I just had an encounter of the turd kind with a banking app that I want to share.
I’m in the process of migrating to a new degoogled phone (GrapheneOS) and upon installing the app in question via Aurora Store, it gave me an error message, saying it had not been installed from a “trustworthy” source. It would, therefore, refuse to start and tell me to install it from the Play Store. (For anyone curious: it’s the Consorsbank app, and the issue is well-known at this point.)
In spite of being on GOS, I was faced with the prospect of
- installing Play Services Framework (sandboxed or not, I don’t want that shit)
- installing the Play Store (sandboxed or not, I don’t want that shit)
- logging in to the Play Store (I definitely don’t want that shit!)
only to run a damn app.
I eventually used USB-debugging and ADB to trick the app into thinking it had been installed from the Play Store.
So even though everything is running fine now, this doesn’t feel like a victory. For the first time in a long while, I feel I have come head to head with a piece of tech that was not just maladapted for my janky way of running things and just needed some tinkering. This was outright malicious, refusing operation and trying to force me to use services I want nothing to do with. It only gave me the option to either give in or walk away and stop using their services. Now, I don’t mind doing that for non-essential things. I don’t have big tech-owned messengers, I don’t have social media (save Lemmy) and all the other stuff people these days feel they cannot live without.
Banking, however, is a different kind of beast. Banking is essential. Second factor authentication is usually done via apps these days. And if this kind of thing becomes normal for banking apps, and Google keeps locking down Android so hacks like the above won’t be accessible any more, things are looking grim.
Tonight has left me with more questions than answers. Is Android still the ‘right’ ecosystem? What are the alternatives if this thing becomes more widespread? How do we combat this? Put pressure on banks to keep technologies open? Revert to physical second factor generators, until those become phased out by banks as well?
I’ve also had an app refuse to start if another app is installed (not running, just installed). My GOS workaround was putting that opinionated app in its own profile.
Not taking any sides here but Revolut just works if you download it from the Play store. I tried APKPure and it refused to start.
At this point I refused to use a bank app and I actually switched banks because my bank wouldn’t allow me to use a web browser.
My bank doesn’t allow you to change your address in the app. It provides a link to the website in the app. But since you can’t use a web browser to do online banking, it opens the app. Etc. ad nauseam.
Was it a big one we should all avoid?
I’ve been having similar turd-kind encounters with bank apps even within Android. I use the egregious Heliboard from F-Droid, and my bank app refused to start because I use an “untrusted keyboard” – funny, as it’s way more trustworthy than Gboard or Microslop board apps. Turns out the apps of all banks in my country are like that. So now I simply access the bank via the browser instead. Fuck their apps.
But I understand that the browser solution may not work for everyone :(
Partly this problem comes from the incompetence of the app’s developers, partly from shifting responsibility: it seems to me that they let Play Store do the checks, so if any hacking happens they can blame Play Store. And there’s also the modern motto: “if you want to make an app secure, make it unusable”. Even better, I’d then say, “don’t make it at all”! – there, security problem fully solved.
Putting pressure on banks would be best. Possibly one could also play a “disability” card: I must use such-and-such app or OS owing to visual impairment, say. Or collect signatures for a petition… but I imagine we’re a very small minority.
As a protest, in my case I changed banks a couple of times.
But thank you for the USB-ADB tip! I’ll use it when I switch to GrapheneOS.
Wow. Here I was thinking I had come across a particularly nasty piece of fuckery. But then you came along with that keyboard story.
That said, I can imagine how “checking for the ‘wrong’ keyboard” (or the wrong install method, in my case) came into being: somebody installed a keyboard (or a malware-injected APK) which turned out to be a keylogger, lost their funds, and, instead of owning up to their own mistakes, blamed the company for it. Now everyone gets to “enjoy” the fallout because the company feels it needs to “protect” the rest of us dumb-dumbs from impaling ourselves with our own software choices - trading freedom for a false sense of security.
Fuck their apps. But I understand that the browser solution may not work for everyone :(
I’d have gone that route if I could. The trouble is: every single bank here uses a proprietary app for 2FA, meaning: I cannot log in via the browser without an app.
it seems to me that they let Play Store do the checks, so if any hacking happens they can blame Play Store.
Precisely! This is not about users’ security. This is about corporate liability, and hence deserves pushback.
Not so sure about the keylogger argument, because every banking app relies on its own pad for entering the PIN/password, so there is nothing to log.
“I use the egregious Heliboard from F-droid, and my bank app refused to start because I use an “untrusted keyboard””
…I’m sorry, but what the hell?! What banking app has enough access to a user’s system that they’re not only able to detect the keyboard being used, but label it as “untrustworthy”?! Genuinely terrifying shit! Imagine if banks had the power to determine your access to your funds based on OTHER APPS you have on your phone? They already do that with purchases, and that’s disturbing enough.
That’s unfortunately true. Banking apps can also see what accessibility apps are running. My banking app for example will not start if KDE Connect is configured with maximum accessibility access so that it can remote input and share screen.
Never thought to consider that an app can know what keyboard is in use! I can imagine that not going well if someone is using a niche input method for accessibility.
I’d agree, the day my bank stops offering basic functions through the browser is the day I switch banks.
Indeed I wonder if that kind of keyboard check is even legal - personally I feel it as a breach of my privacy, none of their fucking business what kind of input method I use. (If anyone here is knowledgeable about such matters, please let me know!)
I agree with you that banking is essential, but could you illustrate how the banking app is also essential? I believe you that it is, I would just like to illustrate that with details.
My bank works via a website, and does 2FA in many ways, including TOTP and (yuck) SMS, which you cannot opt out of. I have Aegis for TOTP.
So personally I don’t need a banking app. I still use it because it makes depositing checks easier.
I need the app for 2FA. I have yet to encounter a bank that will accept TOTP for 2FA. Where I am, all banks use either pushTAN (through proprietary mechanisms, yuck) or SMSTAN (double-yuck). If I could use TOTP/Aegis for 2FA with my bank, I’d have spared you my OP. 😎
Thank you so much for the details! So many of us keep hearing that people need bank apps to work and I have always been curious for the technical details.
Really living up to your full name between this post and comment. I’d be hopping mad if I needed a Google-sanctioned device to access my bank too! It doesn’t even work from a desktop?!
Nope. While asking for a second factor is the sane thing to do for something as sensitive as banking, banks around here do not offer TOTP. (I’d LOVE to have that in my Keepass the way you seem to have; care to share where/which banks do that?)
Some banks here do offer a physical device as a fall-back for old people without a smartphone. These are basically just token generators or primitive code scanners. I’ve considered going full “old man yelling at clouds” and getting one of these. But then it’ll live in my drawer and I just know there will be situations where I urgently need it and not have it on hand.
Personally I think you should go “old man yells at clouds” at them, but maybe those devices have a keychain ring on them? Make it slightly less painful if you do?
Heck, maybe you can have both at once
I’ve made it work for now. If they terminally break it, I’ll probably switch banks, and let them know exactly what broke the camel’s back for me. But if all of them start doing it, I’ll have to do it like grandpa. ;)
The kinds of thoughts that keep me up as well. Glad you found a way to make the app happy for now.
It’s no doubt good to campaign and put pressure on banks, corporations, institutions, etc. but at the end of the day, my mind looks for the ultimate fail-safe. And it keeps coming back to having to use a separate device for such apps. At least I’m used to wearing cargo pants for the day I will need to carry 3 phones.
And it keeps coming back to having to use a separate device for such apps.
Frankly, I don’t see how that improves security or privacy over putting your banking apps (and all the yucky Google software) in a different user profile, separate from all of your more sensitive stuff.
Also, shelling out another $500 for yet another device you’ll be lugging around just to have compartmentalisation - isn’t that still giving up and accepting their demands to use their services on their terms? Personally, I don’t want my bank to be able to soft-pressure me into using Google services. I don’t want companies and countries to just assume and accept Google’s monopoly. I don’t want essential functionality like banking to get even more dependent on American big tech, at a time when it has become painfully obvious that this dependence exposes us to the most vile forms of extortion. I want to get away from that. And I want us all to get away from that.
It is bad. We should fight against the corporations and agencies that want to strip us of our privacy, and avoid using services that insist on invasive measures whenever possible. But the way things are going, especially living in the US, does not exactly inspire my optimism and my mind wants some certainty against all the what-if scenarios. Perhaps I should frame the separate device solution as my stopgap if we reach “rock bottom”?
I won’t pretend to be an expert on how much isolation a separate device provides over a user profile, but it does give me peace of mind in the case of my work phone, which I only have powered up at the workplace and never connect to the same network as my other devices. Not everyone has the privilege, but I repurposed my old phone which otherwise would have sat idle for this purpose.
Thanks a ton for your writeup and sharing your experience.
I have the exact same setup and I’m struggling more and more with apps which require Google Play to launch. I’ll use your workaround hoping that it’ll open a path for a while, although I’m also dubious about the future.
I’m very happy if this helps! Here’s a quick translation so people won’t get tripped up by the German comments:
# Push the APK file to /data/local/tmp/
adb push app.apk /data/local/tmp/app.apk
# Install the APK via the package manager (pm).
# Set the installer to "com.android.vending", i.e. the Google Play Store.
adb shell pm install -i "com.android.vending" -r /data/local/tmp/app.apk
I’ll use your workaround hoping that it’ll open a path for a while, although I’m also dubious about the future.
My thoughts exactly, and part of why I did the write-up! With Google’s recent moves to lock down Android (and companies like my bank eagerly supporting their push), I’m wondering what’s worth spending my energy on: pushing back and trying to stave off their efforts to take away software freedoms, like the folks at Keep Android Open are doing? Or accept the fact that “degoogling on Google’s platform” has always been a paradox living on borrowed time, and now it’s time to flip them the bird and look for greener pastures elsewhere?
Your experience is the tip of the iceberg.
If you look at the permissions required by essential, or at least widely used applications, you’ll discover a dizzying array of data exfiltration that is hidden in plain sight, made obscure by Google’s continuing efforts to hide the extent of this deep rooted ecosystem.
To the contrary: I’m painfully aware of those. That’s why I run Exodus scans of every single app I install, and stick to F-Droid for 95% of my apps. With banking applications, however, that is not an option.
That’s a wonderful tool that I was unaware of, thank you for pointing it out!