Why you shouldn't install banking apps on rooted phones


blackhawk

Senior Member
Jun 23, 2020
14,260
6,191
Samsung Galaxy Note 10+
Damn straight. A paper and pencil will never run out of batteries, and there isn't a script kiddie in the world that can hack a locked filing cabinet. No one can drain your accounts if there isn't money in them, and they can't steal your identity if you don't have an online presence.
Physical security is the only real security.
Sometimes I go for hikes in the desert and forget my phone. Do I turn around to get it? Nope, not needed. I tend to ignore my smartphone when out anyway. Quiet waking time is an important aspect of life never learned by many of today's "always available" kids.

What amuses me are the people who invest a lot of time in their smartphone but fail to regularly and redundantly back up their critical data. Then expect someone to be able to pull that data back from wiped and/or encrypted data hell🤣
 
Reactions: kchat and TheMystic

TheMystic

Senior Member
Mar 18, 2017
2,292
1
1,023
OnePlus 8T
Samsung Galaxy S22 Ultra
but with managers such as Magisk, it's not possible for a process to get root permissions unless you specifically authorize it, unless there's a huge back door in your kernel.
As I mentioned earlier, I have a lot of respect and appreciation for the honest developers here who have helped make the Android experience so much better.

But at the same time **** happens and it may be too late before one realises. It is always a good idea to play it safe.

If I have to use my banking and very confidential stuff on a phone, it will be completely stock.

we aren't about to give up freedom for security.
We don't really give up freedom on an Android phone. It is extremely versatile in stock form too!

Every project is open source and documented on github.com
Is there any reliable entity auditing the codes continuously?

I can release a malware and keep the code open source. There is a good chance a lot of damage would be done before anyone finds it.

I grew up without smartphones, I didn't have a cell phone until I was 18, and it was just a flip phone.
Was that a choice or just the times you grew up in?

today's "always available" kids.
😂🤣

Grab a paper and your pencil and start calculating the checksum yourself. The encoders would certainly have used better code back then if a modern PC had been around.
I have read somewhere that a country's military and intelligence services have access to tools and technologies that are anywhere between 10 to 20 years ahead of what is commercially available or even known.

So what you think is impossible is true only for the technology that is currently known to you. But for advanced technologies that you aren't even aware of, this could be like a cup of tea.

So don't assume and take for granted that something is totally safe. It is safe only until you aren't a target.
 
Reactions: blackhawk

blackhawk

Senior Member
Jun 23, 2020
14,260
6,191
Samsung Galaxy Note 10+
Grab a paper and your pencil and start calculating the checksum yourself. The encoders would certainly have used better code back then if a modern PC had been around.

What if I grabbed a quantum computer instead?
The evolution of a technology is what drives their countermeasures. If those countermeasures don't exist today, they soon will and vice versa.
Spy vs Spy, ever read that comic strip?

The code breakers used the best available computers at that time to reduce their work load.
Both the Japanese and Nazis failed because of their overconfidence in their encryption. It was used frequently, easy to intercept and was of the highest priority to break. It had a huge bullseye on it... Changing the base system and codes frequently could've changed the course of the war. What if we had had no advanced warning of Midway?
 
Reactions: TheMystic

V0latyle

Forum Moderator
Staff member
Btw 256 bit encryption is ridiculously secure. 2 (binary) to the power of 256 = 115792089237316195423570985008687907853269984665640564039457584007913129639936 possibilities. You can't brute force that in a million years with all the computing power on the planet combined. That's why breaches rarely involve breaking encryption, but rather "social" methods to gain the key (password) used for the encryption. You can't break into the connection between a user and their bank, but you can pretend to be their bank and obtain their credentials.

The reason we were able to break German encryption was because we captured critical components such as the Enigma machine. We basically got lucky. The Japanese used poor encryption that made it easy to recognize patterns and cycles.

Was that a choice or just the times you grew up in?
Both
 

blackhawk

Senior Member
Jun 23, 2020
14,260
6,191
Samsung Galaxy Note 10+
Btw 256 bit encryption is ridiculously secure. 2 (binary) to the power of 256 = 115792089237316195423570985008687907853269984665640564039457584007913129639936 possibilities. You can't brute force that in a million years with all the computing power on the planet combined. That's why breaches rarely involve breaking encryption, but rather "social" methods to gain the key (password) used for the encryption. You can't break into the connection between a user and their bank, but you can pretend to be their bank and obtain their credentials.

The reason we were able to break German encryption was because we captured critical components such as the Enigma machine. We basically got lucky. The Japanese used poor encryption that made it easy to recognize patterns and cycles.


Both
I think the Enigma code was cracked long before the first one was obtained.
In large part it was operational mismanagement that rendered it useless.

One hallmark of important codes that are broken is keeping that breach a secret to exploit its maximum potential and damage. History tends to repeat itself... never feel you're too secure.
 

WoKoschekk

Senior Member
Feb 25, 2019
1,661
1
533
Cologne
Moto G6
Moto G6 Plus
Is there any reliable entity auditing the codes continuously?
An independent "source-code-reviewer"? No. Are there generally people who do this with other source code?

I can release a malware and keep the code open source. There is a good chance a lot of damage would be done before anyone finds it.
Yes, that's right. But you are facing this dilemma also in the Play Store, Microsoft Store, Amazon App Store, and a few others.
It would be pretty stupid if you crash the entire LineageOS project because you have installed malware. With that you have the legendary status for sure.
 

V0latyle

Forum Moderator
Staff member
That's not a SHA256 checksum.
Of course it's not a checksum. I said exactly what it is. That's the number of possible combinations of a 256 bit binary string.

To determine the number of possibilities of any string, you take each digit's number of possibilities (2 for binary) to the power of however many places there are. So, since each binary bit in a 256 bit string has 2 possibilities, it's 2^256.

One nibble (four bits) has 16 possibilities: 0 to F

One byte (eight bits) has 256 possibilities: 2^8, 00 to FF. Or, for nibbles, 16^2

One word (two bytes) is 16 bits and has 65,536 possibilities: 2^16, 0000 to FFFF. Since there are two bytes with 256 possibilities each, this can also be 256^2

Two words (four bytes): 32 bits, 2^32 = 4,294,967,296, 00000000 to FFFFFFFF, 256^4
And so on.

256 bits means you have so many possibilities that it would take literally the entire computing power of the entire planet several billion years to break. 256 binary choices, 32 bytes with 256 potential combinations each:
115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936 possibilities.
 
Reactions: blackhawk

TheMystic

Senior Member
Mar 18, 2017
2,292
1
1,023
OnePlus 8T
Samsung Galaxy S22 Ultra
An independent "source-code-reviewer"? No. Are there generally people who do this with other source code?
Yet people place too much reliance on open source projects. Everyone thinks someone else would have checked it but in reality no one would have bothered.

The mainstream ones such as OEM software tend to be under a lot of scrutiny because they cater to a very large number of devices. So anything suspect would be caught quite quickly.

But you are facing this dilemma also in the Play Store, Microsoft Store, Amazon App Store, and a few others.
At least they have a vetting process in place that will likely pick something up. With apps and mods that don't list in these stores, they are pretty much free to do what they want. Being open source isn't synonymous with being secure. That is a false presumption.
 
Reactions: blackhawk
The latest type of hack, something I always thought was not possible, is to infect someone's phone with a mere phone call. You can read about it here.

There are very good reasons why banking apps refuse to work on phones with an unlocked bootloader. Installing random tools/ mods from unknown developers (XDA is no exception) to bypass built-in security to make them work is a very bad idea.

If you absolutely must root your main device (although I don't see too many benefits of rooting in 2023), it is advisable that you buy a 2nd phone and use that for your banking (or anything to do with money and other important things) needs. Even a super budget Android phone, COMPLETELY STOCK, will be fine.


Here's an analogy:

It is very important to follow speed limits on roads. The limits have a scientific basis and anyone who follows it will mostly be able to avoid a fatal accident. Just because accidents won't necessarily happen if the speed limit is breached, doesn't mean it is a safe thing to do.

The single biggest reason responsible for 99% of fatal accidents is overspeeding! If speed was under control, it is very highly likely that there won't be fatalities.

Sir, so we aren't supposed to install banking apps in rooted phones. What is your take on installing banking apps in non-rooted secure custom ROMs like Calyx and LineageOS, sir?
 

majorfigjam

Senior Member
Jul 15, 2011
352
627
The latest type of hack, something I always thought was not possible, is to infect someone's phone with a mere phone call. You can read about it here.

There are very good reasons why banking apps refuse to work on phones with an unlocked bootloader. Installing random tools/ mods from unknown developers (XDA is no exception) to bypass built-in security to make them work is a very bad idea.

If you absolutely must root your main device (although I don't see too many benefits of rooting in 2023), it is advisable that you buy a 2nd phone and use that for your banking (or anything to do with money and other important things) needs. Even a super budget Android phone, COMPLETELY STOCK, will be fine.


Here's an analogy:

It is very important to follow speed limits on roads. The limits have a scientific basis and anyone who follows it will mostly be able to avoid a fatal accident. Just because accidents won't necessarily happen if the speed limit is breached, doesn't mean it is a safe thing to do.

The single biggest reason responsible for 99% of fatal accidents is overspeeding! If speed was under control, it is very highly likely that there won't be fatalities.
So this latest super exploit affects stock phones as well as rooted ones?

If you had said that rooting allows a "bad actor" to take control of a bank's app on the bad actor's own phone, and use it to spoof an innocent third party's ID, then you have the very good reason why banks, national governments, Uber etc. don't want their apps to run on rooted phones.

Or if you had said that this exploit allows that "bad actor" to secretly root an innocent third party's phone, again you have a good reason why banks etc don't want their apps to run on rooted phones.

But instead, you assert that because someone can secretly root my phone, I shouldn't root it myself first. Because to you, it's a bad idea.

That's what is known as false logic, or more classically a non sequitur.

Surely the conclusion you should draw is that, because someone can compromise my phone just by calling me, I should never install banking apps etc ever, regardless of whether I choose to root my phone or not.
 
Reactions: RobinKemen

Top Liked Posts

  • 5
    Using financial apps on a rooted device is fine....as long as you keep tight control over root access. I unlocked the bootloader on my Pixel 5 first thing out of the box, and it's been rooted ever since. Yes, root is a "vulnerability" but with managers such as Magisk, it's not possible for a process to get root permissions unless you specifically authorize it, unless there's a huge back door in your kernel.

    I think it's important to be accurate on your facts, too. Yes, it is possible for an app to detect bootloader state...unless the property value is changed with root. The only 100% secure way that I'm aware of for an app to determine that a device has not been tampered with is to require the MEETS_STRONG_INTEGRITY label in Play Integrity, because this means that the software and device integrity are guaranteed by means of hardware backed attestation, such as verification of boot integrity and secure chain of trust all the way to the root certificate stored in hardware.

    However...

    No app to my knowledge requires this, likely because doing so would mean everyone using an Android phone running a version of 8.0 would not be able to use that app. Many apps require BASIC and DEVICE integrity responses, but these are available with basic attestation, and in fact are attainable by means of Magisk modules.

    The only ways apps currently detect root are:
    • Play Integrity API responses (BASIC and DEVICE can be "fixed" with Magisk module)
    • Presence of a root app such as Magisk (doesn't work when app is disguised)
    • Presence of modification traces such as xPosed (can be hidden with Shamiko)
    • Presence of root binary (can be hidden with Shamiko)
    • USB debugging enabled (can be hidden with Shamiko)
    • Bootloader status (can be spoofed with props change)
    It depends completely on the app you use. The apps I use are happy as long as Play Integrity reports MEETS_BASIC_INTEGRITY and MEETS_DEVICE_INTEGRITY, and they are blocked in DenyList. YMMV, as there's other apps that require a lot more work to function on a rooted device.

    Yes, the only absolute way to ensure your device is completely secure is to keep it consistently updated on a locked bootloader, but this is XDA, a haven of hackers...root is a state of mind, and we aren't about to give up freedom for security.
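
An added illustration of the point in the post above (not code from the thread, from Google, or from any app): a server-side policy check over a decoded Play Integrity verdict, showing that a backend satisfied with `MEETS_DEVICE_INTEGRITY` accepts a device that a `MEETS_STRONG_INTEGRITY` policy rejects. The JSON field names are assumed to follow the documented classic-request verdict layout; the function names, package name, nonce and sample verdicts are constructed, and token decryption and signature verification are assumed to have happened already.

```python
import time

def evaluate_verdict(verdict, package, nonce, required_label,
                     now_ms=None, max_age_ms=120_000):
    """Apply a backend policy to a decoded verdict payload.

    Assumes the token was already decrypted and signature-checked.
    Returns (allowed, reasons).
    """
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []
    req = verdict.get("requestDetails", {})
    # Bind the verdict to this app and this request so it cannot be replayed.
    if req.get("requestPackageName") != package:
        reasons.append("package name mismatch")
    if req.get("nonce") != nonce:
        reasons.append("nonce mismatch")
    age = now_ms - int(req.get("timestampMillis", 0))
    if not 0 <= age <= max_age_ms:
        reasons.append("stale verdict")
    app = verdict.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app not recognized")
    labels = verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if required_label not in labels:
        reasons.append("missing " + required_label)
    return (not reasons, reasons)

def sample_verdict(labels, ts=1_700_000_000_000):
    """Constructed payload for the demo, not a real token."""
    return {
        "requestDetails": {"requestPackageName": "com.example.bank",
                           "nonce": "bm9uY2UtMDAx",
                           "timestampMillis": str(ts)},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
        "deviceIntegrity": {"deviceRecognitionVerdict": labels},
    }

def demo():
    now = 1_700_000_030_000  # 30 s after the sample timestamp
    soft = sample_verdict(["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"])
    hard = sample_verdict(["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY",
                           "MEETS_STRONG_INTEGRITY"])
    args = ("com.example.bank", "bm9uY2UtMDAx")
    strong = "MEETS_STRONG_INTEGRITY"
    return {
        "soft_vs_device": evaluate_verdict(soft, *args, "MEETS_DEVICE_INTEGRITY", now_ms=now),
        "soft_vs_strong": evaluate_verdict(soft, *args, strong, now_ms=now),
        "hard_vs_strong": evaluate_verdict(hard, *args, strong, now_ms=now),
        "stale": evaluate_verdict(hard, *args, strong, now_ms=now + 600_000),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```
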
    4
    I mean, if that's the life you want. I grew up without smartphones, I didn't have a cell phone until I was 18, and it was just a flip phone. I'm the kind of person who would love to live off grid in the mountains somewhere so my phone is a helpful tool, not a replacement for managing my own life.
    Had mobile back in 1989.
    Didn't own a computer until I was 45.
    Didn't own a smartphone until I was 54.
    Crystal knowledge is a lot more useful than the internet; the internet only supplements it. In real time emergencies trying to think with your smartphone will leave you KIA. Keeping separation from the real world and the smartphone is essential when out and about.
    2
    Applies to some Exynos models only. Details are vague. Banking, shopping and social media apps should never be installed anyway. You are what you load...