Should my bank be able to block me from using their Android app, just because my phone is rooted?
I'm reluctantly coming to the conclusion that... yeah, it's fair that they get to decide their own risk tolerance.
Sage of the Internet, and general Sooth Sayer, Cory Doctorow once gave an impassioned speech on "The Coming War on General Computation". I'll let you read the whole thing but, I think, the salient point is that some people want to restrict the maths we're allowed to do on our computers.
I can tell my computer to run any program and - to the best of its ability - it will1. This is the joy and promise of Universal Turing Machines.
But some wicked folks want to stop that. Usually it is Hollywood movie studios. Your computer is perfectly capable of playing back 4K streams from Netflix - but it is artificially restricted from doing so unless the computer can prove that it is "secure". Where secure means "artificially prevented from engaging in copyright infringement."
Similarly, you can't grab an Xbox disk and shove it in your PC to play a game. Your computer may be more powerful than an Xbox, but the software has been artificially restricted so that it won't work on a "General Purpose" computer - it will only play on an intentionally scuppered computer. The Xbox isn't a General Purpose computer - you cannot run your own code on it.
Which brings me on to Android Banking Apps. I have a six year old Android phone. In order to keep it secure, I've flashed it with LineageOS 20. But, in improving my day-to-day security, I've critically weakened some of the OS security.
I now have root control of my device. The bootloader is unlocked so I can load any software I want and have complete control of it.
This terrifies banks. And, I think, that's justified.
A modern phone is reasonably secure. It is unlikely2 to be infected with a virus and, if it is, there are multiple layers of protection to stop miscreants monkeying with your money.
A rooted phone breaches all those protections. It is possible3 that a user could install a tool (intentionally or otherwise) which could open the banking app and send all the money to a criminal. Or redirect the login flow to steal your passwords and authentication tokens. Or take screenshots of your balance and send them to blackmailers. Or... you get the idea.
Banks aren't willing to take that risk. Regulators tend to side with consumers in these matters and banks don't want to lose money or get bad press.
So they've taken the entirely sensible decision that their software will only run on machines which can pass a set of security attestations.
It distresses and upsets me that there's a cryptographic chip in my phone which I can't control. I bought and paid for this device. It should obey only my commands. It shouldn't rat me out to third party vendors.
But... I think it is a rational reaction from the banks. I am free to run whatever software I want on my general purpose computer - but they are free to refuse service to anyone who increases their liability.