• Skull giver@popplesburger.hilciferous.nl
    link
    fedilink
    English
    arrow-up
    55
    ·
    9 months ago

    This seems to match the standard, at least for RCS payments (something Google may be working on?):

    The device OEM should ensure any RCS client is not modified since it was released, e.g. using integrity checks. The service provider and MNO could potentially rely on such assurance from the OEM. For example, the RCS client should not be running on a device that has ‘root access’ or is ‘jailbroken’.

    How very unfortunate.

    • RobotToaster@mander.xyzOP
      link
      fedilink
      English
      arrow-up
      72
      arrow-down
      1
      ·
      9 months ago

      We really need to move away from the idea that a user having control over his/her device is insecure.

      I can use online banking and paypal with windows logged in as administrator or GNU/Linux logged in as root[0], why shouldn’t I be able to use google wallet pay wallet with root?

      [0] yes I know you shouldn’t log in as root, but that doesn’t change that you can do it.

      • Yurgenst@lemmy.world
        link
        fedilink
        English
        arrow-up
        26
        arrow-down
        3
        ·
        9 months ago

        “why shouldn’t I be able to use google wallet pay wallet with root?” Because little innocent Google won’t be able to build their advertising profile of you. Can’t have that!

      • Wes_Dev@lemmy.ml
        link
        fedilink
        English
        arrow-up
        15
        ·
        9 months ago

        No my friend, our overloads have decided that you shouldn’t have control over your desktop either.

      • Programmer Belch@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        9
        ·
        9 months ago

        Does rooting your device make you the root user or just gives you access to superuser utilities?

        In linux systems the root user shouldn’t be used for daily use, you just make an user account with permission to use sudo, doas or su.

        • u/lukmly013 💾 (lemmy.sdf.org)@lemmy.sdf.org
          link
          fedilink
          English
          arrow-up
          15
          arrow-down
          2
          ·
          9 months ago

          If you root your phone, at least with most tools, you don’t become the root user. Apps that use root access have to request it, and you’ll have to allow it in the root tool you flashed.

          Example pop-up from SuperSU:

          • Programmer Belch@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            7
            ·
            9 months ago

            So google is lying about rooted devices, they seem as secure as an OEM letting an user sideload apps or google themselves letting malware apps inside their store

          • evo@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            9
            ·
            9 months ago

            Lol. So if you use an exploit to gain SU what makes you think a malicious app can’t do the same? Or better yet, find a new exploit in the SU management software you installed. As soon as you root, you can no longer guarantee root activities are not taking place unbeknownst to you…

            • michaelmrose@lemmy.world
              link
              fedilink
              English
              arrow-up
              14
              ·
              9 months ago

              if you use an exploit to gain SU what makes you think a malicious app can’t do the same

              They can. 99% of computer security is still not installing malware or being tricked into taking actions that enable your own harm. That said often rooting methods involve physically pressing keys while booting to access the boot loader, ADB, running things with with expansive permissions. Malicious apps install via play store with reasonable permissions will generally have a much harder time breaking out of the sandbox.

              Or better yet, find a new exploit in the SU management software you installed

              Historically “sudo” tools haven’t been the source of many issues whereas a multitude of problems flowed from complex memory unsafe code.

              As soon as you root, you can no longer guarantee root activities are not taking place unbeknownst to you

              You can never guarantee this however if you are careful what you install you will remain safe same as it was before.

            • notfromhere@lemmy.ml
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              2
              ·
              9 months ago

              That goes for unrooted phones as well. The danger with rooting a phone comes from the automated software that is doing the initial rooting. It could install anything in there and the user would be none the wiser. Once it’s rooted and permissions are requested via the superuser app, it’s not any more dangerous than a non-rooted phone, assuming nothing malicious was installed during the rooting process, that is.

              • evo@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                2
                arrow-down
                4
                ·
                9 months ago

                Once it’s rooted and permissions are requested via the superuser app

                And you expect this piece of community software (that is often closed source to avoid detection by safetynet) is perfect? Never had any bugs or exploits?

                it’s not any more dangerous than a non-rooted phone

                The SU software itself is an attack vector. One with the ultimate payoff (root access). When you root the device you install a window in what was otherwise a solid wall. It is inherently less secure and I can’t understand how a knowledgeable person would argue otherwise.

                • notfromhere@lemmy.ml
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  arrow-down
                  1
                  ·
                  edit-2
                  9 months ago

                  I agree with what you’re saying, but all software is insecure and it should be up to the user what their risk tolerance is. Instead, users’ control of their equipment is whittled down and before long the only choice will be deal with it or don’t play. Pinephone comes to mind as a phone with root access that is somewhat secure, but it also has latent vulnerabilities that could be exploited as its version of sudo is also an attack vector. Everything is a trade off especially in software/tech.

                  • evo@sh.itjust.works
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    arrow-down
                    1
                    ·
                    9 months ago

                    but all software is insecure and it should be up to the user what their risk tolerance is

                    Yes. And app developers/companies should in turn do the same. A banking app and a lemmy app probably don’t have the same security requirements. Each needs to apply the appropriate security constraints, and if that means not allowing rooted decices that’s fair imo.

                • michaelmrose@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  9 months ago

                  SU software has been a thing for about as long as android about 20 years or about. Has otherwise legitimate su been a source of unattended exploiting?

                  The obvious risk factors are that users shall be tricked into granting inappropriate permissions to otherwise malicious or compromised software that they have deliberately installed. Outside of mobile platforms this is considered an acceptable risk that competent users can consistently successfully manage on their own hardware.

                  In fact if you look at actual users even those with very limited technical know how the primary thing that

                  The secondary risk is that users with no legit source of tools to root

      • BoofStroke@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        7
        ·
        9 months ago

        I’m not even rooted and gpay keeps breaking on crdroid for me, despite passing safetynet. I’ve given up and just got another credit card that I can use with my garmin watch that works every time without the hassle.

      • Skull giver@popplesburger.hilciferous.nl
        link
        fedilink
        English
        arrow-up
        11
        arrow-down
        5
        ·
        edit-2
        9 months ago

        The problem with root access is that malware uses root access to take funds out of Google Wallets and banking apps. They’re not protecting you, they’re protecting themselves from having to pay their users their money back for losing all of their savings to TotallyLegitWhatsAppUpdatev0.1alpha.apk.zip.

        • dejected_warp_core@lemmy.world
          link
          fedilink
          English
          arrow-up
          7
          ·
          9 months ago

          I must be missing something. How would Google be at all liable for restoring funds stolen by software that they themselves didn’t furnish, on a device that’s out of their control?

          • ForgotAboutDre@lemmy.world
            link
            fedilink
            English
            arrow-up
            5
            ·
            9 months ago

            A judge may not see it that way. They may perceive it as Google failing to provide adequate protections to their users.

            If user installed the app created by Google and did not share any login credentials. It’s easy to claim Google is liable.

            The equivalent would be a bank leaving the back door to their vault open. An intruder going in and removing your funds. Despite following all the banks instructions, the bank has not replaced the funds.

            The banks is responsible for people gaining unauthorised access to your account. Especially when you don’t share your login credentials with anyone (even unknowingly). If they can’t protect against root access attacks then, they shouldn’t permit use of their app on those devices.

            Apps have convenience features, especially related to easy sign in. Their website logins don’t have these features. They require the user to enter passwords, challenge codes, card reader etc. If someone gets access to a password manager, the user is at fault. The bank likely stated you shouldn’t write down or record your password.

          • Skull giver@popplesburger.hilciferous.nl
            link
            fedilink
            English
            arrow-up
            1
            ·
            9 months ago

            Google has a contract with the banks. They get exclusive payment provider access, but in exchange must make sure that customer funds don’t get stolen.

            When CandyCrushHack.apk drains someone’s bank account, the victim will first go after the bank, who should’ve seen the fraud and acted. If the user can prove that they did not authorize the transactions, in many cases, the bank is forced to restore the customer’s balance. That’ll be expensive as hell, and someone will need to pay. The bank knows damn well that Google is on the hook, because their payment gateway could’ve and should’ve detected that the phone was compromised, so Google will either need to pay for the damages, or win an expensive court case with an army of expensive finance lawyers.

            So now there’s a small risk of “user gets hacked, we need to pay back millions” that’s put up against “a sliver of a percentage of our user base can’t do contactless payments with their phone”. I don’t know about you, but I don’t think I would go “let’s blame the users! rooted phones for everyone!” if my pay check was on the line.

            Alternatively, the user is left without a retirement fund and is now forced to work until they die. The news will feature another “picking Android ruined my life” story, Google stock drops, Samsung stock drops, iMessage gains a new set of users.

            That said, my bank allows me do pay by card through the bank app no problem, even without trying to hide root access. Clearly, they trust their anti fraud systems much more than Google trusts theirs.

        • x6a61686e@lemmy.world
          link
          fedilink
          English
          arrow-up
          7
          ·
          9 months ago

          Tried installing the most recent WhatsApp update but it’s failing. I think a virus is blocking the update, better try again with secure browsing off…

      • umbrella@lemmy.ml
        link
        fedilink
        English
        arrow-up
        5
        ·
        edit-2
        9 months ago

        how would an unrooted but old, deprecated version of android be any better than an updated custom rom?

        those things baffle me, they just want to take away control dont they?

      • evo@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        10
        ·
        9 months ago

        Yeah, I’m going to get downvoted into oblivion for this…

        I’m sick and tired of reading this same uneducated argument. Your desktop browser and an app on your phone are entirely different paradigms security/development wise.

        Your desktop browser is expected to be insecure. Nobody stores data there besides cookies. Most processing happens somewhere else on a server.

        Apple and Google have changed this stance entirely because they knew apps could be a lot more powerful if they did. The API’s that exist to build apps on your phone are designed around the concept of having a secure, sandboxed environment per app. Apps can run offline and manipulate data quickly because data can be synced down and stored locally. I know it sucks for rooted users, but I don’t blame developers for refusing to support those devices one bit.

        • Norodix@lemmy.world
          link
          fedilink
          English
          arrow-up
          8
          arrow-down
          5
          ·
          9 months ago

          We all get that the design paradigm is “a secure, sandboxed environment per app”. We just know its a retarded design.

    • EpicVision@monero.town
      link
      fedilink
      English
      arrow-up
      13
      ·
      9 months ago

      The standard seems to be complete and utter garbage. It was garbage from the very beginning, which is why I never understood why people were getting so incredibly hyped up about RCS support.