They will just add a flag in the SafetyNet service to let other apps know if non "verified" apps have been installed.
You will not be able to use any of your banking apps without first removing all of those...
We need alternatives, this will not work and is a risk to freedom/democracy for all of us.
Switzerland is implementing a digital ID[1]. It will be made available to the most common devices and is open source. However Google and Apple can just remove it, what then?
Seriously though, can anyone tell me why the fuck banking apps try so hard to find any possible excuse to not run on customised devices?
I just can't see any good reason for it but my banking app has invested more work into detecting any possible hint of rooting than into its UX. It's absurd.
> Seriously though, can anyone tell me why the fuck banking apps try so hard to find any possible excuse to not run on customised devices?
As an early CyanogenMod adopter I really don't want to lose the ability to side load etc., but to answer your question, this is probably for the lowest common denominator's safety.
Anecdotal example - a scammer tricked my parents into sideloading an apk which automatically forwarded all SMS messages to the said scammer. This led to the 2FA code from the bank going through and allowed them to perform some transactions.
There were many red flags during this 'call from a bank' and I'd say some blame lies on my parents here. I guess this is the only way to lock down bad actors? I am not entirely sure it is.
Banks have stupid rules probably made by people who don't understand the matter. A relative recently fell victim to phishing and gave away some of his banking details (fake e-banking login screen on a website). After locking the account, the bank said it would only unlock it after the phone got wiped, which obviously doesn't add anything in this situation.
Another pet peeve is that they prevent screenshots simply because they can, and it feels safer. I know, 3rd-party apps which can do screenshots etc., but this is fighting the threat the wrong way. And yes, it's partially the fault of the platform, which could just allow user-initiated screenshots. Or at least make it configurable.
For example, my bank here in Hungary, Erste Bank has announced that the central bank requested that they stop allowing their android app to run on "modified" devices.
They even have a workaround: switch to SMS-based 2FA and use their website (which works well on any screen and has all the features of the app except 2FA).
Is this something small regional banks in the US do? I'd actually be very interested to know about who is providing, and who is taking such coverage if this is being (re)insured. If you have any market data/news, I would love to know.
If you run a pentest, allowing rooted devices will almost certainly show up as a vulnerability. It'll be marked "low risk", but you'll also be told that you don't want to "accept risk" for too many "low risk" vulnerabilities.
So somebody then needs to say that this is not something they worry about rather than doing the easy thing and remediating it.
At most banks, the absolute control belongs to the risk and regulation department. A bank must safeguard its license above all else, and it is very easy for it to lose it if the bank is found doing something it should not (though for the big ones, they sometimes operate in a gray zone, which means they manage to keep their licenses despite relatively steep fines). Even for the simplest UI/UX change, the risk department has the final say.
Source: I’ve been working 15+ years in the banking industry.
Probably because it makes it easier to observe and/or intercept API calls and other data exchange between the client and the server. It's trivial to disable things like SSL cert pinning, etc. on rooted devices.
… and then the return argument is that those who actually want to do this nefariously are already going to be able to hide device modifications/rooting.
> They will just add a flag in the SafetyNet service to let other apps know if non "verified" apps have been installed.
Sincere question: do you have any evidence for this?
I don't see anything in the article that backs it up, and your assertion seems to be at odds with the description of a side load capability for "risk tolerant" users. What you describe would certainly break much of the usefulness of side loading for me.
I certainly don't trust Google, or underestimate their capacity for duplicity. I'm just not sure about the outcome you describe.
It's a projection of what they could do, i.e. the logical next step.
The whole SafetyNet and "secure chain" things are a PITA, e.g. the ChatGPT app wouldn't work if the phone bootloader isn't signed by Google. Lots of banking apps wouldn't work; the HSBC banking app for instance wouldn't allow login if Android developer mode is enabled.
Some apps do this because of some minor audit crap with relation to screenshots (the devmode part) afaik. Others just always blank the screen image and tell the auditor to [insert crude metaphor].
Same nonsense with root enabled. You must have a check, it doesn't specify which one, and as long as you can show it works once you are fine.
Of course, it wouldn't be HN if the previous claim that "the sky is falling" wasn't followed up with "well, it's not falling, but I saw some heavy rainfall!"
The digital ID, e.g. eID, is for example if you want to order a government document online. At the current time you need to print out your request and send a copy of your ID in the mail, or go to the counter and show it. Same if you get a bank account or new phone contract, although those usually let you scan your ID with your phone. An eID would make that more secure, although people are already being tricked into doing face validations[1]...
Offline it would make it possible to verify your age at the self-checkout registers without having someone have to check in person.
In the future (if the law allows it, which it currently does not) it should be possible for you to purchase an item online completely anonymously, at least to the vendor. There would no longer be a possibility of leaked address, etc. as the vendor would not have it. All the vendor has are signed tokens. When they send a package they send it with a token to the post office and only the post office knows your address.
They removed the "ICE" app and if the US government has an issue with other Apps they bend over and do it.
Switzerland is currently dealing with a 39% and Brazil with a 50% tariff because Trump has a personal problem with them. It would not be far fetched for an administration to have another state's app removed.
I just want to preface that I am not in support of Apple or Google in their closed ecosystem.
I was specifically referring to you saying "Switzerland is implementing a digital ID[1]. It will be made available to the most common devices and is open source. However Google and Apple can just remove it, what then?"
It seemed like you were saying that because it is open source, it will be removed. I simply disagreed with that. Plenty of open-source software exists in the app store.
I'm not disagreeing that they have the ability to remove software from their app stores. They have done that before as you mention. That is a fact.
> It seemed like you were saying that because it is open source, it will be removed. I simply disagreed with that. Plenty of opensource software exists in the app store.
Sorry if it came across that way. It is not what I meant, I just mentioned that it is open source. ESL...
The current US administration is not acting with logic nor reason. Switzerland is currently dealing with a 39% tariff for no reason. We are the 7th largest investor[1] in the United States with thousands of jobs and we are the world's 3rd largest holder of US dollars[2].
[1] https://github.com/swiyu-admin-ch