I’ve written this blog post about moving from rooted Samsung to a Pixel running GrapheneOS. It’s a list of every root tool that I used, with a note on whether I’ll miss it. I wrote it as a checklist for myself initially, and decided to add links and more comments and publish it. Turns out I don’t really need root, which truly surprised me.

Do you have any apps or tools that hold you back from leaving root?

  • skuzz@discuss.tchncs.de
    2 days ago

    This must be a European problem perhaps? I can’t understand why this is the deal breaker for so many.

    Banks have web sites. I don’t know why anyone would ever allow their financial institutions access to their phone’s plethora of sensors and the available telemetry on what they are doing on their mobile device 24/7. That links confirmed ID + “trusted platform” + biometrics + transactions + location + all the metadata every other app hoovers up in one convenient place. The very same people across the pond are worried about having to verify ID to look at porn, but are cool with their bank knowing the position of their accelerometer while they’re taking a dump.

    • infeeeee@lemmy.zip
      2 days ago

      In my local bank you can choose between 2 ways of 2FA: in their app or SMS. SMS is less secure and slower, as you have to wait a bit for the SMS to arrive. And you have to use 2FA for each online purchase, and to log in to the website. But my bank’s app works perfectly fine on rooted phones.

      However, Revolut stopped working, and I gave up reading about workarounds. I have an old unrooted broken phone always at home; I use it for that only. Revolut’s website is limited: you can only see your balance and disable your cards if they were stolen, nothing else; you have to use the app for everything.

      • skuzz@discuss.tchncs.de
        18 hours ago

        Wow, that’s an interesting one, thanks for that. That would be quite annoying to deal with.

        In that case, since the 2FA is coming from the carrier, if you can disable 2G and 3G on your handset, the air link on LTE and above is AES-based encrypted at least, if the carrier configures it correctly, even though the channel itself often isn’t. Or, if very paranoid, you can use WiFi calling in airplane mode on a burner so the carrier sends the message over the WiFi calling IMS-encapsulated-in-VPN-connection over the Internet.

        The chance of someone being able to intercept that 2FA code in a way that could get into your bank account is pretty much absolutely scant.

        Not trying to change how you do things either, though. Just knowing how terrible some banks can be at writing software, I’d be more apt to trust “weaker” methods versus apps. The future is quite exhausting.

        • infeeeee@lemmy.zip
          13 hours ago

          With SS7 they can spoof your number, and the attacker gets the SMS instead of you; it doesn’t matter how it’s encrypted.

    • airgapped@piefed.social
      2 days ago

      Not sure what kind of apps you are into that know when you’re taking a shit, but my banking apps have notification permissions and that is about it (camera when needed, but yank it straight after). Most bank and broker websites are limited compared to the app. I have 8 finance-related apps and it was constant musical chairs with which one will break after an update, requiring hours of workaround research, if one is even available. Any version of Interactive Broker straight up refused to work on a rooted device. You may personally be OK with giving up that functionality on your phone, but not everyone is in the same boat as you.

      • skuzz@discuss.tchncs.de
        18 hours ago

        They don’t need your permission to gather all sorts of data from most modern smartphones, nor can you really deny some of it. (Some you can, like camera, and microphone, allegedly.) Part of the whole banking<->handset manufacturer agreement also frequently allows “special access” outside of the traditional user-permission security model. For…“security” to “prevent fraud”.