Not saying it's the right decision, but probably because they don't want the liability if a rooted device allows some 3rd party app to hack theirs. Airlines can be somewhat like a small bank in this respect, as being logged in gives you access to things like accumulated loyalty points, not-flown-tickets that can be exchanged/refunded, past flight credit from earlier refunds that were eligible for credit but not a cash refund, etc.
Also, they typically store more personal info than, say, an e-commerce application because some of it is needed for travel. Things like date of birth, known traveler numbers, names/dob/etc of family members, passport numbers, etc.
At that rate why not also ip ban any general purpose compute device from accessing their servers? I can't believe a major airline has programmers who think blocking jailbroken cellphones would do anything at all to thwart a hack. It makes me think twice about flying United certainly if these are the incompetent hands I'm placing my trust in.
Not that I agree with it, but the usual line of reasoning is that they have laxer rules on a native app. Like no captchas, much longer session timeouts, etc. So they aren't comfortable with the looser rules on a rooted phone.
Once again, things that are trivially bypassed by people who are active in this space, and their programmers should know better than using this line of reasoning that must just be ancient procedure at this point, especially considering the cargo they are tasked to ensure is safe.
Also, they typically store more personal info than, say, an e-commerce application because some of it is needed for travel. Things like date of birth, known traveler numbers, names/dob/etc of family members, passport numbers, etc.