Why does a mobile banking app care about whether the phone is rooted or not

I recently (yesterday) got my official /e/ FP3+ and really like it so far.

But I did have some trouble with installing my online banking app from UniCredit when setting up the PIN code. In the end all I needed was to try a few times, and then it worked, but before I fixed it, this led me to search the forums …and resulted in a question I now have:

Why does a banking app need root access?

From the topic linked below it seems (some) banking apps require a rooted phone to work. Luckily in my case, the app seems to work, but it did complain on /e/ about root access. Oddly enough on my previous LineageOS phone the same app complained that the phone’s bootloader is unlocked.

It’s the other way around. You are hiding root with Magisk to get the app running. That’s it. eOS is prerooted for adb root access. And with Magisk this root is hidden, so the banking app can’t ‘see’ it.

OK, that makes more sense.

So it only gets the warning away, or does it actually do something?

In some cases (not in all) it makes the banking app work :smiley:

Oh, as in “some banking apps don’t work otherwise”? Got it, thanks :slight_smile:

To answer the question of the topic:

Some banking apps refuse to work if they detect your device is rooted. This is a security measure from the banking apps site. On a rooted phone, app access rights and other security measures can be (not are) changed. The bank cannot guarantee that the user didn’t mess things up and that your device can be trusted with “banking level important” information. So they refuse to provide their services.

This puts a general distrust in the user (which is not nice in my opinion), but I can understand this from the perspective of a bank (liability, bad press about insecure apps, …).

Did you root your phone? Because on the Fairphone 3 most bank apps should work just fine, since the bootloader can be relocked, unless you actually did root your phone.

@ljahn, thanks, that makes a lot of sense, yes.

@TheLastProject, I haven’t done anything, I bought the FP3+ on /e/’s shop. Seeing that I don’t see a “bootloader unlocked” message when booting, I suspect that /e/ foundation relocked the bootloader before shipping me the phone.

That’s probably the reason why banks use gg APIs and amazonaws… For customers’ security, of course :crazy_face:

Yeah, it’s “funny” how the trust of companies (and governments) shifted from trusting individuals to trusting multi-national companies when it comes to privacy and security. Similar to TPM/SecureBoot – “the owner of the device is not allowed to run XY or mess with the boot sequence, the manufacturer and certain OS providers can”. …but we’re getting off-topic, I think :wink:

To me, it all looks like downright insanity O_o

Why do we still have the root/administrator passwords for our Windows and Linux PCs, then, if as users we can’t be trusted?
Should we have our car hoods sealed, in case we put in the wrong oil or illegally boost the engine?
And indeed there is some hypocrisy when the keys of our devices are given to corporations which live on user data theft…