• koper@feddit.nl
    17 hours ago

    If you’re upset that your hacked-to-bits, rooted, unlocked and/or unencrypted device is failing checks: I’d say, tough luck. Until we can create provably untampered app-containers, that level of access genuinely breaks TOS on apps and regulations on handling personal data.

    Hard disagree. If you own the device, you should be in full control of what’s going on. Sure, attestation can give some extra security, but that decision should be up to the user. Everything else is just excuses for user-hostile DRM: platforms leveraging technology to secure their own profit margin against the interests of the user.

    • smiletolerantly@awful.systems
      9 hours ago

      Yyyyyyupp

      “Oh no, this device is rooted! :(” Yes, because I know what I am doing, now show me my account balance you stupid piece of shit banking app.

      • skarn@discuss.tchncs.de
        4 hours ago

        Banking app: “Oh no, your device does not conform to Google’s latest whim, terribly insecure, can’t let you make a SEPA.”

        Banking website: “Opera on an outdated, pirated copy of Windows? Looks a-ok to me!”

    • Nicro@discuss.tchncs.de
      6 hours ago

      I don’t disagree with owning your hardware. I’m saying that a regulatory body can pose rules on where critical software can run. Part of this is data exposure: A banking app running in a tampered environment makes some malware possible, which is the side you want an “I know what I’m doing”-button for. But it also creates risk for the bank. In letting you look into network traffic and memory dumps, you may discover ways to manipulate an unrooted instance or the backend server. This is security through obscurity and I’d much rather have everything open-source, but it’s what we’re dealing with.

      On the other hand, the bank promises to cover damages, whenever they do mess up. You could give them an easy excuse by taking on that responsibility. But regulations don’t allow that, much like they don’t allow you to do your own high-voltage, high-current electricity. And frown upon you breaking load-bearing walls in a housing complex to have a more open kitchen. There is a line where “let me do what I want” becomes anarchy.

      Now, bringing DRM into this misses the point. There is telemetry in these apps. But there is no piracy or copyright infringement to be had. The bank doesn’t fear you giving yourself a million dollars by changing your balance in memory. It’s all about responsibility in case something goes south. They would love to shift it all onto you, but they’re not allowed to do that. Attestation was never about protecting you, it’s about protecting them from being blamed.

      There is a bunch of parties making guarantees and complying with rulesets. Domino-ing all of them would make you extremely vulnerable. Which is why I opted for “tamper-proof containers running in an unproven host”, rather than signing an unlimited waiver.