Comment by graemep
1 day ago
This sort of thing happens a lot. A few years ago a British bus company put certificates in the app to sign tickets.
The HSBC UK app will not run if you have any apps installed from outside play store. I cannot log into the website without the app. Luckily all I have with them is a lightly used credit card with a low limit so I have just stopped using it and rely on paper statement.
I find it disturbing that any app can examine your device in this much detail.
> I find it disturbing that any app can examine your device in this much detail.
When I did a tiny bit of Android development a few years ago, I was astonished how free the app I made was to just examine the file system. I assumed it would be like the web, where each website can have its own little SQLite database and cookie store equivalent, but that's it. I don't know if it's changed, or if it was just because I was in a "dev mode" somehow, but that was very surprising.
It has certainly been locked down a bit. This makes easily backing up all your data using some techniques harder/impossible.
I can't include podcasts in the backup I do via rsync via termux anymore, unless I switch to an app that uses a shared storage area instead, as termux can no longer read app directories, only its own and shared storage. You have to rely on each app that used app-local storage to have its own backup method. Not that I really care from the podcast PoV, hence I've done nothing about it, but it is a sign of apps being better sandboxed at the filesystem level than they used to be.
That doesn't make sense either - not an Android user or dev, but shouldn't there be a system level backup interface? Even if it's storing the app-local storage as an opaque blob with a label?
Is it not the same for computers? Most of the apps' data is accessible by all the apps. Mobile OSes came from the paradigm of the past, and as the way we use our phones changes, so does the way mobile OSes work. For a long time Android devs have wanted to obfuscate the disk from the user like iOS does but have faced pushback from users and developers, so in the end they created a permission where an app needs to ask permission to access the disk. Keeping the file system a black box or allowing user/apps to mess with it is a development question of the times: dumb it down or not. Then people here complain children don't know anything about computers these days. Well, yeah, because we have dumbed it down so much in the name of security and usability.
Definitely the same for computers. LOTS of software rely on saving data on "secret" locations for shareware-style trials.
macOS for one has been asking to allow access to specific folders. Other OSs are possibly starting to do the same, but it used to be a free-for-all.
By default you can `ls` almost anything on an entire drive.
That is how it works. Apps on Android and iOS can't access data outside of their container.
Afaik all apps on android have the ability to list directories across most of the "sdcard" file system even without storage permissions.
You could try getting them to give you a physical security key, they used to supply them and I think still will if you can't use the app (just say it doesn't work on your phone). I have one and the website still works with it.
Thanks, I was thinking of phoning and asking, but good to know there is some point in waiting in the queue to talk to someone!
If you're near a branch you can also just pop in and ask for one; might be faster. I did that when the battery ran out on my last one. There's no process upfront, you then have to pair it with your account. Well, you will probably have to convince them to switch your account to use a physical key - maybe that means you have to call anyway, I don't know.
This is terrifying to me, and part of the reason I've kept the little authentication calculator instead of moving to the app. Also the app won't work on root and has a fairly narrow range of Android versions it's compatible with.
I travel a lot and I would benefit from opening a "global money" account. However this requires the app, so I've never done it.
If they ever drop support for the physical authentication calculator, I will move to a different bank that doesn't require an app. Which is increasingly difficult these days.
It used to let you use it with a full-on rooted phone, it just popped up a message saying 'it's not our problem if you get robbed'
i wonder what caused the change
as others have said, you can ring them up and get a physical security key, it works for the website
> i wonder what caused the change
In many countries, if the consumer gets defrauded, the bank foots the bill.
I don't think the problem here is consumers getting defrauded by having an insecure rooted device. It's fraudsters using the mobile app APIs for nefarious purposes, and the best way to prevent that is to use SafetyNet and other similar mechanisms.
> and the best way to prevent that is to use SafetyNet and other similar mechanisms.
It's not the best way to prevent it. It's the easiest way for the bank to avoid liability.
The ugly truth of cybersecurity is that, in the real world, most of it is an exercise in shifting liability around and diffusing it. Making systems actually secure is not necessary.
The app works perfectly well on my device, parent comment is just mistaken.
I personally experienced the issue myself
The HSBC app runs fine on my rooted phone with a few magisk plugins and 5 marketplaces installed and a ton of sideloaded apps.
It used to work on my old phone. Stopped with new one. May depend on Android version or when you installed.
Do you happen to remember which bus company this was? Is there any article you can link me to as I'm quite interested in reading some more on it.
I think it was Arriva. Definitely one that operated in Manchester at the time. Cannot find a link.
Yes it is Arriva. Independently I also extracted all the ticket codes when I was a kid.
The app works for me just fine despite having lots of non-google play apps installed, is this an Android 15 thing?
It works fine for me on Android 15 with non-Google Play apps installed too.
Kind of ironic since you can't easily export data as an end user without some friction
The HSBC UK app runs perfectly well on my Android phone, including full biometrics, 2FA for the website and for major functionality like transferring money.
I have at least a dozen apps installed on my phone that are not from the Play Store - a mixture of other stores (Samsung/Epic) and apps that are not from any store but I've compiled myself, or downloaded APKs directly from the developer website.
This isn't true.