The Vietnamese government has mandated all banking apps to detect if either the phone has been rooted, the bootloader has been unlocked, or ADB is enabled and force quit if that's the case.
I really don't understand this. My line of thinking is that if someone is technical enough to root his phone he understands the risks. Why would they force banking apps to detect and not work on rooted phones? Why would the government care so much?
It's a reliable signal for fraud. The legitimate users are simply noise against this backdrop. The police only think in one direction and never consider the broader consequences of their enforcement perogatives.
> My line of thinking is that if someone is technical enough to root his phone he understands the risks.
That is a terrible assumption. I had a rooted phone when I was 12 to pirate games. Friends asked me to root theirs. Rooting isn’t hard and lots of people do it (absolute not relative terms)
And the idea that so-called “technical” people know what they’re doing and are hack-proof is hot garbage machismo BS. Modern attacks use social engineering and extremely technical people fall for it all the time. There were several stories on here just this week.
Like most people in this thread people who root their phones are clueless about how much of a security risk it is. So they are protecting people from making dangerous choices.
Smart phones are not personal computers. They're shopping/government/etc terminals. You don't and never have controlled them, even with root (re: tight integration of the baseband computer which only the telco has a license for, not you). Their best use re: computing is acting as wifi hotspot for their cell telco CNAT connection. The time to stop using them as computers is now, not when your local government passes these laws. Apple is already forcing it and Google has shown it's cards even if walked it back temporarily.
Serious question, what is gained from this move? Why would a government care? Are rooted phones really that much of a problem?
Surely most people running a rooted phone are tech enthusiasts. Cybercriminals will just use regular phones bought under false names and dispose of them afterwards.
Unfortunately the answer here is to not abide by the law. If there is a reasonable way to bypass this (as the cat-and-mouse game always seems to continue), and there is reasonable expectation to not be caught, then I see no moral quandary with ignoring such a consumer-hostile rule.
Of course if you have root, you can make other programs work as you please.
They need to go further to outlaw hide root apps, and then install special app to track the status of the phone to make sure it is not rooted. Then allow police to randomly check the presence of this app on people phones. Every phone needs to be registered and pass hardware inspection every year. Even better, make so called offices where people can come and deposit or transfer money, it will be super safe.
So, if you cannot cryptographically prove to a remote server that your device is running essentially unmodified, vendor-signed software, you are locked out of the economy?
The irrefutable part here is that the security model works. Locking down the bootloader and enforcing TEE signatures does stop malware. But it also kills user agency. We are moving to a model where the user is considered the adversary on their own hardware. The genius of the modders in that XDA thread is undeniable, but they are fighting a war against the fundamental architecture of modern trust and the architecture is winning.
Google is to blame, they're abusing device security by preloading their unremovable spyware with elevated privileges.. people then want to remove it but then find themselves unable to use banking apps because of this.
I'm not against having a separate secure phone to use with banking apps, but that phone must be designed for security, not for Google's ad driven business model..
Don't mess with Vietnam please. My phone's CSC is set to Vietnam to enable call recording. I love that feature but I don't want to lose my banking apps.
1. Don't people on HN realize Vietnam is a single party authoritarian state with a very active secret police (MPS/BCA)?
2. Vietnam has been in the process of rolling out national biometric identification for years now as part of the VNeID [0] project, and unifying that with banking and mobile phone identification is an important part of that such as with the recent FPT Telecom announcement [1]. The aim is to turn VNeID into a super-app by 2030 [2], and from what I've seen in rural areas of the Central Highlands, it's on track.
Why can't rooted phones pretend to be non-rooted phones for the purpose of certain apps? What's the point of rooting if you can't even selectively pretend?
When I used to work on the Vanguard authentication team, we blocked Vietnam from access because of too much fraud (not my choice). But it was funny because we had Vietnam based clients, so there were a couple HNW clients in the logs that you could see who would log in from Vietnam/Russia/Wherever, get blocked, open their vpn, then log in from England. This was a while back, but even then there was a push for things like yubikey, and hardware tokens, so its not surprising the wind is blowing in this direction of just hardware authenticated people. Financial companies are just constantly fighting fraud in a million ways.
This is likely part of the Vietnamese and Thai governments' rollout of biometric linking for bank accounts, similar to KYC regulations in the United States. The deadline for Vietnamese biometric linking was December 19th, 2025 [1].
The Vietnamese government has reported a rise in account takeovers and other banking thefts [2]. SIM-swapping has been a tactic used. Adding difficulty for fraudsters to trick unsophisticated banking customers is a valid security layer.
1. Incompetence. The same reason why many banks al around the world do this without regulations. Some snake oil salesman sold them a security theater SDK or library that blocks user installed or modified OSes.
2. Government control and surveillance. Vietnam is authoritarian. It only makes sense for them to participate in the global war against general purpose computing to gain complete control over their citizens' devices allowing them to restrict software, displayed content and communication to require government approval and enable total surveillance of all activity without any way to bypass this. Instead of outlawing user controlled general purpose computing directly they do it through the backdoor of pretending that it is for people's own safety.
63 comments
[ 6.2 ms ] story [ 60.5 ms ] threadThat is a terrible assumption. I had a rooted phone when I was 12 to pirate games. Friends asked me to root theirs. Rooting isn’t hard and lots of people do it (absolute not relative terms)
And the idea that so-called “technical” people know what they’re doing and are hack-proof is hot garbage machismo BS. Modern attacks use social engineering and extremely technical people fall for it all the time. There were several stories on here just this week.
Surely most people running a rooted phone are tech enthusiasts. Cybercriminals will just use regular phones bought under false names and dispose of them afterwards.
and that's enormous power for those who want to centralize power into their hands.
They need to go further to outlaw hide root apps, and then install special app to track the status of the phone to make sure it is not rooted. Then allow police to randomly check the presence of this app on people phones. Every phone needs to be registered and pass hardware inspection every year. Even better, make so called offices where people can come and deposit or transfer money, it will be super safe.
The irrefutable part here is that the security model works. Locking down the bootloader and enforcing TEE signatures does stop malware. But it also kills user agency. We are moving to a model where the user is considered the adversary on their own hardware. The genius of the modders in that XDA thread is undeniable, but they are fighting a war against the fundamental architecture of modern trust and the architecture is winning.
The Vietnam government has banned phones under their user's control from using any banking app.
I'm not against having a separate secure phone to use with banking apps, but that phone must be designed for security, not for Google's ad driven business model..
2. Vietnam has been in the process of rolling out national biometric identification for years now as part of the VNeID [0] project, and unifying that with banking and mobile phone identification is an important part of that such as with the recent FPT Telecom announcement [1]. The aim is to turn VNeID into a super-app by 2030 [2], and from what I've seen in rural areas of the Central Highlands, it's on track.
[0] - https://vneid.gov.vn/
[1] - https://tuoitre.vn/vneid-mo-rong-dich-vu-so-dang-ky-internet...
[2] - https://tuoitre.vn/thieu-tuong-nguyen-ngoc-cuong-nang-cap-vn...
The Vietnamese government has reported a rise in account takeovers and other banking thefts [2]. SIM-swapping has been a tactic used. Adding difficulty for fraudsters to trick unsophisticated banking customers is a valid security layer.
1. https://vietnamnet.vn/en/biometric-deadline-nears-millions-o...
2. https://evrimagaci.org/gpt/vietnam-faces-surge-in-sophistica... (expands upon https://vneconomy-vn/techconnect/mobile-banking-phat-trien-manh-tai-viet-nam.htm)
1. Incompetence. The same reason why many banks al around the world do this without regulations. Some snake oil salesman sold them a security theater SDK or library that blocks user installed or modified OSes.
2. Government control and surveillance. Vietnam is authoritarian. It only makes sense for them to participate in the global war against general purpose computing to gain complete control over their citizens' devices allowing them to restrict software, displayed content and communication to require government approval and enable total surveillance of all activity without any way to bypass this. Instead of outlawing user controlled general purpose computing directly they do it through the backdoor of pretending that it is for people's own safety.