(Rant)

At somepoint, HSBC decided KDE Connect installed via F-Droid is less secure.

Photo of the HSBC UK app urging I install KDE Connect via GPlay or Galaxy Store

Then it decide non-whitelisted keyborads are a security risk. Only Gboard and Samsung Keyboard is confirmed within the whitelist.

Photo of the HSBC UK app telling me to switch input method citing security risk


I understand the point that risk can be introduce at various points, yet this is simply too much. Yeah there are people phone infected by malware but from Play Store. Not a single time I heard one ever happened on F-Droid distributed apps, at least not from the official repo. Also, I will put more trust on an open source keyboard than any proprietary keyboard.

Furthermore, I’m shocked that an app can read my app list, and current keyboard (introduced in Android 14). This just make building a profile much easier as I belive everyone almost have an unique set of apps they like. I don’t think any apps need such functionality. Why the f it needs to care what input devices I uses? This make me worry more about untold (aka burried deep in Privacy Policy) data collection.

  • Paradox@lemdro.idM
    link
    fedilink
    English
    arrow-up
    53
    ·
    1 month ago

    We seriously need a way to sandbox apps, where they cant see shit outside their sandbox

  • Moonrise2473@feddit.it
    link
    fedilink
    English
    arrow-up
    45
    ·
    1 month ago

    And then i complained that my bank blocked access if adb was enabled…

    If there’s no loan attached to that account, for me this message reads “sorry, we don’t want you as a customer. Please contact a bank teller to have a full refund, uninstall this app and don’t forget to leave a 1 star review”

    I’m not willing to compromise on this shit. My phone is my phone.

      • BlueFire@lemdro.id
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        1 month ago

        My medical app doesn’t let me take a screenshot of the bill statement when I wanted to contest an upcharge.

        luckily there was still an option to download a pdf, but still there was no option at all to disable that BS.

        • RubberElectrons@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          1 month ago

          That’s wack as hell.

          In my case, Medtronic does a lot to prevent inspection of how their apks work at all, encrypting and obfuscating the code to make open-source emulation extremely difficult.

          Luckily, hackers don’t quit.

  • shortwavesurfer@lemmy.zip
    link
    fedilink
    English
    arrow-up
    32
    arrow-down
    1
    ·
    1 month ago

    Sounds like it’s time to use the website and not the app. And if you can’t use the website instead of an app, you should probably switch banks.

    • Moonrise2473@feddit.it
      link
      fedilink
      English
      arrow-up
      10
      ·
      1 month ago

      I don’t know a single bank that hasn’t reinvented the wheel and is using their app as a glorified authentication app for generating totp codes

      • shortwavesurfer@lemmy.zip
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 month ago

        Mine actually. I’m in the United States, but I actually switched banks. And the vast majority of the reason I did so was because my bank did not allow me to use the website to use their functionality. And so I said fuck you and left them.

  • ReversalHatchery@beehaw.org
    link
    fedilink
    English
    arrow-up
    18
    ·
    1 month ago

    how the fuck do they see that you have these apps?? Wasn’t it google’s justification for destroying /proc and all resource monitor apps with it that they have put querying of installed apps behind a permission?

    • Moonrise2473@feddit.it
      link
      fedilink
      English
      arrow-up
      7
      ·
      1 month ago

      I saw a bank in my country requiring to have the permission for apps usage, the one that you have to go in settings and toggle it. Refuse and it closes the app

        • Moonrise2473@feddit.it
          link
          fedilink
          English
          arrow-up
          7
          ·
          edit-2
          1 month ago

          Google enforces rules only against small devs. Big companies are allowed to do what the fuck they want.

          Example with one of those “ad viewing apps disguised as games”, every single screenshot is misleading, showing a different game to what actually will be downloaded. It’s clearly a violation of Google Play terms that read:

          Screenshots must demonstrate the actual in-app or in-game experience, focusing on the core features and content so users can anticipate what the app or game experience will be like. Use captured footage of the app or game itself.

          In the example not a single screenshot demonstrate the actual game experience.

          Google sees the big cash influx from ad impressions and IAP from whales and is closing all the eyes

          Tencent and Alibaba instead are still allowed to illegally fingerprint and track the user by placing tracking data in /Pictures/.gs_fs0 which for some reason they can access even without storage/photo permission

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 month ago

      So /proc is virtual so it is only processes and not apps.

      The app probably requires a permission that grants it access to that information.

  • Railcar8095@lemm.ee
    link
    fedilink
    English
    arrow-up
    16
    ·
    1 month ago

    I thought this was for employees of the bank on the work phone.

    If my bank does this, they can kiss goodbye my $254.21.

  • Stomata@buddyverse.one
    link
    fedilink
    English
    arrow-up
    14
    ·
    1 month ago

    They are now blocking you because you are not using gboard and sam keyboard. Now it’s too much . I stopped using mobile banking became they need g play services.

  • doogstar@lemmy.100010101.xyz
    link
    fedilink
    English
    arrow-up
    10
    ·
    1 month ago

    That’s annoying! I’m using Graphene and I just installed KDE Connect from F-Droid to test, which didn’t trigger, however it did bounce me for using Heliboard. Changing to default keyboard and reloading worked, ie it can only see my currently active one.

    Using Shelter to set up a second profile, or the new Private Space feature on 15 may help provide isolation.

    Halifax/ Bank of Scotland/ Lloyds does an integrity check that rejects Graphene or LineageOS phones completely.

  • LiveLM@lemmy.zip
    link
    fedilink
    English
    arrow-up
    9
    ·
    edit-2
    1 month ago

    Check out Shelter by PeterCxy [FDroid - Source]
    It uses Android’s native work-profile feature to create a separate space for the apps you choose, so you could install the HSBC app there and it wouldn’t be able to see anything outside its little bubble.
    The downside is that AFAIK you cannot have multiple work profiles on the same phone, so if you have a MDM solution from work already installed like Intune you won’t be able to use this, and given how draconian this app is, it might refuse to run if it detects its inside one. Worth a shot though.

    This is the type of shit that has me losing faith in Android.
    They added a fuck ton of restrictions on Clipboard Access because ‘Privacy,’ yet this clear privacy violation (with 0 use cases!!!) is still here.

    You’d think that they’d create a permission you can toggle at will since they care about protecting you so much right?
    Nope. Google’s the one who decides who gets to use this capability and your wishes as a user can go to hell.

    • Virkkunen@fedia.io
      link
      fedilink
      arrow-up
      23
      ·
      1 month ago

      You do know screenshots exist

      App doesn’t allow screenshots or screen sharing as part of the security features

      Also, don’t do mobile banking

      Many times that’s simply impossible depending on the bank, and it’s wholly inconvenient for most people. Security wise, it also depends on way too many variables, so you can’t just tell people to not do it and don’t elaborate further.

      • Possibly linux@lemmy.zip
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        4
        ·
        1 month ago

        They there is little room to complain about the app. If you willing make yourself dependent on an app you might be out of luck.

    • Kayana@ttrpg.network
      link
      fedilink
      English
      arrow-up
      13
      ·
      1 month ago

      Actually, I wouldn’t be surprised if screenshots are disabled in that app considering the rest, to “stop leaking sensitive information”.

    • T156@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 month ago

      If the app is so paranoid that it refuses to work after detecting a different keyboard, I should be surprised if it allowed screenshots.

    • Robin@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      3
      ·
      1 month ago

      You want us to yell out our credit card details over the phone like the good old days?

        • Railcar8095@lemm.ee
          link
          fedilink
          English
          arrow-up
          6
          arrow-down
          1
          ·
          1 month ago

          I don’t think normal people use cash over the phone. I think you’re thinking Star trek teleporters?

          • oldfart@lemm.ee
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            1 month ago

            Why are you ordering stuff over a phone call and what does a smartphone app have anything to do with it lol

            If you mean ordering from a phone shopping app, 1) you can just enter credit card details into the app, you don’t need your bank’s software, 2) you can just use a website on a computer

          • Possibly linux@lemmy.zip
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            2
            ·
            1 month ago

            Why would you pay over the phone? Maybe I’m missing something but you can enter your card info or you can go in person and pay.

            At least that’s what I do personally. I’ve always found mobile phone based payments problematic. However, if there is ever some sort of Foss payment system I’m ready to give it go. (Taler)

            Is it that common to pay over the phone? Do you give them some sort of code? How does that work?