by camdbug
Explorer

Why does the EE app not work on rooted devices?

I'm on a SIM-only plan with an Android device bought independently from EE. I've just come back from a 2-week EU holiday and hit my 80% data allowance while away. Tried checking while away via the app to be told it wouldn't work as my device is rooted. This didn't use to be the case (I use the app very rarely as I rarely hit the data limits, but holiday and photo uploads...)

I genuinely don't understand why this restriction is in place. It's a non-EE device. Yes, it's rooted... I'm a power user that does development and uses rooted abilities to add extra security and abilities to my device.

I can see few (struggling to find any) benefits to such a ban if the app is coded properly and using the built-in encryption features. NatWest, Nationwide, PayPal and HSBC apps (all on my phone) do not have these restrictions.

If there are certain features of the app, such as purchasing add-ons, that EE feel should be restricted on such devices, then restrict just those features, not blanket ban my ability to check my data usage and other standard needs. However, worth pointing out that a rooted device can still buy from fast food joints, Amazon, eBay, Tesco, Sainsbury, Ocado, ... (insert endless list of other retailers here)

There are many valid reasons for having a rooted device, so why are users with such valid reasons being prevented from quickly checking basic account stats and info via the app? Or is it just because your developers are lazy and can't figure out how to use core Android security features and good security practice?

by Grand Master

Re: Why does the EE app not work on rooted devices?

@camdbug The app has access to your account and because of this it’s been blocked from working on rooted devices. It’s not lazy to figure out how to make it work as the developers have to make it not work on rooted devices. EE are not obligated to allow you to have access to your account on a rooted device as it’s their app and I’m sure you can appreciate that.

by camdbug
Explorer

Re: Why does the EE app not work on rooted devices?

Not sure I fully understand your response, I'm afraid. The statement that "the developers have to make it not work on rooted devices" doesn't make sense to me, and is in fact the main reason for my question... Why?

Also, "EE are not obligated to allow you to have access to your account on a rooted device"... No, technically they are not, but what is the benefit to anyone from preventing this access given that far more sensitive apps can be written to work correctly on rooted devices?

To clarify what I mean:
* use of Android encrypted storage means that apps can still be secure even on rooted devices.
* multi-level authentication (recommended by most national security agencies nowadays, including the UK's National Cyber Security Centre) states that sites and applications should exercise best practice in that low sensitivity actions (checking remaining data allowance for example) should be allowed with standard authentication, but as sensitivity increases (updating personal details, changing passwords, making purchases) the additional authentication steps should be increased, either by default, or if there is perceived additional risk due to unusual device locations or due to factors such as rooted/potentially "at risk" services. 2FA/biometrics for example, or just plain refusal to provide access to those functions if the risk level is deemed to be too high.

It's these that I refer to when I say there is lazy development. Given that mobile networks are inherently unsafe anyway, such as the SS7 vulnerabilities, it would be reassuring to believe that our mobile providers are focused on security rather than just taking a crude approach such as this which in turn indicates that they're not really investing the effort to understand and improve things. 

We also all know (well some of us) that behind the scenes our mobile companies are still just patching together multiple disparate IT systems from multiple companies and acquisitions instead of taking a true holistic view of how to build the best, most secure systems.

Worth also pointing out that in the few hours after my original post, I managed to bypass the "detection" in question and now have full access if I need it. It took me 15 minutes to do, and again highlights my point that this is a pointless and ineffective blunt instrument that fails to actually address the problem. 

I'm afraid that this negates your arguments and emphasises my claim of cut-back development, as if the app had been properly defensively coded, as outlined above, then this would not have worked. I'm not saying that the individuals writing the app are lazy btw, but that the ethos, budgets and priorities of the parent company are at fault. Banning use of the app on rooted devices is like building a wall between Mexico and the US and asking someone else to pay. It avoids addressing the actual evolving world we live in, and it will fail.

None of us will ultimately benefit from that approach... 
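
The tiered approach described in the post above, expressed as a server-side policy check. This is an added example, not part of the thread and not EE's code; the action names, risk signals and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    LOW = 1     # read-only, e.g. checking remaining data allowance
    MEDIUM = 2  # e.g. updating personal details
    HIGH = 3    # e.g. changing a password, making a purchase


class Decision(IntEnum):
    ALLOW = 0    # standard authentication is enough
    STEP_UP = 1  # ask for 2FA or a biometric check first
    DENY = 2     # refuse this function in this context


# Hypothetical action catalogue (names are assumptions, not a real API).
ACTIONS = {
    "view_data_usage": Sensitivity.LOW,
    "update_personal_details": Sensitivity.MEDIUM,
    "change_password": Sensitivity.HIGH,
    "purchase_addon": Sensitivity.HIGH,
}

# Assumed thresholds: number of risk signals at which a tier is refused.
# LOW is never refused because at most two signals exist.
DENY_AT_RISK = {Sensitivity.LOW: 3, Sensitivity.MEDIUM: 2, Sensitivity.HIGH: 1}


@dataclass(frozen=True)
class Context:
    rooted: bool = False            # client-reported, so only a hint
    unusual_location: bool = False
    second_factor_verified: bool = False  # checked server-side


def decide(action: str, ctx: Context) -> Decision:
    """Server-side decision for one request; unknown actions fail closed."""
    sensitivity = ACTIONS.get(action)
    if sensitivity is None:
        return Decision.DENY
    risk = int(ctx.rooted) + int(ctx.unusual_location)
    if risk >= DENY_AT_RISK[sensitivity]:
        return Decision.DENY
    if sensitivity is Sensitivity.LOW or ctx.second_factor_verified:
        return Decision.ALLOW
    return Decision.STEP_UP
```

Because the decision is made per request on the server, the rooted flag only raises the bar for sensitive actions; a client that suppresses the flag gains nothing beyond what standard authentication already allows.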
