A number of users are reporting that the latest update to the official banking app from the Royal Bank of Scotland prevents the app from functioning on any devices that are rooted or are using a custom ROM. Nobody has given the APK a teardown to see what kind of protection is being used to detect root, but scattered reports from Reddit users who installed the update are confirming that trying to bypass it with Magisk does not work, which likely means that the app is using Google’s recently updated SafetyNet protection. There have thus far been no reports of unrooted devices on stock ROMs failing the test because of an unlocked bootloader or having certain potentially insecure settings like Unknown Sources or USB Debugging enabled, but if SafetyNet is indeed what’s being used here, then it will block users under those circumstances as well. The measure also blocks those who use MultiROM capabilities to simultaneously run their device’s stock firmware and a custom ROM.
While this means that root users can no longer access the mobile app, using the desktop site is still possible by declaring a desktop user agent in a browser app, and is arguably safer than using the app on a rooted device. The way it’s done differs from browser to browser, but it can be done in Chrome simply by opening a new tab, tapping the menu button in the top-right corner of the screen, selecting the “Request desktop site,” then navigating to where you need to go. While there are ways for sites to see through this that would require other browsers, this method will work for most sites. Upon testing, this method with the current stable Chrome app did work for the Royal Bank of Scotland’s website.
While those who simply want to theme their stock device, escape their device manufacturer’s heavy skin, or keep an older device up to date may be irked by the ongoing security war against rooted devices, there’s a logical reason for it. A rooted device can easily decompile and edit an app on the fly, allowing for easily compromised security in some cases. A device that a user didn’t root may have been rooted by malware, and a device that a user did root themselves is more vulnerable to malware and hacking because of it, even with added precautions. With a banking app, it’s quite easy to imagine potential consequences of such a security flaw. The developer of Magisk is reportedly working to get the Magisk Hide function to be able to pass SafetyNet checks again but due to the reasons mentioned above, it may be wise to simply use the web interface for banking rather than the app.