Last month I wrote about UGO Wallet, an app that (barely) supports tap and pay here in Canada but, for some reason, doesn’t work with rooted phones. Since then two more notable tap and pay apps have appeared on the Play Store. One is from a Canadian bank that I hold a credit card with; the other is Android Pay.
And it seems that Canadian banks aren’t the only ones who don’t understand root!
Contrary to what the Google Support person has written here, all Android devices have bootloaders, obviously. What’s more, it’s being widely reported that Android Pay does not require a locked bootloader to work.
What exactly is the risk here? It’s possible that someone with physical access to your device could boot into your custom recovery and flash a keylogger or extract personal data. But there’s also an easy fix: install Android Device Manager or Cerberus for a remote wipe should your phone go missing.
As for rooted phones, the risk of data theft is not nearly as great as you might think. Most implementations of root—either through custom ROMs or Chainfire’s SuperSU—offer runtime permissions.
Root access can easily be blocked on a per-app basis, or disabled altogether as the user sees fit. Sure, you might well be at risk if you’re downloading pirated .apks from Russian websites onto a rooted phone. But if that’s the case, you kind of deserve what you get.
Despite these safeguards, though, Android Pay officially won’t work on a device that has root—except that rooted users have already got it to work by temporarily disabling root access. As for my banking app, I’m still trying to set it up for tap and pay, but for the moment that has more to do with the app’s bad UI than anything else.