The Vietnam government has banned rooted phones from using any banking app

Policy and Scope

  • Vietnam now requires banking apps to detect rooted devices, unlocked bootloaders, ADB/developer mode, etc., and refuse to run on them.
  • Commenters note many banks elsewhere already block rooted phones voluntarily; Vietnam making it law is seen as a step further.

Security Arguments For the Ban

  • Pro-ban commenters argue rooted or modified phones are a strong fraud signal: easier to run malware, intercept traffic, overlay fake UIs, or tamper with app logic.
  • Banks are often legally liable for fraud losses; excluding high‑risk client setups is described as risk management, not hostility.
  • Remote attestation, Play Integrity, and trusted execution environments (TEEs) are said to let banks distinguish stock, unexploited devices from ones with local privilege escalation or OS tampering.
  • Regulators can later deem weaker practices “inadequate protection,” pushing banks toward stricter device checks.

Critiques: Security Theater and Control

  • Many doubt rooted phones materially contribute to losses; most scams involve stock devices and social engineering.
  • Root checks are called DRM and liability shields: preventing users from inspecting apps, recording screens, or backing up data, while shifting blame to customers.
  • Several argue this entrenches Google/Apple hegemony and makes non‑corporate ROMs (Lineage, Graphene, etc.) second‑class citizens.

Shift to App-Only, Attestation, and Lock-In

  • Commenters cite multiple examples (Ireland, parts of Europe, some US and Asian banks) where:
    • Critical operations or any login require a mobile app and push‑based 2FA.
    • Websites are crippled or removed; some banks and fintechs are app‑only.
  • Hardware attestation is increasingly used; commenters expect web access and SMS 2FA to be phased out or constrained.

User Agency, Rooting, and General-Purpose Computing

  • Long threads connect this to the “war on general-purpose computing”: users treated as adversaries on their own hardware.
  • Loss of root and mandatory attestation are seen as part of a broader pattern (locked bootloaders, TPMs, anti‑modding, app‑store control).

Workarounds and Practical Responses

  • Many propose two-device strategies: a cheap, unmodified phone kept mostly offline for banking/ID, and a rooted or custom‑ROM phone for everyday use.
  • Others prefer web banking with hardware tokens or card readers where still available; some say they would switch banks or move to credit unions if forced into app‑only banking.

Vietnam-Specific Context

  • Several tie the move to Vietnam’s VNeID biometric ID rollout and tighter linkage of SIMs, bank accounts, and state identity systems.
  • In that framing, the rule is read as enhancing state tracking and control, not just fraud prevention.