> important security measure
It's a security measure against the owner of the device, in other words, an attack. Would you be okay with me using a remote control to forcibly slow down your car so I can merge? Using attestation this way is fundamentally incompatible with ownership. If the bank wants some assurance about a device, they need to sell or issue one to me, like credit cards or point of sale machines, which are explicitly not your property.
The fact that the assurance is provided by a third party you have little recourse against just adds insult to injury.
> If the bank wants some assurance about a device, they need to sell or issue one to me, like credit cards or point of sale machines, which are explicitly not your property.
In this example, a banking app is not making the entire Android device non-functional when it refuses to work when remote attestation like Play Integrity fails.
> against the owner of the device
Would you consider MFA to be a measure against you, the owner of the device, because it makes it harder for you to log in?
> If the bank wants some assurance about a device, they need to sell or issue one to me
They are offering you free software and are operating under a security model tied to these specific devices. You're still free to walk into their branches, or use their physical cards, if you prefer not to use their limited selection of devices.
> Would you be okay with me using a remote control to forcibly slow down your car
Car manufacturers do this as well though. Some of this is for the benefit of their customers (preventing theft from easily cloned keys). Some of this is not for customer benefit, like locking down infotainment systems.
Banks however are only interested in preventing fraud.