Let's be real here. Folks running Linux as thier desktop have a high chance of knowing what they are actually doing. Folks with rooted android phones have a high chance of having watched a 12 year old tell them how to root thier phone on TicTok. Which of these groups is participating in the more risky activity?
I for one, would NOT trust some rando 30 second clickbait video telling me how to root my phone, but you can sure as shit bet that a ton of school aged children are doing that to play some cracked APK they got from a sketchy website because their parents wouldn't buy them a 99c game.
Those same kids have bank and google pay apps setup on their phone so they can make purchases when they are out and about. I see kids using their phone for vending machine purchases ALL THE TIME.
Edit: Since this is a meme community, little bit of rage bait for ya: All the TikTokers coming out with the downvotes :)
No offense but you sound SO old lol. Tiktok isn't just full of 12 year old's and hasn't been since, well, probably since covid started. With what a shit show standard search engines are these days I don't blame them for searching what they know. There's plenty of good info on tiktok that's being presented by people that know their craft. The short format is nice too because it keeps them from telling their whole life story before they show me what I need to know.
The fact that you're just basing your whole opinion here on an article kinda says it all really. I would have hoped my generation would outgrow this boomer bullshit but here we are.
Y'all are so worried about using things like Google pay but it's going to become a standard whether you like it or not. It's just another way to pay for shit and banks reimburse scammy bullshit just like they do if your card info gets stolen.
Nah, the article was something I went searching for after the fact. I guess "old" is in the eye of the beholder. My 8 year old thinks I'm old.
Just your bog standard Millennial here though. Started out with no tech growing up, and basically grew up along side and with the modern era of technology.
As for search engines, I agree, that's why I use a selfhosted SearXNG instance. It's not shoved down your throat google ads (much more akin to what google was 5 years ago or older), but TikTok surely isn't the answer for "specialists in their field", just like I wouldn't have used Vine to source specialist knowledge before that. The problem with the format is there is to much "jumping to the end" without understanding why. You literally cannot get into the "why" in short video format, it's a bit like "and now your draw the rest of the owl".
I actually feel like some of the youngest generations while "perceived" to be technical because they grew up with tech actually lack much of the deeper understanding of how that same technology works. This is gonna sound very much "in my day we had to walk uphill both ways" kinda thing, but we did actually have to struggle with technology growing up. If you wanted it to work, you had to frequently do it yourself, and figure out why something wasn't working with out reddit or online forums sourcing thousands of technical people. I use those skills to this day and it's a skill I try and mentor into new hires at work.
I recall once early in my career, I caught a co-worker attempting to perform a change on a server for a Fortune 500 financial company using instructions on a webpage that looked like it was from a 1990's Geocities website (this was probably 2012, so not sure where he even found it!). I slammed his workstation closed so fast and walked him into a conference room. Being "old" doesn't mean out of touch, but it does often mean wiser.
Edit: Also, not sure where you got that I'm against google pay, venmo, paypal, square, amazon pay or any of those apps, I have them all installed on my phone. What I AM saying is that those apps are at risk to people who root their phones and install applications from sketchy sources. My point about kids using their phones at vending machines was to prove they are probably MORE at risk because they don't understand the hows or whys to what they did when they rooted their phone and installed Minecraft (or any game!) from a sketchy crack page.
If any of the younger gens have a lack of understanding in tech then it's on us. It's on the older gens. We failed to guide them and push for the kind of education that they needed. Millennials, older millennials especially, were kind of privileged in this regard because we grew with the tech. We HAD to figure it out or just not interact with it. It's not like we're just built different or anything we just had different opportunities to learn. I don't see how "watching a 30 second video by a 12 year old on tiktok" is realistically different from watching the video by a 12 year old typing in a notepad on YouTube that I used the first time I rooted a phone.
I swear every single generation makes things easier for the next and then immediately complains about "kids these days" and their lack of struggles
Alright this wasn't supposed to be a TED talk but turns out I'm passionate about this and the Adderall kicked in...
I don't think it's on older gens on a user level for the most part.
I try to teach the kids in my life computer stuff all the time. I know lots of "my dad's in IT" kids that grew up understanding how computers work even on a basic level.
We who care, do so fervently, and are often drowned out by the noise.
Let's point the finger more accurately: It's 99% on how tech companies forced the evolution of computing to their benefit. They decided what "the future" would be, and sold us out to it.
Instead of fully functioning computers, "Kids these days" have grown up with flat little content-consumption devices that make sure you literally can't understand how they work. Everything is framed as some esoteric black box service brought to you by a cabal of qualified wizards. (Look at Windows' whole "We're doing things for you behind this pulsing blue screen" schtick. Funny how opaque an OS called "Windows" has become.)
The entire design motif of modern devices seems to scream:
"Don't ask questions. You're too stupid for that. Know your place. Just put a payment method on file and tap whatever you could want for just 99¢ more!"
They're black-box appliances that were aggressively marketed to families at home, and these companies shelled out tablets and chromebooks as "grants" to schools, to secure a mind-share of future customers who were "raised on it" and know nothing else.
The Silicon Valley titans have normalized addiction algorithms, invisible data mining, zero privacy, planned obsolescence of entire devices with non-replacable parts, browser-based-everything, subscription-tiers for everything, no ownership over purchases, and consumption-first design.
Computing knowledge has become a "magic box" to the point that colleges need to spend valuable time explaining file types and folders. Before college?
Hah! We're back to the 80's again: Only real nerds have a desktop in the house.
Elementary schools have replaced their computer labs with cheap e-waste-quality chromebooks where students do everything through a browser. Computing education went the way of arts, history, and music. Gone, unless it's a fancy private school.
They're stretched thin as it is, and the curriculum is increasingly based on standardized testing on "STEM" over everything else. Why?
Because employers want a large pool of punctual test-passers to choose from, and corporations want generationally vendor-locked customers to secure future earnings.
This is why, despite how the world runs on computers, to the majority, emails are space magic. Nobody knows nor cares about their privacy being sold off, and nobody bothers to learn about computers in the first place.
A "technical user" is super intimidating to "normies" because they know things like "There are multiple browsers" and "You can copy and paste". I'm not even kidding.
It's depressing as hell. Maybe some of it is on our generation, for not fighting harder for user rights.
This is why Linux has such a cult following: it flies in the face of this hypercapitalist customer-farm nonsense, and people find that refreshing. I'm happy to hear of more kids using it, and messing with things like Pis.
Because they want to "protect" you from "yourself". Imagine, you could scrape your own data that you can already see.
I'd be really worried if the security of server operation for my bank depended on the client-side. But playing devils advocate, some people will most likely point out that a root exploit on a phone may be unintentional and used to spy on people, to which I answer:
show me a big scary box where I can "accept the risk" and move on
keep in mind that if I am root on my phone, I can hide the fact that I am root on my phone and you'll be none the wiser
You deftly evaded the leading attack vector: social engineering. Root access means any app installed could potentially access sensitive banking. People really are sheep and need to be protected from themselves, in information security just like in anywhere else.
You don't get a "accept the risk" button because people don't actually take responsibility, or will click on those things without understanding the risk. Dunning Kruger at play.
Why is this prevalent on Android but not desktop Linux? Most likely a combination of 1) Google made it trivially easy to turn on, and 2) the market share of Android is significantly large enough to make it a problem warranting a solution.
The fact that you know how to circumvent it is inconsequential to the math above. Spoiler: you never were nor ever will be the demographic for these products, in their design, testing, and feature prioritisation.
Root access means any app installed could potentially access sensitive banking
That's not how it work. Having a rooted phone does not turn it into a digital farwest were every application can do anything. It becomes a permission like everything else; if you only grant it to safe stuff (like, for example, not granting root to a single app but using it to customize your phone through ADB), there's not much to see here.
The word “potentially” was critical in the parent’s comment. A banking app cannot be assured that other apps are prevented from accessing its data when the phone is rooted.
So? If I, the customer, want to access my banking info, on my phone, with whatever means I want, I should be able to. As I said, it's not like every app gets root access, if I, as the owner of the device, explicitly gave root access to something, it's for a reason.
And the main point that a rooted phone can basically hide itself from any app remains; these "detections" are trivially bypassed in the exact situation they're supposed to detect.
And if you don’t want to wear a mask on your face during a pandemic, you should be able to? Not everything is about you.
Banks practice defense in depth as other security practitioners do. Not every defense will stop every attack, so a layered, overlapping approach is used.
You really are missing the point that if the device is rooted there is nothing an app can do to protect itself. Defense in depth is layering (sometimes overlapping) solutions that do something. Detecting root and saying "nuh-uh" is not doing anything.
Your bank most likely has an app on mobile. If you have Root and Xposed you can do crazy things to that app (and your phone). You don't use an app on a PC, you use their website.
It's not to stop you from abusing their systems but to stop scam victims from being screwed
One easy example is that you can get around the "no screenshots" lock many bank apps use with root, allowing you to potentially expose security vital information to people.
Should those of us who know what we're doing be allowed? Maybe.
But it's there to protect the old people who will run the .exe that's designed to root their phone and then let them hand over data that would otherwise be locked down so that doesn't happen just because someone called them and said they're from the bank.
Most bank apps nowadays are just a webview wrapper over their web app. And they only have two reasons to maintain that app, to be able to make contactless payments with the phone, and to farm your contacts (supposedly for easier money transfers).
I actually heard something about that in class not long ago
The story is that Android's security heavily relies on the compartmentalization of apps that lives in the android layer, over the Linux kernel. Apparently, that functionality works in part because only this layer can perform operations that require root access, no app or user can.
So software that allows you to root your phone apparently breaks this requirement, and makes the whole OS insecure. He even heavily implied that one should never root their phone with 'free' software found on the internet because that was usually a front for some nefarious shit regarding your data.
I'm just parroting a half-understood and half-remebered speech from a security expert. His credentials were impressive but I have no ability to judge that critically, if anyone knows more about this feel free to correct me.
I've been using android since 2010, and it's gotten significantly better over the years. There's only a few things it doesn't back up, like text messages and app data, most of which you don't need.
It is not Android that is backing up most things though, it is mostly done by Google Services. That means that your data is effectively vendor locked-in if you want to use Android as an actual open source project. Google gutting the AOSP to this extent should be illegal (maybe even is, but might is right).
Isn't saying that allowing apps to have root lets them access anything just describing what root is? A rooted phone doesn't have to give superuser access to every app.
A rooted phone doesn't have to give superuser access to every app.
Sure, but apps that run as superuser can access anything, including the data and memory for banking apps. A big part of Android's security model is that each app runs as a different user and can't touch data that's exclusively owned by another user.
The problem is very simple - the majority of people are technically illiterate. Apple and Google saw the Windows XP security fiasco, looked at how many people use smart phones today and decided that giving users any rights is not worth the risk.
Rooted mobile devices are a reasonable signal they been have hacked and security features might be disabled or work as expected.
It just banks, a lot of corporate security polices don’t allow rooted devices, as they could bypass mobile device management policies for devices owned by the company.
With laptops it’s a different story. Whether users have Mac, Linux or Windows, there’s a reasonable chance they have admin access too, so checking for root access is not such a useful signal there.
Rooted mobile devices are a reasonable signal they been have hacked and security features might be disabled or work as expected.
Rooted mobile devices are a reasonable signal that someone wants to actually own what they buy, and corporations want to make sure as few people think that as possible.
Windows/Macos/Linux are designed around the fact that the person managing the device has root access, Android and iOS are designed around noone having root access.
Sure it's fine to mess around with rooted phone and look what's inside, but essentially for your daily operations having rooted phone is unnecessary security risk.
The issue is that you don’t want to give some random untrusted process root access. You, the user, have root access as long as you’re capable of running processes as root, but that doesn’t mean you should.
There could be tons of apps on the iOS App Store or Google Play Store that are completely benign under the existing security model but do nefarious things when run as root. No one knows that for sure because they aren’t tested under root by Apple or Google.
The problem with root is that it’s giving the process the keys to the Ferrari. That’s long since been decided to be a bad security model. Far better to have the process request permission to access particular resources and you grant them on a case by case basis.
The issue is that you don’t want to give some random untrusted process root access.
It's been awhile since I've used anything but Magisk but usually you have to set root permissions per app, or you can get Magisk notification to request access.
The important question is why smartphones are designed around not having root access and computers are?
What are the incentives at play?
The answer is obvious, tech companies wouldn’t have given users access to root control on their computers either if they knew what they were doing and thought they could have gotten away with it.
It is just circular logic claiming smartphones have to be this way, circular logic that provides a rhetorical smokescreen for the process of corporations taking our agency away from us over our lives and the tools that sustain us.
You're free to install another operating system or variation on Android on your phone still. And if you decided to go with another Android such as Graphene, you'd still not want to root it because it's a security risk.
There is parallel with masking. The bank values the safety of the whole rather than the freedom to root for an individual. You stand to lose only your own bank balance. The bank stands to lose the funds of every rooted phone that contains a banking app exploit targeting them.
I mean, they get that anyway with malware and security exploits. Except that rooted phones usually have a root manager, which asks for permission if an app wants to do more. And i don't think the root user listening into the app/their own account should be a problem; because in this case the problem is with the banks' security practice.
Well, at least my bank doesn't care about root or safety net.
Basically Google wanted to put checksums in webpages and then not render the page period if the checksum didn’t match and said checksum could only be verified by “approved” browsers that had the correct certificate (which surprise was Chromium only browsers such as Chrome and probably Edge). As such you wouldn’t have been able to run any adblockers as that would change the checksum and the way the page was rendered. They could also then go one step further and do a Denouvo type set up to make sure the OS wasn’t being altered.
