
Do bank apps still work with the rooted phone?


Depends on the bank; every single financial app I use has always worked. My credit union app, Schwab mobile, TD Ameritrade, Think or Swim, PayPal (I have a CC from them), Robinhood, Coinbase, Venmo, CashApp, and Ally Bank all worked. I haven't used some of them in a couple of months, but they all definitely worked as of Nov 2022. Using the website instead is also an option. I have read of issues related to it online, but I am not sure how they rooted, and the method makes a difference.

I haven't had any issues using this device for 2 factor either, Google "sign in using device" is fine with it and so is Duo.


Would like to know this as well. I rooted my OnePlus recently, and the moment the secure boot chain of trust broke, no security-sensitive apps worked.

I've signed my own secure boot loader on Linux, but I don't know if you can do it on Android at all, since you don't have the keys or can't modify the secure storage easily.


Do you know if OnePlus uses the same A/B style OTA updates as Pixel devices and whether it supports setting a custom bootloader key?

If so, you might be able to use my avbroot project [1]. It roots the boot image, signs it with your own key, and replaces the OTA verification certificate with your own, so you can install future updates signed by your key while the bootloader is locked.

[1] https://github.com/chenxiaolong/avbroot

EDIT: I read a bit about OnePlus devices. Looks like they do indeed support locking the bootloader with a custom signing key installed. So I went ahead and added support for OnePlus' OTAs in avbroot: https://github.com/chenxiaolong/avbroot/pull/32. There are only minor differences compared to Pixel's OTA images.


That is awesome, definitely going to try again using your method!


> I've signed my own secure boot loader on Linux, but I don't know if you can do it on Android at all, since you don't have keys or can modify the secure storage easily.

Even if you could, Google's hardware attestation API is based on checking their keys against their cloud services, and that's what banking and DRM video apps will generally be testing for going forward.


True, it gets tricky when there's an online component to it, since they can just keep their key secret, if the service I'm using is also online. Would there be no way to spoof it? Like,

Client (validate)-> server, requires a valid signature which I cannot sign unless I have access to their private key

Client <-(SpoofedAuthSuccess) SpoofServer, is also impossible if the client requires data from a server to work properly going forward. The only thing you could attain, is to unlock the client locally if you reverse engineered it, but any data not stored locally, is impossible to get. So wrt. games, since you mentioned DRM, it might be possible to unlock the content if it is local, given a clever reverse engineering solution? Even if they encrypted the data on disk, at some point, they have to decrypt it in-memory locally.

But for server, where all validation and data is gated behind an 'authoritative' server, I guess it's just game over for unlocking anything yourself with a certificate. Even if you manage to magically solve it, they will just issue a new certificate, and quickly invalidate the old one I guess.


I am not sure what you mean by security-sensitive app. Something like Samsung Knox will not work after you unlock the bootloader, but that's because of the assumptions it needs to make in order to promise user data integrity. It's similar to apps requiring a TPM for data/disk encryption. Self-signing wouldn't restore that chain of trust. Those apps breaking is working as intended; none of the financial apps I use were affected. There's an option for systemless root.

Also, I know companies have used the root status as a form of DRM. That's not about user security, it's about protecting DRM security, like Widevine L1 or L3 and the Android Netflix app. Financial apps haven't been an issue for me; I am running bootloader unlocked and rooted using Magisk.


Just reread what you meant. Yeah, I see that self-signing wouldn't necessarily solve the issue. As you say, it might also be that some apps use root status. After they updated our digital signing platform, a colleague who had a phone from China, which wasn't even that old, found it stopped working, and I've had friends who had the same thing happen. They weren't rooted. So I don't know if there is some hardware component to it, like the TPM that you mentioned? It's worth saying, you cannot use banking apps here without a valid digital signature, which proves your identity. It's not just the financial app itself, it's the legal requirements we have here, which make the financial apps use this digital identity verification.

So if self-signing cannot guarantee those assumptions that are being made, there's no way around it.
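The point made in the last few comments, that a key you sign yourself cannot satisfy a verifier that pins the vendor's root, can be shown concretely. The following is an added example, not code from any commenter and not Google's or any bank's attestation implementation: it models the server side as "the presented certificate must chain to a pinned root, and the nonce signature must verify under that certificate". All keys, certificate names and the nonce are constructed for the demo; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key. On a real device the attestation key
// lives in hardware-backed storage and never leaves it.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// certTemplate builds a minimal certificate template (constructed values,
// not a real vendor's certificate layout).
func certTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue signs template for pub with signer; parent == template gives a self-signed cert.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// Attest is the device side: sign the server-supplied nonce with the attestation key.
func Attest(nonce []byte, key *ecdsa.PrivateKey) []byte {
	h := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// CheckAttestation is the server side. Both conditions must hold: the leaf
// chains to the pinned vendor root, and the nonce signature verifies under it.
func CheckAttestation(nonce, sig []byte, leaf, vendorRoot *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(vendorRoot)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return false // chain ends at a root the server does not trust
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	h := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Demo runs three scenarios: a vendor-issued device key, a key the user signed
// with their own root, and a genuine vendor cert presented without its private key.
func Demo() (vendorDevice, selfSignedDevice, vendorCertWrongKey bool) {
	rootKey := newKey()
	rootTmpl := certTemplate("Constructed Vendor Attestation Root", 1, true)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	devKey := newKey()
	devCert := issue(certTemplate("device-attestation-key", 2, false), root, &devKey.PublicKey, rootKey)

	myKey := newKey() // the user's own key, self-signed like a self-signed bootloader key
	myTmpl := certTemplate("my-own-signing-key", 3, true)
	myCert := issue(myTmpl, myTmpl, &myKey.PublicKey, myKey)

	nonce := []byte("constructed-server-nonce-0001")
	vendorDevice = CheckAttestation(nonce, Attest(nonce, devKey), devCert, root)
	selfSignedDevice = CheckAttestation(nonce, Attest(nonce, myKey), myCert, root)
	vendorCertWrongKey = CheckAttestation(nonce, Attest(nonce, myKey), devCert, root)
	return
}

func main() {
	a, b, c := Demo()
	fmt.Printf("vendor-issued key: %v\nself-signed key: %v\nvendor cert, wrong key: %v\n", a, b, c)
}
```

Only the first scenario passes. The self-signed key produces a perfectly valid signature, but the certificate does not chain to the root the server pins, which is the "self-signing wouldn't restore that chain of trust" case; the third scenario shows that having the vendor's certificate without the matching private key does not help either.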


I've had problems with digital signing as it's used everywhere here and banking apps.


I've heard you can do it on Pixel phones, but they don't sell those phones here in Peru, sadly.



