this post was submitted on 04 Apr 2024
1020 points (98.8% liked)

linuxmemes

21175 readers
850 users here now

Hint: :q!


Sister communities:


Community rules (click to expand)

1. Follow the site-wide rules

2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack members of the community for any reason.
  • Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
  • These rules are somewhat loosened when the subject is a public figure. Still, do not attack their person or incite harrassment.
  • 3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn. Even if you watch it on a Linux machine.
  • 4. No recent reposts
  • Everybody uses Arch btw, can't quit Vim, and wants to interject for a moment. You can stop now.

  • Please report posts and comments that break these rules!

    founded 1 year ago
    MODERATORS
     
    you are viewing a single comment's thread
    view the rest of the comments
    [–] johannesvanderwhales 74 points 7 months ago (3 children)

    Isn't saying that allowing apps to have root lets them access anything just describing what root is? A rooted phone doesn't have to give superuser access to every app.

    [–] [email protected] 25 points 7 months ago (1 children)

    A rooted phone doesn't have to give superuser access to every app.

    Sure, but apps that run as superuser can access anything, including the data and memory for banking apps. A big part of Android's security model is that each app runs as a different user and can't touch data that's exclusively owned by another user.

    [–] johannesvanderwhales 34 points 7 months ago (1 children)

    It just means you need to trust apps that you give root access to, or only give elevated privileges during the very specific times when apps need them. Root isn't something people who don't know what they're doing should be messing around with, I guess. But I'd think a lot of people who root their phone know and accept the risks.

    [–] [email protected] 17 points 7 months ago* (last edited 7 months ago) (2 children)

    People like you or I may know what we're doing with a rooted device, but I think the issue for the banks is that they can't guarantee that someone with a rooted phone knows what they're doing or isn't using a malicious app, so they have to be cautious and block all rooted phones.

    An app that requires root may look like a normal app but it could be a trojan that modifies banking apps in the background (eg patches them on disk or in RAM so transfers done through the app go to a different recipient). There's been malicious apps in the Play Store in the past, and rooted apps have way less oversight - some are literally just APK files attached to XDA-Developers posts or random blog sites.

    [–] johannesvanderwhales 11 points 7 months ago (2 children)

    I take your point, and I'm sure you're right about the banks' rationale, but in my own view it does not seem like it should be the banks' decision to make.

    [–] [email protected] 8 points 7 months ago (1 children)

    As soon as a bank offers any sort of fraud protection, though, security becomes a bank issue (in addition to a "you" issue).

    Not at all saying I agree with the banks on this, but I think that may be part of the thinking.

    [–] [email protected] 2 points 7 months ago

    This is a good point. The bank needs to do as much as they can to reduce fraud risk, and they've probably found some correlation between rooted phones and a higher likelihood of fraudulent transactions. Some banks block VPNs for a similar reason - when logging in from a VPN, it's harder for them to tell that it's actually you vs if it's an attacker that uses the same VPN service as you.

    [–] markstos 1 points 7 months ago

    Your risk exposure is that you could lose your bank account balance. The banks risk exposure is that they could lose every bank account balance exploited by the same rooted phone vulnerability. So they evaluate risk differently than you do.

    [–] [email protected] 1 points 7 months ago* (last edited 7 months ago)

    bro I gave my nana root on her eye phone and by the end of the week she had hacked half of North Korea - the other half thought her actions were a good example of juche ideals. It was crazy ngl

    [–] cybersandwich 8 points 7 months ago

    I think he was trying to say apps get access to "root features" through an abstraction layer/API calls that is controlled.

    They don't/wouldn't have carte blanche root access to the underlying system. It's kinda like a docker container or VM or flatpaks/snap packages on Linux. They are sandboxed from everything else and have to be given explicit premission to do certain things(anything that would need root privileges/hardware access).

    [–] [email protected] 7 points 7 months ago

    No, but it can.