Comment by Llamamoe

3 months ago

Seriously though, can anyone tell me why the fuck banking apps try so hard to find any possible excuse to not run on customised devices?

I just can't see any good reason for it but my banking app has invested more work into detecting any possible hint of rooting than into its UX. It's absurd.

> Seriously though, can anyone tell me why the fuck banking apps try so hard to find any possible excuse to not run on customised devices?

As an early CyanogenMod adopter I really don’t want to lose the ability to sideload etc., but to answer your question, this is probably for the lowest common denominator's safety. Anecdotal example: a scammer tricked my parents into sideloading an APK which automatically forwarded all SMS messages to said scammer. This led to the 2FA code from the bank going through and allowed them to perform some transactions. There were many red flags during this ‘call from a bank’ and I’d say some blame lies on my parents here. I guess this is the only way to lock down bad actors? I am not entirely sure it is.

Banks have stupid rules, probably made by people who don't understand the matter. A relative recently fell victim to phishing and gave away some of his banking details (fake e-banking login screen on a website). After locking the account, the bank said it would only unlock it after the phone got wiped, which obviously doesn't add anything in this situation.

Another pet peeve is that they prevent screenshots simply because they can, and it feels safer. I know, there are 3rd-party apps which can take screenshots etc., but this is fighting the threat the wrong way. And yes, it's partially the fault of the platform, which could just allow user-initiated screenshots. Or at least make it configurable.

  • > Banks have stupid rules probably made by people who don't understand the matter.

    Their insurance policies, if I had to guess.

    • Unlikely, banks do not reimburse this kind of fraud in most of the world.

      This is most likely the bank just being genuinely nice and taking care of customers who range between very stupid and momentarily distracted.

  • > After locking the account, the bank said it would only unlock it after the phone got wiped, which obviously doesn't add anything in this situation.

    How is that supposed to be a stupid rule? Do you have any idea how much fraud this stops?

It may not be banks themselves doing this.

For example, my bank here in Hungary, Erste Bank, has announced that the central bank requested that they stop allowing their Android app to run on "modified" devices.

They even have a workaround: switch to SMS-based 2FA and use their website (which works well on any screen and has all the features of the app except 2FA).

If you run a pentest, allowing rooted devices will almost certainly show up as a vulnerability. It'll be marked "low risk", but you'll also be told that you don't want to "accept risk" for too many "low risk" vulnerabilities.

So somebody then needs to say that this is not something they worry about rather than doing the easy thing and remediating it.

At most banks, absolute control belongs to the risk and regulation department. A bank must safeguard its license above all else, and it is very easy to lose it if the bank is found doing something it should not (though the big ones sometimes operate in a gray zone, which means they manage to keep their licenses despite relatively steep fines). Even for the simplest UI/UX change, the risk department has the final say. Source: I’ve been working 15+ years in the banking industry.

Probably because it makes it easier to observe and/or intercept API calls and other data exchange between the client and the server. It's trivial to disable things like SSL cert pinning, etc. on rooted devices.

  • … and then the return argument is that those who actually want to do this nefariously are already going to be able to hide device modifications/rooting.

How useful is it to have a unique global ID, that the target willingly carries and manages, but doesn't have any meaningful control over?