The Vietnam Government Has Banned Rooted Phones From Using Any Banking App
Key topics
Vietnam's government has sparked a heated debate by banning rooted phones from using banking apps, prompting a cat-and-mouse game between security measures and tech-savvy workarounds. While some commenters, like therealmarv, pointed out that root access can actually be used to bypass the restrictions, others suggested using a separate, non-rooted phone for banking, with Aleklart noting that having a SIM-less secondary phone can be even more secure. The discussion also touched on the practicalities of maintaining multiple devices and the growing trend of repurposing old phones, with bsimpson and zozbot234 sharing their experiences with reviving vintage Android devices. As phones become increasingly ubiquitous and "effectively free," as roughly observed, the tension between security and accessibility is becoming a pressing issue.
Snapshot generated from the HN discussion
Discussion Activity
- Very active discussion
- First comment: N/A
- Peak period: 132 comments in 0-3h
- Avg / period: 17.8
- Based on 160 loaded comments
Key moments
- 01 Story posted: Jan 9, 2026 at 12:00 PM EST (2d ago)
- 02 First comment: Jan 9, 2026 at 12:00 PM EST (0s after posting)
- 03 Peak activity: 132 comments in 0-3h (hottest window of the conversation)
- 04 Latest activity: Jan 11, 2026 at 3:18 AM EST (19h ago)
The other more compelling reason why people would have a rooted phone is to run ROMs that may still be providing OS support where the stock OS has been abandoned or EOL'd by the developer.
Having an unlocked bootloader at the minimum would be required in those scenarios. It actually saves hardware that still works from ending up in landfills.
edit: spelling
Incidentally, if anyone wants some collector's edition Google/Android devices...
Please get in touch with the postmarketOS folks, since any phone old enough to be running CyanogenMod proper is most likely not supported there yet. (It would be super nice to even have a proper list of all devices where old CyanogenMod was officially supported at some point, with device specs for each. We're lacking even that at present because the transition from the CyanogenMod name to LineageOS was so messy.)
(The first time I walked past a homeless person using a VR headset, on the other hand, was a fucking trip.)
I utterly detest the idea of having to use a phone for anything that I'd like to be secure. I browse Reddit on that thing. I watch porn on that thing, I don't want my porn anywhere near my bank account.
That sounds like a utopia we've passed by on our way here. Maybe it's possible to make such a dedicated hardware device when the digital wallet becomes available for a (mobile) Linux distribution or a degoogled Android. Let's see when the phone manufacturers think that's a good idea to lobby for.
I'm cynical about the whole digital wallet idea because of this. Not that it's not useful, but it's tying your mobile surveillance unit and browser history to an identity on hardware that you are not meant to control.
All other business, including personal communications, is conducted on my GrapheneOS device.
In the future, everything will need an 'app'.
It’s not like the UK sent out a mandate to private banks or any other private industry on this issue. It’s also only one small country of hundreds.
I’d like to know what private businesses are copying the kind of workflows and customer experience you get at the USPS or DMV.
I have had a lot of banks and credit cards, mobile payment apps like Venmo/PayPal in the US and they almost all work on mobile web and desktops.
But I recognize that wealthy western countries didn’t really skip the personal computer like many mobile-first regions have done.
No no no shut up, don’t speak up. No one thinks like you.
They'll find a solution to their problem, which is you: apologize for losing you as a customer, and express a hope that you'll consider them again after you've bought a phone.
https://www.digitaltrends.com/phones/venmo-shutters-web-plat...
1. Your employer pays your salary by bank transfer, which requires you to have a conventional bank account.
2. You then want to spend that money, how do you do that?
Debit card? You need the phone app to retrieve the PIN when the bank first sends you the card.
Cash withdrawals in the branch? For amounts less than €10,000, the staff will direct you to the ATMs in the branch. These require an activated debit card to withdraw money, and activating that card requires the phone app.
Manual money transfers in the branch? Once again, for amounts less than €10,000, the staff won't do it - they'll instead direct you to the PCs in the branch. These are just loading the same website you can access on yours, which will ask you to confirm with a 2FA push notification to log in.
Most banks charge a fee for sending a wire. Sending an ACH is free, but most restrict that to your own account. Revolut is the only one I've seen that lets you just spam ACH to anyone. In both cases, it isn't instant.
Zelle largely fixes those issues, but has its own issues, like a lot of banks not supporting it and/or arbitrarily low send limits.
I've heard 3rd hand of some banks already doing this in i.e. Armenia where a foreigner can come in and open account easily but they block any online access to lock the control of funds in country to make it harder for the FATF psychopaths to find fodder to clamp down on them.
Users are losing billions worldwide due to fraudulent apps. If a user has root and runs a malicious app, it can intercept what a legitimate banking app does. A scam app with root can draw over the screen and tell users to transfer money, or it can run a series of actions when the banking app is running, or do any of a hundred things to steal money.
Sure. But the people who are actually rooting their phones are advanced users and aren't going to install a malicious custom OS. Are naive users getting tricked into rooting their own phones? I'm dubious what the security benefit is of this decision.
There are two ways to root a phone:
1. Unlock the bootloader, install a well designed and highly secure aftermarket OS, relock the bootloader. The device is still just as secure against malware as it was before. Remote attestation shows the vendor that you're running Graphene or Lineage or whatever.
2. Exploit a local vulnerability to drop a sudo binary somewhere. RA shows you're running an exploitable version of Pixel Android, etc.
(2) is absolutely exploitable by fraudsters. They convince the user to run an app or visit a website that exploits their browser or whatever, and the vulns are used to escalate to root and keep it. Now when the user logs into their banking app the HTTP requests are rewritten to command the bank to send money to the adversary. This is why devices that allow escalation to root are excluded via remote attestation.
(1) isn't but it requires more coordination than the industry has proven capable of so far. Binary images of a custom OS could in theory be whitelisted by banks if it was known to be as secure as other operating systems. But there's no forum in which that information can be exchanged. Like, RandOS turns up and the maintainer "xyzkid", identity: anime avatar, claims his OS is super secure. How does random overworked bank developer John Smith know if this is true or not? RandOS doesn't come with any audits, it doesn't have a well paid security team. The brand is a big question mark. And if John makes the wrong call, maybe the bank is now on the hook for millions in losses because some idiot installed RandOS to get the shiny icon theme or whatever, and then got hacked.
So it's a hard problem. It's not actually a technical problem. Remote attestation is very general. The hard part isn't the tech. It's a social problem. How do you create and rapidly communicate trust in a new binary OS image if you don't have the security resources of an Apple or a Google or a Samsung?
There's an alternative of course: go full libertarian. Means, just use a "bank" that doesn't care if its users get hacked. This is what the Bitcoin community enabled. It's there if you want it.
Well it’s more the Dunning Krugerites who see the word “rooting” written by someone in a cyber context, lack that context entirely, and proceed to enter the discussion anyway based on their experience rooting their Android phone 3 years ago after clicking through a few UI buttons.
On Android, I believe this can be done rootless via accessibility permissions that can display on top of apps.
From there you can keylog, hijack input listeners, basically do anything you want.
There's not even that many people using rooted phones, and many are tech savvy people that are generally a bit more careful, so even if a rooted phone gets infected by some malware chances are the malware won't even be written in such a way to try to obtain root permissions through the standard procedure and exploit it.
Of course they slathered the app with tracking, 'security', and analytics SDKs, so rooted devices are rejected. I had no way to log into this bank account after they made that change, which is simply wonderful.
Anyways, they're not yet at the point where they've learned to do the checks server-side. For now it's a one line patch to skip the root screen. But the Play Integrity API is designed correctly, if they learn to use it, there will be no workaround without someone finding a hardware vulnerability somewhere.
This is why LineageOS is actually dead in the water, even though they're "in talks with hardware vendors". It doesn't matter when people can't use the apps and services they need.
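The comment above makes the point that a client-side root screen is a one-line patch away from being skipped, while a server-side integrity decision is not, and the earlier thread on remote attestation describes the same decision from the bank's side. As an added example (not code from the thread, from any bank, or from Google), here is a Python sketch of that server-side check. It assumes the app has already obtained a Play Integrity token and that the backend has already had Google decrypt and verify it, yielding the decoded JSON verdict; the field and label names follow the public Play Integrity documentation as best I recall, while the package name, certificate digest, nonces and timestamps are constructed placeholders.

```python
import time

# Constructed for this example: what the bank's backend knows about its own app.
# (Hypothetical package name and certificate digest; a real deployment pins the
# SHA-256 digest of the published app's release-signing certificate.)
EXPECTED_PACKAGE = "com.example.bank"
EXPECTED_CERT_DIGESTS = {"EXAMPLE_RELEASE_CERT_SHA256_DIGEST"}
MAX_VERDICT_AGE_MS = 10 * 60 * 1000   # reject verdicts older than ten minutes


class NonceStore:
    """Server-issued, single-use challenges that bind one verdict to one request."""

    def __init__(self):
        self._issued = set()
        self._used = set()

    def issue(self, nonce):
        self._issued.add(nonce)

    def consume(self, nonce):
        """Succeed once per issued nonce; unknown or replayed nonces fail."""
        if nonce not in self._issued or nonce in self._used:
            return False
        self._used.add(nonce)
        return True


def make_verdict(device_labels, nonce, timestamp_ms, package=EXPECTED_PACKAGE,
                 cert_digest="EXAMPLE_RELEASE_CERT_SHA256_DIGEST",
                 app_verdict="PLAY_RECOGNIZED"):
    """Build a constructed verdict shaped like a decoded Play Integrity payload."""
    return {
        "requestDetails": {
            "requestPackageName": package,
            "nonce": nonce,
            "timestampMillis": str(timestamp_ms),
        },
        "appIntegrity": {
            "appRecognitionVerdict": app_verdict,
            "packageName": package,
            "certificateSha256Digest": [cert_digest],
            "versionCode": "42",
        },
        "deviceIntegrity": {"deviceRecognitionVerdict": list(device_labels)},
        "accountDetails": {"appLicensingVerdict": "LICENSED"},
    }


def evaluate_verdict(verdict, nonces, now_ms=None, require_strong=False):
    """Decide server-side whether a request may proceed.

    Returns (allowed, reasons). Every check lives here rather than in the app,
    so a patched client cannot skip it; the client only forwards the token.
    """
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})
    dev = verdict.get("deviceIntegrity", {})

    # 1. Binding and freshness: the verdict must answer this server's own
    #    challenge, exactly once, and must have been produced recently.
    if not nonces.consume(req.get("nonce", "")):
        reasons.append("nonce unknown or replayed")
    try:
        age_ms = now_ms - int(req.get("timestampMillis", "0"))
    except ValueError:
        age_ms = -1
    if age_ms < 0 or age_ms > MAX_VERDICT_AGE_MS:
        reasons.append("verdict timestamp stale or invalid")

    # 2. App identity: the token must come from our own signed release build,
    #    not from a repackaged or renamed copy.
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app not recognised by Play")
    if (req.get("requestPackageName") != EXPECTED_PACKAGE
            or app.get("packageName") != EXPECTED_PACKAGE):
        reasons.append("package name mismatch")
    if not set(app.get("certificateSha256Digest", [])) & EXPECTED_CERT_DIGESTS:
        reasons.append("signing certificate mismatch")

    # 3. Device state: MEETS_DEVICE_INTEGRITY is the usual bar; unlocked
    #    bootloaders and rooted builds typically earn only the basic label or
    #    none. High-value operations can demand the hardware-backed strong label.
    labels = set(dev.get("deviceRecognitionVerdict", []))
    needed = "MEETS_STRONG_INTEGRITY" if require_strong else "MEETS_DEVICE_INTEGRITY"
    if needed not in labels:
        reasons.append(f"device lacks {needed}")

    return (not reasons, reasons)


if __name__ == "__main__":
    store = NonceStore()
    store.issue("txn-1234")
    now = 1_700_000_000_000
    verdict = make_verdict(["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"],
                           "txn-1234", now - 5_000)
    print(evaluate_verdict(verdict, store, now_ms=now))
```

The nonce is the part that makes the verdict worth anything: without it a captured token from a clean device could be replayed from a rooted one, which is why the store consumes each nonce even when the other checks fail. The `require_strong` switch is where a bank would put the higher bar for transfers above some threshold.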
https://en.wikipedia.org/wiki/Web_compatibility_issues_in_So...
> Many tech jobs in the US will move to Vietnam in the coming few years.
It would seem to me that India has that on lock.
So is the personal, private content of my texts, why not go for that while you're at it?
Some of that liability is fair but most of it is the government telling the banks to account for the loss when someone is scammed. They are obviously going to mitigate that as much as they can.
Go back fifteen years and malware is absolutely submitting bank transactions after the user does a 2FA.
https://krebsonsecurity.com/2010/03/crooks-crank-up-volume-o...
They're upping the surveillance, not the security, quite demonstrably.
This is meant to protect /them/ from liability and not /you/ from loss.
I chose my current bank because it was one of the few that had proper token based access for 3rd party integration. An overwhelming majority of banks were relying on a 3rd party holding your actual username/password and saying "trust me bro". I wasn't comfortable with that.
We're dragged into this kicking and screaming and yet normies think we're the crazy ones.
Offering a monetary reward for installing apps seems fairly common. Chevron had someone at my gas station offering something like $5 of free gas, plus $1 a gallon off of the next three purchases. If it was something the customers wanted, they wouldn't need to pay people to do it.
On the other hand, a phone does not require you to verify with your PC, so there's no second factor unless there is some inaccessible secure island within the phone itself.
Funnily enough, you can probably use that website directly on the phone that you use as 2F, which probably circumvents the 2F idea (at least as long as you use SMS 2F instead of an app that checks for root).
I believe that previously internet banking, even before mobile banking, would limit the number of transfer recipients you can add per day/month. With the rise of QR payment I could see this limit being regularly hit if you scrape the web-based banking.
Since the Bank of Thailand claims that they technically don't block many things (mobile banking technical requirements seem to also require blocking root, but they never banned internet banking), I wish there were a new bank that tried to disrupt the existing players. But the latest "branchless" banking licenses were only acquired by existing banking groups, so API-first personal banking remains impossible.
While they (mostly) have websites, a computer with root access is not sufficient by itself to access them. You also need to perform 2FA via push notification to a proprietary app on an Apple or Google approved device.
My guess is:
1. Person with rooted phone uses a bank app, is hacked, has their money stolen.
2. Guess where the person turns to for help? The government.
I'm not saying it's impossible, but it is hard to do at present in a way where, if I came and picked up my phone again, I'd not know something happened to it.
You already have to trust the repair shop with your data. Installing persistent malware on phones is already illegal. What's the point of this extra software protection in this case? To prevent a 0.00001% chance hack? The type of hack that would put the repair men in jail?
Not to even mention that modern phones are basically unfixable.
Whereas previously the app displayed a 'whitelisted' set of UI options to the user, the rooted user could use employee-only methods. Somewhere or other every bank has methods that set balances on accounts.
To be honest a law like this makes security by the extremely modest obscurity of not having an "increase your balance" button on the app UI much more tempting.
Exposing these types of APIs in any way outside the bank ever would be gross negligence.
That is a terrible assumption. I had a rooted phone when I was 12 to pirate games. Friends asked me to root theirs. Rooting isn't hard and lots of people do it (in absolute, not relative, terms).
And the idea that so-called “technical” people know what they’re doing and are hack-proof is hot garbage machismo BS. Modern attacks use social engineering and extremely technical people fall for it all the time. There were several stories on here just this week.
> if someone is technical enough to root his phone he understands the risks
You're looking at this from the user's perspective. Indeed, the narrative is "for your safety, you cannot export your security tokens from your device's storage" or "software that runs as root can bypass all permissions!", as though users can't make that choice themselves on purchased-to-own hardware. Dropping privileges (https://en.wikipedia.org/wiki/Privilege_separation) has been a thing since as long as I'm alive. Don't be fooled that this "protection" is for you :(
I wonder if this has become a feasible avenue for scammers to interfere via other apps they could convince someone to install on rooted phones. Or if they are worried about skilled people being able to debug/MITM and find vulnerabilities on the banks.
Though from that statement alone, sounds more of a measure to protect banks than customers.
Banking is a very risk-averse area, and it is a good precaution.
Kinda like the Wall Street concepts of "Accredited" and "Sophisticated" investors - who could never possibly fall for a Ponzi scammer like https://en.wikipedia.org/wiki/Bernie_Madoff ?
Not to say I'm a fan of Vietnam, or familiar with their ban - but when people are having their money stolen at scale, there's a very strong tendency to blame the gov't and/or financial system. And it's extremely rare for stolen-at-scale funds to not be "reinvested" in further criminal activities - which again, the gov't is expected to deal with.
But you do understand. If someone is technical enough to root their phone, then he is the risk.
[cough]Monero[cough]
The National Credit Union Federation of Korea (NACUFOK) represents over 800 member-owned unions (https://www.cu.co.kr/english/main.do), and then there is the even larger Saemaul Geumgo (MG) network which operates as community credit cooperatives with millions of members. These people ostensibly own their "bank" accounts.
Surely most people running a rooted phone are tech enthusiasts. Cybercriminals will just use regular phones bought under false names and dispose of them afterwards.
Users that try to use mobile apps as if they were web apps, disabling location, and security features are just flagged by numerous security mechanisms.
In other words, the correlation is that older people are more likely to have a rooted phone and are more susceptible to fraud.
Dunno how widespread this is, just something to keep in mind.
Dug it up. Alfred Whitehead:
It is a profoundly erroneous truism, repeated by all copy books and by eminent people when they are making speeches, that we should cultivate the habit of thinking of what we are doing. The precise opposite is the case. Civilization advances by extending the number of important operations which we can perform without thinking about them.
Viet Nam is in the process of rolling out mandatory biometric identification and verification as part of the VNeID project [0], and mobile operators are in the process of rolling out identity stamping of mobile devices using VNeID [1].
Viet Nam is also an authoritarian state whose current leader (To Lam) spent his entire career in Viet Nam's KGB (MPS). Unlike Westerners, Vietnamese know the red lines - this is why I and my SO never travel back to VN with my personal accounts or devices, and why we keep some friends of friends on speed dial.
[0] - https://vneid.gov.vn/
[1] - https://vtv.vn/nha-mang-ho-tro-kich-hoat-sim-truc-tuyen-bang...
Vietnamese government will not arrest a tourist foreigner for talking bad about the party or about Ho Chi Minh, it would decimate their tourist bottom line. If you don't deal with drugs or actively don't organise against the party, you will be fine.
There is a growing surveillance (which you cited well) but mostly for locals.
edit: oh I misread, you are Viet Kieu, not a western tourist. OK yeah that makes some sense.
And that's enormous power for those who want to centralize power into their hands.
If someone steals the secrets from a rooted phone and steals customer's money the bank is on the hook, so banks do everything they can to minimize this risk.
There is no way to store customer's secrets in a PC browser securely, so all the "dangerous" transactions were outright prohibited in the web app or made available only via temporary QR login.
All this is just a negative side effect of customer protection laws.
450 more comments available on Hacker News