Ask HN: Why do banking apps care about your phone OS

Besides the security part, many companies us that data in their Machine Learning models. I've used it myself extensively over the past 10 years in Fintech.

As a small tidbit of information, did you know iPhone users are ~40% less likely to default on a small loan than Android users (at least in my country).

And the differences go all the way to specific models, OS versions, installed apps, IP range, browser of choice...

There are a lot of security guarantees that go away with a rooted phone, and I wonder if "in the wild" more often rooted devices are malware than user rooted.

From the perspective of a company, these things boil down to numbers. They have the data, and they can review it. If they find a correlation like that they lost large numbers to rooted phone, they will ban it.

I have had email forwarders and @protonmail.com accounts get blocked only because they are more likely to be fraudulent and companies can just block because the hassle isn't worth it.

I seriously wonder if there is any empirical evidence that safetynet and this play protect stuff leads to less incidents. Funny thing is that I am only rooting my phone to actually fake the attestation checks again because I want to run lineage OS with uptodate security patches on my China phone.

So just use the web site.

Typically, the only thing an app offers that the web site doesn't is paper check scan and deposit. Do you really need this? I don't.

Lots of people seem to be unaware that a web site can be pinned to your home screen with an icon --- just like an app.

Here in Brazil, many banks require the use of an invasive "security" browser plugin to access your bank account through the browser, and that plugin obviously exists only for desktop browsers. And it's also not uncommon to require a confirmation through the phone app whenever doing a transaction through the web.

The root cause is malware. Intercepting the online banking session in the desktop browser to steal your money used to be very common.

Related: does anyone know of a bank that allows you to waive all security and protective measures in exchange for ease of use? I would happily sign a contract that basically says "if you get hacked, it's your fault and you lose all your money no matter what" if it means no 2FA, payment verification, fraud detection etc. I'm not sure if this would even be legal in many jurisdictions though.

Probably keeps their support burden lower. If your rooted Android 4.0 device can run a new enough browser, the browser might work well enough and it's on you if it doesn't. If they let you run the app, when it doesn't work, you're going to tie up their support lines.

They care that it’s not got malware

Security consultancy companies need to always point out something that needs to be changed, even though it is not really important to show themselves as useful.

And executives don't have enough tech knowledge to discern between security measures that are actually effective or not, so to avoid risks they just make their tech teams implement it because the consultancy said it should be done

Had a similar situation in my current job, and unfortunately it is not something worth picking a fight with senior leadership for.

Ironically most of these companies allow access from Web Browsers (which are completely controlled by the client).

If they could force you to use a terminal with hardware issued by the bank, they would. This is the next best thing.

The website is a legacy option and it will be removed eventually. Already many banks require to use their app in order to sign in to the website or approve transactions. New "challenge banks" are app-first. For example, Starling Bank will not let you create an account without a Google or Apple smartphone.

I read that sometimes banking apps will not work if Developer Options is enabled. Is this common.

I don't know, but I agree it seems foolish.

I also loathe that US banks don't use standard TOTP (which they could implement for free) but instead only offer SMS or app-based Symantec tokens, which are either insecure or impossible to backup.

Honestly they're just trying to cover all bases / their asses. It's a totally clueless act, but root detection is something that exists and therefore they use it. Realistically it's not making anything truly safer, but it exists in security reports and audits and whatnot, so they're putting it in. It makes managers happy.

Source: I've had to add this to some apps I've worked on. I tried convincing managers and gave up. They _really_ think it adds security. Our apps didn't even handle sensitive user data or anything. It just looked good on some security report they ordered.

Was thinking about installing Lineage but haven't done it yet. How do you make sure you can still run banking apps?

55M. Never used a banking app. What’s the point when they have a website?

[dead]