
Anger mounts over Barclays ban on rooted Android phones - edward
http://www.gomonews.com/anger-mounts-over-barclays-ban-on-rooted-android-phones/
======
darklajid
Anger mounted .. in November 2013 it seems. The article is that old, the
petition from 09/2013.

Maybe it's relevant today, but I don't see any news here and I suggest adding
a (2013) tag due to the linked article's age.

------
mistakoala
Sky's apps are the same. As a Barclays and Sky customer, this is a ball-ache.
Barclays I can kind of understand, because progress in British retail banking
happens at a snail's pace, but I was surprised at Sky crippling their apps in
this way.

~~~
allyant
Sky only do it due to their contracts with the media providers, just like they
don't allow AirPlay. It's not their choice.

------
laggyluke
Purely technical fix: an app shouldn't be able to tell if the device is rooted
unless the user grants it root permissions.

~~~
tomjen3
In general Android needs a permission fix - it should be possible to deny any
app the permissions it requests in such a way that it cannot detect that they
have been turned off (and for the user to enable/disable them as it wants). An
app that has been denied internet privileges would find that it suddenly can't
get a connection no matter when it tries, an app looking into the contacts
would find them containing only those it has added or random contacts, etc.

I have been waiting for _years_ for this feature, I can't believe Google
hasn't introduced it.

~~~
devicenull
Think about this from your average end user's perspective. They somehow manage
to revoke permissions for an app, and parts of it stop working. They may not
even realize they have revoked permissions, they would likely just assume the
app is buggy.

Then they go and contact the developer for support, and make the developer
spend a bunch of time troubleshooting why features aren't working.

All a feature like this would do is waste a lot of developer time, and cause
users to be unhappy with their phone/apps.

There appear to be a couple third party apps that do this:
[http://www.xda-developers.com/android/protecting-your-privac...](http://www.xda-developers.com/android/protecting-your-privacy-app-ops-privacy-guard-and-xprivacy/)

~~~
tomjen3
I can see that being the first question any dev would ask.

Also who offers support for a 1 usd app?

------
viraptor
Same for the Lloyds app. I believe it got ~1k 1-star reviews after that. They
included some more stupid changes at the same time, so it's not just rooted
phone users, but it's going to be a large number anyway. At least the mobile
version of their website still works.

------
esquivalience
As much as the move is annoying and alienating for the tech-savvy (the same
market Barclays are trying to embrace), I can see some logic behind the
decision.

The type of person who roots their phone is almost always going to be
technologically experienced, or at least idea of dealing with money through
technology.

On the other hand, though, Pingit is new technology and is actually scary for
some people. When I enabled it in-branch, the advisor was surprised - even she
said she'd never trust it!

I imagine that internally for Barclays it's a big move and a sensitive one. A
security breach in the early stages would be catastrophic for the service and
their brand. They need security, and for that they need stability.

A rooted phone is not a stable environment for Barclays to run their software
- it could have been changed in any number of ways. It's a logical decision
for them to increase stability by removing the wildcard platforms where they
can't be sure what's going on.

~~~
Drakim
> I imagine that internally for Barclays it's a big move and a sensitive one.
> A security breach in the early stages would be catastrophic...

> A rooted phone is not a stable environment for Barclays to run their
> software - it could have been changed in any number of ways

This means it could be less stable, but I don't see how it would affect the
possibility of a "security breach". You are talking about two different kinds
of issues as if they are related. Could you clarify?

~~~
onion2k
By definition a rooted phone is compromised - a user has obtained root level
privileged access. That's what 'rooted' means. The assumption is that it's the
phone owner's actions that caused that to happen, but that's not necessarily
the case. A third party could have rooted it. A local app exploit could have
rooted it. Some clever malware that _hasn't even been written yet_ that
somehow escaped Android's security sandbox could have done it.

Ordinarily no one would care if a phone has been rooted or not. It's not
important. But the point here is that allowing an app that has access _to your
bank account_ to run on a rooted device is assuming that the device was
intentionally rooted by its owner. For a bank that should be assuming _far
too much_.

~~~
icebraining
There's no reason for a clever malware to root your phone. "Rooting" only
makes sense if you want to replace 'su' to grant root to different apps. If a
malware escalates to root, it can just do whatever it wants, it doesn't have
to "root".

Besides, even if the malware really needed to "root" the device, it could just
use the same process as RootCloak[1] to hide that fact.

There's no valid security explanation; the app must be designed assuming it's
running on an insecure system, because there's no way of knowing if the system
isn't lying.

[1] [http://repo.xposed.info/module/com.devadvance.rootcloak](http://repo.xposed.info/module/com.devadvance.rootcloak)

------
andybak
Same for NatWest.

I believe the Channel 4 on Demand media player also does (did?) this.

~~~
davb
And Sky Go. Which is frustrating. I want both an open device I control (as
much as possible) _and_ to pay for my media legitimately. Stopping me
accessing media I've paid for on my rooted device makes me more likely to seek
it out elsewhere (I'm already paying for it, god dammit!)

~~~
dspillett
With 4OD and Sky Go it won't be about security/stability - it will be about
them worrying that you'll somehow either skip adverts and such and/or have an
easy way to permanently download the streams.

The advertising/tracking thing is presumably why 4OD refuses to operate in
incognito mode in Chrome (I see no valid more technical reason).

~~~
aianus
How does one detect incognito mode? I was under the impression it was the same
as any other Chrome session except for history and cookies being wiped
automatically upon closing the window.

~~~
dspillett
I've never looked into it. I just know it complains if you try to use it in that
mode (or did last time I tried to run it).

------
taksintik
I can completely understand/agree with Barclays' decision. I imagine Apple
will do the same once its payment system gets properly implemented within
iOS.

