
Banking, some government and crypto apps on Android think: no

They sometimes actively search for root evidence.
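For readers who have not seen what "searching for root evidence" means in practice, here is an added example (not code from the thread or from any banking app). It runs the classic indicator checks against a filesystem tree passed in as `fs_root`, so it can be exercised on a constructed fixture on any machine; on a device the same checks would run against `/`. The su paths, Magisk directories and build properties listed are the commonly cited indicators; real detectors add many more signals, which is why the thread describes it as cat-and-mouse.

```python
"""Minimal root-indicator scan of a filesystem tree.

Added illustration, not from the thread or any real app. All paths and
property names are the commonly cited public indicators; the fixture built
by make_fixture() is constructed for the demo.
"""
import os
import tempfile

# Locations where a su binary is typically installed on rooted devices.
SU_PATHS = [
    "system/bin/su", "system/xbin/su", "sbin/su", "su/bin/su",
    "data/local/bin/su", "data/local/xbin/su", "system/sd/xbin/su",
]
# Directories left behind by a root manager (Magisk).
ROOT_MANAGER_DIRS = ["data/adb/magisk", "data/adb/modules"]
# Build properties whose values indicate a non-production or debug build.
SUSPICIOUS_PROPS = {"ro.build.tags": "test-keys", "ro.debuggable": "1", "ro.secure": "0"}


def read_build_props(fs_root):
    """Parse system/build.prop under fs_root into a dict (empty if absent)."""
    props = {}
    path = os.path.join(fs_root, "system", "build.prop")
    if not os.path.isfile(path):
        return props
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def root_evidence(fs_root="/"):
    """Return a list of human-readable findings; empty means no indicator hit."""
    findings = []
    for rel in SU_PATHS:
        if os.path.exists(os.path.join(fs_root, rel)):
            findings.append(f"su binary: /{rel}")
    for rel in ROOT_MANAGER_DIRS:
        if os.path.isdir(os.path.join(fs_root, rel)):
            findings.append(f"root manager dir: /{rel}")
    props = read_build_props(fs_root)
    for key, bad in SUSPICIOUS_PROPS.items():
        if props.get(key) == bad:
            findings.append(f"build prop {key}={bad}")
    return findings


def make_fixture(base, rooted):
    """Construct a fake device tree: stock-looking build.prop, plus su and a
    Magisk directory when rooted=True. Fixture only, not a real image."""
    os.makedirs(os.path.join(base, "system", "xbin"), exist_ok=True)
    tags = "test-keys" if rooted else "release-keys"
    with open(os.path.join(base, "system", "build.prop"), "w") as f:
        f.write(f"ro.build.tags={tags}\nro.debuggable=0\nro.secure=1\n")
    if rooted:
        open(os.path.join(base, "system", "xbin", "su"), "w").close()
        os.makedirs(os.path.join(base, "data", "adb", "magisk"), exist_ok=True)
    return base


def demo():
    """Scan one clean and one rooted fixture; returns (clean_findings, rooted_findings)."""
    clean = root_evidence(make_fixture(tempfile.mkdtemp(), rooted=False))
    rooted = root_evidence(make_fixture(tempfile.mkdtemp(), rooted=True))
    return clean, rooted


if __name__ == "__main__":
    clean, rooted = demo()
    print("clean fixture:", clean or "no indicators")
    print("rooted fixture:", *rooted, sep="\n  ")
```

Every indicator here is a plain filesystem or property fact, which is the weakness the thread circles around: the app is asking the device about itself and trusting the answer.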




I'm actually confused about why banks are so aggressive in denying users the ability to use their apps while rooted. Unlike Google and Apple, I can't think of any financial incentives for this, and the security argument is quite obviously nonsense, as I don't think there has been a single person in history who managed to fall for a scam that made them follow the complicated procedure of rooting a smartphone. Nevertheless, there is a clear continuous effort in developing new root detection methods to keep me from using their apps.


I believe the root detection is a form of security-by-obscurity. Bank applications are required to be obfuscated, so you can't simply statically decompile them. The other way to do that is to run the app and set runtime breakpoints, which you can't do on production firmware.

Once the application is decompiled the attacker then can proceed to pentest the bank backend, or find any frontend-only security measures to bypass. One attack I heard of in local news is not even a hack at all - they simply make a script that uses the mobile application API to automatically move money between sock puppet bank accounts. Once a victim gets scammed, the money moves around quickly. For privacy, banks do not provide information about unrelated cross-bank transfers, so even cops can't easily trace the multiple hops. That specific bank got in the news for that "weak security".


Security of banking shouldn't depend on the client software, it should be enforced at the interface the clients use to talk to the bank. It shouldn't matter whether the banking app can be disassembled or not. As much as I detest browser-based authentication in general, online banking websites got it right: you just use a browser (and it's in your best interest to use a trusted browser -- one trusted by you) but all the bank cares about is that the user has the necessary pieces for authentication, be it numerical codes, passwords, or 2FA tokens. The browser doesn't have to be a bank-signed edition of MS Edge, it can be Firefox or even a browser you wrote yourself. But a banking app is basically a black box that you would have to allow to run in your system in order for the bank to talk with the software the bank itself trusts.
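The two comments above make a pair: one describes a script hopping money through sock puppet accounts via the app's own API, the other argues that controls belong at the interface rather than in the client. The following is an added example (not from the thread or any bank) of what such a server-side control can look like: a detector that looks for chains of transfers where each account forwards most of what it just received within a short window. The transfer records and thresholds (`max_gap`, `min_hops`, `min_ratio`) are constructed and illustrative.

```python
"""Detecting rapid multi-hop transfer chains on the server side.

Added example, not from the thread or from any bank: the transfer records are
constructed and the thresholds are illustrative. The control lives at the API
every client talks to, so it holds whether the caller is an unmodified app,
a rooted phone, or a script driving the same API.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int        # seconds since epoch (constructed values)
    src: str       # debited account id
    dst: str       # credited account id
    amount: float


def _forwards(prev, nxt, max_gap, min_ratio):
    """True if `nxt` looks like `prev` being passed on: the receiving account
    sends again within max_gap seconds, and most of the money moves on."""
    return (prev.dst == nxt.src
            and prev.ts < nxt.ts <= prev.ts + max_gap
            and nxt.amount >= min_ratio * prev.amount)


def find_layering_chains(transfers, max_gap=600, min_hops=3, min_ratio=0.8):
    """Return maximal chains of >= min_hops transfers in which every hop
    forwards at least min_ratio of what the account just received."""
    by_src = defaultdict(list)
    by_dst = defaultdict(list)
    for t in transfers:
        by_src[t.src].append(t)
        by_dst[t.dst].append(t)

    def extend(chain, out):
        last = chain[-1]
        nexts = [n for n in by_src[last.dst]
                 if _forwards(last, n, max_gap, min_ratio) and n not in chain]
        if not nexts:
            if len(chain) >= min_hops:
                out.append(chain)
            return
        for n in nexts:
            extend(chain + [n], out)

    chains = []
    for t in sorted(transfers, key=lambda t: t.ts):
        # Start only from transfers that are not themselves a forward of an
        # earlier hop, so each chain is reported once rather than per suffix.
        if not any(_forwards(p, t, max_gap, min_ratio) for p in by_dst[t.src]):
            extend([t], chains)
    return chains


def chain_path(chain):
    """Render a chain as 'a -> b -> c'."""
    return " -> ".join([chain[0].src] + [t.dst for t in chain])


# Constructed sample: one victim-to-cashout chain plus unrelated normal traffic.
SAMPLE_TRANSFERS = [
    Transfer(1000, "victim", "mule1", 5000.0),
    Transfer(1120, "mule1", "mule2", 4900.0),
    Transfer(1300, "mule2", "mule3", 4850.0),
    Transfer(1500, "mule3", "cashout", 4800.0),
    Transfer(1000, "alice", "bob", 200.0),
    Transfer(1200, "bob", "carol", 50.0),      # bob keeps most of it: not a forward
    Transfer(2000, "dave", "erin", 3000.0),
    Transfer(4000, "erin", "frank", 3000.0),   # too slow to count as a hop
]

if __name__ == "__main__":
    for chain in find_layering_chains(SAMPLE_TRANSFERS):
        span = chain[-1].ts - chain[0].ts
        print(f"{len(chain)} hops in {span}s: {chain_path(chain)}")
```

In the constructed sample only the `victim -> mule1 -> mule2 -> mule3 -> cashout` chain is reported; the other transfers fail either the ratio or the timing test. A check like this needs no knowledge of the client at all, which is the point the comment above is making.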


> to fall for a scam that made them follow the complicated procedure of rooting

If you are unable to imagine how a 3rd party might root a device without the principal being aware of it, then maybe it is a shortcoming of your risk survey, not theirs.


Rooting an Android device generally requires completely wiping it and reinstalling the OS. It's quite impractical to do secretly!

I think in any scenario where the principal can do that without you noticing (which means things like reinstalling & logging you back into all your apps, logging the device into your Google account successfully, restoring all your device settings, re-adding your fingerprint or device PIN to unlock the device, etc.) then it's game over regardless. If they can do that, they could get into your bank app anyway, or they could easily just replace your phone with another one entirely, and now you're just logging into your bank on a stranger's phone.

Barring a _very_ major Android zero-day (which probably would evade attestation anyway), unexpected rooting of your device is really not a plausible attack scenario.


I'd like a capability that I can run any application in a tight container that absolutely sees nothing of what's on my phone. I can give it a real or fake or filtered network if needed, and anything else the app sees like contacts or files would look like a real phone but just originate from a fake null source. There's a mutual distrust between users, manufacturers and application vendors, and technology can solve that.

Namely, that's what I do with proprietary software on my desktop. Nothing that's closed runs with access to my files. Further, a banking app shouldn't need to know I'm running a rooted device. For some reason, I can do banking with an open source browser on a rooted phone just fine. It's just the proprietary blob that comes with TPM shackles, and I think I should be the owner of those shackles because I own my phone.


What's even worse is that some won't even let you take a damn screenshot. "Disabled by your administrator." If that doesn't scream the fact that my device is in fact owned by someone else, I don't know what does.


With root + LSPosed + this LSPosed module

https://github.com/LSPosed/DisableFlagSecure

it works in every app again on YOUR phone. I also have root and all my banking apps work currently ... but it's a cat-and-mouse game.


It helps to keep a burner phone just for those. We don't use them everyday anyway.


The weird thing about banking apps is, if I don't install them and just log in via browser, I don't need any of that bullshit. So why does my bank app need all that, if they're OK with the browser just logging in? It all feels a little like something the app monkeys got sucked into because they don't know better and trust Google more than they should.



