(Rant)
At somepoint, HSBC decided KDE Connect installed via F-Droid is less secure.
Then it decide non-whitelisted keyborads are a security risk. Only Gboard and Samsung Keyboard is confirmed within the whitelist.
I understand the point that risk can be introduce at various points, yet this is simply too much. Yeah there are people phone infected by malware but from Play Store. Not a single time I heard one ever happened on F-Droid distributed apps, at least not from the official repo. Also, I will put more trust on an open source keyboard than any proprietary keyboard.
Furthermore, I’m shocked that an app can read my app list, and current keyboard (introduced in Android 14). This just make building a profile much easier as I belive everyone almost have an unique set of apps they like. I don’t think any apps need such functionality. Why the f it needs to care what input devices I uses? This make me worry more about untold (aka burried deep in Privacy Policy) data collection.
You need to formally complain to your bank, OP.
That’s annoying! I’m using Graphene and I just installed KDE Connect from F-Droid to test, which didn’t trigger, however it did bounce me for using Heliboard. Changing to default keyboard and reloading worked, ie it can only see my currently active one.
Using Shelter to set up a second profile, or the new Private Space feature on 15 may help provide isolation.
Halifax/ Bank of Scotland/ Lloyds does an integrity check that rejects Graphene or LineageOS phones completely.
With recent releases CorePatch can spoof app source, but it won’t help with keyboard whitelist.
We seriously need a way to sandbox apps, where they cant see shit outside their sandbox
If only we had that
Also a way to spoof the input.
And then i complained that my bank blocked access if adb was enabled…
If there’s no loan attached to that account, for me this message reads “sorry, we don’t want you as a customer. Please contact a bank teller to have a full refund, uninstall this app and don’t forget to leave a 1 star review”
I’m not willing to compromise on this shit. My phone is my phone.
Imagine one of my medical apps refusing to run because of adb…
Sounds like it’s time to use the website and not the app. And if you can’t use the website instead of an app, you should probably switch banks.
I don’t know a single bank that hasn’t reinvented the wheel and is using their app as a glorified authentication app for generating totp codes
Time to change banks
money laundering is alright but how dare they impose gboard to their clients
how the fuck do they see that you have these apps?? Wasn’t it google’s justification for destroying /proc and all resource monitor apps with it that they have put querying of installed apps behind a permission?
I saw a bank in my country requiring to have the permission for apps usage, the one that you have to go in settings and toggle it. Refuse and it closes the app
So /proc is virtual so it is only processes and not apps.
The app probably requires a permission that grants it access to that information.
Graphene and starling, works great
You do know screenshots exist
Also don’t do mobile banking
You do know screenshots exist
App doesn’t allow screenshots or screen sharing as part of the security features
Also, don’t do mobile banking
Many times that’s simply impossible depending on the bank, and it’s wholly inconvenient for most people. Security wise, it also depends on way too many variables, so you can’t just tell people to not do it and don’t elaborate further.
Actually, I wouldn’t be surprised if screenshots are disabled in that app considering the rest, to “stop leaking sensitive information”.
When it allow screenshotting
You want us to yell out our credit card details over the phone like the good old days?
You could use card or cash like a normal person
If the app is so paranoid that it refuses to work after detecting a different keyboard, I should be surprised if it allowed screenshots.
Also don’t do mobile banking
As opposed to what?
Anything else