
There's no root builtin, use Magisk with the Hide feature to prevent it from being detected by banking apps and such - even apps using the rather nasty SafetyNet work.

With that said, I highly question why any banking app would check root, mine doesn't and it seems to me like even if it did I could still use their website on my phone while rooted or my Windows machine with no sandboxing whatsoever. Requiring it just for the app seems pretty damn pointless.

A lot of banking apps store cached transaction data and authentication tokens on the "protected" (not accessible to non-root from other apps) part of the data partition. If you run without encryption or with either unlocked bootloader or TWRP installed, someone could just pull that from a device in recovery mode. That's also why unlocking the bootloader wipes your data partition usually.

And that matters how?

At least all German banks have to have an open API for transactions, and I can run my transactions with curl if I wanted to.

A banking app shouldn't care about how I run it, otherwise I'll just throw it out and use one of the open apps for HBCI.

This should be OR. If you have FDE enabled, then the data is encrypted and it doesn't matter if your bootloader is unlocked or you have a custom recovery installed -- all caveats about the trustworthiness of the crypto and strength of your key still apply.

Depends. I have a phone with LineageOS installed, and it only passes SafetyNet Basic Integrity. That's a no-go for Netflix or Android Pay.
