The device OEM should ensure any RCS client is not modified since it was released, e.g. using integrity checks. The service provider and MNO could potentially rely on such assurance from the OEM. For example, the RCS client should not be running on a device that has ‘root access’ or is ‘jailbroken’.
We really need to move away from the idea that a user having control over his/her device is insecure.
I can use online banking and paypal with windows logged in as administrator or GNU/Linux logged in as root[0], why shouldn't I be able to use google walletpay wallet with root?
[0] yes I know you shouldn't log in as root, but that doesn't change that you can do it.
The problem with root access is that malware uses root access to take funds out of Google Wallets and banking apps. They're not protecting you, they're protecting themselves from having to pay their users their money back for losing all of their savings to TotallyLegitWhatsAppUpdatev0.1alpha.apk.zip.
I must be missing something. How would Google be at all liable for restoring funds stolen by software that they themselves didn't furnish, on a device that's out of their control?
A judge may not see it that way. They may perceive it as Google failing to provide adequate protections to their users.
If user installed the app created by Google and did not share any login credentials. It's easy to claim Google is liable.
The equivalent would be a bank leaving the back door to their vault open. An intruder going in and removing your funds. Despite following all the banks instructions, the bank has not replaced the funds.
The banks is responsible for people gaining unauthorised access to your account. Especially when you don't share your login credentials with anyone (even unknowingly). If they can't protect against root access attacks then, they shouldn't permit use of their app on those devices.
Apps have convenience features, especially related to easy sign in. Their website logins don't have these features. They require the user to enter passwords, challenge codes, card reader etc. If someone gets access to a password manager, the user is at fault. The bank likely stated you shouldn't write down or record your password.
support.google.com
Hot