this post was submitted on 04 Apr 2024
1019 points (98.8% liked)

linuxmemes

I use Arch btw

[–] [email protected] 244 points 7 months ago (3 children)

They 100% would stop you if they could.

It's why Google's website DRM thing was so scary.

[–] [email protected] 51 points 7 months ago (1 children)

Was? What did I miss? Even if it was discarded, there will always be another attempt.

[–] [email protected] 91 points 7 months ago (2 children)

Basically Google wanted to put checksums in webpages and then not render the page, period, if the checksum didn’t match, and said checksum could only be verified by “approved” browsers that had the correct certificate (which, surprise, was Chromium-only browsers such as Chrome and probably Edge). As such you wouldn’t have been able to run any adblockers, as that would change the checksum and the way the page was rendered. They could also then go one step further and do a Denuvo-type setup to make sure the OS wasn’t being altered.

[–] [email protected] 48 points 7 months ago

Super useful technology for security purposes!

Super scary technology for literally everything else.

[–] [email protected] 23 points 7 months ago

Yes, I know about what they attempted (actually published some of it already in an official repo).

But why do you talk in the past tense? Have they reverted the changes and publicly pinky-promised not to do it?

[–] [email protected] 20 points 7 months ago (1 children)

Not was, is.

I don't think they dropped it.

[–] [email protected] 14 points 7 months ago (1 children)

Okay, so I originally was going to go in a long rant about how they're still doing it, but decided that it didn't really add much to the comment, so removed it.

Afaik they've, for now at least, shelved it in browsers, but are still going ahead in Android webviews (as part of their war on Youtube Vanced).

[–] [email protected] 136 points 7 months ago (3 children)

I actually heard something about that in class not long ago

The story is that Android's security heavily relies on the compartmentalization of apps that lives in the Android layer, over the Linux kernel. Apparently, that functionality works in part because only this layer can perform operations that require root access; no app or user can. So software that allows you to root your phone apparently breaks this requirement, and makes the whole OS insecure. He even heavily implied that one should never root their phone with 'free' software found on the internet because that was usually a front for some nefarious shit regarding your data.

I'm just parroting a half-understood and half-remembered speech from a security expert. His credentials were impressive but I have no ability to judge that critically; if anyone knows more about this, feel free to correct me.

[–] [email protected] 74 points 7 months ago (3 children)

Isn't saying that allowing apps to have root lets them access anything just describing what root is? A rooted phone doesn't have to give superuser access to every app.

[–] [email protected] 25 points 7 months ago (1 children)

A rooted phone doesn't have to give superuser access to every app.

Sure, but apps that run as superuser can access anything, including the data and memory for banking apps. A big part of Android's security model is that each app runs as a different user and can't touch data that's exclusively owned by another user.
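As an added illustration of the per-user isolation described in the comment above (example code written for this page, not from any commenter and not Android's own code): a toy evaluator for the Linux discretionary access check that the app sandbox rests on. Every installed app gets its own Linux UID, its private directory is mode 0700, the kernel needs search permission on every directory on the way to a file, and UID 0 ignores the mode bits. The UIDs, paths and modes below are constructed to resemble an Android /data layout.

```python
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int            # permission bits only, e.g. 0o700
    is_dir: bool = False


SYSTEM_UID = 1000        # Android 'system'
BANK_UID = 10045         # u0_a45: the banking app (constructed)
OTHER_UID = 10123        # u0_a123: some other app (constructed)

# Constructed snapshot resembling the /data layout on an Android device.
FS = {
    "/": Inode(0, 0, 0o755, True),
    "/data": Inode(SYSTEM_UID, SYSTEM_UID, 0o771, True),
    "/data/data": Inode(SYSTEM_UID, SYSTEM_UID, 0o771, True),
    "/data/data/com.example.bank": Inode(BANK_UID, BANK_UID, 0o700, True),
    "/data/data/com.example.bank/databases": Inode(BANK_UID, BANK_UID, 0o700, True),
    "/data/data/com.example.bank/databases/accounts.db": Inode(BANK_UID, BANK_UID, 0o600),
    "/data/data/com.example.other": Inode(OTHER_UID, OTHER_UID, 0o700, True),
}


def dac_allows(inode, uid, gids, want):
    """POSIX DAC decision for one object, want in {'r', 'w', 'x'}.

    UID 0 (CAP_DAC_OVERRIDE) ignores the r/w bits; for execute/search it
    still needs a directory or at least one x bit set."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == 0:
        return want != "x" or inode.is_dir or (inode.mode & 0o111) != 0
    if uid == inode.uid:
        shift = 6            # owner class
    elif inode.gid in gids:
        shift = 3            # group class
    else:
        shift = 0            # other
    return ((inode.mode >> shift) & bit) != 0


def can_open(path, uid, want="r", gids=frozenset()):
    """Walk the path like the kernel does: search (x) on every ancestor
    directory, then `want` on the final object. Unknown paths are denied."""
    inode = FS.get(path)
    if inode is None:
        return False
    ancestors, p = [], path
    while True:
        parent = posixpath.dirname(p)
        if parent == p:
            break
        ancestors.append(parent)
        p = parent
    for d in ancestors:
        d_inode = FS.get(d)
        if d_inode is None or not dac_allows(d_inode, uid, gids, "x"):
            return False
    return dac_allows(inode, uid, gids, want)


DB = "/data/data/com.example.bank/databases/accounts.db"

if __name__ == "__main__":
    for who, uid in [("bank app", BANK_UID), ("other app", OTHER_UID), ("root", 0)]:
        print(f"{who:10} read {DB}: {can_open(DB, uid)}")
```

The other app is stopped at the bank's 0700 directory (no search permission), and it cannot even list /data/data because that directory is 0771; a process running as UID 0 passes every check, which is exactly what the comment means by "can access anything".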

[–] [email protected] 34 points 7 months ago (1 children)

It just means you need to trust apps that you give root access to, or only give elevated privileges during the very specific times when apps need them. Root isn't something people who don't know what they're doing should be messing around with, I guess. But I'd think a lot of people who root their phone know and accept the risks.

[–] [email protected] 17 points 7 months ago* (last edited 7 months ago) (5 children)

People like you or I may know what we're doing with a rooted device, but I think the issue for the banks is that they can't guarantee that someone with a rooted phone knows what they're doing or isn't using a malicious app, so they have to be cautious and block all rooted phones.

An app that requires root may look like a normal app but it could be a trojan that modifies banking apps in the background (e.g. patches them on disk or in RAM so transfers done through the app go to a different recipient). There have been malicious apps in the Play Store in the past, and rooted apps have way less oversight - some are literally just APK files attached to XDA-Developers posts or random blog sites.

[–] [email protected] 53 points 7 months ago (3 children)

I wouldn't even feel compelled to root my phones if Google would actually back up my phone instead of whatever 1/4 baked shit they've done thus far.

[–] [email protected] 78 points 7 months ago (10 children)

Because they want to "protect" you from "yourself". Imagine, you could scrape your own data that you can already see.

I'd be really worried if the security of server operation for my bank depended on the client side. But playing devil's advocate, some people will most likely point out that a root exploit on a phone may be unintentional and used to spy on people, to which I answer:

  • show me a big scary box where I can "accept the risk" and move on
  • keep in mind that if I am root on my phone, I can hide the fact that I am root on my phone and you'll be none the wiser

Currently, option 2 is in effect, sadly.
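An added example, not from any commenter: the kind of client-side root heuristics a banking app or a root-detection library runs, evaluated here over constructed device snapshots rather than a real phone. It demonstrates the second bullet above: every input these checks read (files, system properties, installed packages, mount options) is under the control of whoever holds root, so a root-hiding setup simply presents a clean view to the app. The snapshots, the package names and the `actually_rooted` ground-truth flag are constructed; a real app has no access to such a flag.

```python
from dataclasses import dataclass, field

# Paths and package names that common root-detection heuristics look for.
SU_PATHS = (
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
    "/data/adb/magisk",
)
ROOT_MANAGER_PACKAGES = {"com.topjohnwu.magisk", "eu.chainfire.supersu"}


@dataclass
class DeviceSnapshot:
    """What an app can observe, plus a ground-truth flag it cannot."""
    files: set = field(default_factory=set)        # paths visible to the app
    props: dict = field(default_factory=dict)      # getprop-style values
    packages: set = field(default_factory=set)     # package names it can see
    mounts: dict = field(default_factory=dict)     # mount point -> options
    actually_rooted: bool = False                  # not observable by the app


def root_indicators(snap):
    """Return the heuristics that fired; an empty list means 'looks clean'."""
    hits = [f"file:{p}" for p in SU_PATHS if p in snap.files]
    if snap.props.get("ro.build.tags") == "test-keys":
        hits.append("prop:ro.build.tags=test-keys")
    if snap.props.get("ro.debuggable") == "1":
        hits.append("prop:ro.debuggable=1")
    if snap.props.get("ro.secure") == "0":
        hits.append("prop:ro.secure=0")
    hits += [f"package:{p}" for p in sorted(ROOT_MANAGER_PACKAGES & snap.packages)]
    if "rw" in snap.mounts.get("/system", "").split(","):
        hits.append("mount:/system,rw")
    return hits


def looks_rooted(snap):
    return bool(root_indicators(snap))


def detection_outcome(snap):
    """Classify the heuristic result against the (unobservable) truth."""
    seen = looks_rooted(snap)
    if seen and snap.actually_rooted:
        return "detected"
    if not seen and snap.actually_rooted:
        return "hidden"          # root present, the app sees nothing
    if seen and not snap.actually_rooted:
        return "false positive"
    return "clean"


STOCK_PROPS = {"ro.build.tags": "release-keys", "ro.debuggable": "0", "ro.secure": "1"}

# Constructed snapshots.
STOCK = DeviceSnapshot(
    files={"/system/bin/sh"}, props=dict(STOCK_PROPS),
    packages={"com.example.bank"}, mounts={"/system": "ro"},
)
ROOTED_OBVIOUS = DeviceSnapshot(
    files={"/system/bin/sh", "/system/bin/su", "/data/adb/magisk"},
    props={**STOCK_PROPS, "ro.build.tags": "test-keys"},
    packages={"com.example.bank", "com.topjohnwu.magisk"},
    mounts={"/system": "rw"}, actually_rooted=True,
)
# The same phone with root hiding: su and the manager are kept out of this
# app's view, the properties read as stock, and /system is mounted ro.
ROOTED_HIDDEN = DeviceSnapshot(
    files={"/system/bin/sh"}, props=dict(STOCK_PROPS),
    packages={"com.example.bank", "io.example.randomized"},
    mounts={"/system": "ro"}, actually_rooted=True,
)

if __name__ == "__main__":
    for name, snap in [("stock", STOCK), ("rooted", ROOTED_OBVIOUS), ("hidden", ROOTED_HIDDEN)]:
        print(f"{name:7} -> {detection_outcome(snap):14} {root_indicators(snap)}")
```

The hidden snapshot produces exactly the same verdict as the stock one, which is why a bank cannot rely on checks the app performs on itself; only a verdict signed by something outside the device's control is worth anything on the server side.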

[–] eluvatar 21 points 7 months ago (1 children)

The issue with option one is that scammers get old (or not technical) people to do stuff when they don't know what they're doing and click the box not knowing what they just did. So yes very frequently they need to protect people from themselves because they're dumb, but I still expect banks to do business with those dumb people, sooo.... Option 2 it is.

[–] [email protected] 21 points 7 months ago (3 children)

Ok, but also: what tech-illiterate person roots their phone?

[–] [email protected] 14 points 7 months ago

That's where this part becomes relevant

a root exploit on a phone may be unintentional and used to spy on people

[–] [email protected] 60 points 7 months ago* (last edited 7 months ago) (5 children)

The reason is very simple: They rely on Google SafetyNet (basically self-diagnosis). And that will immediately tell you off if it notices your device is rooted. And while you can have a lengthy discussion regarding whether this makes your phone less secure or not, this is another simple argument from Google's POV: The device has obviously been tampered with, we don't want to put any resources into covering this case. As far as we are concerned, you shouldn't use our OS like this.

So basically laziness.
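For contrast with the client-side picture, an added example (written for this page, not Google's or any bank's code) of what a backend has to check in a device-integrity verdict before it is worth anything. A real SafetyNet Attestation verdict is a JWS signed with a Google certificate chain, and its successor, the Play Integrity API, uses a different payload; to run offline, this stand-in signs the JSON payload with an HMAC under a constructed key. The payload field names (`nonce`, `timestampMs`, `apkPackageName`, `ctsProfileMatch`, `basicIntegrity`) are the SafetyNet ones; the key, the package name and the timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
import os

ATTESTER_KEY = b"constructed-demo-key-not-google"  # stand-in for the attester's signing key
EXPECTED_PACKAGE = "com.example.bank"               # constructed package name
MAX_AGE_MS = 5 * 60 * 1000                          # accept verdicts at most 5 min old


def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_nonce() -> str:
    """Server side: a fresh per-request nonce the app must hand to the
    attestation API, so the verdict is bound to this login or transaction."""
    return b64u(os.urandom(32))


def issue_verdict(payload: dict, key: bytes = ATTESTER_KEY) -> str:
    """Attester side (stand-in for Google): sign the JSON payload."""
    body = b64u(json.dumps(payload, sort_keys=True).encode())
    tag = b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_verdict(token: str, expected_nonce: str, now_ms: int,
                   key: bytes = ATTESTER_KEY):
    """Return (ok, reason). Every check runs on the server: a client can
    present any filesystem it likes to the app, but it cannot forge the
    signature, replay a verdict issued for another nonce, or move the clock."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, tag = parts
    try:
        expected_tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_tag, unb64u(tag)):
            return False, "bad signature"
        payload = json.loads(unb64u(body))
    except (ValueError, UnicodeDecodeError):     # bad base64 or bad JSON
        return False, "malformed"
    nonce = str(payload.get("nonce", "")).encode()
    if not hmac.compare_digest(nonce, expected_nonce.encode()):
        return False, "nonce mismatch"
    ts = payload.get("timestampMs")
    if not isinstance(ts, int) or not (0 <= now_ms - ts <= MAX_AGE_MS):
        return False, "stale or future-dated"
    if payload.get("apkPackageName") != EXPECTED_PACKAGE:
        return False, "wrong package"
    if payload.get("basicIntegrity") is not True:
        return False, "basicIntegrity=false"
    if payload.get("ctsProfileMatch") is not True:
        return False, "ctsProfileMatch=false"
    return True, "ok"


def verdict_payload(nonce: str, now_ms: int, rooted: bool = False) -> dict:
    """Constructed attester output for a clean or a rooted device."""
    return {
        "nonce": nonce,
        "timestampMs": now_ms - 1500,
        "apkPackageName": EXPECTED_PACKAGE,
        "basicIntegrity": not rooted,
        "ctsProfileMatch": not rooted,
    }


if __name__ == "__main__":
    now = 1_700_000_000_000
    n = new_nonce()
    print(verify_verdict(issue_verdict(verdict_payload(n, now)), n, now))
    print(verify_verdict(issue_verdict(verdict_payload(n, now, rooted=True)), n, now))
```

The nonce and timestamp checks are what stop a rooted phone from simply replaying a clean verdict captured earlier or from another device, and the signature check is what stops it from writing its own; without the first two, even a genuinely signed verdict is replayable.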

[–] [email protected] 59 points 7 months ago (1 children)

Banks when you use browser 3 years of updates behind on Windows XP with multiple unpatched CPU vulnerabilities:

[–] [email protected] 59 points 7 months ago (1 children)

Google and Apple have been very successful at convincing everyone, including banks, to see the idea of users having control over their own phone-like computers as dangerous.

[–] [email protected] 58 points 7 months ago (2 children)

Because, as per usual, they don't understand security. I have started choosing my bank based on the software they have. If the software looks competent, that's my most significant influence.

They think rooted device = insecure device, but at the same time PC is even less secure and yet all the business users use them and more to the point have passwords written on a sticky note glued to the screen. My old bank at one point "upgraded" their software system and then started asking me for weird characters in password and then asked for maximum length which was the final sin I allowed them to commit. Left them that week.

[–] [email protected] 30 points 7 months ago (9 children)

My bank keeps their app up to date with all the latest anti-root stuff but allows passwords made of 5 digits. ¯\_(ツ)_/¯

[–] [email protected] 17 points 7 months ago (5 children)

You're better off with random different passwords for each service written on a sticky note than using the same password/email combo for multiple accounts.

[–] [email protected] 53 points 7 months ago (3 children)

Does your bank have a Linux application? Of course not, you're using the website. So why not use the website on your phone?

[–] [email protected] 34 points 7 months ago

Most of the mobile sites I visited seemed to have only one goal: to get you to use the app. And the mobile interface is often so bad that you'd better use the app.

[–] [email protected] 21 points 7 months ago (11 children)

many banks require use of the app, regardless

[–] [email protected] 15 points 7 months ago

Mobile web interfaces for banks are complete shit, and often can't be circumvented.

[–] [email protected] 52 points 7 months ago* (last edited 7 months ago) (1 children)

I was once working for a project in a bank; when I asked a developer why they go app-only, the answer was "you don't know what people do with their browser".

It's only about the feeling of control (and some paranoia), not about security.

[–] [email protected] 17 points 7 months ago* (last edited 7 months ago)

What I find interesting is that my bank has kind of the opposite stance. It allows you to do a lot more things if you login via their website and I think they overall trust your actions more if you do it over the browser, but you are required to pass a lot more security checks, while on the app a PIN is enough, but it also doesn't allow you to do as much.

[–] [email protected] 49 points 7 months ago (1 children)

It's not just root. They would prefer you not to have a custom keyboard either.

[–] [email protected] 20 points 7 months ago* (last edited 7 months ago) (3 children)

That's actually got a solid reason behind it.

It's because the OSK is just another program as far as Android is concerned. It can't directly look into the application, per Android specifications, but it CAN record key presses, even for passwords. It even receives context hints based on the metadata on the input box, so it knows when you're putting in a password. Then it can send your data off to unknown servers.

[–] [email protected] 47 points 7 months ago* (last edited 7 months ago) (12 children)

I can't believe I'm saying this, but thank God my country's developers are incompetent.

I was greeted with this message: "This app can't be used on a rooted device". And I was prepared to go through hoops to get it to work. You know, fucking SafetyNet and all. But it turns out that the solution was just enabling Zygisk in Magisk.

[–] [email protected] 39 points 7 months ago (1 children)

My bank doesn't know for some reason. I don't even pass (~~as femme but that's not relevant~~) safetynet, but it doesn't seem to care. Sadly can't pay with my phone or watch tho

[–] [email protected] 38 points 7 months ago* (last edited 7 months ago) (14 children)

Let's be real here. Folks running Linux as their desktop have a high chance of knowing what they are actually doing. Folks with rooted Android phones have a high chance of having watched a 12 year old tell them how to root their phone on TikTok. Which of these groups is participating in the more risky activity?

[–] [email protected] 29 points 7 months ago (12 children)

I've never heard of someone rooting their phone due to a 12 year old on TikTok telling them to.

[–] [email protected] 22 points 7 months ago (1 children)

To be fair, I jailbroke my iPhone 3GS when I was 13 because I saw someone do it on YouTube.

[–] [email protected] 25 points 7 months ago* (last edited 7 months ago)

This is the real problem.

Far too many people with rooted phones having no business with a rooted phone, installing whatever from wherever with no regard to the security implications.

At least people with root on a Linux system, by default, are going to be more knowledgeable in that regard.

[–] [email protected] 23 points 7 months ago

12 year old tell them how to root their phone on TikTok

The real pros learn from Indian guys on Youtube

[–] [email protected] 35 points 7 months ago

It's the banking equivalent of turning your device off for aircraft take off and landing.

If you keep doing stupid shit for long enough you can turn it into a religion. Huge profits will follow. It's also why the unexamined life is no life at all.

[–] [email protected] 35 points 7 months ago (5 children)

Btw, have you guys heard of Taler? It's pretty interesting and I think you will be able to use it with a libre app

NGI TALER is a pilot funded by the European Commission and the Swiss State with the very concrete objective to roll out a new, best-in-class electronic payment system that benefits everyone: people, merchants, banks, financial authorities, auditors and anti-corruption researchers. The project doesn't have to start from scratch either, but builds on the strong foundations of GNU Taler — the privacy-preserving digital payment system developed by the GNU community and Taler Systems SA with support from the NGI initiative. This offers privacy for those that make payments, while enforcing transparency on those that sell. By providing micro payments at very low overhead, GNU Taler permits internet business models to shift away from advertising revenue or subscription models, especially for online publishers. No-risk transactions can lower transaction fees and open online payments for the underbanked population and citizens marginalized from digitalisation.

https://nlnet.nl/taler/

[–] ICastFist 24 points 7 months ago

bUt sEcuRiteeeEeeeEEE

[–] [email protected] 18 points 7 months ago (10 children)

There is no banking app for authenticating transactions for desktops?

[–] [email protected] 16 points 7 months ago (5 children)

Rooted mobile devices are a reasonable signal they have been hacked and that security features might be disabled or not work as expected.

It's not just banks: a lot of corporate security policies don't allow rooted devices, as they could bypass mobile device management policies for devices owned by the company.

With laptops it’s a different story. Whether users have Mac, Linux or Windows, there’s a reasonable chance they have admin access too, so checking for root access is not such a useful signal there.

[–] [email protected] 32 points 7 months ago (9 children)

Rooted mobile devices are a reasonable signal they have been hacked and that security features might be disabled or not work as expected.

Rooted mobile devices are a reasonable signal that someone wants to actually own what they buy, and corporations want to make sure as few people think that as possible.
