Hacker News

taosx, yesterday at 5:11 PM (11 replies)

I really don't understand this. My line of thinking is that if someone is technical enough to root his phone he understands the risks. Why would they force banking apps to detect and not work on rooted phones? Why would the government care so much?


Replies

lucb1e, yesterday at 5:44 PM

It's not to protect the user; it's DRM. Using a non-rooted phone means all apps get DRM for free. You can't simply press 'record screen' when the software sets a flag; you can't view the data that the app processes about you or make backups thereof; you can't control what the device does such as skipping any checks. Fraud detection and CAPTCHAs rely on security through obscurity.

> if someone is technical enough to root his phone he understands the risks

You're looking at this from the user's perspective. Indeed, the narrative is "for your safety, you cannot export your security tokens from your device's storage" or "software that runs as root can bypass all permissions, an attacker might exploit that!", as though users can't make that choice themselves on purchased-to-own hardware. Dropping privileges (https://en.wikipedia.org/wiki/Privilege_separation) has been a thing since as long as I'm alive. Don't be fooled that this "protection" is for you :(

netc, yesterday at 5:16 PM

A phone given for repair by a non-technical person can be rooted without their knowledge. The repair person potentially can install malware. We cannot assume the owners of the rooted phone themselves have rooted the phone.

baal80spam, yesterday at 5:15 PM

> Why would the government care so much?

My guess is:

1. Person with rooted phone uses a bank app, is hacked, has their money stolen.

2. Guess where the person turns to for help? The government.

themafia, today at 1:00 AM

It's a reliable signal for fraud. The legitimate users are simply noise against this backdrop. The police only think in one direction and never consider the broader consequences of their enforcement prerogatives.

6thbit, yesterday at 5:35 PM

"detect unauthorized interference with the Mobile Banking application"

I wonder if this has become a feasible avenue for scammers to interfere via other apps they could convince someone to install on rooted phones. Or if they are worried about skilled people being able to debug/MITM and find vulnerabilities on the banks.

Though from that statement alone, it sounds more like a measure to protect banks than customers.

concinds, today at 9:06 AM

> My line of thinking is that if someone is technical enough to root his phone he understands the risks.

That is a terrible assumption. I had a rooted phone when I was 12 to pirate games. Friends asked me to root theirs. Rooting isn't hard and lots of people do it (absolute, not relative, terms).

And the idea that so-called “technical” people know what they’re doing and are hack-proof is hot garbage machismo BS. Modern attacks use social engineering and extremely technical people fall for it all the time. There were several stories on here just this week.

rk06, yesterday at 5:13 PM

The idea is hackers in state sponsored countries can also root phones and have nefarious intentions.

Banking is a very risk-averse area, and it is a good precaution.

bsimpson, yesterday at 5:15 PM

Vietnam is a one party state. Does the government control the banks?

NoMoreNicksLeft, yesterday at 6:30 PM

> I really don't understand this. My line of thinking is that if someone is technical enough to root his phone he understands the risks.

But you do understand. If someone is technical enough to root their phone, then he is the risk.

[cough]Monero[cough]

bell-cot, yesterday at 6:01 PM

> My line of thinking is that if someone is technical enough to root his phone he understands the risks.

Kinda like the Wall Street concepts of "Accredited" and "Sophisticated" investors - who could never possibly fall for a Ponzi scammer like https://en.wikipedia.org/wiki/Bernie_Madoff ?

Not to say I'm a fan of Vietnam, or familiar with their ban - but when people are having their money stolen at scale, there's a very strong tendency to blame the gov't and/or financial system. And it's extremely rare for stolen-at-scale funds to not be "reinvested" in further criminal activities - which again, the gov't is expected to deal with.

NiloCK, yesterday at 5:23 PM

A rooted phone is more capable of modifying the banking app itself and has 'freer rein' over the APIs that the app uses to interact with the bank.

Whereas previously the app displays a 'whitelisted' set of UI options to the user, the rooted user could use employee-only methods. Somewhere or other every bank has methods that set balances on accounts.

To be honest a law like this makes security by the extremely modest obscurity of not having an "increase your balance" button on the app UI much more tempting.
