This isn't about the bank's security - it is about the users'.
Users are losing billions worldwide due to fraudulent apps. If a user has root and runs a malicious app, it can intercept what a legitimate banking app does. A scam app with root can draw over the screen and tell users to transfer money, or it can run a series of actions when the banking app is running, or do any of a hundred things to steal money.
Sure. But the people who are actually rooting their phones are advanced users and aren't going to install a malicious custom OS. Are naive users getting tricked into rooting their own phones? I'm dubious what the security benefit is of this decision.
These types of discussions on HN get confused because people aren't always clear what they mean by the word "rooting".
There are two ways to root a phone:
1. Unlock the bootloader, install a well designed and highly secure aftermarket OS, relock the bootloader. The device is still just as secure against malware as it was before. Remote attestation shows the vendor that you're running Graphene or Lineage or whatever.
2. Exploit a local vulnerability to drop a sudo binary somewhere. RA shows you're running an exploitable version of Pixel Android, etc.
(2) is absolutely exploitable by fraudsters. They convince the user to run an app or visit a website that exploits their browser or whatever, and the vulns are used to escalate to root and keep it. Now when the user logs into their banking app the HTTP requests are rewritten to command the bank to send money to the adversary. This is why devices that allow escalation to root are excluded via remote attestation.
(1) isn't but it requires more coordination than the industry has proven capable of so far. Binary images of a custom OS could in theory be whitelisted by banks if it was known to be as secure as other operating systems. But there's no forum in which that information can be exchanged. Like, RandOS turns up and the maintainer "xyzkid", identity: anime avatar, claims his OS is super secure. How does random overworked bank developer John Smith know if this is true or not? RandOS doesn't come with any audits, it doesn't have a well paid security team. The brand is a big question mark. And if John makes the wrong call, maybe the bank is now on the hook for millions in losses because someone installed RandOS to get the shiny icon theme or whatever, and then got hacked.
So it's a hard problem. It's not actually a technical problem. Remote attestation is very general. The hard part isn't the tech. It's a social problem. How do you create and rapidly communicate trust in a new binary OS image if you don't have the security resources of an Apple or a Google or a Samsung? Google runs a whole accreditation programme for Android where you can turn up as a phone OEM and get your custom OS builds considered to be secure by passing a huge test suite. So the only issue is OS hackers who fall below the threshold where they can do that.
There's an alternative of course: go full libertarian. Means, just use a "bank" that doesn't care if its users get hacked. This is what the Bitcoin community enabled. It's there if you want it.
I doubt banks or the government would ever white list something like Lineage that's not made by some megacorporation. Also IIRC most phones don't allow you to relock the bootloader after flashing a custom ROM.
>These types of discussions on HN get confused because people aren't always clear what they mean by the word "rooting".
Well it’s more the Dunning Krugerites who see the word “rooting” written by someone in a cyber context, lack that context entirely, and proceed to enter the discussion anyway based on their experience rooting their Android phone 3 years ago after clicking through a few UI buttons.
A rooted android device doesn't run apps as root either, not does it generally allow them to get root access without the user accepting a system prompt.
It is a constant source of confusion. I see it constantly discussed in various freelancer whats-app and freelance groups.
I used to get contracts checked to see if they were Outside IR-35 and I knew I wasn't the only one. So it isn't straight-forward as you suggest.
It can also scare companies off, I have personally experienced this. As a result there are far less Outside IR-35 work. Almost every contractor I know has had to go back perm.
I understand there were many Contractors that basically milked forever contracts, but it kinda screwed over loads of freelancers.
I personally hate being perm. I used to work about 6-9 months a year and I found it relatively easy to find another contract. I had plenty of free time. Now I get the standard 1 month and bank holidays. Really pissed off about the rule changes.
I've been running Wayland on a Framework laptop and it just works. Droves my 4K external monitor, quickly switches to single screen, does fractional scaling well, runs all my apps without complaint.
I had an old Chromebook which had Lubuntu on it - screen tearing was driving me crazy so I switched to Wayland and it is buttery smooth. No mean feat given the decrepit hardware.
I'm sure someone will be along to tell me that I'm wrong - but I've yet to experience any downsides, other than people telling me I'm wrong.
Someone once asked me how I found the time to read so many books. I just prefer reading to most other activities. I'd rather have my nose in a book than [your favourite activity].
It is the same with blogging. I'd rather spend time writing than I would watching YouTube, mowing the lawn, or whatever.
Although, since starting an adult gap year 12 months ago, I've actually been blogging less as I find more interesting things to do than work :-)
OP here - sorry you got the drunk theme. That shouldn't happen by default. Had you visited my site before? Are you using an esoteric browser I might not have tested?
Of the purchase price that the end-user pays, the retailer has to pay tax. That knocks off a variable percentage. It would be 20% in the UK.
There's also the cost of selling through Steam / Google Play / Whatever - typically 30%.
I assume the developer has some professional expenses - an accountant at a minimum, probably a lawyer, certainly insurance. Maybe they also have a PR team, advertising, and the like. I don't know whether they pay for testers, translators, and things like that.
Then we get on to things like buying a new development machine, going to tech conferences, taking an educational course, backups, and all the other things that a business needs to spend on in order to be effective.
Maybe a profit margin of 10% is unrealistically low - but developing software has legitimate costs. The margin is never going to be 100%.
I wrote a few times to my local MPs ("député", as we call them in France). I usually got a response, though I suspect it was written by their secretary with no other consequence. In one case (related to privacy against surveillance), they raised a question in the congress, which had just a symbolic impact.
It may be different in other countries. In France, Parliament is de-facto a marginal power against a strong executive power. Even the legal terms are symptomatic of this situation: the government submits a "project of law" while MPs submit a "proposal of law" (which, for members of the governing party, is almost always written by the government then endorsed by some loyal MP).
reply