That's Google's SafeNet. HSBC picked a level that causes this. Google manages the blacklist of apps.
We are rapidly losing our freedoms to the will of these companies. If they decide they don't want to they can even if the law doesn't forbid it.
People in Switzerland and the EU are being de-banked by local banks because of US pressure allowing them to force any bank that wants to use USD. The US has started to sanction people for free speech resulting in de-banking.
Swiss law requires one bank (Postfinance) to offer banking regardless, but if you are sanctioned you can't use the wire system, no other currencies, no credit cards and you can't use Twint either, so it's in effect useless. You can't pay for your health insurance or rent.
The real issue is that most "legacy" banks have to comply with stupid regulations that force them to come up with these stupid solutions.
Banks are lazy and find the quickest way to comply with said regulations - simply by enabling Google Play Integrity.
About the whole US thingie - yes, that's true, and it's what happens if you get sanctioned. I'm pretty sure russians (and other people from sanctioned countries) have similar limitations elsewhere.
In Switzerland US nationals have huge problems in opening accounts because of the whole bank secrecy law that allowed many americans to hide money from the IRS in Switzerland.
I use GrapheneOS in Switzerland and am yet to find a bank or financial app that doesn't work. ZKB, UBS, Cembra, BEKB, SGKB, WIR, N26, Revolut, debiX+, SaxoTrader, Swisscard, various TWINT apps, YAPEAL and Yuh are all installed on my phone right now and all work. Most of them don't use the Play Integrity API at all and the few that do are satisfied with the minimal level that's satisfied by GrapheneOS.
The catch is that you need Google Play Services installed and for many, you need to disable GrapheneOS' "Secure App Spawning" feature, which often trips root detection heuristics.
I know many Russians living here and when sanctions came in, their accounts became unable to receive deposits until they provided evidence of a valid residence permit. Some have problems during permit renewals as well but overall, it's nothing like as bad as it is for Americans.
This goes beyond simply using Play Integrity, which normally just does remote attestation of the operating system. The next level is allowing an app to check its own package for modifications or installation from an unapproved source, but this goes beyond even that and gives the app the ability to check where a third-party app came from.
>"legacy" banks have to comply with stupid regulations
In the UK "banks are required to refund unauthorized payments". Is that a stupid regulation? I quite like it but you can understand why it would make the banks worry about being hacked.
If they get enough complaints "the app doesn't work, please fix it or close my account" they'll fix it because they don't want to close more than a few accounts.
> and the EU are being de-banked by local banks because of US pressure allowing them to force any bank that wants to use USD
What is this about? I'm a EU citizen, never heard about any EU citizen getting removed from any EU bank because of USD. Nor have I heard anyone being sanctioned by the US in the EU unless they're Russia-related somehow. Is there any link to a story about this?
People investigating Israel for war crimes tend to get sanctioned by the Americans. Because European banks don't have the necessary guardrails to block an individual account from participating in their American-facing banking operations, they have to choose between being sanctioned themselves or kicking out their America-sanctioned customers.
The real solution is for them to fix their shitty systems but I don't think a handful of judges, lawyers, and human rights activists are important enough for them to make that investment.
Yeah absolutely - I have an account with mBank in Poland and I got a letter from them saying that I need to declare if I'm a "tax person" in the US and if yes then unfortunately they will be forced to close my account as they would have to report all of my banking to some US institution and that's not worth the hassle of having me as a client.
Scan the German press, there are several cases.
Esp in the last weeks:
Interesting is - it started with right-wing people getting de-banked, now left-wing people are following for whatever reason.
> We are rapidly losing our freedoms to the will of these companies
which companies? google? I'm the first to blame them for almost anything, but how about Postfinance, twint, health insurers, landlords, all those companies you mention? shouldn't they offer ways to do business with them that does not involve some third party? - for example, OP mentions that hsbc website still works for them on android, this is more than what can be said of other banks that basically removed certain "sensitive" features from their homepages. Or practically all the neobanks who 100% rely on apps.
Even those governments you mention: how hard/easy do they make for citizens to engage in commercial activity without relying on third parties or adversarial systems?
I know the argument used by all of them - companies, governments: we are just "following the rules enforced on us (as interpreted by our lawyers)".
Everyone goes to the "simplest" target - Google in this case - to blame for the status quo, but Google is in this position because everybody else - consumers, companies, governments, etc - buys into the "convenience" and neglects everything else.
> Everyone goes to the "simplest" target - Google in this case - to blame for the status quo, but Google is in this position because everybody else
Eh, I think we ought to dole out our ire in accordance with the damage. All are responsible to varying degrees, but Google is the most powerful, and has the greatest ability to curb bad behavior if they wanted to, so they get and deserve the most blame second only to the governments that let them become that powerful.
1) An iPhone Se 2022 that I use for TOTP, banking and auth. It is always in airplane mode, unless I need to login to banks (etc). The OS will receive security updates till 2032.
2) A Pixel phone with GrapheneOS for daily use: Internet browsing, routing, phone, message etc.
I can't find anything about this in the API docs for either the old SafetyNet or its replacement (Play Integrity), can you show a source for this being related to SafetyNet? I'd like to see more details on this API and the apps it blocks.
Do you think US pressure is behind the push for online censorship across the West? It seems to be a coordinated effort in many countries, whatever it is.
The US doesn't need to pressure other nations to apply online censorship, because Facebook, Reddit, Instagram, Twitter, Youtube, Twitch, Google and Apple app stores, Steam and suchlike are all American, and censored in line with American norms.
Concerning an apparent coordinated effort it might be more complicated than that. The EU and Australia have always been on the verge of sweeping censorship. Look up "Zensursula" [1][2] and the censorship list that was about to be introduced in 2008 and that, for legal reasons, was illegal to even be looked at by journalists. Back then there was significant public backlash and also indirect criticism by the US government [3].
Today there is no such criticism from the US because censorship is something that is also of an interest to the christian backers of the current government.
When the cat is out of the house, the mice dance on your dinner table.
Of course it is. Trump is actively trying to censor LGBTQ events and DEI at European companies, they will get blacklisted from selling anything to the US federal government.
They flag "sideloading" - or anything installed by anything outside of their store.
They don't always flag it. Only when SafeNet is set to paranoid levels. However, sideloading is considered a risk for some reason. Even if sideloading is a synonym for "installing".
When it comes to this kind of thing, an injury to one is an injury to all and we need to not tolerate it. At minimum, we need regulations guaranteeing that Visa and MasterCard, as well as participating banks, aren't allowed to debank anyone without judicial oversight. Make the same true of apps: call it a Banking Access Tribunal.
> People in Switzerland and the EU are being de-banked by local banks because of US pressure allowing them to force any bank that wants to use USD
That's not quite accurate.
American citizens will indeed have a very hard time opening a bank account in Switzerland. But the reason is not so much free speech as FATCA (Foreign Account Tax Compliance Act) [0] [1]
The requirements to host bank accounts for Americans are so onerous that banks rather forgo business with such clients than having to deal with the legal mess it incurs.
Another reason for a bank not wanting to deal with customers are if they are on a sanctions list. People winding up on such lists usually don't do so, because they said something nasty about Mr. Trump.
This, alas, may change if you look who got sanctioned in recent times just for raising the ire of the president (such as EC commissioners or ICC judges).
Any sovereign country can come up with whatever sanctions they want. The only reason the US ones have such broad reach, particularly in Europe, is due to Europe's hopeless reliance on the US financial system, infrastructure and capital. Stop using eurodollar and US debt markets and sanctions would be much less impactful.
>Swiss law requires one bank (Postfinance) to offer banking regardless, but if you are sanctioned you can't use the wire system, no other currencies, no credit cards and you can't use Twint either, so it's in effect useless. You can't pay for your health insurance or rent.
What's funny is that this particular jurisprudence was actually enforced due to a Russian oligarch (Vekselberg) on a C permit.
I am not sure regarding the rent and the health insurance, the health insurance especially as it is a legal requirement.
>The US has started to sanction people for free speech resulting in de-banking.
The sanctioned people were "hate-speech" fighters. Which is the most Orwellian branch of Brussels machinery. While it irks me on a pure power level, you could hardly imagine people more deserving to be taken a couple of pegs down.
I can confirm that the Postfinance app doesn't work on graphene. I left some feedback and they said they're working on it so maybe there is hope. But as such I need to keep an old iphone around for banking apps.
Also being an American in Switzerland trying to do banking is eye opening. Local banks mostly tell you to pound sand when they find out you're American. Regardless of this or that administration, the US is really totalitarian when it comes to finance and taxes.
To play devil's advocate for a moment, could this not be a risk?
Is Google implementing a rule which blocks any 3rd party app which wants access to things like the keystore (which could be reasonable), or are they deliberately blocking Bitwarden?
Yes you might, because Bitcoin doesn't solve anything correctly (notably, its value is so volatile it can't be relied upon), while consuming an absurd amount of energy.
By design, it made its first users stupidly rich, which is not a good characteristic.
More importantly, it's a technical solution for a societal issue (aka, it's not at all a solution).
Plenty of UK banks that don't require this, and whose apps will also work on a rooted device. Monzo will display a warning that sets out the fact there's an increased risk, and then lets you be an adult and choose to continue to use the app if that's what you want to do.
The best part is that the Current Account Switching Service makes it very easy to make the jump from a legacy bank like HSBC.
This was not my lived experience. I wanted to use the most common banks and most would not let me use it.
Chip contacted me at one point via their live assistant randomly without my doing and told me to stop using the app because they would soon be enforcing that rooted devices would no longer work. I continued to use the app rooted and nothing came of it.
Barclaycard, Nationwide and others don't let you use the app or require some circumvention of their detection to allow access.
Sure there are plenty of other apps, but those apps and banks have a worse product I found.
They've all started cracking down, in the past year the Barclays and Lloyds app have broken on my phone.
TSB still works for now, but even for a bank they're technologically incompetent so I'm going to just assume they're behind the curve rather than willingly not using SafetyNet.
The only one I would bank on still working in the future is Monzo, since, like you say, they detect it and just give you scary warning and let you continue.
Barclays have always played silly games with this stuff, they used to fund a whole team whose job it was to waste time on security theatre (this was nearly ten years ago).
If you've ever built a website for mobile but never heard of PWAs (Progressive Web Apps), I recommend checking them out. In essence, adding 2 files can make the site installable from a mobile browser and define caching behavior for offline functionality.
1. manifest.json: a JSON file that defines the app's name, icons, theme colors, and how it should launch when installed.
2. Service worker: a JS file that controls things like resource caching for offline usage
Unfortunately PWAs don't receive first class support compared to native apps. Still, I still hope to see wider adoption. I think for many not-too-complex apps, they can significantly lower the cost of development, and the development experience could be as simple as
- Building with HTML + JS + CSS. No clunky SDKs, reduced need to test on painfully slow emulators or expensive physical devices
- Installable from a browser. No need to maintain a listing in the Playstore/App Store, avoiding policy headaches, rent, etc.
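The two pieces listed above, as an added example written in JavaScript (this is not code from the thread or from any project it mentions): a manifest object and the service-worker fetch logic. The file paths, the cache name and the banking-style `/api/` prefix are assumptions. The example goes one step past the comment: anything under `/api/` is served network-only so account data never lands in the browser cache, and the routing decision is a pure function so it can be exercised outside a browser.

```javascript
// Added example: minimal PWA pieces plus a cache strategy that keeps account
// data out of the cache. Paths and names are assumed, not taken from the thread.

// 1. manifest.json, expressed as a JS object. Serve JSON.stringify(manifest)
//    at /manifest.json and reference it with <link rel="manifest" href="/manifest.json">.
const manifest = {
  name: "Example Online Banking",
  short_name: "Banking",
  start_url: "/",
  display: "standalone",
  theme_color: "#003366",
  background_color: "#ffffff",
  icons: [
    { src: "/icons/icon-192.png", sizes: "192x192", type: "image/png" },
    { src: "/icons/icon-512.png", sizes: "512x512", type: "image/png" },
  ],
};

// 2. Service worker logic. The app shell is precached; everything under /api/
//    is network-only so balances and statements are never written to the cache.
const CACHE_NAME = "app-shell-v1";
const APP_SHELL = ["/", "/index.html", "/app.js", "/app.css"];

// Pure routing decision: which strategy applies to a given URL.
function routeStrategy(urlString) {
  const { pathname } = new URL(urlString, "https://example.invalid");
  if (pathname.startsWith("/api/")) return "network-only";
  if (APP_SHELL.includes(pathname)) return "cache-first";
  return "network-first";
}

// `cache` must offer match(url) and put(url, response); `fetchFn(url)` returns a
// response object with an `ok` flag. Both are injected so the logic runs anywhere.
async function handleFetch(url, cache, fetchFn) {
  const strategy = routeStrategy(url);
  if (strategy === "network-only") return fetchFn(url);
  if (strategy === "cache-first") {
    const hit = await cache.match(url);
    if (hit) return hit;
    const res = await fetchFn(url);
    if (res.ok) await cache.put(url, res);
    return res;
  }
  // network-first: try the network, fall back to a cached copy when offline.
  try {
    const res = await fetchFn(url);
    if (res.ok) await cache.put(url, res);
    return res;
  } catch (err) {
    const hit = await cache.match(url);
    if (hit) return hit;
    throw err;
  }
}

// Register the handlers only when actually running as a service worker.
if (typeof self !== "undefined" && typeof self.addEventListener === "function" && "caches" in self) {
  self.addEventListener("install", (event) => {
    event.waitUntil(caches.open(CACHE_NAME).then((c) => c.addAll(APP_SHELL)));
  });
  self.addEventListener("fetch", (event) => {
    event.respondWith(
      caches.open(CACHE_NAME).then((c) =>
        handleFetch(
          event.request.url,
          { match: (u) => c.match(u), put: (u, r) => c.put(u, r.clone()) },
          () => fetch(event.request)
        )
      )
    );
  });
}
```

The `put` adapter clones the response before caching so the original body is still readable when it is returned to the page; that clone is the only browser-specific detail in the strategy code.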
PWAs have been around for several years, and have never caught on despite all the discussion about the evils of app stores, drama with side loading, etc. They're a fine solution, but not a good fit if you're expecting "normal" users to use the app.
Also, iOS really appears to go out of their way to make them work worse. For example, not loading new versions predictably, and the address bar not minimizing like it does on normal websites. I am sure there are many more.
My wife has tried to use a flip phone just for nostalgia's sake and she has a newer phone that supports android 14 (technically android go 14) and thus should work with most basic apps. However, one of her banking apps refuses to work claiming an app is screensharing (the POSB bank app thankfully identifies it as the "android system" app.) Likely what is occurring, I think, is that the second screen is drawn using some sort of thing that is reported as screen sharing, that POSB thinks could be malware.
Of course, asking POSB for help has led to nothing being done. By and large the biggest threat to people finance-wise in singapore isn't malware but scams (what is called "pig butchering" in America is rampant here); whilst malware is always a threat, sometimes I feel like just refusing to function is a problem due to overzealous vigilance against a low probability threat.
Ditch apps on your phone and pick banking that gives good, robust online banking. I was cut off by Starling for something similar and had to choose between a factory reset of my phone and my bank. I explained that my phone had free software on it, some of which I'd written, and it made no difference.
Apps are a tool of control and surveillance and it is time we stopped tying ourselves to them. Dumb phones or degoogled operating systems (like e/OS/) are probably the answer here.
I had rooted the phone and it gave me 90 days to reset with no extension at the end. I moved to the co-op bank, which is sufficiently old school that proper web based online banking is very important to them. Their products are a bit less advanced but I don't miss starling.
They did indeed. I had to call customer services to get the account closed. The app being the only way to interact with the account, I was left without funds for days.
HSBC still operate a perfectly functional website for banking.
The more people who continue to use this, the better. It sends a clear signal that customers prefer the open web over restrictive and inconvenient mobile apps.
I’m also hanging on to my bank’s physical RSA fob as my 2FA, instead of using their app based version.
At least in UK, you'll need a physical token to do that. And you can't have both app and token. So if you had an app that is now not working, it'll take some time to get a token and restore your bank access.
There is actually mobile banking for these cases. Which at least for HSBC requires your account details, a (Up to? I don't know the minimum) 10 digit (numeric) pin and you have to say "My Voice is My Password" which sounds like complete theatre.
It's still possible, you just need to declare which other apps you query for. Even then, there are loopholes that still let you query for all apps installed on the device.
> Apps that have a verifiable core purpose facilitating financial-transactions involving financially regulated instruments (for example, dedicated banking, dedicated digital wallets) may obtain broad visibility into installed apps solely for security-based purposes.
> Real-money gambling apps where the core purpose of the app is real money gambling and where the app requires broad package visibility in order to comply with technical standards mandated by applicable geofencing regulations.
I presume that's to allow the gambling apps to make sure you don't have a location spoofing app installed?
> I assume HSBC are using the "antivirus" use case.
There's an exception for banking apps
> Apps that have a verifiable core purpose facilitating financial-transactions involving financially regulated instruments (for example, dedicated banking, dedicated digital wallets) may obtain broad visibility into installed apps solely for security-based purposes.
Tangentially related, but some banking apps also implement their own in-app keyboard in their password fields, making password managers unusable and basically forcing me to use an easy to remember (to guess) password.
Yup, mine does this, even on the web. Oh god French banks do love their scrambled-digit-keyboards. And boy do they love 6 to 8 digits passwords. That you have to click on using your mouse. No password manager required!
Their app also likes to prompt me periodically for the password instead of the phone's biometrics, which would be good, except it always happens in a public place like the subway, which is the last place I'd want to enter a 6 digit code to my bank account on a scrambled visual keyboard which slows down typing to a point it's trivial to write down (instead of letting muscle memory do its job). Also, it seems like those apps did not get the ATM memo of giving visual/audio feedback on a random delay to user input, to y'know, not letting glancers know what you actually type.
AFAIK this trend of visual scrambled keyboard on the desktop started when keyloggers were rampant. They quickly adapted to screenshot the 20px around the mouse on click when on a bank website. The banks never adapted.
One of them has that “scrambled visual keyboard” for an 8-digit password, and at the same time proposes a passkey as an alternative on desktop. Go figure.
This is only going to get worse as nepotistic brogrammers continue to take over the industry and gish gallop their bullshit over the experienced developers.
On the same tangent. My former bank forced me to use a 6 - 8 digit password with only numbers allowed. Not sure if in the few years since I am not a customer anymore, they changed this policy, though.
My country launched an identification app (https://mygov.be/) that does the same thing. I have no idea what they're trying to achieve. Security through obscurity? Trying to piss off power users?
I'm a developer and use adb and some dev settings daily. Annoying af to have to disable developer mode constantly.
It's fundamentally client-side security: the phone tells the server "no, I haven't been rooted" and the server believes it.
Any security system that relies on any form of client-side security is going to have other problems as well, since its designers haven't grasped this basic principle.
Isn't it funny how most banking apps do all this borderline malware crap, yet most banks also have online banking that you use through a web browser that they have no technical means of "trusting"?
Keep in mind this is also often caused by arbitrary "security" consultants that crap out a list of stuff you need to implement. Like jailbreak detection and the like.
One I repeatedly got back in the day was hilarious: "After uninstalling the app credentials stay present in the keychain". Yes thanks genius, I don't get to run code on uninstall.
I recently came across Open Web Advocacy (OWA) who summarize my mobile-platform concerns well. They "advocate for the future of the open web by providing regulators, legislators and policy makers the intricate technical details that they need to understand the major anti-competitive issues in our industry and how to solve them."
Their top 3 priorities:
1. Apple's ban of third party browsers on iOS is deeply anti-competitive
2. Web Apps need to become just Apps. Apps built with the free and open web need equal treatment and integration. Closed and heavily taxed proprietary ecosystems should not receive any preference.
3. All artificial barriers placed by gatekeepers must be removed. Web Apps if allowed can offer equivalent functionality with greater privacy and security for demanding use-cases.
We can't let banking apps invade our property.. things like banking apps need so much control in order to be secure that they need to exist on dedicated devices.
Bank security has and never had anything to do with real security. It's all stupid audit checkboxes and missing forest for the trees. I've dealt with PCI and similar auditors and I wouldn't trust them with my gym locker combination.
My only solution is to have multiple accounts, spread the risk, and rely on legal protections and bailouts when they inevitably screw up.
In Spain (I think the whole Hispano-America by proxy) the BBVA's banking app just allows a 6 char long password. This is bullshit. Also, if you try to root the smartphone the app might disable itself.
I'm tired of this. Can't wait to a good cyber attack from Russia+China so the whole security theater crumbles down (and in China too because of the social credit) until the civil rights get restored back.
That's not really necessary, though I understand why banks are doing this when they're held responsible for their customers' inability to spot fraud before hitting the "transfer my life savings into a Bitcoin wallet" button.
Having a dedicated "banking device" is a good solution for power users, though I'd probably just switch banks if my bank tries to pull that bullshit on me.
Bitwarden is installed via F-Droid from the official Bitwarden repository and is a build provided directly from Bitwarden. F-Droid does not provide a build of Bitwarden.
Whatever. They're just going to tie it to age verification, so it's only more control, only of the EU flavour. Might be an alternative for some people though.
I've worked with digital and smart tachographs and seen their security implementation. Its not pretty, mirrors EU bureaucracy. If Franz Kafka wrote specs, those would be it.
Problem is that you need to buy a new one of them once they do not get updated anymore, and the apps start requiring newer versions of android.
But yes, this seems like the best possible option - also it enables the extra security through clean separation, as long as the phone is dedicated for that use case only.
Most of them switched to stupid apps described above. 6 to 8 char passwords, 6 char PIN codes etc. I don't know how they pass security audits, unless the audits are merely a protection tax.
Most banks do this, they won't let the app run if you have developer mode turned on as well, even if you're not using it for root (or anything else in the developer menu)
It originally contained a screenshot of a full-screen notice displaying:
We've introduced additional checks to protect your account. The following apps have been downloaded from unofficial app stores.
Your access to the HSBC UK Mobile Banking app has been suspended on this device until you've taken action to restore it.
Identified apps:
- Bitwarden
How do I restore access?
- Uninstall the identified apps from your device and download again from the default device app store, eg Google Play or Galaxy Store.
For further assistance, please visit https://www.hsbc.co.uk/contact/
Banks in the UK take partial liability for their customers succumbing to scams, and refund lost funds unless customers go out of their way to ignore warnings.
Loss of control of devices is undeniably part of the scam lifecycle. Faking and intercepting messages from banks is a large part of that. An antivirus needs global permissions.
All of that being true, you don't have to be a contortionist to understand why they might want to lock down client devices as far as they can. Google happens to offer them an easy method.
Why should a bank be ever able to dictate what the user does with their device legitimately? They can't do so on the web through browsers, that is fine, why are we excusing this on phones?
Next up banks will start requiring out MDM enrollment? Is that equally understandable? Where do you draw the line?
It's unnecessary and intrusive to apply these methods unconditionally and on everyone.
> Why should a bank be ever able to dictate what the user does..
I'll deliberately answer early: because they're on the hook for your mistakes.
Your bank dictates security terms. This isn't new. They can demand you appear in person with multiple forms of identification. They can (and have) demanded you use 2FA hardware they provide. They can withdraw service if they think you're a risk to their business.
If I suddenly found myself with billions in potential liabilities, I'd do absolutely everything to ban footguns. Apps with system access installed from insecure sources. Yeah, no thanks.
But the user needs to be able to override this faulty check, albeit my solution is to never let any app decide what I can have on my device by not installing the app.
EDIT: there's also Android Protected Confirmation that works in the TrustZone so apps can't display over that. It was made exactly for apps like banking apps, so they should use it.
This is "protect the users from themselves" as-a-feature to prevent scammers from using malware to obscure their scams. Letting the user override the warning would make the entire feature useless.
Using overlay permissions, it's relatively simple to trick someone into transferring money by overlaying a different UI that the malicious app makes the user type or paste into. I believe blocking access to the app while such an overlay is present makes a lot of sense. Trusting apps from Google Play to do this while blocking other install sources would be an obvious mistake, though.
I'd argue this feature shouldn't exist (because of things like the API you mention) but having a user override doesn't make sense here.
If Google can allow apps to block screenshot capability then it should also allow specific set of apps like financial apps having an option to block overlays too. It doesn't have to be all or nothing.
I'm getting a 404 on the original post, but on GrapheneOS you'll fail SafetyNet attestation, so you've got a totally different (worse?) problem if your goal is compatibility with abusive proprietary apps.
Probably not, because whatever Google is calling its remote attestation scheme this week (SafetyNet? Play Integrity?) has a way to check where the app was sourced and whether it has been altered.
Google is an asshole for making this. When Microsoft first proposed a scheme like that for PCs under the name Palladium, everyone knew it was a corporate power grab. Somehow, it got normalized.
At least in Switzerland banks can choose to not use Play Integrity, but they generally don't want to.
Yuh, which once was owned by both Postfinance and Swissquote, works without Play Integrity. Support for GrapheneOS is confirmed - see https://github.com/PrivSec-dev/banking-apps-compat-report/is...
Google are assholes for building this.
SafeNet != SafetyNet nor Play Integrity?
1 reply →
> and the EU are being de-banked by local banks because of US pressure allowing them to force any bank that wants to use USD
What is this about? I'm a EU citizen, never heard about any EU citizen getting removed from any EU bank because of USD. Nor have I heard anyone being sanctioned by the US in the EU unless they're Russia-related somehow. Is there any link to a story about this?
People investigating Israel for war crimes tend to get sanctioned by the Americans. Because European banks don't have the necessary guardrails to block an individual account from participating in their American-facing banking operations, they have to choose between being sanctioned themselves or kicking out their America-sanctioned customers.
The real solution is for them to fix their shitty systems, but I don't think a handful of judges, lawyers, and human rights activists are important enough for them to make that investment.
Judges and the Prosecutor at the International Criminal Court, for instance.
https://archive.is/DFHM6
Yeah absolutely - I have an account with mBank in Poland and I got a letter from them saying that I need to declare if I'm a "tax person" in the US and if yes then unfortunately they will be forced to close my account, as they would have to report all of my banking to some US institution and that's not worth the hassle of having me as a client.
"I'm an EU citizen, never heard about any EU citizen getting removed from any EU bank because of USD ..."
US and USD need not be involved - the EU does this on its own without any pressure:
https://www.swissinfo.ch/eng/foreign-affairs/former-swiss-in...
"As a result Baud will not be allowed to travel within EU countries and his assets in the Euro zone will be frozen."
His assertions are not particularly extreme and, without question, fall into the realm of protected, free speech.
This is orthogonal to whether you or I agree with what he is saying. Finding his views "dangerous" is an admission of profound weakness.
https://www.lemonde.fr/en/international/article/2025/11/19/n...
There were some other sanctions involving visas, but as far as I understand that did not affect the individuals' ability to bank: https://www.cnbc.com/2025/12/24/us-bans-visas-for-ex-eu-comm...
Here’s one also currently on HN front page: https://news.ycombinator.com/item?id=46432057
https://www.lemonde.fr/en/international/article/2025/11/19/n...
https://english.elpais.com/international/2025-12-28/the-comp...
It's on HN front page right now https://www.lemonde.fr/en/international/article/2025/11/19/n...
Unpaywalled link https://archive.is/20251203115217/https://www.lemonde.fr/en/...
> unless they're Russia-related somehow
This is doing a lot of work. At what point does a person stop being Russia-related, in your view?
Scan the German press, there are several cases, especially in the last few weeks. Interestingly, it started with right-wing people getting de-banked; now left-wing people are following for whatever reason.
Here's a German NGO that got debanked because of US pressure because they dare to be openly antifascist: https://rote-hilfe.de/meldungen/kontokuendigung-wegen-antifa...
Col. Jacques Baud (ret.) is a Swiss citizen living in Brussels.
Former intelligence agent, worked also with NATO.
[0] https://www.defenddemocracy.press/eu-sanctions-swiss-intelli...
[1] https://youtu.be/VwNH3FLeZLA
> We are rapidly losing our freedoms to the will of these companies
Which companies? Google? I'm the first to blame them for almost anything, but how about Postfinance, Twint, health insurers, landlords, all those companies you mention? Shouldn't they offer ways to do business with them that do not involve some third party? For example, OP mentions that the HSBC website still works for them on Android, which is more than can be said of other banks that basically removed certain "sensitive" features from their homepages. Or practically all the neobanks who 100% rely on apps.
Even those governments you mention: how hard/easy do they make for citizens to engage in commercial activity without relying on third parties or adversarial systems?
I know the argument used by all of them - companies, governments: we are just "following the rules enforced on us (as interpreted by our lawyers)".
Everyone goes to the "simplest" target - Google in this case - to blame for the status quo, but Google is in this position because everybody else - consumers, companies, governments, etc - buys into the "convenience" and neglects everything else.
> Everyone goes to the "simplest" target - Google in this case - to blame for the status quo, but Google is in this position because everybody else
Eh, I think we ought to dole out our ire in accordance with the damage. All are responsible to varying degrees, but Google is the most powerful, and has the greatest ability to curb bad behavior if they wanted to, so they get and deserve the most blame second only to the governments that let them become that powerful.
Since this year, I have two phones:
1) An iPhone SE 2022 that I use for TOTP, banking and auth. It is always in airplane mode, unless I need to log in to banks (etc). The OS will receive security updates until 2032.
2) A Pixel phone with GrapheneOS for daily use: Internet browsing, routing, phone, message etc.
I found this is the only usable way in 2025.
I can't find anything about this in the API docs for either the old SafetyNet or its replacement (Play Integrity). Can you show a source for this being related to SafetyNet? I'd like to see more details on this API and the apps it blocks.
It's more insidious than that. The US is actively working on dismantling the Swiss off-shore banking system. It started with US clients and expanded from there (see: https://www.privatebankerinternational.com/news/hsbc-swiss-p...)
Guess where all these un-banked HNWI are going and who is offering them a gold card to run their businesses from?
No idea, where will they go?
Dismantling off-shore banking is generally a good thing since I'd like the ultra rich to pay tax as that funds services that I use.
Do you think US pressure is behind the push for online censorship across the West? It seems to be a coordinated effort in many countries, whatever it is.
The US doesn't need to pressure other nations to apply online censorship, because Facebook, Reddit, Instagram, Twitter, Youtube, Twitch, Google and Apple app stores, Steam and suchlike are all American, and censored in line with American norms.
Concerning an apparent coordinated effort, it might be more complicated than that. The EU and Australia have always been on the verge of sweeping censorship. Look up "Zensursula" [1][2] and the censorship list that was about to be introduced in 2008 and that, for legal reasons, was illegal to even be looked at by journalists. Back then there was significant public backlash and also indirect criticism by the US government [3].
Today there is no such criticism from the US because censorship is something that is also of interest to the Christian backers of the current government.
When the cat is out of the house, the mice dance on your dinner table.
1: https://en.wikipedia.org/wiki/Zugangserschwerungsgesetz
2: https://en.wikipedia.org/wiki/Internet_censorship_in_Austral...
3: https://web.archive.org/web/20100123181634/http://www.abc.ne...
Of course it is. Trump is actively trying to censor LGBTQ events and DEI at European companies, they will get blacklisted from selling anything to the US federal government.
> HSBC picked a level that causes this. Google manages the blacklist of apps
What is Google's rationale for flagging Bitwarden?
They flag "sideloading" - or anything installed by anything outside of their store.
They don't always flag it. Only when SafeNet is set to paranoid levels. However, sideloading is considered a risk for some reason. Even if sideloading is a synonym for "installing".
An Italian citizen who was debanked essentially because Trump didn't like her:
https://english.elpais.com/international/2025-12-28/the-comp...
When it comes to this kind of thing, an injury to one is an injury to all and we need to not tolerate it. At minimum, we need regulations guaranteeing that Visa and MasterCard, as well as participating banks, aren't allowed to debank anyone without judicial oversight. Make the same true of apps: call it a Banking Access Tribunal.
> People in Switzerland and the EU are being de-banked by local banks because of US pressure allowing them to force any bank that wants to use USD
That's not quite accurate.
American citizens will indeed have a very hard time opening a bank account in Switzerland. But the reason is not so much free speech as FATCA (Foreign Account Tax Compliance Act) [0] [1].
The requirements to host bank accounts for Americans are so onerous that banks would rather forgo business with such clients than have to deal with the legal mess it incurs.
Another reason for a bank not wanting to deal with customers is if they are on a sanctions list. People winding up on such lists usually don't do so because they said something nasty about Mr. Trump.
This, alas, may change if you look who got sanctioned in recent times just for raising the ire of the president (such as EC commissioners or ICC judges).
[0] https://home.treasury.gov/policy-issues/tax-policy/foreign-a... [1] https://en.wikipedia.org/wiki/Foreign_Account_Tax_Compliance...
> because they said something nasty about Mr. Trump
Well that's outrageous, I'm sure you've got a list of such people ready to tell us about it.
Any sovereign country can come up with whatever sanctions they want. The only reason the US ones have such broad reach, particularly in Europe, is due to Europe's hopeless reliance on the US financial system, infrastructure and capital. Stop using eurodollar and US debt markets and sanctions would be much less impactful.
>Swiss law requires one bank (Postfinance) to offer banking irregardless but if you are sanctioned you can't use the wire system, no other currencies, no credit cards and you cant use Twint either so it's in effect useless. You can't pay for your health insurance or rent.
What's funny is that this particular jurisprudence was actually enforced due to a Russian oligarch (Vekselberg) on a C permit.
I am not sure regarding the rent and the health insurance, the health insurance especially as it is a legal requirement.
I'm 100% sure you can pay within Switzerland from your Postfinance account. I'd like to see some source for this...
>The US has started to sanction people for free speech resulting in de-banking.
The sanctioned people were "hate-speech" fighters. Which is the most Orwellian branch of the Brussels machinery. While it irks me on a pure power level, you could hardly imagine people more deserving to be taken a couple of pegs down.
I can confirm that the Postfinance app doesn't work on GrapheneOS. I left some feedback and they said they're working on it, so maybe there is hope. But as such I need to keep an old iPhone around for banking apps.
Also being an American in Switzerland trying to do banking is eye opening. Local banks mostly tell you to pound sand when they find out you're American. Regardless of this or that administration, the US is really totalitarian when it comes to finance and taxes.
To play devil's advocate for a moment, could this not be a risk?
Is Google implementing a rule which blocks any 3rd party app which wants access to things like the keystore (which could be reasonable), or are they deliberately blocking Bitwarden?
Yes it does. But my device, my choice. If I put my cash under my mattress instead of in a safe, that is my dumb decision.
Here on HN I will be downvoted to oblivion but well... let's be it:
There is no other way for us mortals than to go back to cash... Or start using Bitcoin. Be your own bank. Vote with your money.
Yes you might, because Bitcoin doesn't solve anything correctly (notably, its value is so volatile it can't be relied upon), while consuming an absurd amount of energy.
By design, it made its first users stupidly rich, which is not a good characteristic.
More importantly, it's a technical solution for a societal issue (aka, it's not at all a solution).
"sanction people for free speech"
Not sure how this is the top post on this thread, no links nothing but misinformation and FUD.
What happens in Switzerland to non US citizens is not a free speech issue no matter how you want to twist it.
Plenty of UK banks that don't require this, and whose apps will also work on a rooted device. Monzo will display a warning that sets out the fact there's an increased risk, and then lets you be an adult and choose to continue to use the app if that's what you want to do.
The best part is that the Current Account Switching Service makes it very easy to make the jump from a legacy bank like HSBC.
This was not my lived experience. I wanted to use the most common banks and most would not let me use it.
Chip contacted me at one point via their live assistant randomly without my doing and told me to stop using the app because they would soon be enforcing that rooted devices would no longer work. I continued to use the app rooted and nothing came of it.
Barclaycard, Nationwide and others don't let you use the app or require some circumvention of their detection to allow access.
Sure there are plenty of other apps, but those apps and banks have a worse product I found.
They've all started cracking down, in the past year the Barclays and Lloyds app have broken on my phone.
TSB still works for now, but even for a bank they're technologically incompetent so I'm going to just assume they're behind the curve rather than willingly not using SafetyNet.
The only one I would bank on still working in the future is Monzo, since, like you say, they detect it and just give you scary warning and let you continue.
Barclays have always played silly games with this stuff, they used to fund a whole team whose job it was to waste time on security theatre (this was nearly ten years ago).
If you've ever built a website for mobile but never heard of PWAs (Progressive Web Apps), I recommend checking them out. In essence, adding 2 files can make the site installable from a mobile browser and define caching behavior for offline functionality.
1. manifest.json: a JSON file that defines the app's name, icons, theme colors, and how it should launch when installed.
2. Service worker: a JS file that controls things like resource caching for offline usage
Unfortunately PWAs don't receive first class support compared to native apps. Still, I hope to see wider adoption. I think for many not-too-complex apps, they can significantly lower the cost of development, and the development experience could be as simple as
- Building with HTML + JS + CSS. No clunky SDKs, reduced need to test on painfully slow emulators or expensive physical devices
- Installable from a browser. No need to maintain a listing in the Play Store/App Store, avoiding policy headaches, rent, etc.
https://developer.mozilla.org/en-US/docs/Web/Progressive_web...
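As an added example (not code from the comment above or from any bank's app), here are the two pieces that comment describes: a web app manifest and a service worker that caches the static app shell for offline use while never caching authenticated API responses. The app name, paths, origin and cache name are assumptions; in deployment the manifest is its own JSON file and the worker is `sw.js`, registered with `navigator.serviceWorker.register("/sw.js")`.

```javascript
// Added example, not from the original comment. Hypothetical app, paths and origin.

// 1. manifest.json: served as JSON and linked from the page with
//    <link rel="manifest" href="/manifest.json">
const manifest = {
  name: "Example Online Banking",       // hypothetical app name
  short_name: "Bank",
  start_url: "/",
  display: "standalone",                // launch without browser chrome
  theme_color: "#004080",
  background_color: "#ffffff",
  icons: [{ src: "/icons/icon-192.png", sizes: "192x192", type: "image/png" }],
};

// 2. sw.js: the service worker. Only the static app shell is cached; API
//    calls are never cached, so account data is not written to persistent
//    storage on the device and is always fetched fresh.
const CACHE_NAME = "app-shell-v1";
const APP_SHELL = ["/", "/index.html", "/app.js", "/app.css", "/offline.html"];

// Decide how a request is handled. Pure function so it can be unit-tested.
function strategyFor(url, origin) {
  const u = new URL(url, origin);
  if (u.origin !== origin) return "network-only";            // third-party: never cache
  if (u.pathname.startsWith("/api/")) return "network-only"; // authenticated data
  return "cache-first";                                       // static app shell
}

// Serve a request using the strategy above. `cache` offers match/put like the
// Cache API; `fetchFn` is the network, injected so the logic also runs outside
// a browser for testing.
async function respond(request, cache, fetchFn, origin) {
  if (strategyFor(request.url, origin) === "network-only") {
    return fetchFn(request);
  }
  const cached = await cache.match(request);
  if (cached) return cached;
  try {
    const res = await fetchFn(request);
    if (res.ok) await cache.put(request, res.clone()); // clone: bodies are single-use
    return res;
  } catch (err) {
    // Offline and not cached: fall back to the precached offline page.
    const fallback = await cache.match(new URL("/offline.html", origin).href);
    if (fallback) return fallback;
    throw err;
  }
}

// Wire the handlers only when running inside a real service worker scope.
if (typeof self !== "undefined" && typeof self.addEventListener === "function" && self.caches) {
  self.addEventListener("install", (event) => {
    // Precache the app shell so the app can launch offline.
    event.waitUntil(caches.open(CACHE_NAME).then((cache) => cache.addAll(APP_SHELL)));
  });
  self.addEventListener("activate", (event) => {
    // Drop caches left by older versions of the app shell.
    event.waitUntil(
      caches.keys().then((keys) =>
        Promise.all(keys.filter((k) => k !== CACHE_NAME).map((k) => caches.delete(k)))
      )
    );
  });
  self.addEventListener("fetch", (event) => {
    event.respondWith(
      caches.open(CACHE_NAME).then((cache) =>
        respond(event.request, cache, fetch, self.location.origin)
      )
    );
  });
}
```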
PWAs have been around for several years, and have never caught on despite all the discussion about the evils of app stores, drama with side loading, etc. They're a fine solution, but not a good fit if you're expecting "normal" users to use the app.
Also, iOS really appears to go out of its way to make them work worse. For example, not loading new versions predictably, and the address bar not minimizing like it does on normal websites. I am sure there are many more.
Considering Mozilla’s flagship browser (Firefox desktop) doesn’t even support the feature, I don’t exactly take that as a good sign.
What? Firefox has supported the PWA standards for well over a decade at this point.
One of my old sites installed itself as a persistent PWA that made zero external network requests when relaunched.
My wife has tried to use a flip phone just for nostalgia's sake, and she has a newer phone that supports Android 14 (technically Android Go 14) and thus should work with most basic apps. However, one of her banking apps refuses to work, claiming an app is screen-sharing (the POSB bank app thankfully identifies it as the "Android System" app). Likely what is occurring, I think, is that the second screen is drawn using some sort of thing that is reported as screen sharing, which POSB thinks could be malware.
Of course, asking POSB for help has led to nothing being done. By and large the biggest threat to people finance-wise in Singapore isn't malware but scams (what is called "pig butchering" in America is rampant here). Whilst malware is always a threat, sometimes I feel like just refusing to function is a problem due to overzealous vigilance against a low-probability threat.
Ditch apps on your phone and pick banking that gives good, robust online banking. I was cut off by Starling for something similar and had to choose between a factory reset of my phone and my bank. I explained that my phone had free software on it, some of which I'd written, and it made no difference.
Apps are a tool of control and surveillance and it is time we stopped tying ourselves to them. Dumb phones or degoogled operating systems (like e/OS/) are probably the answer here.
Can you say more about what specific things you tripped over with Starling, and which bank you moved to? Worried I'll find myself in the same boat.
It does seem like Starling has gone out of their way twice to exempt GrapheneOS from their checks, but only after users complained: https://github.com/PrivSec-dev/banking-apps-compat-report/is...
I had rooted the phone and it gave me 90 days to reset with no extension at the end. I moved to the co-op bank, which is sufficiently old school that proper web based online banking is very important to them. Their products are a bit less advanced but I don't miss starling.
Would they not just let you keep the account but not use their app in that case?
Some banks only provide access via apps (at least in the UK), so losing access to the app also means you lose access to the bank account.
Starling is an app-only bank.
They did indeed. I had to call customer services to get the account closed. The app being the only way to interact with the account, I was left without funds for days.
HSBC still operate a perfectly functional website for banking.
The more people who continue to use this, the better. It sends a clear signal that customers prefer the open web over restrictive and inconvenient mobile apps.
I’m also hanging on to my bank’s physical RSA fob as my 2FA, instead of using their app based version.
At least in the UK, you'll need a physical token to do that. And you can't have both app and token. So if you had an app that is now not working, it'll take some time to get a token and restore your bank access.
I have both the app (“digital key”) and a physical RSA token with my bank in the UK.
There is actually mobile banking for these cases. Which at least for HSBC requires your account details, a 10-digit numeric PIN (up to? I don't know the minimum) and you have to say "My Voice is My Password", which sounds like complete theatre.
I thought Google removed the API that let you see other apps on the device. Maybe there's another API I'm not aware of though
It's still possible, you just need to declare which other apps you query for. Even then, there are loopholes that still let you query for all apps installed on the device.
But the HSBC app declares the "<uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>" permission, which requires explicit approval (https://support.google.com/googleplay/android-developer/answ...), but
> Apps that have a verifiable core purpose facilitating financial-transactions involving financially regulated instruments (for example, dedicated banking, dedicated digital wallets) may obtain broad visibility into installed apps solely for security-based purposes.
You can still request permission to use it for apps distributed via Google Play for a limited set of use cases:
https://support.google.com/googleplay/android-developer/answ...
which is then subject to Google reviewing and approving it.
I assume HSBC are using the "antivirus" use case.
Interesting, that also permits:
> Real-money gambling apps where the core purpose of the app is real money gambling and where the app requires broad package visibility in order to comply with technical standards mandated by applicable geofencing regulations.
I presume that's to allow the gambling apps to make sure you don't have a location spoofing app installed?
> I assume HSBC are using the "antivirus" use case.
There's an exception for banking apps
> Apps that have a verifiable core purpose facilitating financial-transactions involving financially regulated instruments (for example, dedicated banking, dedicated digital wallets) may obtain broad visibility into installed apps solely for security-based purposes.
Everyone knows all the apps on your phone
https://news.ycombinator.com/item?id=43518866
Tangentially related, but some banking apps also implement their own in-app keyboard in their password fields, making password managers unusable and basically forcing me to use an easy-to-remember (to guess) password.
Yup, mine does this, even on the web. Oh god, French banks do love their scrambled-digit keyboards. And boy do they love 6 to 8 digit passwords. That you have to click on using your mouse. No password manager required!
Their app also likes to prompt me periodically for the password instead of the phone's biometrics, which would be good, except it always happens in a public place like the subway, which is the last place I'd want to enter a 6 digit code to my bank account on a scrambled visual keyboard which slows down typing to a point it's trivial to write down (instead of letting muscle memory do its job). Also, it seems like those apps did not get the ATM memo of giving visual/audio feedback on a random delay to user input, to, y'know, not let glancers know what you actually type.
AFAIK this trend of visual scrambled keyboard on the desktop started when keyloggers were rampant. They quickly adapted to screenshot the 20px around the mouse on click when on a bank website. The banks never adapted.
One of them has that “scrambled visual keyboard” for an 8-digit password, and at the same time proposes a passkey as an alternative on desktop. Go figure.
That's incredibly primitive. It's about time some countries implemented proper digital IDs that would deprecate garbage approaches like these.
This is only going to get worse as nepotistic brogrammers continue to take over the industry and gish gallop their bullshit over the experienced developers.
On the same tangent. My former bank forced me to use a 6-8 digit password with only numbers allowed. Not sure if, in the few years since I stopped being a customer, they changed this policy, though.
Just begging for someone's date of birth, lol.
It will not work either if you have developer mode enabled.
These things the HSBC app does, I think, are overreaching.
My country launched an identification app (https://mygov.be/) that does the same thing. I have no idea what they're trying to achieve. Security through obscurity? Trying to piss off power users?
I'm a developer and use adb and some dev settings daily. Annoying af to have to disable developer mode constantly.
It's fundamentally client-side security: the phone tells the server "no, I haven't been rooted" and the server believes it.
Any security system that relies on any form of client-side security is going to have other problems as well, since its designers haven't grasped this basic principle.
I had to turn on developer mode just to reduce blur in Android 16. It's incredible that's locked behind a developer mode setting.
> It will not work either if you have developer mode enabled.
Many other banking apps in Singapore have this ridiculous restriction too, including Citibank.
The third-party "security framework" most of them use to pass audits is ridiculous.
Isn't it funny how most banking apps do all this borderline malware crap, yet most banks also have online banking that you use through a web browser that they have no technical means of "trusting"?
Keep in mind this is also often caused by arbitrary "security" consultants that crap out a list of stuff you need to implement. Like jailbreak detection and the like.
One I repeatedly got back in the day was hilarious: "After uninstalling the app credentials stay present in the keychain". Yes thanks genius, I don't get to run code on uninstall.
I recently came across Open Web Advocacy (OWA) who summarize my mobile-platform concerns well. They "advocate for the future of the open web by providing regulators, legislators and policy makers the intricate technical details that they need to understand the major anti-competitive issues in our industry and how to solve them."
Their top 3 priorities:
1. Apple's ban of third party browsers on iOS is deeply anti-competitive
2. Web Apps need to become just Apps. Apps built with the free and open web need equal treatment and integration. Closed and heavily taxed proprietary ecosystems should not receive any preference.
3. All artificial barriers placed by gatekeepers must be removed. Web Apps if allowed can offer equivalent functionality with greater privacy and security for demanding use-cases.
Website: https://open-web-advocacy.org/en/
We can't let banking apps invade our property. Things like banking apps need so much control in order to be secure that they need to exist on dedicated devices.
> things like banking apps need so much control in order to be secure
They don't. It's security theatre.
Bank security has never had anything to do with real security. It's all stupid audit checkboxes and missing the forest for the trees. I've dealt with PCI and similar auditors and I wouldn't trust them with my gym locker combination.
My only solution is to have multiple accounts, spread the risk, and rely on legal protections and bailouts when they inevitably screw up.
In Spain (and I think the whole of Hispano-America by proxy) BBVA's banking app just allows a 6-character-long password. This is bullshit. Also, if you try to root the smartphone the app might disable itself. I'm tired of this. Can't wait for a good cyber attack from Russia+China so the whole security theater crumbles down (and in China too, because of the social credit) until civil rights get restored.
"At <insert bank>, my voice is my password."
That's not really necessary, though I understand why banks are doing this when they're held responsible for their customers' inability to spot fraud before hitting the "transfer my life savings into a Bitcoin wallet" button.
Having a dedicated "banking device" is a good solution for power users, though I'd probably just switch banks if my bank tries to pull that bullshit on me.
Two phones: personal and gov id/banking/2fa phone
Second phone never leaves home.
Bitwarden is installed via F-Droid from the official Bitwarden repository and is a build provided directly from Bitwarden. F-Droid does not provide a build of Bitwarden.
Can't wait for the digital euro.
https://www.consilium.europa.eu/en/press/press-releases/2025...
https://www.ecb.europa.eu/press/key/date/2025/html/ecb.sp251...
I hope it will be part of the digital wallet initiative: https://github.com/eu-digital-identity-wallet
There is an active discussion there on NOT integrating the Play Integrity API or any other US-dependent remote attestation: https://github.com/eu-digital-identity-wallet/av-doc-technic...
Whatever. They're just going to tie it to age verification, so it's only more control, only of the EU flavour. Might be an alternative for some people though.
I've worked with digital and smart tachographs and seen their security implementation. It's not pretty; it mirrors EU bureaucracy. If Franz Kafka wrote specs, those would be it.
Getting a (cheap) dedicated device for banking purposes (perhaps without a sim card, wifi only) is a good way to «work around» this.
Problem is that you need to buy a new one of them once they do not get updated anymore, and the apps start requiring newer versions of android.
But yes, this seems like the best possible option - also it enables the extra security through clean separation, as long as the phone is dedicated for that use case only.
HSBC is on my list of the worst bank anyway. Just connecting to their online banking portal you feel like throwing up!
Isn't that the same bank accused of Mexican and Colombian drug cartel money laundering?
I use a separate phone for non-F-droid apps.
Never use a banking app on a phone especially since internet banking websites exist.
Most of them switched to stupid apps described above. 6 to 8 char passwords, 6 char PIN codes etc. I don't know how they pass security audits, unless the audits are merely a protection tax.
Don't have the issue here in central Europe, yet.
I switched away due to HSBC's final straw for me: being blocked due to not using the phone's built-in keyboard.
Apparently using an open source keyboard runs the risk of my keypresses being shared with a 3rd party. Unlike Google's keyboard?
Same reason here. It didn't like Florisboard.
Most banks do this, they won't let the app run if you have developer mode turned on as well, even if you're not using it for root (or anything else in the developer menu)
Source post deleted
It originally contained a screenshot of a full-screen notice displaying:
Banks in the UK take partial liability for their customers succumbing to scams, and refund lost funds unless customers go out of their way to ignore warnings.
Loss of control of devices is undeniably part of the scam lifecycle. Faking and intercepting messages from banks is a large part of that. An antivirus needs global permissions.
All of that being true, you don't have to be a contortionist to understand why they might want to lock down client devices as far as they can. Google happens to offer them an easy method.
Why should a bank be ever able to dictate what the user does with their device legitimately? They can't do so on the web through browsers, that is fine, why are we excusing this on phones?
Next up, banks will start requiring MDM enrollment? Is that equally understandable? Where do you draw the line?
It's unnecessary and intrusive to apply these methods unconditionally and on everyone.
> Why should a bank be ever able to dictate what the user does..
I'll deliberately answer early: because they're on the hook for your mistakes.
Your bank dictates security terms. This isn't new. They can demand you appear in person with multiple forms of identification. They can (and have) demanded you use 2FA hardware they provide. They can withdraw service if they think you're a risk to their business.
If I suddenly found myself with billions in potential liabilities, I'd do absolutely everything to ban footguns. Apps with system access installed from insecure sources. Yeah, no thanks.
Probably because Bitwarden has permission to overlay other apps and HSBC thinks it's malware stealing your access to your bank.
The HSBC app will not work with apps with overlay permission OR with apps installed from outside the Play Store.
I have stopped using the HSBC app and asked for a security device (which they will send you if asked) and use the website instead.
But the user needs to be able to override this faulty check, albeit my solution is to never let any app decide what I can have on my device by not installing the app.
EDIT: there's also Android Protected Confirmation that works in the TrustZone so apps can't display over that. It was made exactly for apps like banking apps, so they should use it.
This is "protect the users from themselves" as-a-feature to prevent scammers from using malware to obscure their scams. Letting the user override the warning would make the entire feature useless.
Using overlay permissions, it's relatively simple to trick someone into transferring money by overlaying a different UI that the malicious app makes the user type or paste into. I believe blocking access to the app while such an overlay is present makes a lot of sense. Trusting apps from Google Play to do this while blocking other install sources would be an obvious mistake, though.
I'd argue this feature shouldn't exist (because of things like the API you mention) but having a user override doesn't make sense here.
If Google can allow apps to block screenshot capability, then it should also allow a specific set of apps like financial apps to have an option to block overlays too. It doesn't have to be all or nothing.
I think from HSBC's risk management perspective, it's fairly reasonable
A bank refusing you access because of your accessibility settings (app overlay is one) is not reasonable.
It's worth trying to work around this by creating a work profile to isolate the apps.
404 error
GrapheneOS fixes this
I'm getting a 404 on the original post, but on GrapheneOS you'll fail SafetyNet attestation, so you've got a totally different (worse?) problem if your goal is compatibility with abusive proprietary apps.
HSBC is also one of the few apps that don't let you use it with iPhone Mirroring.
At least now it should be pretty easy for any tech person to patch the APK, removing this check.
Probably not, because whatever Google is calling its remote attestation scheme this week (SafetyNet? Play Integrity?) has a way to check where the app was sourced and whether it has been altered.
Google is an asshole for making this. When Microsoft first proposed a scheme like that for PCs under the name Palladium, everyone knew it was a corporate power grab. Somehow, it got normalized.