
Comment by itsthecourier

5 hours ago

probably because bitwarden has a permission to overlay other apps and HSBC thinks it's malware stealing your access to your bank

The HSBC app will not work with apps with overlay permission OR with apps installed from outside the Play Store.

I have stopped using the HSBC app and asked for a security device (which they will send you if asked) instead, and use the website.

If Google can allow apps to block screenshot capability then it should also allow a specific set of apps, like financial apps, to have an option to block overlays too. It doesn't have to be all or nothing.

But the user needs to be able to override this faulty check, although my solution is to never let any app decide what I can have on my device by not installing the app.

EDIT: there's also Android Protected Confirmation that works in the TrustZone so apps can't display over that. It was made exactly for apps like banking apps, so they should use it.

  • This is "protect the users from themselves" as-a-feature to prevent scammers from using malware to obscure their scams. Letting the user override the warning would make the entire feature useless.

    Using overlay permissions, it's relatively simple to trick someone into transferring money by overlaying a different UI that the malicious app makes the user type or paste into. I believe blocking access to the app while such an overlay is present makes a lot of sense. Trusting apps from Google Play to do this while blocking other install sources would be an obvious mistake, though.

    I'd argue this feature shouldn't exist (because of things like the API you mention) but having a user override doesn't make sense here.
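The two defensive mechanisms raised in this subthread, an app refusing input while another window is drawn over it and Android Protected Confirmation for the transfer step, can both be used by the app itself rather than by refusing to run. The Java below is an added illustration written for this discussion; it is not HSBC's code, not Bitwarden's, and not from the original comments. The package, activity, key alias and transaction id are hypothetical, and the Android APIs used (`setFilterTouchesWhenObscured`, `Window.setHideOverlayWindows`, `ConfirmationPrompt`, `KeyGenParameterSpec.Builder.setUserConfirmationRequired`) are real platform APIs.

```java
// Added example for this thread (hypothetical banking app); not code from HSBC,
// Bitwarden or any commenter. Shows app-side overlay defences plus Android
// Protected Confirmation, instead of a blanket "overlay permission => refuse".
package com.example.bank; // hypothetical package

import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.security.ConfirmationAlreadyPresentingException;
import android.security.ConfirmationCallback;
import android.security.ConfirmationNotAvailableException;
import android.security.ConfirmationPrompt;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.widget.Button;
import java.nio.charset.StandardCharsets;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;

public class TransferActivity extends Activity {

    private static final String KEY_ALIAS = "transfer-confirm-key"; // hypothetical alias

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Button confirm = new Button(this);
        confirm.setText("Confirm transfer");

        // 1. Drop touches delivered while another window covers this view. The
        //    system marks such events FLAG_WINDOW_IS_OBSCURED; with this flag the
        //    view never acts on them (available since API 9).
        confirm.setFilterTouchesWhenObscured(true);

        // 2. Android 12+: ask the system to hide non-system overlay windows while
        //    this window is on top. Needs the normal manifest permission
        //    android.permission.HIDE_OVERLAY_WINDOWS.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            getWindow().setHideOverlayWindows(true);
        }

        confirm.setOnClickListener(v -> requestProtectedConfirmation("Pay 250.00 GBP to ACME Ltd"));
        setContentView(confirm);
    }

    // 3. Android Protected Confirmation (API 28): the prompt is rendered by the
    //    trusted UI, so no app overlay can cover or fake it. The user confirms
    //    exactly the text shown, bound to extraData (here a constructed txn id).
    private void requestProtectedConfirmation(String promptText) {
        if (!ConfirmationPrompt.isSupported(this)) {
            return; // no trusted UI on this device: fall back to a server-side step-up flow
        }
        byte[] extraData = "txn-0001".getBytes(StandardCharsets.UTF_8); // constructed sample
        ConfirmationPrompt prompt = new ConfirmationPrompt.Builder(this)
                .setPromptText(promptText)
                .setExtraData(extraData)
                .build();
        try {
            prompt.presentPrompt(getMainExecutor(), new ConfirmationCallback() {
                @Override
                public void onConfirmed(byte[] dataThatWasConfirmed) {
                    try {
                        // Sign the CBOR blob the trusted UI returned; the bank's server
                        // verifies the signature against the enrolled public key before
                        // moving any money. Sending both blob and signature is assumed.
                        byte[] sig = signConfirmedData(dataThatWasConfirmed);
                        submitToServer(dataThatWasConfirmed, sig);
                    } catch (Exception e) {
                        // log and abort the transfer
                    }
                }
                @Override public void onDismissed() { /* user declined: abort */ }
                @Override public void onCanceled()  { /* app cancelled: abort */ }
                @Override public void onError(Throwable e) { /* log and abort */ }
            });
        } catch (ConfirmationAlreadyPresentingException | ConfirmationNotAvailableException e) {
            // another prompt is up, or the feature became unavailable: abort
        }
    }

    // Keystore EC key that is unusable unless the data was confirmed through the
    // trusted UI; created once per device.
    private void ensureConfirmationKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(KEY_ALIAS)) return;
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_SIGN)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setUserConfirmationRequired(true) // API 28: signing needs a confirmed prompt
                .build());
        kpg.generateKeyPair();
    }

    private byte[] signConfirmedData(byte[] dataThatWasConfirmed) throws Exception {
        ensureConfirmationKey();
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign((PrivateKey) ks.getKey(KEY_ALIAS, null));
        s.update(dataThatWasConfirmed);
        return s.sign();
    }

    // Hypothetical network hook: POST blob + signature to the bank's backend.
    private void submitToServer(byte[] confirmedData, byte[] signature) { }
}
```

The point for the thread: steps 1 and 2 neutralise a covering window for this activity without caring which package holds the overlay permission, and step 3 moves the decisive "yes, pay this" interaction out of the app's own window entirely, so the bank's server can verify that the user saw and approved the exact amount and payee. Device support for Protected Confirmation is not universal, which is why the example keeps a fallback path rather than hard-failing.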

I think from HSBC's risk management perspective, it's fairly reasonable

  • A bank refusing you access because of your accessibility settings (app overlay is one) is not reasonable.

    • The problem (for the bank) is they are now liable in the UK[1] if you are defrauded because someone installs malware on the phone. There's basically zero upside for the bank to allow customers to use F-Droid, since probably 0.0001% of their customers would do this, compared to a vastly greater number of customers being tricked into installing random malware on their phones.

      Accessibility settings are a tricky one since that's a separate law. I wonder if they whitelist screen reader apps from the official app store. Anyway that's not the case in the original article.

      [1] https://www.bbc.co.uk/news/articles/cy94vz4zd7zo

    • risk management is all about what the bank is willing to trust. in this case it decided it was risky because it doesn't have any information on the provenance of your overlay, but you could source an overlay from somewhere they trust, like the default app store.