Hacker News new | past | comments | ask | show | jobs | submit login

A lot of banking apps store cached transaction data and authentication tokens on the "protected" (not accessable to non-root from other apps) part of the data partition. If you run without encryption or with either unlocked bootloader or TWRP installed, someone could just pull that from a device in recovery mode. That's also why unlocking the bootloader wipes your data partition usually.

And that matters how?

At least all German banks have to have an open API for transactions, and I can run my transactions with curl if I wanted to.

A banking app shouldn't care about how I run it, otherwise I'll just throw it out and use one of the open apps for HBCI.

This should be OR. If you have FDE enabled, then the data is encrypted and it doesn't matter if your bootloader is unlocked or you have a custom recovery installed -- all caveats about the trustworthiness of the crypto and strength of your key still apply.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact