The HSBC app refuses to work if "Bitwarden" is installed on user's Android phone(twitter.com)
38 pointsby fortran77a month ago5 comments
  • jqpabc123a month ago
    why does Google even allow HSBC to see the list of other installed apps?

    Maybe because Google and it's products have little respect for user privacy?

    Have you thought about using Aurora Store? You can usually see a list of the permissions the app requires before you install.

    • mindcrasha month ago
      Maybe because Google and it's products have little respect for user privacy?

      That's incorrect. Querying installed apps has been severely restricted (and thus mostly useless) and also requires a special nuclear-scale permission since Android 11.

      I am wondering what exploit HSBC is using because I really don't think they are using official APIs for this.

      • alex1115alexa month ago
        The QUERY_ALL_PACKAGES permission (what an Android app needs to see all the packages installed on your phone) is a little weird. The user doesn’t get prompted and explicitly grant permission for it like they would for something like MICROPHONE- having it in the app’s manifest alone is sufficient to query packages. However, Google Play Console does make you submit a video of how the permission is used in your app in order to publish on Google Play if they detect it in your manifest.

        The acceptance criteria made sense for our app (it displays your phone’s notifications on your smart glasses HUD, and users need a way of selecting which apps can/can’t display notifications). I don’t know how HSBC justifies it though.

        • jqpabc123a month ago
          The user doesn’t get prompted and explicitly grant permission for it like they would for something like MICROPHONE

          Why implement this in such an anti-privacy way that side steps the user?

          Answer - see the original post above.

      • wolvoleoa month ago
        Still, I have had issues with this too. My work uses an antimalware app when you use BYOD. Fine, but that app (lookout for work) installed in the work profile, and it complained that I had a tracking blocker (trackercontrol.org) installed in the MAIN profile :( This really pissed me off. Not only is an app in the work profile not supposed to even look at what I've got installed on the personal side, but it's actually a legit app. There's nothing wrong with tracker control. And it comes from a legit source, the Oxford university. The lookout guys are just being obstinate blocking it.
      • jqpabc123a month ago
        I am wondering what exploit HSBC is using

        Why was querying installed apps ever allowed? Why is an exploit or permission available now?

        Answer --- see the original post above.

        • SpicyLemonZesta month ago
          You don’t think your phone should let you run certain programs, even with elevated permissions?
          • mindslighta month ago
            Sure, but framed that way you also need to be able to run programs that think they have higher permissions even though API calls are returning mocked/sanitized data. And more generally, the ability to run programs with high permissions that can completely modify the behavior of other lower-permissions programs (eg HSBC).
          • jqpabc123a month ago
            Were elevated permissions granted by the user in this case? If so, then this entire discussion is baseless.
  • vrightera month ago
    mine doesn't work because of kde connect, and an open source keybooard i slightly modified and rebuilt myself
    • parlortricksa month ago
      What keyboard did you modify and why?
      • vrightera month ago
        I use a keyboard called PentiKeyboard. It's a chorded keyboard. It allows you to place 6 buttons (shown in outlines) overlaid on top of the whole screen.

        It had 2 features I wanted to remove. If you swipe in empty space, you can use it to adjust the screen brightness. I kept triggering this accidentally and each time it disabled auto-dimming on the system. And the other feature is that when the keyboard is open, the volume buttons are repurposed, I wanted them to remain working normally.

  • burnt-resistora month ago
    It only works when narco-trafficking money laundering apps are installed.

    That's why it doesn't work.

  • fortran77a month ago
    I think it may be because of a sideloaded app. That does seem like a more reasonable thing to warn about.
    • wryoaka month ago
      Warn? Yes. Refuse access? No.

      I would close my bank account over this. That’s not saying much though because they literally pay you to open new bank accounts these days…

      • tim333a month ago
        If the sideloaded app manages to hack HSBC and steal the customers money they are going to have a demand to refund the customer a bunch of money. I can understand their position.
        • protimewastera month ago
          I understand that, but the thing I've never understood is that banking apps only care about meaningless measurements like whether a device passes Play Integrity. I have a tablet that passes Play Integrity but is also over 6 years behind on security updates. That device should not be allowed to run banking apps.

          Why not refuse to run on devices that don't have current security updates? How useful is Play Integrity actually for avoiding these types of problems?

      • walthamstowa month ago
        If you cared even slightly about the app, you wouldn't have a HSBC account anyway, you'd have Starling or Monzo or maybe Revolut
        • wolvoleoa month ago
          Most banks now require their app for MFA for payments, sadly. They used to offer these "calculator" devices but most banks I know of in my country now require their app. Which sucks for me because I don't want to have my authenticator on a hackable internet-connected device.
          • vrightera month ago
            and as soon as you login to their app once, that other key gets invalidated.

            It took weeks to convince them to switch me back to that key because they couldn't understand the concept that their app refused to run on my phone

            • wolvoleoa month ago
              Yeah here they just sent an email "from <date> onwards all verificators are revoked, from now on you must use the app" :(
      • wolvoleoa month ago
        Yes the problem is when all banks start doing this BS though.
    • unixheroa month ago
      This is a freedom we have on Android