Tor torpedoed! Tesco Bank app won't run with privacy tool installed

UK supermarket giant Tesco's mobile banking app refuses to run on handsets where the Tor app is also installed, it emerged this weekend. Mainframe database admin Marcus Davage revealed the Tesco banking app tells users they must remove the Tor Project's anonymizing Android software to access the supermarket's money services. …

  1. Alumoi Silver badge
    WTF?

    Security risk?

    How the hell is rooting my phone a security risk? It's the first step towards enhancing the security. Without root you can't remove most of the bloatware, can't install a decent firewall and an adblocker.

    And no, I don't want to block apps, I want to remove them.

    Oh, wait, I see it. It's a security risk for the advertisers and tracking companies.

    1. Anonymous Coward
      Linux

      Re: Security risk?

      Running everyday tasks with administrative privileges is a security risk on pretty much any operating system. I know that rooting an Android phone is often the only solution for many annoyances and I understand people who do so, but the above is a fact.

      1. Zakhar

        Re: Security risk?

        Aren't you confusing: having a rooted phone with running an app as root?

        1. Lucasjkr

          Re: Security risk?

          How can the bank tell that a phone has been rooted in order to remove factory apps, install ad blockers, etc., versus a phone that was surreptitiously rooted in order to have a key logger installed? And the bank is the one that will take the financial hit if they spot a rooted phone logging in and assume the first, but it turns out to be the second...

      2. Alan Thompson

        Re: Security risk?

        Rooting a phone simply re-enables the root/admin function that was removed by the manufacturer/carrier. It is a bit like Dell/HP/Lenovo deciding to disable run-as-administrator on your Windows PC.

        A rooted phone user can then use that run-as (called sudo or su) functionality to better manage and secure their phone. Everyday apps don't run as root any more than Word or Excel do on your PC.

    2. Anonymous Coward
      Terminator

      Trustyness risk!

      Called it.

      Quite surprised how quickly it's happening though... government bureaucracies and all that...

    3. Bob Vistakin
      Big Brother

      Re: Security risk?

      This is but one small step away from the Tesco App not running unless you have a Tesco SIM in your handset.

      1. energystar
        Terminator

        Re: Security risk?

        "...unless you have a Tesco SIM in your [Tesco provided] handset". From your Tesco broadband service.

      2. Charles 9

        Re: Security risk?

        "This is but one small step away from the Tesco App not running unless you have a Tesco SIM in your handset."

        This is a real thing, actually. Many apps are published by cell phone providers. Number 1 requirement? They only work with their SIMs.

    4. a_yank_lurker

      Re: Security risk?

      It sounds like you are confusing privilege escalation as is common in Linux distros with always running as root. The first case is only done for administrative/limited reasons such as installing/removing apps. The second, what is common with Winbloat, allows malware to be installed without user permission because you are at root.

    5. Planty Bronze badge

      Re: Security risk?

      Rooting is absolutely a security risk. Things can occur in the background unknown to you. Ask yourself for a moment: what random tools did you download from the internet to root your phone? Did you personally compile them yourself after auditing and understanding what they did? I think not...

      1. Jeffrey Nonken

        Re: Security risk?

        Didn't run any random apps from the internet to root my phone.

        Yes, rooting is a security risk. So is running garbage apps included with stock ROMs. So is running outdated firmware. Stock on my phone is 5.0.1... Not even the latest Lollipop!

        The only way to be secure is... not to have a phone or computer at all. Do everything in person, in cash, and don't use banks. And even then there are risks.

        A bit ridiculous, but my point is there are no guarantees. Ever.

        Pick your battles, choose a balance between needs and dangers, and don't snark at me because I chose differently.

        Rooting my phone gives me control far beyond the dangers it poses. My choice where the balance is for me. I'm not being reckless.

        Making an uninformed choice is what's reckless.

    6. oneeye

      Re: Security risk?

      They are likely following Google's lead on this, as Android Pay won't work on rooted phones either. I don't know about Tor though, that seems a bit much, considering their apps ARE offered in the Play Store. I could maybe understand not running the bank app while Tor was in use, but it sounds more like ignorant admin to me.

  2. Paul Crawford Silver badge

    Best security practice

    Don't use a banking app on Android in the first place.

    Every sane OS is patched at least monthly, if not more often, as bugs and security holes are found. Most phones get one update per year, if you are lucky, for core OS parts, occasionally more often for apps, and that often asks for more permissions.

    1. Anonymous Coward
      Anonymous Coward

      Re: Best security practice

      " Most phones one per year if you are lucky for core OS parts"

      for the first 2 years since the phone's release, if you're lucky

      There is no way I'm banking on any phone, any time soon.

      1. Anonymous Coward
        Anonymous Coward

        Re: Best security practice

        My Android phone updates every month, the vendor (not Telco) supplied apps probably more frequently than that. No luck involved, just correct choice of phone vendor.

        That said, I still would not do banking on it.

      2. oiseau
        Stop

        Re: Best security practice

        Hello:

        "There is no way I'm banking on any phone."

        There you go.

        Seems much more sensible to me.

        Of course, YMMV.

        Cheers.

    2. Dave N

      Re: Best security practice

      Tin foil hats at the ready. Not sure where you're getting your information, but I receive an Android security update every 4ish weeks.

      1. Jeffrey Nonken

        Re: Best security practice

        "Tin foil hats at the ready. Not sure where you're getting your information, but I receive an Android security update every 4ish weeks."

        Wow, very patronizing.

        Lucky you. Must be a fairly new phone, possibly a Nexus, or both. Most of us don't get that kind of service, especially on older phones. Current stock ROM for this Galaxy S4 is 5.0.1.

        I mention Nexus because Google is good about updating their phones, which makes sense, but other manufacturers tend to be less assiduous. Possibly you're lucky enough to be hooked up with one of the exceptions.

        Android forum posts suggest it's pretty rare.

    3. Fibbles

      Re: Best security practice

      "Don't use a banking app on Android in the first place.

      Every sane OS is patched at least monthly, if not more often, as bugs and security holes are found. Most phones get one update per year, if you are lucky, for core OS parts, occasionally more often for apps, and that often asks for more permissions."

      I don't know where you're getting your info from. I've got a Motorola which received an update to Lollipop and then later Marshmallow. I still regularly receive updates to Marshmallow. The OS also gives me granular control over app permissions; I don't have to allow everything to install an update.

      I'd say modern Android is a pretty secure OS. Of course you're much more likely to get pwned if you're browsing porn sites with it or installing apps from warez.cn but that's true of any OS. Even if someone does gain control of your phone I don't understand your fear of banking apps. The most any attacker would be able to do is view your balance or transfer money to a pre-approved list of recipients. You need to use a separate card reader to authorize anything else.

      To be honest your post is another example of the self-congratulatory Luddite circle-jerk that seems to happen far too often on these forums.

      "Kids using banking apps? Pah! When I was their age we had to walk FIFTEEN miles, uphill, both ways, just to find the bank was closed!"

      1. Paul Crawford Silver badge

        Re: @Fibbles

        "I don't know where you're getting your info from"

        Experience. My first "smartphone" was an HTC Wildfire and it received a single OS update in 3-4 years for some wifi bug but remained buggy (would reboot in poor signal strength areas after a while). Also that update wiped the phone, so was really a factory reset as well. Now have a ~3 year old Motorola G which has had 2 OS updates so far and currently is telling me that its Android 5.1 patch 2016-03-01 is as up to date as there is.

        So while *you* might be lucky with your phone, the majority of phone owners get SAF in the way of timely updates.

        1. Gene Cash Silver badge

          Re: @Fibbles

          You're lucky... my Moto G has not even got as far as 5.0 under Verizon

        2. Anonymous Coward
          Anonymous Coward

          Re: @Fibbles and @Dave N

          HTC Desire One X, haven't had a system update for it for about 3-4 years, now. Still on Jellybean.

          When I'm ready to get a new one anyway, I might try Cyanogen Mod.

          (particularly as I don't want to bank on my phone ...)

        3. Ken Moorhouse Silver badge
          Coat

          Re: it received a single OS update in 3-4 years

          Tesco can detect installation of TOR? I wonder if it could also detect "one update and that shallot"?

          Coat? Yes, going now...

          1. energystar
            Holmes

            Tesco can detect installation of TOR?

            Well, it says a LOT about Tesco scratching at the bottom [as TOR]. Maybe they're trying to occupy the same real? state.

      2. MatsSvensson

        Re: Best security practice

        Yes, and clearly this is all about *you* and *your* phone.

        It's not like there is some kind of weird non-Motorola, non-Lollipop parallel universe out there somewhere.

        Bah!

      3. Barry Rueger

        Re: Best security practice

        YMMV. My Moto G has seen exactly one minor system update since buying it a year and a half ago, and Marshmallow is not even a glimmer on some distant horizon.

        My experience is entirely the opposite of yours, and I assume my phone is always long out of date.

      4. Jeffrey Nonken

        Re: Best security practice

        No true Scotsman?

      5. tiggity Silver badge

        Re: Best security practice

        Whereas my Moto is getting no more updates - no Marshmallow etc as it is not ludicrously expensive, and more than 2 years old.

        If you are not on the new shiny upgrade mode of phone renewal, then upgrades soon peter out.

        Even true of Google Nexus, many models left to rot quite quickly.

        1. Danny 14

          Re: Best security practice

          ironically enough, the rooted phone is probably patched better than the unrooted phone.

          Easy answer though, switch banks.

    4. Adrian Midgley 1

      Nexus 5 - more like weekly updates

      You know rather a lot of users of whatever don't let updates run, don't you?

    5. a_yank_lurker

      Re: Best security practice

      One should limit all the apps to the bare minimum and remove the banking, commercial apps. This has nothing to do with OS security but the fact it is rather easy to lose a phone or have it stolen. I limit the types of apps on my phone so that if it is ever missing I do not need to worry about my bank or credit card details being stolen; they are not on the phone.

    6. Infernoz Bronze badge
      FAIL

      Re: Best security practice

      I would rather not use/buy anything from Tesco anyway, because they are effectively a low end supermarket now. As for firewalls, I use NoRoot Firewall on Android, which implements a firewall inside a VPN facade, so I can selectively block lots of apps which should never ever have WiFi/Cell internet access anyway!

      A basic internet app like one used for banking should not even be allowed to know that Tor is installed, because it should never be allowed those kinds of system access privileges, because it is a security risk; only explicitly user-approved, proper security/system apps should ever be allowed those kinds of system access privileges. If I see any non-security/system apps request excessive privileges I flame the author, then delete it, or if it can't be uninstalled because of manufacturer or Google arrogance, I disable it! e.g. most of the * Play apps are disabled on my Android devices...

    7. Anonymous Coward
      Anonymous Coward

      Re: Best security practice

      My android devices are patched monthly....

      Android has fewer security issues than iOS, despite a massive market share (85%). iOS is what I would be very concerned about....

      http://venturebeat.com/2015/12/31/software-with-the-most-vulnerabilities-in-2015-mac-os-x-ios-and-flash/

  3. davidp231

    Rooting

    The Barclays banking app isn't too different - it too doesn't claim to like running on a rooted phone (which the Android layer on a Jolla phone appears to be). It can be worked around by renaming or removing 'su' as that is apparently the guilty party.
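    The workaround davidp231 describes (rename or remove `su` and the app stops complaining) shows how shallow these client-side checks usually are. The following is an added illustration, not code from any commenter, from Tesco or from any bank's app: it simulates two checks a banking app might make, a scan of the usual `su` locations and a check of `pm list packages` output for a Tor package, over a constructed fake filesystem and constructed package-list output. The directory list, the Tor package names (Orbot and Tor Browser) and the `pm` output format are assumptions for the example; a real app would call `PackageManager` rather than parse `pm` output.

```python
"""Simulated client-side "is this device rooted / is Tor installed" checks.

Added example: models the kind of check the thread discusses, not the code
of any real banking app. Runs offline against a constructed fake device.
"""
import os
import stat
import tempfile

# Directories where a `su` binary is commonly dropped by rooting tools.
# Assumed list for illustration; real apps carry similar hardcoded lists.
SU_DIRS = ["/system/bin", "/system/xbin", "/sbin", "/su/bin", "/data/local/bin"]

# Package names assumed for the example: Orbot and Tor Browser for Android.
TOR_PACKAGES = {"org.torproject.android", "org.torproject.torbrowser"}

# Constructed `pm list packages` output (not captured from a real device).
PM_OUTPUT = """package:com.android.settings
package:org.torproject.android
package:com.example.bank
"""


def find_su(root_dir, su_dirs=SU_DIRS):
    """Return paths of executable `su` binaries under root_dir (a fake '/')."""
    hits = []
    for d in su_dirs:
        path = os.path.join(root_dir, d.lstrip("/"), "su")
        if os.path.isfile(path) and os.stat(path).st_mode & stat.S_IXUSR:
            hits.append(path)
    return hits


def installed_tor_packages(pm_output, tor_packages=TOR_PACKAGES):
    """Parse `package:<name>` lines and return the Tor packages present."""
    found = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            found.add(line[len("package:"):])
    return sorted(found & tor_packages)


def build_fake_device(tmp):
    """Construct a fake filesystem with an executable /system/xbin/su."""
    xbin = os.path.join(tmp, "system", "xbin")
    os.makedirs(xbin)
    su = os.path.join(xbin, "su")
    with open(su, "w") as fh:
        fh.write("#!/system/bin/sh\n")  # placeholder body, never executed
    os.chmod(su, 0o755)
    return su


def demo():
    """Show the check firing, then the rename trick from the thread defeating it."""
    with tempfile.TemporaryDirectory() as tmp:
        su = build_fake_device(tmp)
        before = find_su(tmp)          # one hit: .../system/xbin/su
        os.rename(su, su + ".bak")     # the "rename su" workaround
        after = find_su(tmp)           # no hits: device is just as rooted
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("su found before rename:", [os.path.relpath(p, "/") for p in before])
    print("su found after rename: ", after)
    print("Tor packages installed:", installed_tor_packages(PM_OUTPUT))
```

    The point for a defender is that a path-based `su` check and a package-name check are both trivially bypassed (rename the binary, or install Tor from a non-Play source under another name) while still blocking honest users. They are a weak signal at best, not a control the bank's fraud model should lean on.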

    1. Dan 55 Silver badge

      Re: Rooting

      Just use a browser anyway, its SSL handling is 100 times more secure than a banking app.

      1. John Sager

        Re: Rooting

        "Just use a browser anyway, its SSL handling is 100 times more secure than a banking app"

        Citation? The Barclays banking app uses SSL with a cert chain similar to a browser one. I can't comment on the relative security properties of the app vs browser.

        1. Dan 55 Silver badge

          Re: Rooting

          http://www.theregister.co.uk/2015/12/18/ios_banking_app_audit/ - the first result that was reasonably up to date. And remember, that's with iOS where the OS forces you to make an effort with SSL security. Android is worse.

        2. oneeye

          Re: Rooting

          I would think that most banking apps are just a wrapper for the mobile website, and then would/should offer some kind of secondary authentication. The problem with the app vs browser, is not knowing how good the developers are, and whether or not they did an independent security audit of the app. I trust the major browsers more because of the developer community that surrounds them. But coming full circle, how secure really is the banks websites in the first place. There's a whole lot of moving parts to consider, but banking on any smart phone should at least be on one of the newest OS versions for sure.

      2. Anonymous Coward
        Anonymous Coward

        Re: Rooting

        @"Just use a browser anyway, its SSL handling is 100 times more secure than a banking app."

        Not any more. With Bluecoat getting a cert that lets it write fake SSL certs under the guise of "virus checking", your browser's SSL will likely be less safe than a banking app because it supports the Symantec root. The banking apps will start checking for their correct root authority after the BlueCoat backdoor.

  4. Pascal Monett Silver badge

    "preventing free speech and internet security"

    Once again a stupid Twatter demonstrates his abysmal misunderstanding of the world he lives in.

    Free Speech is not guaranteed by Tesco. It is your Constitutionally-guaranteed right to be allowed to have your own political beliefs and not be harassed for having them. Tesco is a supermarket, not a political platform. Their app is for shopping, you do not use it to express your political preferences.

    As for Tor, it was a good idea, but it is being used by some of the worst people on the planet to conduct their despicable business. By being part of that, you are just allowing them to continue reaping illegal money or worse.

    Rooted phones are much more at risk of being hacked. Tesco has identified the weakness and decided to minimize risk by not letting the app run on a rooted phone.

    I agree with that decision completely.

    1. Paul Crawford Silver badge

      Re: "preventing free speech and internet security"

      WTF? The app is complaining about the Tor app installed on a non-rooted phone.

      So what if Tor is used by "some of the worst people on the planet to conduct their despicable business" as you could easily say "mobiles phones are used by..." or the Internet, or cars, etc, etc. So long as he is not using Tor for kiddy-fiddling etc then it is none of your damn business.

      1. Pascal Monett Silver badge

        It is indeed none of my business and I don't care what he does with it. It is nonetheless a vector for hackers and scum to access your phone because those kinds of people use Tor as well.

        Taking Tor out of the picture therefore increases security.

        Actually, taking the mobile phone out of the picture would be a great increase in security, but that isn't really possible these days, so it's a case of choosing the lesser of two evils.

        1. Paul Crawford Silver badge

          "a vector for hackers"

          Really? As far as I can see from the Play store it is not a Tor node and just a Tor access point or proxy. And if it is for access, then I can't believe it is much worse than some unpatched browser on the phone as you go to legitimate web sites already hacked and serving up malware.

        2. Dave N

          > hackers and scum to access your phone because those kinds of people use Tor as well.

          HAHAHA. Oh wait, you're serious? I heard hackers and scum use the Internet too, better log off mate.

        3. Anonymous Coward
          Childcatcher

          It is indeed none of my business and I don't care what he does with it. It is nonetheless a vector for hackers and scum to access your phone because those kinds of people use Tor computers cameras printing presses paint pencils mud as well.

          Taking Tor computers cameras printing presses paint pencils mud out of the picture therefore increases security.

          Those bloody idolaters! Fashioning heresy from lumps of clay. It's filth. Filth you say.

          We should probably fire you off into space, away from all the scum and their filthy temptations, to protect your refined moral fortitude "security".

          1. Anonymous Coward
            Anonymous Coward

            @ AC

            Nicely done! :-)

        4. elDog

          Could say as much about SSL or encryption or writing your terrorist instructions in 1's and 0's. All these techniques are used by terrorists and banking consumers.

          If you want to communicate with the rest of us, please send a notarized letter on erasure-prevention paper within an envelope with the King's signet embossed.

        5. Adrian 4

          So something which has many uses, if also used by 'hackers and scum', should be avoided ?

          Better ditch Android, iOS, Windows, Linux, OSX, msDOS then ..

        6. Kane
          Facepalm

          "Actually, taking the mobile phone out of the picture would be a great increase in security, but that isn't really possible these days, so it's a case of choosing the lesser of two evils."

          Well, if we're going down that road...

          "Actually, taking the mobile phone car out of the picture would be a great increase in security, but that isn't really possible these days, so it's a case of choosing the lesser of two evils."

          "Actually, taking the mobile phone pencil and paper out of the picture would be a great increase in security, but that isn't really possible these days, so it's a case of choosing the lesser of two evils."

          "Actually, taking the mobile phone printed map out of the picture would be a great increase in security, but that isn't really possible these days, so it's a case of choosing the lesser of two evils."

          "Actually, taking the mobile phone trainers out of the picture would be a great increase in security, but that isn't really possible these days, so it's a case of choosing the lesser of two evils."

          "Actually, taking the mobile phone internet access out of the picture would be a great increase in security, but that isn't really possible these days, so it's a case of choosing the lesser of two evils."

          "Actually, taking the mobile phone paper money out of the picture would be a great increase in security, but that isn't really possible these days, so it's a case of choosing the lesser of two evils."

          "Actually, taking the mobile phone screwdriver out of the picture would be a great increase in security, but that isn't really possible these days, so it's a case of choosing the lesser of two evils."

          Can you see what I did there?
