tux3 a day ago

There's a trend of online banks forcing the use of an app. I can't login to one of my banks' website since last year without using a QR code from their app.

Of course they slathered the app with tracking, 'security', and analytics SDKs, so rooted devices are rejected. I had no way to log into this bank account after they made that change, which is simply wonderful.

Anyways, they're not yet at the point where they've learned to do the checks server-side. For now it's a one line patch to skip the root screen. But the Play Integrity API is designed correctly, if they learn to use it, there will be no workaround without someone finding a hardware vulnerability somewhere.
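
An added example (my code, not anything tux3 or the bank published) of what the server-side check mentioned above looks like: a Python policy function over a decoded Play Integrity verdict. It assumes the integrity token has already been decoded and verified through Google's decodeIntegrityToken endpoint, an assumed package name `com.example.bank`, and constructed sample verdicts in the documented JSON shape.

```python
import json

# Verdict labels documented for the Play Integrity API (deviceRecognitionVerdict).
STRONG = "MEETS_STRONG_INTEGRITY"   # hardware-backed boot state; the bar a bank would set
DEVICE = "MEETS_DEVICE_INTEGRITY"   # Google-certified device, weaker than STRONG

EXPECTED_PACKAGE = "com.example.bank"   # assumed: the bank app's package name
MAX_AGE_MS = 5 * 60 * 1000              # assumed: verdict freshness window


def evaluate_verdict(verdict_json: str, expected_nonce: str, now_ms: int):
    """Server-side policy over an already-decoded Play Integrity verdict.

    Returns (accepted, reason). The server, not the client, binds the verdict
    to its own nonce, its own package name, a freshness window and the
    integrity level it requires. Skipping the app's local root screen changes
    nothing here: the verdict comes from Google's endpoint, not from the device.
    """
    v = json.loads(verdict_json)
    req = v.get("requestDetails", {})
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        return False, "package mismatch"
    if req.get("nonce") != expected_nonce:
        return False, "nonce mismatch (replayed or foreign verdict)"
    if now_ms - int(req.get("timestampMillis", 0)) > MAX_AGE_MS:
        return False, "stale verdict"
    if v.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return False, "app not recognized (repackaged or sideloaded build)"
    labels = set(v.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    if STRONG not in labels:
        return False, "device integrity below required level: " + ",".join(sorted(labels))
    return True, "ok"


def _sample(nonce, labels, ts):
    # Constructed sample verdict in the documented JSON shape; not real Google output.
    return json.dumps({
        "requestDetails": {"requestPackageName": EXPECTED_PACKAGE,
                           "nonce": nonce, "timestampMillis": ts},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                         "packageName": EXPECTED_PACKAGE},
        "deviceIntegrity": {"deviceRecognitionVerdict": labels},
    })


NOW_MS = 1_700_000_000_000
GOOD = _sample("n1", [DEVICE, STRONG, "MEETS_BASIC_INTEGRITY"], NOW_MS - 1000)
ROOTED = _sample("n1", ["MEETS_BASIC_INTEGRITY"], NOW_MS - 1000)  # unlocked/rooted: at most basic
REPLAYED = _sample("old-nonce", [DEVICE, STRONG], NOW_MS - 1000)   # verdict from another session

if __name__ == "__main__":
    for name, verdict in (("GOOD", GOOD), ("ROOTED", ROOTED), ("REPLAYED", REPLAYED)):
        print(name, evaluate_verdict(verdict, "n1", NOW_MS))
```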

ljm a day ago | parent | next [-]

Depends on what country you're in. In the UK, the banks are often held liable for various scams that involve the transfer of money, so they up the security over and over again. A bank will rightly argue why it's responsible for an old granny sending her life savings to her new lover in Namibia, so it seeks to block that transaction in the first place.

Some of that liability is fair but most of it is the government telling the banks to account for the loss when someone is scammed. They are obviously going to mitigate that as much as they can.

jdiff a day ago | parent | next [-]

Rooted devices don't enable that transaction. That's all social engineering.

mike_hearn a day ago | parent | next [-]

It's all social engineering now but that's because phones are secure and remote attestation infrastructure is in place.

Go back fifteen years and malware is absolutely submitting bank transactions after the user does a 2FA.

https://krebsonsecurity.com/2010/03/crooks-crank-up-volume-o...

jack_pp a day ago | parent | prev [-]

and grandmas don't root their devices.

pixl97 a day ago | parent [-]

As a devil's advocate, grandma would have no idea if she was buying a rooted device or got her device rooted by someone else.

themafia a day ago | parent | prev [-]

> so they up the security

They're upping the surveillance, not the security, quite demonstrably.

This is meant to protect /them/ from liability and not /you/ from loss.

cons0le a day ago | parent | prev | next [-]

Yep, hardware attestation is becoming more common, even with websites.

This is why LineageOS is actually dead in the water, even though they're "in talks with hardware vendors". It doesn't matter when people can't use the apps and services they need.

seanmcdirmid a day ago | parent | next [-]

This reminds me when living in South Korea used to require Internet Explorer/ActiveX to get anything done online:

https://en.wikipedia.org/wiki/Web_compatibility_issues_in_So...

hyghjiyhu a day ago | parent | prev [-]

A solution could be having a tiny non-rooted Android system as a "coprocessor".

ExpertAdvisor01 a day ago | parent [-]

This won't work. The tiny non-rooted system wouldn't get certified by Google and therefore not pass hardware attestation, which most banking apps use.

hyghjiyhu a day ago | parent | next [-]

Well you could take a certified system off-the-shelf and integrate it into a bigger thing.

NoGravitas a day ago | parent | prev [-]

I think they mean having a second non-rooted phone that is certified but cheap.

adrr a day ago | parent | prev | next [-]

Bunch of fintechs only let you sign up from an app. Easier to secure and prevent bots. Pin certs, detect virtualization, etc.

lenerdenator a day ago | parent [-]

And, of course, easier to get the valuable data about the person setting up an account.

adrr a day ago | parent [-]

Like what data? Curious because I built and launched a challenger bank.

Ritewut a day ago | parent | next [-]

What app developers find most valuable is what other apps you use and what competitors apps you have so they can target you more effectively. If you have Peloton or Tonal, they want to know if you have the Strava app on your phone for example.

adrr a day ago | parent [-]

Only on older versions of Android. Apps are very locked down on what you can get. I would have loved to be able to fingerprint a device when I was at the challenger bank, and the application list is very good for fingerprinting. We would fingerprint on the web to detect bots.

JCattheATM a day ago | parent | next [-]

> application list is very good for fingerprinting..

So is the personal, private content of my texts, why not go for that while you're at it?

itsgabriel a day ago | parent | prev [-]

Did you know about this workaround? Afaik it's still active https://peabee.substack.com/p/everyone-knows-what-apps-you-u...

lenerdenator a day ago | parent | prev [-]

Theoretically any sort of data that apps in a given OS can access through an API.

jacobthesnakob a day ago | parent | prev | next [-]

Normiefication. Normies do everything on their phones; it’s the companies meeting the masses where they are. I’ve seen people fight for their lives to do a spreadsheet on their phones when there’s a laptop they own gathering dust less than 50 feet away.

nitwit005 a day ago | parent | next [-]

Possibly, but companies seem strangely set on getting people to install apps, even when the feedback is negative.

Offering a monetary reward for installing apps seems fairly common. Chevron had someone at my gas station offering something like $5 of free gas, plus $1 a gallon off of the next three purchases. If it was something the customers wanted, they wouldn't need to pay people to do it.

fuzzzerd a day ago | parent | prev [-]

This term needs to catch on. This is the first I've seen it, but it explains why so many product decisions are made and those who know better/different are just too small a minority to get any say.

We're dragged into this kicking and screaming and yet normies think we're the crazy ones.

al_borland a day ago | parent | prev | next [-]

This trend makes me want to find a small town credit union.

I chose my current bank because it was one of the few that had proper token based access for 3rd party integration. An overwhelming majority of banks were relying on a 3rd party holding your actual username/password and saying "trust me bro". I wasn't comfortable with that.

Ritewut a day ago | parent [-]

I use a small town credit union and it's great.

bugbuddy a day ago | parent | prev [-]

This is very condescending toward Vietnamese tech people. According to Twitter/X, Vietnam's GDP just surpassed Thailand's and it's on its way to joining the Great East Asian prosperity zone by becoming the last country to become fully industrialized and very rich. Many tech jobs in the US will move to Vietnam in the coming few years. You will be surprised where your future tech conferences will be located.

lenerdenator a day ago | parent [-]

You're on the money with the rest of this, but...

> Many tech jobs in the US will move to Vietnam in the coming few years.

It would seem to me that India has that on lock.