Hacker News

The HSBC app refuses to work if "Bitwarden" is installed on user's Android phone

36 points by fortran77 ago | 23 comments

jqpabc123 |next [-]

why does Google even allow HSBC to see the list of other installed apps?

Maybe because Google and it's products have little respect for user privacy?

Have you thought about using Aurora Store? You can usually see a list of the permissions the app requires before you install.

mindcrash |root |parent [-]

Maybe because Google and it's products have little respect for user privacy?

That's incorrect. Querying installed apps has been severely restricted (and thus mostly useless) and also requires a special nuclear-scale permission since Android 11.

I am wondering what exploit HSBC is using because I really don't think they are using official APIs for this.

alex1115alex |root |parent |next [-]

The QUERY_ALL_PACKAGES permission (what an Android app needs to see all the packages installed on your phone) is a little weird. The user doesn’t get prompted and explicitly grant permission for it like they would for something like MICROPHONE- having it in the app’s manifest alone is sufficient to query packages. However, Google Play Console does make you submit a video of how the permission is used in your app in order to publish on Google Play if they detect it in your manifest.

The acceptance criteria made sense for our app (it displays your phone’s notifications on your smart glasses HUD, and users need a way of selecting which apps can/can’t display notifications). I don’t know how HSBC justifies it though.

jqpabc123 |root |parent [-]

The user doesn’t get prompted and explicitly grant permission for it like they would for something like MICROPHONE

Why implement this in such an anti-privacy way that side steps the user?

Answer - see the original post above.

wolvoleo |root |parent |next |previous [-]

Still, I have had issues with this too. My work uses an antimalware app when you use BYOD. Fine, but that app (lookout for work) installed in the work profile, and it complained that I had a tracking blocker (trackercontrol.org) installed in the MAIN profile :( This really pissed me off. Not only is an app in the work profile not supposed to even look at what I've got installed on the personal side, but it's actually a legit app. There's nothing wrong with tracker control. And it comes from a legit source, the Oxford university. The lookout guys are just being obstinate blocking it.

jqpabc123 |root |parent |previous [-]

I am wondering what exploit HSBC is using

Why was querying installed apps ever allowed? Why is an exploit or permission available now?

Answer --- see the original post above.

SpicyLemonZest |root |parent [-]

You don’t think your phone should let you run certain programs, even with elevated permissions?

mindslight |root |parent |next [-]

Sure, but framed that way you also need to be able to run programs that think they have higher permissions even though API calls are returning mocked/sanitized data. And more generally, the ability to run programs with high permissions that can completely modify the behavior of other lower-permissions programs (eg HSBC).

jqpabc123 |root |parent |previous [-]

Were elevated permissions granted by the user in this case? If so, then this entire discussion is baseless.

vrighter |next |previous [-]

mine doesn't work because of kde connect, and an open source keybooard i slightly modified and rebuilt myself

parlortricks |root |parent [-]

What keyboard did you modify and why?

JumpCrisscross |next |previous [-]

Previous discussion: https://news.ycombinator.com/item?id=46431453

burnt-resistor |next |previous [-]

It only works when narco-trafficking money laundering apps are installed.

That's why it doesn't work.

fortran77 |previous [-]

I think it may be because of a sideloaded app. That does seem like a more reasonable thing to warn about.

wryoak |root |parent |next [-]

Warn? Yes. Refuse access? No.

I would close my bank account over this. That’s not saying much though because they literally pay you to open new bank accounts these days…

tim333 |root |parent |next [-]

If the sideloaded app manages to hack HSBC and steal the customers money they are going to have a demand to refund the customer a bunch of money. I can understand their position.

protimewaster |root |parent [-]

I understand that, but the thing I've never understood is that banking apps only care about meaningless measurements like whether a device passes Play Integrity. I have a tablet that passes Play Integrity but is also over 6 years behind on security updates. That device should not be allowed to run banking apps.

Why not refuse to run on devices that don't have current security updates? How useful is Play Integrity actually for avoiding these types of problems?

walthamstow |root |parent |next |previous [-]

If you cared even slightly about the app, you wouldn't have a HSBC account anyway, you'd have Starling or Monzo or maybe Revolut

wolvoleo |root |parent [-]

Most banks now require their app for MFA for payments, sadly. They used to offer these "calculator" devices but most banks I know of in my country now require their app. Which sucks for me because I don't want to have my authenticator on a hackable internet-connected device.

vrighter |root |parent [-]

and as soon as you login to their app once, that other key gets invalidated.

It took weeks to convince them to switch me back to that key because they couldn't understand the concept that their app refused to run on my phone

wolvoleo |root |parent [-]

Yeah here they just sent an email "from <date> onwards all verificators are revoked, from now on you must use the app" :(

wolvoleo |root |parent |previous [-]

Yes the problem is when all banks start doing this BS though.

unixhero |root |parent |previous [-]

This is a freedom we have on Android