FRESH

Hacker News

Home

The Vietnam government has banned rooted phones from using any banking app

533 points by Magnusmaster

by ryandrake

18 subcomments

The biggest "evil" that has been committed (and is still being committed) against computing has been normalizing this idea of not having root access to a device you supposedly own. That having root access to your computer, and therefore being the ultimate authority over what gets run on it, is bad or risky or dangerous. That "sideloading" is weird and needs a separate name, and is not the normal case of simply loading and running software on your own computer.
Now, we're locking people out of society for having the audacity of wanting to decide what gets run and not run on their computers?

by Fiveplus

21 subcomments

So, if you cannot cryptographically prove to a remote server that your device is running essentially unmodified, vendor-signed software, you are locked out of the economy?
The irrefutable part here is that the security model works. Locking down the bootloader and enforcing TEE signatures does stop malware. But it also kills user agency. We are moving to a model where the user is considered the adversary on their own hardware. The genius of the modders in that XDA thread is undeniable, but they are fighting a war against the fundamental architecture of modern trust and the architecture is winning.

by ecshafer

3 subcomments

When I used to work on the Vanguard authentication team, we blocked Vietnam from access because of too much fraud (not my choice). But it was funny because we had Vietnam based clients, so there were a couple HNW clients in the logs that you could see who would log in from Vietnam/Russia/Wherever, get blocked, open their vpn, then log in from England. This was a while back, but even then there was a push for things like yubikey, and hardware tokens, so its not surprising the wind is blowing in this direction of just hardware authenticated people. Financial companies are just constantly fighting fraud in a million ways.

by linkregister

2 subcomments

This is likely part of the Vietnamese and Thai governments' rollout of biometric linking for bank accounts, similar to KYC regulations in the United States. The deadline for Vietnamese biometric linking was December 19th, 2025 [1].
The Vietnamese government has reported a rise in account takeovers and other banking thefts [2]. SIM-swapping has been a tactic used. Adding difficulty for fraudsters to trick unsophisticated banking customers is a valid security layer.
1. https://vietnamnet.vn/en/biometric-deadline-nears-millions-o...
2. https://evrimagaci.org/gpt/vietnam-faces-surge-in-sophistica... (expands upon https://vneconomy-vn/techconnect/mobile-banking-phat-trien-manh-tai-viet-nam.htm)

by Arbortheus

15 subcomments

Do those same banks have websites that you can access from a computer with root access? Most likely, yes.

by grugdev42

4 subcomments

Serious question, what is gained from this move? Why would a government care? Are rooted phones really that much of a problem?
Surely most people running a rooted phone are tech enthusiasts. Cybercriminals will just use regular phones bought under false names and dispose of them afterwards.

by taosx

12 subcomments

I really don't understand this. My line of thinking is that if someone is technical enough to root his phone he understands the risks. Why would they force banking apps to detect and not work on rooted phones? Why would the government care so much?

by basilikum

0 subcomment

There are two plausible explanations for this:
1. Incompetence. The same reason why many banks al around the world do this without regulations. Some snake oil salesman sold them a security theater SDK or library that blocks user installed or modified OSes.
2. Government control and surveillance. Vietnam is authoritarian. It only makes sense for them to participate in the global war against general purpose computing to gain complete control over their citizens' devices allowing them to restrict software, displayed content and communication to require government approval and enable total surveillance of all activity without any way to bypass this. Instead of outlawing user controlled general purpose computing directly they do it through the backdoor of pretending that it is for people's own safety.

by Magnusmaster

1 subcomments

The Vietnamese government has mandated all banking apps to detect if either the phone has been rooted, the bootloader has been unlocked, or ADB is enabled and force quit if that's the case.

by fenaer

3 subcomments

Unfortunately the answer here is to not abide by the law. If there is a reasonable way to bypass this (as the cat-and-mouse game always seems to continue), and there is reasonable expectation to not be caught, then I see no moral quandary with ignoring such a consumer-hostile rule.

by Elfener

0 subcomment

That link is to a page in that thread, but I guess it's supposed to be to this specific post: https://xdaforums.com/t/discussion-the-root-and-mod-hiding-f...

by lucasjans

2 subcomments

I have a Vietnam bank account tho I live in the States now. I recently enabled developer mode in my Android phone, didn't think much of it. But later when I open my mobile banking app it told me to disable developer mode in order to open the app.
It's not just root that they block.

by curt15

1 subcomments

>The Vietnam government has banned rooted phones from using any banking app
The Vietnam government has banned phones under their user's control from using any banking app.

by roflmaostc

3 subcomments

Isn't that what happens in Europe with most rooted phones and banks too? At least I can remember my banking apps stopped working.

by nunez

0 subcomment

As a person who was super into the rooting scene before getting iPhone-pilled in 2018 or so, I can see both sides to this issue.
On one hand, people that jump through the crazy hoops phone manufacthrers put up to get root are either technically-proficient or willing to become so and are, usually, responsible enough to keep their devices locked down and secure.
On the other hand, banks are subjected to literally all of the regulations, and breaking any of them usually incurs unbelieveable fines. Given that phones are the default computing device for most people these days and how (relatively) easily secrets can be extracted from rooted devices, blanket-banning them makes a lot of sense.
Nonetheless, modern Android is just as locked down as modern iOS, with a few exceptions (like adb access) and without the awesome hardware and software optimizations for that hardware that make video recording fast and web browsing even faster. Between this and nobody having a real answer to Apple Watch, I'll be an iOS stan for the foreseeable future.

by pvsukale3

1 subcomments

India doesn’t have a single “govt ban rooted phones from banking apps” rule, but RBI’s digital payment security controls explicitly allow banks to block mobile apps on rooted/jailbroken devices, and many do. Combine that with device+SIM binding requirements and platform attestation (e.g., Play Integrity), and the practical result is often “no banking/UPI on rooted phones.”

by miki123211

1 subcomments

The point of blocking rooted devices often isn't to protect your account, it's to protect other (often unsophisticated) customers of the organization against automated attacks.
Rooted devices aren't the problem, Python scripts pretending to be rooted devices are. There's just no way to distinguish between the two. The only way to disallow automated Python scripts from logging to your grandma's bank account is to also disallow you from logging into yours if your phone isn't blessed by Google.

by somat

0 subcomment

So what's the mechanism here? I did not find any sort of api like isPhoneRooted() But also, I did not look very hard.
I am probably missing something obvious(some sort of tpm key attestation) but it feels like it would be impossible task. I mean, theoretically higher layers can check that lower layers have the correct signed checksums, but they need to use the lower layer to do it and the lower layer could just lie to them. (if isSystemFile(f_name) then return originalFile(f_name); or provide a virtual tpm).

by yason

0 subcomment

Problem is that banks place a lot of trust on a locked-down phone and I have a hard time trusting a blackbox device I don't really own but only paid for.
That's the reason I mostly use online banking on the web, not on a device.
If it ever comes to that in my country I can also use my previous, unrooted backup phone to host these apps and keep it at home.
I'm not at all thrilled of the idea of carrying your credentials to your bank account on your phone, accessible via a 4-digit PIN out there in the world in the first place. For some reason, banks think it's great.

by greentea23

0 subcomment

There are a million legitimate reasons to root a phone (e.g. preserving the battery to minimize e-waste, blocking malicious trackers often allowed by Apple and Google, innovating on the UI, etc.). Apple/Google/Microsoft are run by uninspired, uncreative, and immoral people, and there is a world of innovation and forward thinking we lose out on by letting them rule our tech.

by sgc

1 subcomments

Security question:
Could we have the same level of security - or very close to it - from requiring a secure enclave like a vm running on the device for banking apps with hardware passthrough, or would there be no way for that vm to verify it has actual hardware passthrough and that it's not being tampered with?
That way you would just get the entire vm with the app from the Play Store or Apple, and nobody needs to worry about root?

by GeoAtreides

0 subcomment

It's clear that we will need two phones: one personal day to day driver and one for banking/gov/other official things.

by Havoc

1 subcomments

I get the general skepticism and how this gives anti freedom vibes, but wouldn't this also prevent some actual rootkit like sideloaded apps stealing credentials?
Not deep into rooting scene but seems plausible to me that this has some merit if you squint at it from the right angle

by RachelF

0 subcomment

I don't understand the threat model that banks worry about on rooted phones.
What is it? I can access their websites on a PC running as root or Administrator. What is the problem with rooted Android phones?

by kachapopopow

0 subcomment

> bans rooted phones
> malicious actors just compromise the firmware instead
surprised pikachu face

by alephnerd

1 subcomments

1. Don't people on HN realize Vietnam is a single party authoritarian state with a very active secret police (MPS/BCA)?
2. Vietnam has been in the process of rolling out national biometric identification for years now as part of the VNeID [0] project, and unifying that with banking and mobile phone identification is an important part of that such as with the recent FPT Telecom announcement [1]. The aim is to turn VNeID into a super-app by 2030 [2], and from what I've seen in rural areas of the Central Highlands, it's on track.
[0] - https://vneid.gov.vn/
[1] - https://tuoitre.vn/vneid-mo-rong-dich-vu-so-dang-ky-internet...
[2] - https://tuoitre.vn/thieu-tuong-nguyen-ngoc-cuong-nang-cap-vn...

by zb3

1 subcomments

Google is to blame, they're abusing device security by preloading their unremovable spyware with elevated privileges.. people then want to remove it but then find themselves unable to use banking apps because of this.
I'm not against having a separate secure phone to use with banking apps, but that phone must be designed for security, not for Google's ad driven business model..

by steamer-signed

0 subcomment

Cyber incidents cost firms up to $5m and can take weeks to recover from: report. If this article by Cybernews is correct then I wouldn't blame a country to ban ROTTED phones.

by steamer-signed

0 subcomment

HM? wondering if this article from Cybernews is true, I wouldn't blame Vietnam. Cyber incidents cost firms up to $5m and can take weeks to recover from: report....

by exabrial

0 subcomment

Nothing to do with security, everything to do with control.

by anthk

0 subcomment

Free software, free society.

by Ritewut

0 subcomment

Just let me pair my Yubikey to my bank and use my Yubikey if I need my banking app.

by PunchyHamster

0 subcomment

Polish ones do that too, incl our govt ID app

by peter_d_sherman

0 subcomment

Random Idea: A Completely Open-Source Banking App...
Consider an Open-Source Web Browser (Chromium, FireFox, ?, ???, or any open-source browser from: https://github.com/nerdyslacker/desktop-web-browsers).
OK.
We know the following:
A) That most Banks have web pages / websites which can be accessed via one or more of the above web browsers (AKA "Online Banking"), where the provided functionality is exactly the same, or very close to the functionality provided by stand-alone banking Apps
B) That the source code for any open-source web browser is available, and can be downloaded (A self-evident truth!)
From which the following understanding can be derived:
C) The security for the transactions (user authentication, authorization, etc., etc.) is NOT provided on the client side (the user's computer or smartphone) by an obfuscated "binary black box" piece of software where source code is not provided, but rather on the server side (the Bank's side!)
(Oh sure, Web Browsers provide encryption to prevent the middle segment of the communication path, the Internet, from listening in, but the encryption libraries of open-source web browsers are also typically themselves open-source, thus easily transferred to / imported into the source code bases / software component stack -- of other Apps!)
Well, if we know A), B), and C), then we also understand that a truly Open-Source Banking App, giving exactly the same security guarantees that an Open-Source Web Browser does today, is possible!
Such an app, if it were to exist, due to its open-source nature, would not be bound by artificial constraints, such as the absence or presence of an underlying rooted Smartphone, or not...
Also, in theory such an App, were it to exist, could be ran on very minimal, possibly more secure (than your average bloated Smartphone) alternative hardware...
Also, if you think about it... Bitcoin and other cryptocurrency apps -- are fundamentally that App (!) -- just that they use the Blockchain, and not a Bank, as the back-end! :-)
You know, you have a payment-provider App. It could have any number of back-ends to it... Bank, Blockchain, ?, ???
You tell me... :-)

by linuxhansl

1 subcomments

And so it begins... Or continues...
Apple is already a walled garden, granting you only access to your hardware and they see fit. Google desperately wants to follow suit by enforcing developer registration (which is just the first step). And now this. This is will happen in the EU and US as well.
And always in the name of security, safety, or "will nobody think of the children?!"
My hardware, my choice, period.

by OutOfHere

3 subcomments

Why can't rooted phones pretend to be non-rooted phones for the purpose of certain apps? What's the point of rooting if you can't even selectively pretend?

by tartoran

5 subcomments

One phone for banking and another one for browsing.

by gethly

0 subcomment

the cage used to be golden. now it's digital.

by 7bit

0 subcomment

Just Yesterday I read that Vietnam banned unstoppable ads and was like: wow, Vietnam is really pro-consumer and progressive and gives a damn about lobbyists.
Well. Gone is that notion ..

by 8bitsrule

0 subcomment

One more reason for phones to be modularized. Separate the comms from the (owner-controlled) computer module until needed. Use different CPU module when needed. Swap out battery module.

by dizhn

1 subcomments

Don't mess with Vietnam please. My phone's CSC is set to Vietnam to enable call recording. I love that feature but I don't want to lose my banking apps.

by emsign

0 subcomment

Simple solution: Get a second phone just for banking and all the other enshitifying apps and keep it at home where it doesn't bother you.

by almosthere

1 subcomments

buy two phones if ur that crazy

by lawlessone

1 subcomments

odd they legislate for it, banks usually do this anyway

by skirge

1 subcomments

Socialist Republic of Vietnam: our phone

by Aleklart

2 subcomments

Of course if you have root, you can make other programs work as you please.
They need to go further to outlaw hide root apps, and then install special app to track the status of the phone to make sure it is not rooted. Then allow police to randomly check the presence of this app on people phones. Every phone needs to be registered and pass hardware inspection every year. Even better, make so called offices where people can come and deposit or transfer money, it will be super safe.

by Pxtl

1 subcomments

Government banning insecure open standards and then not providing a secure open standard is atrocious. If I must have an official authorizing thing to prove I'm who I say I am, make it as small as possible.
If you mandated that they have to support Yubikey or whatever on open platforms I'd take that as a decent alternative. But just "no you must use a device controlled by somebody else" is not acceptable.

0 subcomment

by _ck_

0 subcomment

[dead]

by superkuh

3 subcomments

Smart phones are not personal computers. They're shopping/government/etc terminals. You don't and never have controlled them, even with root (re: tight integration of the baseband computer which only the telco has a license for, not you). Their best use re: computing is acting as wifi hotspot for their cell telco CNAT connection. The time to stop using them as computers is now, not when your local government passes these laws. Apple is already forcing it and Google has shown it's cards even if walked it back temporarily.