@neil So they think your app would be more secure if you used something like P@assword1 as your password instead of something like hs\3jz{7{}h./5yT/9x#H6d]9Hh?-
Er, OK then.
We are seeing more and more of this, and we need to pressure our EU representatives to make it illegal. OR:
Make it legal in the EU to hack around this Google stupidity.
@neil what is the “legal” background for the HSBC app to check which other apps one has on their phone? Isn’t there some privacy breach? What if one has some more “sensitive” apps?
@neil Yup, when something has the "Query all packages" permission, it's always a huge red flag for me!
@neil I deleted two bank apps I will use through website.
@neil Air Bank has recently blocked my entire account because I had NFCgate (which, to be fair, is at least an attack vector.)
I solved it by switching banks.
That sounds almost legit. It doesn't like that Bitwarden was side-loaded rather than loaded from an 'approved' source.
However, I'd be ripped if it objected to an app I have from F-Droid that does not touch passwords.
My bank won't let me use a VPN because then they don't know where I'm logging in from. They require 2fa and passwords but VPNs throw them.
To be honest, this is just a timely reminder that I planned to move away from banking apps anyway, in favour of websites.
I'd started doing this kind of thing with other apps - e.g. parking apps - when I started using postmarketOS, but I had not got round to banking apps.
@neil I don't use banking apps except on the rare occasions that the bank requires me to (eg to take a photo as extra authentication for a transaction above the normal limits).
I have tried to use parking apps but have never succeeded in making one work. So if I can't pay for parking using card or cash I don't pay, and if anyone complains I'll post them a cheque for the amount I was unable to pay.
@neil banking apps are a unique form of bad. My favourite example being the Santander one as below. Over half a gig for a glorified web interface!
@neil Yeah, banking apps are … scary. Not just because of the level of control they demand but also how badly their security tends to be for how devastating a breach is there and the general software deployment approach of “well bugs are acts of higher power so no we won't give you your money back *shrug*”.
I have used 1½ banking apps in total (one for paying with my phone which, last I reviewed it, is actually pretty secure) and a TAN app because that bank was weird about physical TAN generators.
@neil good luck with that. Our banks require their app to use the site.
@mensrea So far, none of the ones I use do...
Perhaps that will change, and if it does / becomes a sufficient problem, I will probably end up with a dedicated "banking apps only" device.
@neil @mensrea FWIW, I have a phone that's only for banking apps.
As you might expect, it's a bit of a pain in the arse: I have to keep it securely (because, unlike the phone I carry, I wouldn't notice it missing until I next needed it).
There were also some apps that I couldn't move onto it because the provider has decided to use the app for payment authentication, so I'd need to be by the phone to spend.
Overall though, it still feels worth it.
@neil @mensrea There certainly seems to be a move towards 3DS transaction approval via Banking App push rather than SMS code.
For the general population that's probably a good thing for security. But there are groups affected by this. I think most have a fallback to SMS available, but that enables SIM Swap fraud...
@neil @mensrea yeah, banking-app-only device is where I am heading... I have/use four of the damn things, they live on my "secure" (lol) Android "phone" which has a minimum of other junk on it (but isn't entirely clean as it's my backup/second phone for essentials & main actual "calling" & SMS number — rarely used mind, mainly gets those text message codes.)
Hoping to migrate my everyday use Android phone to something like PostmarketOS or Graphene in 2026 (probably need a whole different handset than this current Samsung S23 mind.)
@neil HSBC requires the app for me to login on their website, although it's possible that I opted in into that and there is no way back.
They were happy to send me a new security key today, and that entailed deactivating the mobile app provisioning, so hopefully the combination of the two will let me log in using the key they will send me :)
@neil so far none of the banks I use have started complaining about F-Droid or LineageOS, but a bank phone/Android VM is likely.
@neil @GrapheneOS a question.
Is it possible to restrict the app's access to the list of installed apps on the device? If yes, how?
@neil what is your OS?
I guess it's stock Android?
If GrapheneOS, I don't understand how they access this info without you giving it directly (as even some third-party app stores need "special permission" to list those apps (but they may have found a way)), so if GrapheneOS, maybe report it to them so in a next version they can lock that access to apps.
@neil answered by including GrapheneOS, so if they answer and tell a trick you can maybe try it ^^.
But if you are in the EU, you can try Revolut; in my case it works wonders and they don't seem to do this.
But maybe they are afraid of EU regulation if they do this 😐 but it works.
@neil Do they still support a post-it note with my HSBC password and National Insurance number fastened to the back of my spectacles case?
I tried, but I couldn't find your spectacles case :(
@neil Imagine getting blocked for using a safety app. HAHA what a shitshow.
@neil I'd be furious. Probably switch bank.
@neil Why not simply install Bitwarden from the Play Store?
And regarding F-Droid, I recommend reading
@neil Where did you get the HSBC app then?
So via the Play Store.
When I share Bitwarden from Aurora, I get this:
play.google.com/store/apps/det…
Same for HSBC:
@neil Security by Obscurity
@neil "You have an Adidas hat? I'm sorry but this taxi will not go anywhere until you take it off"
Just as stupid
This really grips my shit! I bet they won't allow their app to run on flashed devices then, or even devices that are OEM but NOT stock Android!?
@neil God. Mine would be too! That's an appalling reach of power
I don't have very many apps on my phone at all.
If companies need to interact with me it's through the website.
Apparently I'm a weirdo. 🤪
@neil I'm surprised that's got past Graphene's devs. I don't have Bitwarden on F-Droid so I assume you have it as a repo?
@neil if apps become the only way to online bank, with web interfaces replaced, I ask for people to quickly join me in a boycott of those banks by transferring funds to the best bank that offers a web interface, thank you
@neil we gave HSBC Australia (used by my partner) the flick for similar idiocy.
Plus their crappy app can't even do a street address change without erroring out badly.
@neil Jeez... I started moving away from HSBC a little while ago 'coz other silly shenanigans but this will make me finish jumping ship if / when it hits me. (No warnings about Bitwarden here, for now...)
@neil for a different perspective:
There is a scam going around, targeting Android phones, that involves convincing the customer to install a side-loaded app, and grant it all of the accessibility privileges that would allow it to operate your phone in the background while showing you something completely different.
This has resulted in significant financial losses for victims and/or their banks. Net result is that the banks are trying to detect sideloaded apps and warn/refuse to operate if any are present.
Seems like there is collateral damage due to this particular implementation. Providing feedback to your bank may be a productive thing to do in this case.
@neil the Hollow Sword Blade Company. They did not play a sympathetic role in Irish history: https://en.wikipedia.org/wiki/Hollow_Sword_Blade_Company
@neil Yeah, an idiotic decision from HSBC. Creating and using a separate Android profile just for the HSBC app is the way forward. Since it's pretty easy to switch profile, it's a minor inconvenience...
This is disturbing
@neil Sooo "random app can scan my device and learn what is installed on it, and how it was installed", heh?
How about no?
Also, fuck HSBC.
@neil total insanity, but unfortunately the trend with commercial entities, to have overzealous IT security staff who don't understand security or the impact of the policies they implement 🤮
@neil Also, I'd be interested to hear their justification (chances are they have none). Because, yes, people disabling Android protections and installing malware because they got phished into "upgrading their security" is a thing.
But then either: the malware bypasses the HSBC security somehow. Then the screen is not doing anything.
Or: it doesn't, and the screen could show something like "you may continue, but make sure you know what you're doing; we certainly didn't ask for it" and be fine.
@neil It also gets hissy at certain Android keyboards even if installed using Play Store.
It's even stranger because the HSBC App does this, but the First Direct app is sensible - they are very similar in many other respects.
@neil As a matter of interest what's your solution for sharing links/text between devices?
@neil 👍 can I make a further recommendation to change to another bank entirely? We _finally_ dumped HSBC earlier this year and switched to Nationwide. The switch genuinely is really very easy.
The only things that don’t transfer automatically are merchants that hold your card details and take payments from them - they also need updating if you are issued a new card though.
Very pleased with Nationwide so far. Very old school bank, but the app is far better than HSBC’s. Eg, more than a month of search history has sold it for me! They also *gasp* pay interest! And actually seem to value their customers.
@benjohn I remember joining Nationwide as a teen. Disappointed to see they got rid of this beautiful logo for more "modern" one:
@neil They will continue with this nonsense until there is sufficient push-back against it.
Are you going to write them a formal letter informing them or your choice and their idiocy?
@neil what the f...??? Security apps compromise security now?? I'd change banks just over the garbage statement this makes.
Like others I'm also wondering how an app is allowed to see the list of other apps unless specifically allowed to do so. In any Android really. It *is* true that for some use cases like using MacroDroid or similar apps it helps to list the other apps' "intents". But this should be a specific permission, not required by a banking app?
@neil D-: the notion of 'unofficial' app stores is downright strange. Who officiated Google Play?
@neil No one has critiqued me on this, but I knew when writing it that 'officiated' is not the right word in this context. I thought it would be funny, but the need to express that I know it's incorrect was too much 😅
@neil don't you need the app to login to their website?
@neil isn’t the wording of that “we don’t like app stores” rather than it being because of Bitwarden though? Or are you saying you have other things installed via F-Droid that aren’t flagged?
> Or are you saying you have other things installed via F-Droid that aren’t flagged?
Yep, loads of things via F-Droid.
Is it looking more for the ability to sideload apps rather than the presence of FDroid?
I've just transferred from a Pixel 8 to a 9a and that particular banking app transferred fairly painlessly.
I did wonder if a non-Android OS gives issues, if I should bother with moving to a different one on the Pixel 8 😥
Triodos Bank excellent and they are trying to build a degoogled app.
@neil you might be able to work around it using profiles. I haven't investigated much but it seems like some isolation between sets of installed apps
@neil the logical assumption then is that HSBC themselves don't use password managers internally.... YIKES
/s