Whenever you accept the TOS, your device is somehow registered/authenticated against their servers. Such a session establishment of course should be secured through TLS, just like all web traffic in general.
The MAC address and assigned IP address are both visible outside that TLS tunnel. What information are you protecting from what threat?
Btw, the complaint of you not being able to do banking through your browser anymore while it does not support TLS 1.3 really made me laugh, thank you!
You’re confusing different situations. The TLS 1.3 issue has nothing to do with the bank. Desktop computers are not trapped on old software. Androids are. The bank requires customers to:
buy a new recent smartphone, repeatedly (because the bank’s app detects when it is running on an Android emulator and denies service)
subscribe to mobile phone service (which also costs money and also requires supplying national ID to the mobile carrier to copy for their records which you then must trust them to secure)
share their mobile phone number with a power abusing surveillance capitalist who promotes the oil industry (Google / Totaal)
create a Google account and agree to their terms (which includes not sharing software that was fetched from the Playstore jail)
share their IMEI# with Google
share all their app versions with Google, thus keeping Google informed of known vulns for which they are vulnerable
share with Google where they bank
install proprietary non-free software and trust the security of non-reviewable code
share the mobile phone number with the bank
I am ethically opposed to every single one of those preconditions independently, not only because of sloppy infosec and reckless disclosure but being forced to support a surveillance advertiser and also the power imbalance implied by non-free software. But just from an infosec PoV, why would a reader of cybersecurity on infosec.pub agree to all that?
I don’t think you realize just how big the risk is that you are putting yourself in with such old software.
You don’t seem to realize Android phones are designed for obsolescence and desktop PCs are not. The elimination of web access ensures users will be accessing their bank accounts with older software. Why would you endorse that? Not sure you realize that using an Android emulator ensures the ability to constantly run bleeding edge updated software. But the bank won’t have it. You also overestimate the security of code you cannot see to satisfy your threat model. How do you know the bank itself does not have spyware in their app that’s contrary to your security posture? Of course they do. They want to KYC.