
Comment by the_biot

18 hours ago

It's fundamentally client-side security: the phone tells the server "no, I haven't been rooted" and the server believes it.

Any security system that relies on any form of client-side security is going to have other problems as well, since its designers haven't grasped this basic principle.

That used to be a core principle but might not be guaranteed anymore. Depending on the implementation, it can be near impossible to bypass modern hardware-backed security. As it should be!

The policy issue at this point is that users effectively aren't in control of their devices anymore.