How secure is Android 6 and up?

incendio

Hi guys,

There's a bank in my country that made a financial application, but the security really relies on a password and PIN only.

The OS requirement is Android 6 and up.

Do you think a password and PIN are secure enough?

Let's say there's spyware installed on the phone that uses that app. Can this spyware log keystrokes from users?
 

EnriqueGonzalez

> The OS requirement is Android 6 and up.

Every new version, it gets better; some manufacturers make monthly updates.

> there's spyware installed on the phone that uses that app. Can this spyware log keystrokes from users?

Yes it can, but for such behavior you need a rooted device. Some apps restrict their usage when they detect that they are installed on rooted devices.
 

incendio

> For a bank app where you can access your accounts? Not even close.

This is what I thought too. I tried to tell them, but they said it was enough, because if someone tried to brute force the password, they only have 3 attempts; after that, the app will be blocked.
 

EnriqueGonzalez

I believe that beyond 2FA and rate limiting, anything else is snake oil.

Most personal banking apps allow me to access and authorize movements with my fingerprint. Only when migrating to another phone do they send me OTPs to my phone and mail.

Security should have no cost to the comfort of the user; if it is costly, then the user will try to circumvent your measures and it will then be counterproductive.

The best security measure a bank must have is insurance for when something bad happens. If your bank doesn't have that, then it is worth changing.
 

Sandman

> This is what I thought too. I tried to tell them, but they said it was enough, because if someone tried to brute force the password, they only have 3 attempts; after that, the app will be blocked.

In fairness, they might even believe they are right. To me it sounds like a naive solution from the nineties. Then again, I don't know what country you're in, perhaps the national identity solutions are so exceptionally far behind other countries, this is the best they can do.
 