Your lack of control over the security of your phone is exactly what’s keeping the bad guys out. The extra control you have over your computer is what leads to people getting scammed out of their life savings. Perhaps you’re an expert in fraud detection or banking trojan analysis, but 99.9% of the population doesn’t have that knowledge, and that’s who the apps are built for.
Phones and tablets have either dedicated hardware or super low level software that runs alongside the other software to do secure computing. These features are used to detect if the device’s operating system has been altered in any way.
Without alterations, the bank can trust that its security code will execute as intended, and that nothing can spy on your connection or steal your money. If your phone has been rooted or jailbroken, that’s no longer the case. Some banks (like mine) don’t really care. Others will disable certain features or refuse to work. Many rooted phones are rooted without the owner’s knowledge by malware, so these concerns are legit.
On PC, there are very few ways to get the same level of trust. In theory, Windows with Secure Boot cranked up and a signed TPM can be trusted (using security mechanisms such as Windows Hello to authenticate using the TPM as dedicated security hardware). In practice, this is all very recent and because Windows allows arbitrary drivers to be loaded, the guarantees are much weaker.
Furthermore, phone apps are sandboxed. They can’t interact with each other beyond a few predefined APIs, they’re basically stuck in their own, separate sandbox, doing whatever they like, never crossing boundaries. PC software isn’t like that most of the time. Even if they are (i.e Windows UWP applications, Flatpak apps), other software may be running outside of the sandboxed environment making it impossible for a sandboxed app to protect itself.
Phones aren’t hacked as often as PCs, broadly speaking. That’s why iOS lacks antivirus protections and Android only has very weak ones. It’s also why many banking apps lack MFA on mobile devices.
As for your MacBook, your bank could probably make its authentication app work on your laptop, as Apple has very similar security APIs to the ones on iOS. Apple has a porting toolkit that will likely be able to run the iOS app directly on your MacBook, in fact! However, they would also need to ensure that you don’t break the MFA principle by logging in in a browser running alongside their app. And, let’s be honest, most people would do exactly that.
Your lack of control over the security of your phone is exactly what’s keeping the bad guys out. The extra control you have over your computer is what leads to people getting scammed out of their life savings. Perhaps you’re an expert in fraud detection or banking trojan analysis, but 99.9% of the population doesn’t have that knowledge, and that’s who the apps are built for.
Phones and tablets have either dedicated hardware or super low level software that runs alongside the other software to do secure computing. These features are used to detect if the device’s operating system has been altered in any way.
Without alterations, the bank can trust that its security code will execute as intended, and that nothing can spy on your connection or steal your money. If your phone has been rooted or jailbroken, that’s no longer the case. Some banks (like mine) don’t really care. Others will disable certain features or refuse to work. Many rooted phones are rooted without the owner’s knowledge by malware, so these concerns are legit.
On PC, there are very few ways to get the same level of trust. In theory, Windows with Secure Boot cranked up and a signed TPM can be trusted (using security mechanisms such as Windows Hello to authenticate using the TPM as dedicated security hardware). In practice, this is all very recent and because Windows allows arbitrary drivers to be loaded, the guarantees are much weaker.
Furthermore, phone apps are sandboxed. They can’t interact with each other beyond a few predefined APIs, they’re basically stuck in their own, separate sandbox, doing whatever they like, never crossing boundaries. PC software isn’t like that most of the time. Even if they are (i.e Windows UWP applications, Flatpak apps), other software may be running outside of the sandboxed environment making it impossible for a sandboxed app to protect itself.
Phones aren’t hacked as often as PCs, broadly speaking. That’s why iOS lacks antivirus protections and Android only has very weak ones. It’s also why many banking apps lack MFA on mobile devices.
As for your MacBook, your bank could probably make its authentication app work on your laptop, as Apple has very similar security APIs to the ones on iOS. Apple has a porting toolkit that will likely be able to run the iOS app directly on your MacBook, in fact! However, they would also need to ensure that you don’t break the MFA principle by logging in in a browser running alongside their app. And, let’s be honest, most people would do exactly that.