Many banking apps require a non-rooted phone and an up-to-date OS, but even those phones can run a browser which provides access to the bank website, often with more functionality than the app.
Besides the security part, many companies use that data in their Machine Learning models. I've used it myself extensively over the past 10 years in Fintech.
As a small tidbit of information, did you know iPhone users are ~40% less likely to default on a small loan than Android users (at least in my country)?
And the differences go all the way to specific models, OS versions, installed apps, IP range, browser of choice...
There are a lot of security guarantees that go away with a rooted phone, and I wonder if "in the wild" more often rooted devices are malware than user rooted.
From the perspective of a company, these things boil down to numbers. They have the data, and they can review it. If they find a correlation like that they lost large numbers to rooted phones, they will ban them.
I have had email forwarders and @protonmail.com accounts get blocked only because they are more likely to be fraudulent and companies can just block because the hassle isn't worth it.
Related: does anyone know of a bank that allows you to waive all security and protective measures in exchange for ease of use? I would happily sign a contract that basically says "if you get hacked, it's your fault and you lose all your money no matter what" if it means no 2FA, payment verification, fraud detection etc. I'm not sure if this would even be legal in many jurisdictions though.
Here in Brazil, many banks require the use of an invasive "security" browser plugin to access your bank account through the browser, and that plugin obviously exists only for desktop browsers. And it's also not uncommon to require a confirmation through the phone app whenever doing a transaction through the web.
The root cause is malware. Intercepting the online banking session in the desktop browser to steal your money used to be very common.
Honestly they're just trying to cover all bases / their asses. It's a totally clueless act, but root detection is something that exists and therefore they use it. Realistically it's not making anything truly safer, but it exists in security reports and audits and whatnot, so they're putting it in. It makes managers happy.
Source: I've had to add this to some apps I've worked on. I tried convincing managers and gave up. They _really_ think it adds security. Our apps didn't even handle sensitive user data or anything. It just looked good on some security report they ordered.
Was thinking about installing Lineage but haven't done it yet. How do you make sure you can still run banking apps?
Probably keeps their support burden lower. If your rooted Android 4.0 device can run a new enough browser, the browser might work well enough and it's on you if it doesn't. If they let you run the app, when it doesn't work, you're going to tie up their support lines.
So just use the web site.
Typically, the only thing an app offers that the web site doesn't is paper check scan and deposit. Do you really need this? I don't.
Lots of people seem to be unaware that a web site can be pinned to your home screen with an icon --- just like an app.
55M. Never used a banking app. What’s the point when they have a website?
I don't know, but I agree it seems foolish.
I also loathe that US banks don't use standard TOTP (which they could implement for free) but instead only offer SMS or app-based Symantec tokens, which are either insecure or impossible to backup.
I seriously wonder if there is any empirical evidence that SafetyNet and this Play Protect stuff leads to fewer incidents. Funny thing is that I am only rooting my phone to actually fake the attestation checks again because I want to run LineageOS with up-to-date security patches on my China phone.