"The app can't function in a low security environment, but complainant is free to use the web client in such event." case dismissed
(obviously an oversimplification, but the point stands)
Where I live the app is 100% needed because it’s the "second factor" in the login process.
Fallback should never be the weakest link in a security chain. Especially not in something as high stakes as your banking login.
I can’t remember how I got my first bank token in my phone. Probably by physically showing up in the bank office with my ID.
Well, some offer a hardware device for like 25€ that can do the same thing, but then if you have an account with multiple banks, you need multiple of these devices.
What happens when your primary bank has been one of these app-only banks for the last 5 years, and you decide to make a technology change to your phone, and can now no longer get into your banking app?
Even if someone hijacks my computer's web browser, the worst they can do is see my statements, any attempt to transfer out will pop up a prompt in the phone.
Though you get those newer "app only" banks. I've never used any since I see that as a major downside, not a selling point, so idk whether they tolerate root. Even with traditional banks, I've come across a few features which can only be accessed via the phone app - in this case likely due to the belief that "web? Everyone just uses apps!" rather than security.
Meanwhile my main phone is always on the mobile network, using a proprietary modem that's running ridiculously complex firmware that does EDGE, LTE, 5G, VoIP, has its own TCP/IP stack and a dozen other super complex protocols, is closed source, gets no security reviews and is exposed to at least my mobile provider at all times. And that's just the modem. Don't let me get started with all the value-add software the phone vendor loaded the device up with. Some of which is running with elevated privileges. You seriously think this is more secure?