ThePowerOfFuet · a month ago
zozbot234 · a month ago
This is a sensible move. Plus you can just keep your "authentication" phone at home instead of having it on you when you're out for no good reason.
seszett · a month ago
That's what I do too (not iOS + GrapheneOS but the result is the same) as I was tired of fighting to make my bank apps and itsme (digital identity app in Belgium) work on my rooted phone.

Every time I have to use a stock phone I'm appalled at the ads and I have absolutely no trust in any US or Chinese manufacturer. So I use them only for banking and digital ID because that's presumably not what they actually care about.

It's not that expensive, I think many people have an old Android phone lying around, it doesn't have to be up to date.

Flere-Imsaho · a month ago
I take a different approach:

I run a Proxmox server on my home LAN with all the services and storage I want, including a WireGuard server. My Android phone can then connect to my home LAN services from anywhere in the world (my ISP provides static public IP addresses).

My Android device is then a simple terminal to all my "stuff". It can be locked down as much as they want it to be, as long as it can run WireGuard. I have no use for a rooted phone. In fact I want it to be as hardened as possible in case of theft.

Pfhortune · a month ago
Pretty much the same setup here. Pixel 9 Pro GOS + iPhone 15 (USB-C everything!). The iPhone is a Canadian model that retains the SIM slot.

Most of my banking apps work fine on GrapheneOS, but I've adopted this because I'm confident they'll eventually break. And access to Apple Pay is nice.

Carrying two phones is annoying, but, agency over my main computing device is worth the price.

Helmut10001 · a month ago
Wow, my comment has really taken off! In both directions! Let me clarify some things.

- I bought the iPhone SE 2022 second-hand for 150 EUR. I think this is a fair price, but it's still expensive given that I leave it lying around 99% of the time, which I still feel is a waste of resources, regardless of my motivation.

- My main reason for having two phones is pretty simple. I think browsing and daily internet use just don't go together anymore with authentication, banking and health. I also didn't want to carry a critical key to my digital infrastructure around with me every day, especially in bars (etc.). Having a separate phone helps me to treat different aspects of my life differently. No worries, I don't have to carry two phones with me all the time.

- Yes, I do other things to generally reduce my digital footprint: I use different browsers for different things, such as admin work and social media (in those rare cases where I still use it). I also self-host behind VPN and have moved many apps to my internal stack, which gives me better control over what communicates with what. For example, I use WhatsApp Bridge so I don't have to use the app directly on phones anymore. I self-host Invidious with privacy-redirect for Fennec for YouTube, etc. Over time, all of this has slowly helped me regain my freedom, and it actually feels liberating.

- My path may not be your path.

itsamario · a month ago
Phones are cheap, service isn't. If currency goes fully digital, not having two devices is irresponsible.
Roark66 · a month ago
I have a similar setup, but no need for your "bank/govt app phone" to be an expensive device. A cheapest $120 smartphone money can buy is good enough.

Then you choose the flagship device you're going to use 99% of the time on the basis of how easily you can unlock the bootloader/root.

latentsea · a month ago
This. I've had to run two phones for some time now, and have just accepted this is the new normal.
Retr0id · a month ago
I do something similar but it's iPhone SE plus olympus camera plus laptop. The laptop is where all the libre software lives, and the camera is (of course) for taking pictures with. I don't use the phone for anything except boring essentials, for the most part.
iso1631 · a month ago
> This is expensive, but I found it to be the only viable solution to this problem.

Is it really? £150 on backmarket for a phone which will last 10 years doesn't feel expensive.

Makes sense to me to run any banking on a secure device anyway.

zorked · a month ago
I used to get a physical security key from my bank. Perhaps I should get a bank device with a touch screen for banking only and they could then stay the hell off of my personal phone.
wolvoleo · a month ago
You'll still need to bring your iPhone out with you then and thus it will capture your location and more for the companies to data-mine.
jrms · a month ago
Sounds expensive using that hardware, but we can achieve the same using cheaper phones, I like the idea, thanks.
pessimizer · a month ago
> As I mentioned in another post: By 2026, you'll need two phones. My current setup:

Cheers, maybe by 2027 unattested devices won't be allowed on the internet. It's not a solution. The problem didn't exist a few years ago, the idea that it will not continue to its inevitable conclusion within a few years without real solutions is laughable.

Wait until Graphene is classified as a hacking tool and Estonia convinces the EU to fine a million Euros a day any company providing services to host its website. Wait until, "in the spirit of reconciliation," the US goes along with it, too.

Wait until unattested desktops aren't allowed on the internet.

barbazoo · a month ago
Many of us would need the unmodified one to have a working SIM because a lot of those providers require SMS in their auth flow. Expensive for many of us. For me it'll mean I have to do these things on a computer. Until they come for that one too of course.
aspbee555 · a month ago
the iPhone still does bluetooth transmissions/pings even in airplane mode (the find my device thing) and no way to disable

the only way to disable any transmissions is to turn off the device

jjulius · a month ago
> By 2026, you'll need two phones...

Need? Unless and/or until the ability to log in and do your banking, healthcare, etc. via desktop/laptop goes away, then you don't need a phone to do any of that. Yes, 2FA may be required but in the tangential experience of myself, my partner and my two closest friends, we have multiple 2FA options available to us for our banking/healthcare apps that don't require a smartphone.

I see this point all the time - "You can't bank or do important life stuff without a phone!!!" and it's just, largely, bullshit. I don't do any "important life stuff" on my phone.

Beyond that, even if you had to have a phone to perform those tasks, I'd strongly argue that if you feel you need a second phone, then, and I know this will come off as reductive and unproductive, I think the idea of spending less time on your phone and on the internet, and more time "touching more grass" and interacting with the community and world immediately around you, might apply.

kelvinjps10 · a month ago
At that point why not just use the bank's website?
jacobthesnakob · a month ago
Why though? What are you doing on your Pixel that wouldn’t be more secure doing on an iPhone with a double hop or dual-encapsulated VPN?
betaby · a month ago
Is camera quality the same on rooted and locked Pixel? For example rooted Sony phones have terrible photo / video quality.
morshu9001 · a month ago
I already willingly do this with browsers. Firefox gets maximum adblocking and other extensions, Safari gets to touch my bank.
firefax · a month ago
Is there a resource for what phones are known good to run GrapheneOS?

karel-3d · a month ago
meanwhile, I have a problem remembering to charge one phone.
jama211 · a month ago
With all due respect - I totally understand you may need a rooted phone, I’m just curious what you use it for? I’ve never had a modified or rooted phone so I don’t know of any of the reasons you might need one.
pwg · a month ago
Cory Doctorow predicted this outcome back in 2011:

The Coming War on General Purpose Computation

https://boingboing.net/2011/12/27/the-coming-war-on-general-...

anthk · a month ago
And Richard Stallman since 1983 and before.
lawlessone · a month ago
Tbf it's been going on since before 2011
dathinab · a month ago
> does stop malware.

Unrelated to phones, a lot of (more professional) malware has moved to not persisting itself in root space (or at all) so as to not leave traces. Instead it just relies on being able to regain root access as needed every time you reboot, with all the juicy parts being in memory only (as in, how often do you even reboot your phone?).

I think (but am not fully sure) this also applies to phone malware.

I.e. no it doesn't work.

Not unless you

- ban usage of all old phones (which don't get security updates)

- ban usage of all cheap phones/phones with non reliable vendors

- have CHERI-like protections in all phones and in general somehow magically have no reliable root privilege escalations anymore

Oh and advanced toolkits sometimes skip the root level persistence and directly go into firmware parts of all kinds.

Furthermore proper 2FA is what is supposed to make online banking secure, not make pretend 2FA where both factors are on the same device (your phone).

And even without proper 2FA, it is fully sufficient to e.g. classify rooted phones as higher risk and limit how much money can be transmitted/handled with it (the limit should ignore ongoing long-term automated repeated transactions, like rent).

There really is no reason to ban it.
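dathinab's alternative above (treat a rooted or unattested phone as higher risk, cap what it can move, and leave standing payments such as rent alone) as an added example in Python; this is not the commenter's code nor any bank's policy engine. The three integrity tiers, the daily caps, and the "same payee in three distinct months within 120 days" definition of a recurring transfer are assumptions chosen for illustration; the transfers are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed policy: daily cap on outgoing transfers by device-integrity tier.
# None means no cap. Amounts are in cents to avoid float rounding.
DAILY_CAP_CENTS = {
    "attested": None,      # vendor attestation verified, image known-good
    "unverified": 50_000,  # rooted / custom OS / no attestation: 500.00
    "unknown": 10_000,     # attestation malformed or expired: 100.00
}


@dataclass
class Transfer:
    day: date
    payee: str
    amount_cents: int


@dataclass
class Account:
    history: List[Transfer] = field(default_factory=list)  # completed transfers

    def is_recurring(self, payee: str, today: date, months: int = 3) -> bool:
        """Assumed definition of a standing payment: the same payee was paid in
        at least `months` distinct calendar months within the last 120 days.
        Only transfers completed before `today` count."""
        since = today - timedelta(days=120)
        paid_months = {(t.day.year, t.day.month) for t in self.history
                       if t.payee == payee and since <= t.day < today}
        return len(paid_months) >= months

    def spent_today(self, today: date) -> int:
        """Non-recurring outgoing amount already completed today. Recurring
        payments do not consume the cap, per the policy being modelled."""
        return sum(t.amount_cents for t in self.history
                   if t.day == today and not self.is_recurring(t.payee, today))


def decide(account: Account, t: Transfer, integrity: str) -> Tuple[str, str]:
    """Returns (decision, reason). 'step_up' is not a rejection: it asks for
    confirmation through a second factor that does not live on this device."""
    cap: Optional[int] = DAILY_CAP_CENTS[integrity]
    if cap is None:
        return "allow", "attested device: no cap"
    if account.is_recurring(t.payee, t.day):
        return "allow", f"{integrity} device, but standing payment to {t.payee} is exempt"
    remaining = cap - account.spent_today(t.day)
    if t.amount_cents <= remaining:
        return "allow", f"{integrity} device: {t.amount_cents} within remaining cap {remaining}"
    return "step_up", f"{integrity} device: {t.amount_cents} exceeds remaining cap {remaining}"


def demo() -> dict:
    """Constructed scenario: three months of rent already paid, then one day of
    new transfers from a rooted ('unverified') phone and from an attested one."""
    today = date(2026, 1, 5)
    acct = Account([Transfer(date(2025, m, 1), "landlord", 120_000) for m in (10, 11, 12)])
    out = {}
    out["rent_unverified"] = decide(acct, Transfer(today, "landlord", 120_000), "unverified")[0]
    out["new_payee_unverified"] = decide(acct, Transfer(today, "new-shop", 60_000), "unverified")[0]
    out["new_payee_attested"] = decide(acct, Transfer(today, "new-shop", 60_000), "attested")[0]
    out["first_small_unverified"] = decide(acct, Transfer(today, "cafe", 30_000), "unverified")[0]
    acct.history.append(Transfer(today, "cafe", 30_000))  # that one completes
    out["second_small_unverified"] = decide(acct, Transfer(today, "cafe", 30_000), "unverified")[0]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24s} {v}")
```

The point of the shape is that a rooted phone never gets a hard "no": the 1200.00 rent goes through because the payee history, not the device, vouches for it, and a new 600.00 payee gets a step-up to a second factor rather than a lockout. The integrity verdict is one input to a risk decision, which is how the rest of fraud scoring already works.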

mike_hearn · a month ago
Yes that's what they are doing. Phones known to have live root exploits are detected and banned.
finaard · a month ago
I guess you can still do banking on your PC?

I stopped using banking apps on my phones a few years ago - they got more and more annoying, and I don't buy into the "the device is secure and should be used as a trust token". So I'm now back to banking only on my computer, with a hardware token for TAN generation.

fph · a month ago
Hardware tokens are not allowed in Europe to authorize certain operations such as bank transfers: you need a device that can show the operation you are about to authorize ("enter 123456 to confirm your payment of 99.99 € to Pornhub"). And that essentially means using a phone.
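The property fph describes above, a confirmation code that only works for the exact operation the user saw on the authorizing device, as an added example in Python; this is dynamic linking in the generic sense, not the commenter's code nor any bank's implementation. The canonical field layout, the per-device key, the bank challenge, the IBANs and the HOTP-style truncation of the MAC into six digits are all assumptions or constructed values.

```python
import hashlib
import hmac
import struct


def canonical(amount_cents: int, payee_iban: str, challenge: bytes) -> bytes:
    """The exact bytes both sides commit to: amount, normalised IBAN and the
    bank's per-transaction challenge. Whatever the device displays must be
    derived from these same fields, or the display proves nothing."""
    iban = payee_iban.replace(" ", "").upper()
    return b"|".join([str(amount_cents).encode(), iban.encode(), challenge.hex().encode()])


def display_text(amount_cents: int, payee_iban: str) -> str:
    """What the signing device must show before it reveals the code."""
    return f"Confirm payment of {amount_cents // 100}.{amount_cents % 100:02d} EUR to {payee_iban}"


def confirmation_code(device_key: bytes, amount_cents: int, payee_iban: str,
                      challenge: bytes, digits: int = 6) -> str:
    """Device side. HMAC over the canonical transaction, truncated the way
    HOTP does (RFC 4226, section 5.3) into a short code the user can type."""
    mac = hmac.new(device_key, canonical(amount_cents, payee_iban, challenge), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def bank_verify(device_key: bytes, submitted_amount_cents: int, submitted_iban: str,
                challenge: bytes, code: str) -> bool:
    """Bank side: recompute over the details actually submitted for execution.
    If malware changed the payee or amount after the user approved, the
    recomputed code differs and the transfer is refused."""
    expected = confirmation_code(device_key, submitted_amount_cents, submitted_iban, challenge)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Constructed scenario: the user approves 99.99 EUR on the signing device;
    a compromised browser then swaps the payee before submission."""
    device_key = b"per-device-secret-provisioned-at-enrolment"   # assumed
    challenge = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed bank challenge
    user_sees_iban = "DE89 3704 0044 0532 0130 00"
    attacker_iban = "DE02 1203 0000 0000 2020 51"
    code = confirmation_code(device_key, 9999, user_sees_iban, challenge)
    return {
        "shown": display_text(9999, user_sees_iban),
        "code": code,
        "honest_submission": bank_verify(device_key, 9999, user_sees_iban, challenge, code),
        "payee_swapped": bank_verify(device_key, 9999, attacker_iban, challenge, code),
        "amount_inflated": bank_verify(device_key, 99999, user_sees_iban, challenge, code),
        "code_reused_next_tx": bank_verify(device_key, 9999, user_sees_iban, bytes(16), code),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20s} {v}")
```

This is the part of the requirement that actually needs a trusted display: a plain OTP (time- or counter-based, with no transaction fields in it) would have verified the swapped transfer just as happily, because nothing in it says what the user agreed to. Whether that display has to be a phone, as the comment says, or could be a card reader with a screen, is the question the rest of the thread is arguing about.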
phantom784 · a month ago
That probably means giving up the ability to mobile deposit checks - every bank I've ever had only allows that through their app.
EvanAnderson · a month ago
Hyperbolic take - There won't be PCs, as we know them, for too much longer (both by way of being made into walled garden phone-like "appliances" by software, and by the hardware becoming unavailable).
m4rtink · a month ago
Are you sure it actually works ?

Outdated but signed ROM with tons of unfixed CVEs will still be considered totally fine.

Latest LineageOS or GrapheneOS will be rejected.

kube-system · a month ago
> We are moving to a model where the user is considered the adversary on their own hardware.

That has been the model since day one, since you are using spectrum that, because the end users are not licensed, requires it. Radios in 100% of commercially available phones are locked to prevent user tampering.

You don't get root on your debit card either, despite it running a computer.

te7447 · a month ago
> That has been the model since day one, since you are using spectrum that, because the end users are not licensed, requires it. Radios in 100% of commercially available phones are locked to prevent user tampering.

Why, then, can users be root on PCs that have wifi cards, SDRs or cellular radios?

unethical_ban · a month ago
You make good points, but your framing makes it sound like this new change is nothing new, when it is and it should be discouraged.
dstroot · a month ago
Consumer level security always has to contend with the lowest common denominator. As my 80-year-old mother's technical support team I can testify that she will download and install anything she sees on Facebook. The consumer security world has to protect us from people like her. It's also the reason I will only allow her iOS devices.
grishka · a month ago
Maybe people like her should just, uh, not use technology? Or not do it as much? The fact that the society so heavily pushes everyone — regardless of their technical literacy and willingness to learn — to use internet-connected devices is also a huge part of the problem.
zeta0134 · a month ago
Personally I just don't use a banking app. The website works fine? I don't like the idea of having to use something from the Apple App Store or the Google Play Store, both companies of which could randomly decide I don't need to exist and cut off my access. ... no thanks? So I don't run "apps" at all. If your business is only available that way, sorry! But "I don't have a smartphone" tends to signal to the receptionist that they'll need to explain the myriad of other ways to do business.
zb3 · a month ago
The problem is that we're supposed to use these "secure apps" on our own devices.. but since they need these enhanced security guarantees, our own devices cease to be ours.
e2le · a month ago
>does stop malware

Doesn't stop state approved malware in all its forms.

piyuv · a month ago
“Irrefutable part” is easily refutable. Malware run by governments and agencies is still malware.
unethical_ban · a month ago
Does it? Are you telling me banking apps have no choice but to go to this extreme when none of my seven US financial institutions even implement TOTP?

This is lazy control.

add-sub-mul-div · a month ago
> you are locked out of the economy?

Not that it excuses the withdrawal of user agency. But I've never used a banking app on my phone before. Anything important I still like to do on a desktop.

Though how much longer that's safe, who knows. Apple's model of requiring their permission to run code on your own device will probably spread to everything given enough time.

cestith · a month ago
Much of the world uses mobile payment apps instead of credit or debit cards. Some banks allow a setting that using a card can require a ping to the banking app for verification of the transaction. I don’t know if it’s legal to turn down cash payments in Vietnam, but some vendors may only accept digital payments.

I guess you could take your laptop out at the restaurant and in the taxi to pay. It seems a little strange. You might be better off just using a browser on the smartphone instead of the mobile app.

jolmg · a month ago
> But I've never used a banking app on my phone before. Anything important I still like to do on a desktop.

A lot of banks require using their banking app to get a 2FA token to log-in on a desktop web browser.

mschuster91 · a month ago
> But I've never used a banking app on my phone before.

Here in Europe, good luck using any form of online payment without one due to 2FA requirements.

SkiFire13 · a month ago
> Locking down the bootloader and enforcing TEE signatures does stop malware.

I have no idea about the kind of malware you're talking about.

Deleted Comment

aranelsurion · a month ago
> moving to a model where the user is considered the adversary on their own hardware

I think we’ve been there at least since the first iPhone, and it’s now entirely normalized for the average user.

cmxch · a month ago
Only if the vendor isn’t plying malware themselves.

The only solution is to force some semblance of user agency on those models, such that the vendor isn’t imposing from above.

emsign · a month ago
Yeah. Tech companies are coming for our hardware. Next step is OSes with agentic AI turning it from a system with frameworks and libraries with apps separate from the base system, into a system that only runs AI models that the "owner" of the hardware has no control over and the lines between the OS and the AI are very blurred.

This totally defeats the purpose of owning or using tech. Might as well go off grid and live a non-tech life.

Big tech wants to colonize our hardware completely because data centers alone ain't cutting it.

$1 trillion has to be paid back to the investors plus interest. They screwed up with AI and we have to pay for it. Or maybe they didn't screw up because big money always gets bailed out by the plebs.

Terretta · a month ago
I really like this comment. I similarly don't like that banking is, from no collusion just internal incentives, locking out any users not opted into the Chromium hegemony.

> The irrefutable part here is that the security model works.

Yes! And that business model should be allowed.

This leads me to worry the notion of "user agency" may be misplaced, meaning, aimed at the wrong level of the stack. It would seem both open (general compute ethos) and secure devices (appliance ethos) have a right to be in the market. So…

### Perhaps user agency should be at the experience level. ###

We couldn't plug Sega Genesis cartridges into Nintendo 64. We understand this about consoles. If we remap mobile devices into consoles, it seems less obvious their internals should be opened and tinkered with by end users.

User agency seems more at the level of picking a console family, and it's often for the whole brand aura including both the console itself and safeness-to-permissiveness dial by which the brand curates the cartridges (spectrum from Nintendo to Apple to Sony to Microsoft and Steam). A free market for mobile devices or desktops would likely sort out a similar spectrum of just-works to fidget-able. If you choose the Nintendo 64, you wouldn't expect to run arbitrary software on it as you would expect on Dell.

We hackers are capable of figuring out how to make Nintendo 64 software; our neighbor does not need or want those affordances, they want just works, no headaches. This idea that the user must be able to open their digital watch or toaster oven and change how it is wired glosses over what users actually choose: the conveniently toasted meal.

At the same time, business models around the curation and appliancification of digital tools, blurring the lines from hardware through solid state through firmware to software into a single product users can choose, must be defended.

If I want to dev for a secure product, I similarly must be OK opting into the supply chain security model (with Apple, registering as a dev in order to exchange cert material and bypass consumer paths to loading software I'm making for the platform) that allows that product to be secure, and opted into by users with money to buy my app, that caused me to want to develop for it in the first place.

Users must have a right to buy an appliance that isn't fiddle-able. Not mandated to, as this article sounds, but allowed to as the EU is trying to deny. Such products have a right to exist, and such business models have a right to exist.

And then, user agency remains as simple as use dollars to buy a product offered through a biz model that matches the user's goals, rather than regulate to disable business offerings/products that don't, and developer agency is to pour energy into the platform that aligns with one's ethos.

If more money is to be made on a platform with a different ethos, perhaps it's worth reflection rather than rants.

raw_anon_1111 · a month ago
These banks don’t have websites?

Dead Comment

ecshafer · a month ago
When I used to work on the Vanguard authentication team, we blocked Vietnam from access because of too much fraud (not my choice). But it was funny because we had Vietnam based clients, so there were a couple HNW clients in the logs that you could see who would log in from Vietnam/Russia/Wherever, get blocked, open their vpn, then log in from England. This was a while back, but even then there was a push for things like yubikey, and hardware tokens, so it's not surprising the wind is blowing in this direction of just hardware authenticated people. Financial companies are just constantly fighting fraud in a million ways.
Zak · a month ago
I'd be really interested to know whether a significant amount of fraud and fraud attempts involve devices with root or non-stock operating systems.

This has always struck me as a matter of checkbox compliance rather than a commonly-exploited attack vector, though I'll grant that's partially because few people actually use such devices.

array_key_first · a month ago
Intuitively I'd say no, there's no way it's a significant amount of fraud. Number one because, as you said, it's rare, but number two because you just don't need a rooted phone to scam someone. You can very easily scam people on perfectly legitimate phones and with perfectly legitimate apps.
browningstreet · a month ago
I worked in fraud compliance architecture at a bank.. they didn't checkbox anything. They had a lot of gathered data and justification for the limits they enabled. I'm sure not every bank does it that way, but they weren't trying to limit legit customer access, and it pained them to enforce limitations like this.
mike_hearn · a month ago
Devices that are easily rooted absolutely originate fraud. It's not like this is some wild claim. Look at how much financial fraud is driven by botnets running on old Windows PCs.
blueg3 · a month ago
In my experience, people don't really care about rooted devices and non-stock Android -- if those devices are actually phones in the hands of human users.

The big fraud vector is running emulators in datacenters or skipping running the app entirely and talking directly to endpoints. Requiring that an entity making a request is from a real phone and is from (approximately) your app adds friction and is effective at reducing fraud.

itake · a month ago
I work at Grab (SEA rideshare and licensed bank, but not licensed in VN).

A significant amount of fraud comes from scammers convincing victims to install malicious apps. They fake being a customer service provider.

Banks don't want their customers to lose their money and they don't have the tools to protect them from themselves. For all the privacy reasons, app stores don't even give banks enough tools to identify and block this fraud.

morshu9001 · a month ago
When I was running a home server as a kid, I IP-blocked the entire continent of Asia because I was constantly getting pings, portscans, HTTP path guesses, SSH auth attempts, etc randomly from there. Of course I secured my stuff to the best of my knowledge, but I still didn't want that harassment cause 1. who knows 2. could be ddos'd.

When finding help on how to do this, people were saying it's useless cause they can proxy/VPN anyway, but obviously that has some cost to them because they weren't doing that. So seeing how I had no legitimate traffic from there, it was an easy choice and cut out like 99% of abuse.

chrneu · a month ago
lol you should see how bad it is nowadays. Like 90% of my traffic is from SE Asia or Germany trying to scrape my site. I blocked like a dozen countries because of it. Singapore itself is an insane amount of traffic for me.
kccqzy · a month ago
Oh yeah I remember adding my Yubikey to Vanguard as early as 2019! It felt amazingly modern compared to any other bank. I assume this is your or your team’s work. Thank you!

I’ve also had other banks do the same. They provided me with a debit card that supports international transactions but they did not allow logging in from most Asian countries. So I would log in from Asia, be blocked, turn on my VPN and log in from the U.S. to check the balance on my card.

ecshafer · a month ago
Yeah I was on the team that had yubikey working. It was kind of a pain because we had to support some ancient IE versions and Yubikey basically only worked on Chrome at the time IIRC.

> I’ve also had other banks do the same. They provided me with a debit card that supports international transactions but they did not allow logging in from most Asian countries. So I would log in from Asia, be blocked, turn on my VPN and log in from the U.S. to check the balance on my card.

Yeah it was kind of complicated. We blocked high fraud countries to just get rid of this low level fraud and port scanning. But if someone was actually a customer, then that was fine, it was just assumed they would know how to use a VPN and they're going to get everything verified. There's also some KYC rules that I am not too familiar with that it just became considered okay at that point.

venusenvy47 · a month ago
I always thought Vanguard was behind the curve on these types of things. They don't even have support for TOTP from an authenticator, do they?

Separately, I couldn't even log onto their system this week from my desktop browser because of some bug. (Accessing from the US). It didn't recognize my username or password, let me change my password, then said it didn't recognize the new password.

Arbortheus · a month ago
Do those same banks have websites that you can access from a computer with root access? Most likely, yes.
tux3 · a month ago
There's a trend of online banks forcing the use of an app. I can't login to one of my banks' website since last year without using a QR code from their app.

Of course they slathered the app with tracking, 'security', and analytics SDKs, so rooted devices are rejected. I had no way to log into this bank account after they made that change, which is simply wonderful.

Anyways, they're not yet at the point where they've learned to do the checks server-side. For now it's a one line patch to skip the root screen. But the Play Integrity API is designed correctly, if they learn to use it, there will be no workaround without someone finding a hardware vulnerability somewhere.

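As an added example, not code from the thread or from any bank, here is what "doing the checks server-side" looks like for a device-integrity verdict. The field names mirror the documented shape of a decrypted Google Play Integrity verdict (`requestDetails`, `appIntegrity`, `deviceIntegrity`); decrypting and signature-checking the token with the platform's keys is assumed to have already happened, the package name `com.example.bank` is hypothetical, and every verdict is constructed inline. The point is that nothing the server trusts is a flag the app sets about itself, so a one-line patch in the client has nothing to skip.

```python
"""
Server-side evaluation of a decrypted device-integrity verdict (added example).

The verdict layout follows the documented Play Integrity shape. Decryption and
signature verification of the token are assumed to be done already; the
verdicts built by make_verdict() are constructed test data, not captures.
"""
import secrets
from dataclasses import dataclass, field

PACKAGE = "com.example.bank"            # hypothetical package name
MEETS_STRONG = "MEETS_STRONG_INTEGRITY"
MEETS_DEVICE = "MEETS_DEVICE_INTEGRITY"
MEETS_BASIC = "MEETS_BASIC_INTEGRITY"


@dataclass
class NonceStore:
    """Single-use challenges the server issues per session. The app must echo
    the nonce into its attestation request, so a verdict cannot be captured
    on one device and replayed from another, or replayed at all."""
    ttl_seconds: int = 120
    _issued: dict = field(default_factory=dict)  # nonce -> (session_id, issued_at)

    def issue(self, session_id: str, now: float) -> str:
        nonce = secrets.token_urlsafe(24)
        self._issued[nonce] = (session_id, now)
        return nonce

    def consume(self, nonce: str, session_id: str, now: float) -> bool:
        entry = self._issued.pop(nonce, None)  # pop: a second use fails
        if entry is None:
            return False
        owner, issued_at = entry
        return owner == session_id and now - issued_at <= self.ttl_seconds


def evaluate_verdict(verdict: dict, *, session_id: str, nonces: NonceStore,
                     now: float, required: str = MEETS_DEVICE,
                     max_age_seconds: int = 120) -> tuple[bool, str]:
    """Return (accepted, reason). Every input is either a field the attestation
    service placed inside the signed verdict or state the server itself holds;
    no client-supplied "rooted": false flag is consulted anywhere."""
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})
    dev = verdict.get("deviceIntegrity", {})

    if req.get("requestPackageName") != PACKAGE:
        return False, "verdict is for a different package"
    issued = req.get("timestampMillis", 0) / 1000.0  # set by the service, not the app
    if not (now - max_age_seconds <= issued <= now + 60):
        return False, "verdict outside the accepted time window"
    if not nonces.consume(req.get("nonce", ""), session_id, now):
        return False, "nonce unknown, expired, reused or bound to another session"
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return False, "app binary not recognised"
    if required not in set(dev.get("deviceRecognitionVerdict", [])):
        return False, f"device does not meet {required}"
    return True, "accepted"


def make_verdict(nonce: str, timestamp_millis: int, levels: list,
                 package: str = PACKAGE, app_verdict: str = "PLAY_RECOGNIZED") -> dict:
    """Constructed sample verdict in the documented shape (test data only)."""
    return {
        "requestDetails": {"requestPackageName": package, "nonce": nonce,
                           "timestampMillis": timestamp_millis},
        "appIntegrity": {"appRecognitionVerdict": app_verdict},
        "deviceIntegrity": {"deviceRecognitionVerdict": levels},
    }


def demo() -> list:
    """Accept a fresh verdict, reject its replay, reject a BASIC-only device."""
    store = NonceStore()
    now = 1_700_000_000.0
    n1 = store.issue("sess-1", now)
    good = make_verdict(n1, int((now + 1) * 1000), [MEETS_DEVICE, MEETS_BASIC])
    results = [evaluate_verdict(good, session_id="sess-1", nonces=store, now=now + 2)]
    # the very same verdict presented again: its nonce was already consumed
    results.append(evaluate_verdict(good, session_id="sess-1", nonces=store, now=now + 3))
    # a device that only reaches MEETS_BASIC_INTEGRITY does not meet the bar
    n2 = store.issue("sess-1", now)
    basic = make_verdict(n2, int((now + 1) * 1000), [MEETS_BASIC])
    results.append(evaluate_verdict(basic, session_id="sess-1", nonces=store, now=now + 2))
    return results


if __name__ == "__main__":
    for ok, why in demo():
        print("accept" if ok else "reject", "-", why)
```

The order of the checks matters: the timestamp and package are checked before the nonce is consumed, so a stale or foreign verdict does not burn the session's live challenge, while the nonce is consumed before the integrity level is inspected, so a rejected verdict cannot be re-presented with a different session or a better verdict grafted on.
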
ljm · a month ago
Depends on what country you're in. In the UK, the banks are often held liable for various scams that involve the transfer of money, so they up the security over and over again. A bank will rightly argue why it's responsible for an old granny sending her life savings to her new lover in Namibia, so it seeks to block that transaction in the first place.

Some of that liability is fair but most of it is the government telling the banks to account for the loss when someone is scammed. They are obviously going to mitigate that as much as they can.

cons0le · a month ago
Yep, hardware attestation is becoming more common, even with websites.

This is why LineageOS is actually dead in the water, even though they're "in talks with hardware vendors". It doesn't matter when people can't use the apps and services they need.

jacobthesnakob · a month ago
Normiefication. Normies do everything on their phones; it’s the companies meeting the masses where they are. I’ve seen people fight for their lives to do a spreadsheet on their phones when there’s a laptop they own gathering dust less than 50 feet away.
adrr · a month ago
Bunch of fintechs only let you sign up from an app. Easier to secure and prevent bots. Pin certs, detect virtualization, etc.
bugbuddy · a month ago
This is a very condescending toward Vietnamese tech people. According to Twitter/X, Vietnam’s GDP just surpassed Thailand and it’s on its way to joining the Great East Asian prosperity zone by becoming the last country to become fully industrialized and very rich. Many tech jobs in the US will move to Vietnam in the coming few years. You will be surprised where your future Tech conferences will be located.
al_borland · a month ago
This trend makes me want to find a small town credit union.

I chose my current bank because it was one of the few that had proper token based access for 3rd party integration. An overwhelming majority of banks were relying on a 3rd party holding your actual username/password and saying "trust me bro". I wasn't comfortable with that.

dingaling · a month ago
Eventually though I suspect that web access to banks will be rescinded too, much like HMRC in the UK no longer permits companies to submit their taxes through the websites.

In the future, everything will need an 'app'.

SketchySeaBeast · a month ago
Don't like that. I'm of the "if you're going to do something important, do it on your PC" generation. I do not want a future where I lose my phone and I can no longer access my bank.
tengwar2 · a month ago
With HMRC, the reasoning is that this forces the company to have an accounting package. They don't care which, they just define the API. Not unreasonable. There are more issues with MTD IT (making tax digital, income tax) due to some detailed requirement decisions such as the need to report different income streams separately.
silisili · a month ago
That seems to be the way the wind is blowing. Most new 'challengers' I've tried in the US either have no web access at all, or limited access that lets you view balance but not do things like transfers.
acedTrex · a month ago
It's moreso everything will need a signed hardware key of some sort. The app is just the easiest expression of that.
simlevesque · a month ago
First it'll be apps, then it'll be one app.
mothballed · a month ago
Would make a lot of sense for banks just to shut off online/mobile access and switch to in person only. That seems to be the way things are moving with KYC/AML and ensuring there is a material presence of the person in the banking jurisdiction in which they operate. Knowing the password / keys and providing a video 'proof of life' is no longer sufficient to presume you're dealing with the person you think you are and not just sold 'darks'.

I've heard 3rd hand of some banks already doing this in e.g. Armenia where a foreigner can come in and open account easily but they block any online access to lock the control of funds in country to make it harder for the FATF psychopaths to find fodder to clamp down on them.

dangus · a month ago
This seems like a massive jump to conclusions.
whs · a month ago
Thai banks are required by regulation to have facial recognition when transferring over 50k THB in one transaction or cumulative in a day. I believe most banks have shut down their internet banking as it's not worth it for the low number of users to implement web-based secure facial recognition that doesn't allow you to feed spoofed video input. One of the banks that I use will send a push notification to their mobile app for you to confirm the transaction.

I believe that previously internet banking, even before mobile banking, would limit the number of transfer recipients you can add per day/month. With the rise of QR payment I could see this limit being regularly hit if you scrape the web-based banking.

Since the Bank of Thailand claims that they technically don't block many things (mobile banking technical requirements seem to also require blocking root, but they never banned internet banking), I wish there were a new bank that tried to disrupt the existing players. But the latest "branchless" banking licenses were only acquired by existing banking groups, so API-first personal banking remains impossible.

agumonkey · a month ago
Maybe a tiny difference though is that a phone is moved all day long, with a lot of people around to mess with or pick it. Your laptop is a bit larger and your desktop .. well is behind your door. But yeah ultimately a bank should not rely on phone OS to have security.
abdullahkhalids · a month ago
TD Canada is forcing me to use their app. Every time I make an online transaction which to them is too large or fishy in some way, they make me log in to the app on my phone to approve the transaction. That's the only way.
JCattheATM · a month ago
Close the account to change banks and let them know why.
Elfener · a month ago
In Hungary, where the central bank created the same rule about not allowing banking apps on "unofficial" devices, they do, but you need either the app or SMS for 2FA. Apparently they consider SMS secure...
drnick1 · a month ago
The idea is that while SMS may not be "secure" in general, it is secure enough when used as the second authentication factor.
d3nit · a month ago
Tbh it's way less annoying than I thought when they introduced it.
kube-system · a month ago
There has been a trend away from this over the past decade. Some banks require mobile apps for some or even all interactions.

The banks that allow you to do everything on their website trend towards legacy and US-centric.

ranger_danger · a month ago
Many people also use their bank's app for mobile NFC payments though (more of a thing in EU than US), which you can't easily do with a device that doesn't fit in your pocket.
bakugo · a month ago
In some countries, it's already impossible to make online payments without the bank's phone app. Only a matter of time until all banking is restricted to phones.
harvie · a month ago
yes. and the websites require you to verify transactions with (unrooted?) phone.

on the other hand phone does not require you to verify with your pc, so there's no second factor unless there is some inaccessible secure island within the phone itself.

funny enough, you can probably use that website directly on the phone that you use as 2F, which probably circumvents the 2F idea (at least as long as you use SMS 2F instead of app that checks for root)

karel-3d · a month ago
They usually have a mobile companion app where you need to confirm login.
varenc · a month ago
I assume the bank apps have functionality that their websites lack. Like being able to tap to pay for things, etc. Where a rooted phone might make fraud easier. If not, then this really makes no sense.
hirako2000 · a month ago
Malware is more easily spread onto rooted phone, that's for sure.

From there you can keylog, hijack input listeners, basically do anything you want.

eastbound · a month ago
The only way an app can contact a company is through REST APIs.
a456463 · a month ago
JPMCB Chase only allows an APP for 2FA auth
Macha · a month ago
I mean, if it's like Ireland, then no.

While they (mostly) have websites, a computer with root access is not sufficient by itself to access them. You also need to perform 2FA via push notification to a proprietary app on an Apple or Google approved device.

edent · a month ago
Yes, but a web browser doesn't run HTML + JS as root.
wdrw · a month ago
Dependence on a secure client is generally a bad idea. Security should be server-side.
SkiFire13 · a month ago
A rooted android device doesn't run apps as root either, nor does it generally allow them to get root access without the user accepting a system prompt.
linkregister · a month ago
This is likely part of the Vietnamese and Thai governments' rollout of biometric linking for bank accounts, similar to KYC regulations in the United States. The deadline for Vietnamese biometric linking was December 19th, 2025 [1].

The Vietnamese government has reported a rise in account takeovers and other banking thefts [2]. SIM-swapping has been a tactic used. Adding difficulty for fraudsters to trick unsophisticated banking customers is a valid security layer.

1. https://vietnamnet.vn/en/biometric-deadline-nears-millions-o...

2. https://evrimagaci.org/gpt/vietnam-faces-surge-in-sophistica... (expands upon https://vneconomy-vn/techconnect/mobile-banking-phat-trien-manh-tai-viet-nam.htm)

basilikum · a month ago
> SIM-swapping has been a tactic used. Adding difficulty for fraudsters to trick unsophisticated banking customers is a valid security layer.

You fight SIM-swapping by outlawing the moronic practice of using SMS for anything security sensitive. Not by blocking user modified OSes.

morshu9001 · a month ago
What's the alternative that regular people will understand how to use and not get locked out of?
alephnerd · a month ago
Partially, but it's also connected with the VNeID project [0]. The goal is by 2030 [1], all Vietnamese nationals and foreign visitors will have a digital biometric ID attached to themselves, and all services linked to said ID.

[0] - https://vneid.gov.vn/

[1] - https://tuoitre.vn/thieu-tuong-nguyen-ngoc-cuong-nang-cap-vn...

grugdev42 · a month ago
Serious question, what is gained from this move? Why would a government care? Are rooted phones really that much of a problem?

Surely most people running a rooted phone are tech enthusiasts. Cybercriminals will just use regular phones bought under false names and dispose of them afterwards.

alephnerd · a month ago
> Why would a government care

Viet Nam is in the process of rolling out mandatory biometric identification and verification as part of the VNeID project [0], and mobile operators are in the process of rolling out identity stamping of mobile devices using VNeID [1]

Viet Nam is also an authoritarian state whose current leader (To Lam) spent his entire career in Viet Nam's KGB (MPS/BCA). Unlike Westerners, Vietnamese know the red lines - this is why I and my SO (much to her chagrin due to my insistence) never travel back to VN with my personal accounts or devices, and why we keep some friends of friends on speed dial.

[0] - https://vneid.gov.vn/

[1] - https://vtv.vn/nha-mang-ho-tro-kich-hoat-sim-truc-tuyen-bang...

karel-3d · a month ago
I am not sure what you are saying with respect to red lines.

Vietnamese government will not arrest a tourist foreigner for talking bad about the party or about Ho Chi Minh, it would decimate their tourist bottom line. If you don't deal with drugs or actively don't organise against the party, you will be fine.

There is a growing surveillance (which you cited well) but mostly for locals.

edit: oh I misread, you are Viet Kieu, not a western tourist. OK yeah that makes some sense.

memoriuaysj · a month ago
the banks would care. less money spent on security or dealing with clients who had their money stolen
jamesnorden · a month ago
Are you implying there's a big percentage of people getting their money stolen because they rooted their phones? I'd like to see some data on that if so.
amlib · a month ago
At the cost of making society even more dependent on Google and Apple.
attila-lendvai · a month ago
it's not about rooted or not, but rather who controls what OS you run.

and that's enormous power for those who want to centralize power into their hands.

jollyllama · a month ago
They gain credibility with overseas banks. Otherwise, the banks can just say "why do we need to support Vietnam? Too much fraud" and block access from Vietnam and VPNs.
alephnerd · a month ago
1. Don't people on HN realize Vietnam is a single party authoritarian state with a very active secret police (MPS/BCA)?

2. Vietnam has been in the process of rolling out national biometric identification for years now as part of the VNeID [0] project, and unifying that with banking and mobile phone identification is an important part of that such as with the recent FPT Telecom announcement [1]. The aim is to turn VNeID into a super-app by 2030 [2], and from what I've seen in rural areas of the Central Highlands, it's on track.

[0] - https://vneid.gov.vn/

[1] - https://tuoitre.vn/vneid-mo-rong-dich-vu-so-dang-ky-internet...

[2] - https://tuoitre.vn/thieu-tuong-nguyen-ngoc-cuong-nang-cap-vn...

Dead Comment

taosx · a month ago
I really don't understand this. My line of thinking is that if someone is technical enough to root his phone he understands the risks. Why would they force banking apps to detect and not work on rooted phones? Why would the government care so much?
lucb1e · a month ago
It's not to protect the user; it's DRM. Using a non-rooted phone means all apps get DRM for free. You can't simply press 'record screen' when the software sets a flag; you can't view the data that the app processes about you or make backups thereof; you can't control what the device does such as skipping any checks. Fraud detection and CAPTCHAs rely on security through obscurity.

> if someone is technical enough to root his phone he understands the risks

You're looking at this from the user's perspective. Indeed, the narrative is "for your safety, you cannot export your security tokens from your device's storage" or "software that runs as root can bypass all permissions, an attacker might exploit that!", as though users can't make that choice themselves on purchased-to-own hardware. Dropping privileges (https://en.wikipedia.org/wiki/Privilege_separation) has been a thing since as long as I'm alive. Don't be fooled that this "protection" is for you :(

netc · a month ago
A phone given for repair by a non-technical person can be rooted without their knowledge. The repair person potentially can install malware. We cannot assume the owners of the rooted phone themselves have rooted the phone.
aiiotnoodle · a month ago
Practically, verified boot is hard to not have a "this phone has been tampered with" message on boot, the backups generated often have encrypted user data that is usually wiped on boot-loader unlock, you'd also need to unlock the phone or have the user give the pin over and most of the apps that implement root checking SDKs would prevent them from working.

I'm not saying its impossible but it is hard to do at present in a way where if I came and picked up my phone again, I'd not know something happened to it.

h4x0rr · a month ago
How would you root without resetting it?
plst · a month ago
Assuming the owner gave the shop the pin. If so, the shop can already steal a lot of data from the phone. Why bother with persistent malware at this point?

You already have to trust the repair shop with your data. Installing persistent malware on phones is already illegal. What's the point of this extra software protection in this case? To prevent a 0.00001% chance hack? The type of hack that would put the repair men in jail?

Not to even mention that modern phones are basically unfixable.

baal80spam · a month ago
> Why would the government care so much?

My guess is:

1. Person with rooted phone uses a bank app, is hacked, has their money stolen.

2. Guess where the person turns to for help? The government.

cestith · a month ago
I think it has more to do with the phone being tied to an individual, the banking and spending activities being tied to the phone, and the government having some hardware attestation about how people are spending their money and with whom. If you root a phone, you can change things like the MAC addresses. You may be able to futz with a softSIM/eSIM. That makes you harder to track.
basilikum · a month ago
I don't think this is actually happening. There is an enormous loss to scams mostly by tech illiterate people using the preinstalled operating system. I don't think the losses that involve user installed OSes are in any way significant.
6thbit · a month ago
"detect unauthorized interference with the Mobile Banking application"

I wonder if this has become a feasible avenue for scammers to interfere via other apps they could convince someone to install on rooted phones. Or if they are worried about skilled people being able to debug/MITM and find vulnerabilities on the banks.

Though from that statement alone, sounds more of a measure to protect banks than customers.

NoMoreNicksLeft · a month ago
>I really don't understand this. My line of thinking is that if someone is technical enough to root his phone he understands the risks.

But you do understand. If someone is technical enough to root their phone, then he is the risk.

[cough]Monero[cough]

themafia · a month ago
It's a reliable signal for fraud. The legitimate users are simply noise against this backdrop. The police only think in one direction and never consider the broader consequences of their enforcement prerogatives.
unparagoned · a month ago
Like most people in this thread people who root their phones are clueless about how much of a security risk it is. So they are protecting people from making dangerous choices.
rk06 · a month ago
the idea is hackers in state sponsored countries can also root phones and have nefarious intentions.

banking is very risk averse area. and it is good precaution.

bsimpson · a month ago
Vietnam is a one party state. Does the government control the banks?
alephnerd · a month ago
Somewhat. The most popular banks are SOEs owned by ministries, but private sector banks that are local (eg. SCB) or foreign like Shinhan or HSBC, along with private sector fintech is booming.
bell-cot · a month ago
> My line of thinking is that if someone is technical enough to root his phone he understands the risks.

Kinda like the Wall Street concepts of "Accredited" and "Sophisticated" investors - who could never possibly fall for a Ponzi scammer like https://en.wikipedia.org/wiki/Bernie_Madoff ?

Not to say I'm a fan of Vietnam, or familiar with their ban - but when people are having their money stolen at scale, there's a very strong tendency to blame the gov't and/or financial system. And it's extremely rare for stolen-at-scale funds to not be "reinvested" in further criminal activities - which again, the gov't is expected to deal with.

concinds · a month ago
> My line of thinking is that if someone is technical enough to root his phone he understands the risks.

That is a terrible assumption. I had a rooted phone when I was 12 to pirate games. Friends asked me to root theirs. Rooting isn't hard and lots of people do it (in absolute, not relative, terms)

And the idea that so-called “technical” people know what they’re doing and are hack-proof is hot garbage machismo BS. Modern attacks use social engineering and extremely technical people fall for it all the time. There were several stories on here just this week.

NiloCK · a month ago
A rooted phone is more capable of modifying the banking app itself and has 'freer rein' over the APIs that the app uses to interact with the bank.

Whereas previously the app displays a 'whitelisted' set of UI options to the user, the rooted user could use employee only methods. Somewhere or other every bank has methods that set balances on accounts.

To be honest a law like this makes security by the extremely modest obscurity of not having an "increase your balance" button on the app UI much more tempting.

tvbusy · a month ago
It's never about security or end user protection. It's to give banks a blanket refusal of responsibility.
lucasban · a month ago
This should be enforced by the backend, why should you ever trust the client to tell you what access you have?
treyd · a month ago
> the rooted user could use employee only methods. Somewhere or other every bank has methods that set balances on accounts.

Exposing these types of APIs in any way outside the bank ever would be gross negligence.