
The Vietnam government has banned rooted phones from using any banking app

444 points, by Magnusmaster, yesterday at 5:00 PM, 535 comments

Comments

ryandrake, yesterday at 7:43 PM

The biggest "evil" that has been committed (and is still being committed) against computing has been normalizing this idea of not having root access to a device you supposedly own. That having root access to your computer, and therefore being the ultimate authority over what gets run on it, is bad or risky or dangerous. That "sideloading" is weird and needs a separate name, and is not the normal case of simply loading and running software on your own computer.

Now, we're locking people out of society for having the audacity of wanting to decide what gets run and not run on their computers?

Fiveplus, yesterday at 5:40 PM

So, if you cannot cryptographically prove to a remote server that your device is running essentially unmodified, vendor-signed software, you are locked out of the economy?

The irrefutable part here is that the security model works. Locking down the bootloader and enforcing TEE signatures does stop malware. But it also kills user agency. We are moving to a model where the user is considered the adversary on their own hardware. The genius of the modders in that XDA thread is undeniable, but they are fighting a war against the fundamental architecture of modern trust and the architecture is winning.

ecshafer, yesterday at 5:52 PM

When I used to work on the Vanguard authentication team, we blocked Vietnam from access because of too much fraud (not my choice). But it was funny because we had Vietnam-based clients, so there were a couple of HNW clients in the logs who you could see would log in from Vietnam/Russia/wherever, get blocked, open their VPN, then log in from England. This was a while back, but even then there was a push for things like YubiKey and hardware tokens, so it's not surprising the wind is blowing in this direction of just hardware-authenticated people. Financial companies are just constantly fighting fraud in a million ways.

Arbortheus, yesterday at 5:10 PM

Do those same banks have websites that you can access from a computer with root access? Most likely, yes.

linkregister, yesterday at 5:53 PM

This is likely part of the Vietnamese and Thai governments' rollout of biometric linking for bank accounts, similar to KYC regulations in the United States. The deadline for Vietnamese biometric linking was December 19th, 2025 [1].

The Vietnamese government has reported a rise in account takeovers and other banking thefts [2]. SIM-swapping has been a tactic used. Adding difficulty for fraudsters to trick unsophisticated banking customers is a valid security layer.

1. https://vietnamnet.vn/en/biometric-deadline-nears-millions-o...

2. https://evrimagaci.org/gpt/vietnam-faces-surge-in-sophistica... (expands upon https://vneconomy-vn/techconnect/mobile-banking-phat-trien-manh-tai-viet-nam.htm)

grugdev42, yesterday at 5:12 PM

Serious question, what is gained from this move? Why would a government care? Are rooted phones really that much of a problem?

Surely most people running a rooted phone are tech enthusiasts. Cybercriminals will just use regular phones bought under false names and dispose of them afterwards.

taosx, yesterday at 5:11 PM

I really don't understand this. My line of thinking is that if someone is technical enough to root his phone he understands the risks. Why would they force banking apps to detect and not work on rooted phones? Why would the government care so much?

basilikum, yesterday at 6:01 PM

There are two plausible explanations for this:

1. Incompetence. The same reason why many banks all around the world do this without regulations. Some snake oil salesman sold them a security theater SDK or library that blocks user-installed or modified OSes.

2. Government control and surveillance. Vietnam is authoritarian. It only makes sense for them to participate in the global war against general purpose computing to gain complete control over their citizens' devices allowing them to restrict software, displayed content and communication to require government approval and enable total surveillance of all activity without any way to bypass this. Instead of outlawing user controlled general purpose computing directly they do it through the backdoor of pretending that it is for people's own safety.

somatt, today at 2:14 AM

So what's the mechanism here? I did not find any sort of API like isPhoneRooted(). But also, I did not look very hard.

I am probably missing something obvious (some sort of TPM key attestation), but it feels like it would be an impossible task. I mean, theoretically higher layers can check that lower layers have the correct signed checksums, but they need to use the lower layer to do it, and the lower layer could just lie to them (if isSystemFile(f_name) then return originalFile(f_name); or provide a virtual TPM).
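The question above, and Fiveplus's earlier point that the device has to prove its state cryptographically to a remote server, comes down to where the check runs. The following is an added example, not code from this thread or from any Android or Play Integrity API: it models hardware-backed attestation in Go so the "lower layer could just lie" objection can be tested directly. Every name in it (Attestation, Token, TEE, NewTEE, Attest, NewNonce, Verify, UnprovisionedToken, the "verified"/"unlocked" strings) is this example's own, and a single out-of-band public key stands in for the vendor certificate chain that real key attestation uses.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Attestation is the statement the device's trusted component signs.
// Field names are this example's own; real Android key attestation carries
// comparable data (verified-boot state, challenge) in a certificate chain.
type Attestation struct {
	Nonce     []byte `json:"nonce"`      // server-chosen challenge
	BootState string `json:"boot_state"` // "verified" or "unlocked"
}

// Token is what the banking app forwards to the bank's server.
type Token struct {
	Payload   []byte // JSON-encoded Attestation
	Signature []byte // Ed25519 signature over Payload
}

// TEE stands in for the hardware-backed keystore. The private key never
// leaves it, so the OS above it (rooted or not) can only ask it to sign;
// it cannot change what gets signed.
type TEE struct {
	priv      ed25519.PrivateKey
	Pub       ed25519.PublicKey // known to the verifier out of band
	bootState string            // recorded by the bootloader before the OS runs
}

// NewTEE simulates factory provisioning. bootState models what the
// bootloader measured: "verified" for stock signed images, "unlocked"
// once the bootloader has been unlocked.
func NewTEE(bootState string) (*TEE, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TEE{priv: priv, Pub: pub, bootState: bootState}, nil
}

// Attest binds the server's nonce to the boot state the TEE itself
// recorded. A modified OS cannot substitute a "verified" claim, because
// the statement is assembled and signed inside the TEE.
func (t *TEE) Attest(nonce []byte) (Token, error) {
	payload, err := json.Marshal(Attestation{Nonce: nonce, BootState: t.bootState})
	if err != nil {
		return Token{}, err
	}
	return Token{Payload: payload, Signature: ed25519.Sign(t.priv, payload)}, nil
}

// NewNonce is the server's fresh challenge; binding it into the signature
// is what stops a captured "good" token from being replayed later.
func NewNonce() ([]byte, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	return n, nil
}

// Verify runs on the bank's server, not on the phone. trusted is the public
// key the server learned out of band (a simplification of a vendor
// certificate chain). The signature is checked before any claim is parsed.
func Verify(trusted ed25519.PublicKey, expectedNonce []byte, tok Token) error {
	if !ed25519.Verify(trusted, tok.Payload, tok.Signature) {
		return errors.New("signature not produced by a trusted key")
	}
	var att Attestation
	if err := json.Unmarshal(tok.Payload, &att); err != nil {
		return fmt.Errorf("malformed attestation: %w", err)
	}
	if !bytes.Equal(att.Nonce, expectedNonce) {
		return errors.New("nonce mismatch: stale or replayed token")
	}
	if att.BootState != "verified" {
		return fmt.Errorf("boot state %q not accepted", att.BootState)
	}
	return nil
}

// UnprovisionedToken models a device with no vendor-provisioned key (an
// emulator, or a custom OS emulating the keystore): it can write any
// statement it likes, but must sign with a key the server does not trust.
func UnprovisionedToken(nonce []byte) (Token, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Token{}, err
	}
	payload, _ := json.Marshal(Attestation{Nonce: nonce, BootState: "verified"})
	return Token{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

func main() {
	dev, _ := NewTEE("verified")
	nonce, _ := NewNonce()
	tok, _ := dev.Attest(nonce)
	fmt.Println("stock device:       ", Verify(dev.Pub, nonce, tok))
	fresh, _ := NewNonce()
	fmt.Println("replayed token:     ", Verify(dev.Pub, fresh, tok))
	unlocked, _ := NewTEE("unlocked")
	tok2, _ := unlocked.Attest(nonce)
	fmt.Println("unlocked bootloader:", Verify(unlocked.Pub, nonce, tok2))
	forged, _ := UnprovisionedToken(nonce)
	fmt.Println("unprovisioned key:  ", Verify(dev.Pub, nonce, forged))
}
```

The model's point is that the higher layer never inspects the lower one. The bootloader's measurement is sealed into a statement by a component holding a key the OS cannot read, and the party that decides is off-device, so intercepting file reads or presenting a virtual TPM to local checks changes nothing the server sees. A real deployment also validates the certificate chain up to the vendor root and checks key expiry and the calling app's identity; those steps are omitted here.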

fenaer, yesterday at 5:15 PM

Unfortunately the answer here is to not abide by the law. If there is a reasonable way to bypass this (as the cat-and-mouse game always seems to continue), and there is reasonable expectation to not be caught, then I see no moral quandary with ignoring such a consumer-hostile rule.

Magnusmaster, yesterday at 5:00 PM

The Vietnamese government has mandated all banking apps to detect if either the phone has been rooted, the bootloader has been unlocked, or ADB is enabled and force quit if that's the case.

nunez, yesterday at 11:42 PM

As a person who was super into the rooting scene before getting iPhone-pilled in 2018 or so, I can see both sides to this issue.

On one hand, people that jump through the crazy hoops phone manufacturers put up to get root are either technically proficient or willing to become so and are, usually, responsible enough to keep their devices locked down and secure.

On the other hand, banks are subjected to literally all of the regulations, and breaking any of them usually incurs unbelievable fines. Given that phones are the default computing device for most people these days and how (relatively) easily secrets can be extracted from rooted devices, blanket-banning them makes a lot of sense.

Nonetheless, modern Android is just as locked down as modern iOS, with a few exceptions (like adb access) and without the awesome hardware and software optimizations for that hardware that make video recording fast and web browsing even faster. Between this and nobody having a real answer to Apple Watch, I'll be an iOS stan for the foreseeable future.

lucasjans, yesterday at 8:31 PM

I have a Vietnam bank account, though I live in the States now. I recently enabled developer mode on my Android phone and didn't think much of it. But later, when I opened my mobile banking app, it told me to disable developer mode in order to open the app.

It's not just root that they block.

RachelF, today at 1:45 AM

I don't understand the threat model that banks worry about on rooted phones.

What is it? I can access their websites on a PC running as root or Administrator. What is the problem with rooted Android phones?

curt15, yesterday at 5:40 PM

>The Vietnam government has banned rooted phones from using any banking app

The Vietnam government has banned phones under their user's control from using any banking app.

greentea23, yesterday at 11:36 PM

There are a million legitimate reasons to root a phone (e.g. preserving the battery to minimize e-waste, blocking malicious trackers often allowed by Apple and Google, innovating on the UI, etc.). Apple/Google/Microsoft are run by uninspired, uncreative, and immoral people, and there is a world of innovation and forward thinking we lose out on by letting them rule our tech.

pvsukale3, yesterday at 7:13 PM

India doesn’t have a single “govt ban rooted phones from banking apps” rule, but RBI’s digital payment security controls explicitly allow banks to block mobile apps on rooted/jailbroken devices, and many do. Combine that with device+SIM binding requirements and platform attestation (e.g., Play Integrity), and the practical result is often “no banking/UPI on rooted phones.”

Elfener, yesterday at 5:15 PM

That link is to a page in that thread, but I guess it's supposed to be to this specific post: https://xdaforums.com/t/discussion-the-root-and-mod-hiding-f...

roflmaostc, yesterday at 5:12 PM

Isn't that what happens in Europe with most rooted phones and banks too? At least I can remember my banking apps stopped working.

yason, yesterday at 8:13 PM

Problem is that banks place a lot of trust on a locked-down phone and I have a hard time trusting a blackbox device I don't really own but only paid for.

That's the reason I mostly use online banking on the web, not on a device.

If it ever comes to that in my country I can also use my previous, unrooted backup phone to host these apps and keep it at home.

I'm not at all thrilled by the idea of carrying your credentials to your bank account on your phone, accessible via a 4-digit PIN out there in the world, in the first place. For some reason, banks think it's great.

GeoAtreides, yesterday at 8:42 PM

It's clear that we will need two phones: one personal day to day driver and one for banking/gov/other official things.

sgc, yesterday at 8:03 PM

Security question:

Could we have the same level of security - or very close to it - from requiring a secure enclave like a vm running on the device for banking apps with hardware passthrough, or would there be no way for that vm to verify it has actual hardware passthrough and that it's not being tampered with?

That way you would just get the entire vm with the app from the Play Store or Apple, and nobody needs to worry about root?

linuxhansl, today at 2:03 AM

And so it begins... Or continues...

Apple is already a walled garden, granting you access to your hardware only as they see fit. Google desperately wants to follow suit by enforcing developer registration (which is just the first step). And now this. This will happen in the EU and US as well.

And always in the name of security, safety, or "will nobody think of the children?!"

My hardware, my choice, period.

Havoc, yesterday at 6:41 PM

I get the general skepticism and how this gives anti-freedom vibes, but wouldn't this also prevent some actual rootkit-like sideloaded apps stealing credentials?

Not deep into the rooting scene, but it seems plausible to me that this has some merit if you squint at it from the right angle.

kachapopopow, yesterday at 6:08 PM

> bans rooted phones

> malicious actors just compromise the firmware instead

surprised pikachu face

alephnerd, yesterday at 5:45 PM

1. Don't people on HN realize Vietnam is a single party authoritarian state with a very active secret police (MPS/BCA)?

2. Vietnam has been in the process of rolling out national biometric identification for years now as part of the VNeID [0] project, and unifying that with banking and mobile phone identification is an important part of that such as with the recent FPT Telecom announcement [1]. The aim is to turn VNeID into a super-app by 2030 [2], and from what I've seen in rural areas of the Central Highlands, it's on track.

[0] - https://vneid.gov.vn/

[1] - https://tuoitre.vn/vneid-mo-rong-dich-vu-so-dang-ky-internet...

[2] - https://tuoitre.vn/thieu-tuong-nguyen-ngoc-cuong-nang-cap-vn...

zb3, yesterday at 5:40 PM

Google is to blame; they're abusing device security by preloading their unremovable spyware with elevated privileges. People then want to remove it but find themselves unable to use banking apps because of this.

I'm not against having a separate secure phone to use with banking apps, but that phone must be designed for security, not for Google's ad-driven business model.

8bitsrule, today at 2:01 AM

One more reason for phones to be modularized. Separate the comms from the (owner-controlled) computer module until needed. Use a different CPU module when needed. Swap out the battery module.

exabrial, yesterday at 6:07 PM

Nothing to do with security, everything to do with control.

anthk, yesterday at 6:06 PM

Free software, free society.

Ritewut, yesterday at 7:34 PM

Just let me pair my Yubikey to my bank and use my Yubikey if I need my banking app.

gethly, yesterday at 11:13 PM

the cage used to be golden. now it's digital.

PunchyHamster, yesterday at 5:34 PM

Polish ones do that too, incl our govt ID app

OutOfHere, yesterday at 5:49 PM

Why can't rooted phones pretend to be non-rooted phones for the purpose of certain apps? What's the point of rooting if you can't even selectively pretend?

almosthere, yesterday at 9:56 PM

buy two phones if ur that crazy

tartoran, yesterday at 5:09 PM

One phone for banking and another one for browsing.

emsign, yesterday at 7:08 PM

Simple solution: Get a second phone just for banking and all the other enshitifying apps and keep it at home where it doesn't bother you.

dizhn, yesterday at 5:44 PM

Don't mess with Vietnam please. My phone's CSC is set to Vietnam to enable call recording. I love that feature but I don't want to lose my banking apps.

lawlessone, yesterday at 6:05 PM

odd they legislate for it, banks usually do this anyway

skirge, yesterday at 5:34 PM

Socialist Republic of Vietnam: our phone

Aleklart, yesterday at 5:25 PM

Of course if you have root, you can make other programs work as you please.

They need to go further to outlaw hide root apps, and then install special app to track the status of the phone to make sure it is not rooted. Then allow police to randomly check the presence of this app on people phones. Every phone needs to be registered and pass hardware inspection every year. Even better, make so called offices where people can come and deposit or transfer money, it will be super safe.

Pxtl, yesterday at 7:20 PM

Government banning insecure open standards and then not providing a secure open standard is atrocious. If I must have an official authorizing thing to prove I'm who I say I am, make it as small as possible.

If you mandated that they have to support Yubikey or whatever on open platforms I'd take that as a decent alternative. But just "no you must use a device controlled by somebody else" is not acceptable.

superkuh, yesterday at 5:11 PM

Smart phones are not personal computers. They're shopping/government/etc. terminals. You don't and never have controlled them, even with root (re: tight integration of the baseband computer, which only the telco has a license for, not you). Their best use re: computing is acting as a wifi hotspot for their cell telco CNAT connection. The time to stop using them as computers is now, not when your local government passes these laws. Apple is already forcing it, and Google has shown its cards even if it walked them back temporarily.
