zlacker

>>wicket+(OP)
My Android phone prevents me from taking screenshots if an app author doesn't want me to.

My Android phone prevents me from recording phone calls at the request of my carrier, even though it's totally legal for me to do so in my jurisdiction.

I'm not loving where this is all going.

>>jeffpa+D5
> prevents me from taking screenshots if an app author doesn't want me to

The most frustrating part about this "feature" is that you don't know it's enabled until the screenshot is taken and you're left with a picture of nothing.

That and some app authors thinking they're protecting you with this (referring to banking apps in particular)

>>hypeat+d8
In some sense they are. But being protected either from a consequence of my own stupidity or a consequence of their lack of security. I think the worst part of all is that these "bandaids" are being used in place of actual security. I don't need to be protected from my own stupidity nor do I need security theater.

>>godels+Uu
I think the threat model here is that a different, malicious app (compromised, installed accidentally or by the means of social engineering) might take screenshots of your screen and forward them to take advantage of you. You can file this under one's "own stupidity" as well, sure, but in the end they're not protecting you, they're protecting themselves, because banks might be liable for these kind of things, and by imposing these restrictions, they're reducing the amount of fraud and thus improve their bottom line.

>>mr_mit+4I
I see this argument everywhere and I've never heard of a case where a bank was liable because a customer was phished. I've even asked for examples and nobody ever provided them.

It's one thing to argue in court that they should be liable because they didn't provide you with the necessary security tools (like MFA), but they all provide at least SMS 2FA these days and their apps run on iOS and Android, both of which have plenty of security features.

>>franga+rU
In reality what happened is that some security auditor put it into a checklist for the mobile app "Security ISO certificate++" and now everyone implements it for compliance.

Fighting against that is insane paperwork and professional exposure for software engineers that do it (since if people get phished, the C-suite will point a finger at a tech lead which went against the "professional security audit").

Most of other posts here are just post-rationalization and victim blaming.

>>izacus+a11
So let's have more of these conversations so the idiots making those standards make fewer dumb rules and we can grease the wheels for anyone passionate enough to try to get it changed

>>godels+hE2
Unfortunately the idiots are often the nation's security agency, or a large consulting company.

You will not have them change their policies if they do not have a good person inside, who will slowly move the boat.

I fought for audit findings because they were pissing me off at a personal level and it wirked. But the auditor did not change their procedure, just reverted the finding. Until the next year.

>>Brando+H73
I think you're making the naïve assumption that large organizations are heterogeneous.

The people at the top are idiots because the idiots were able to secure advisory positions. They were able to secure positions because those promoting them were either tricked or idiots themselves. This pattern repeated all the way down.

So I really do mean grease the wheels. And I really mean we won't kill the beast overnight. But we won't make any progress towards fixing things if we won't look at how the problems are created in the first place. We'll only perpetuate the problems if we oversimplify things, as that's exactly what got us into this mess in the first place.