this post was submitted on 05 Nov 2024
129 points (99.2% liked)

Android

17641 readers
185 users here now

The new home of /r/Android on Lemmy and the Fediverse!

Android news, reviews, tips, and discussions about rooting, tutorials, and apps.

πŸ”—Universal Link: !android@lemdro.id


πŸ’‘Content Philosophy:

Content which benefits the community (news, rumours, and discussions) is generally allowed and is valued over content which benefits only the individual (technical questions, help buying/selling, rants, self-promotion, etc.) which will be removed if it's in violation of the rules.


Support, technical, or app related questions belong in: !askandroid@lemdro.id

For fresh communities, lemmy apps, and instance updates: !lemdroid@lemdro.id

πŸ’¬Matrix Chat

πŸ’¬Telegram channels / chats

πŸ“°Our communities below


Rules

  1. Stay on topic: All posts should be related to the Android OS or ecosystem.

  2. No support questions, recommendation requests, rants, or bug reports: Posts must benefit the community rather than the individual. Please post to !askandroid@lemdro.id.

  3. Describe images/videos, no memes: Please include a text description when sharing images or videos. Post memes to !androidmemes@lemdro.id.

  4. No self-promotion spam: Active community members can post their apps if they answer any questions in the comments. Please do not post links to your own website, YouTube, blog content, or communities.

  5. No reposts or rehosted content: Share only the original source of an article, unless it's not available in English or requires logging in (like Twitter). Avoid reposting the same topic from other sources.

  6. No editorializing titles: You can add the author or website's name if helpful, but keep article titles unchanged.

  7. No piracy or unverified APKs: Do not share links or direct people to pirated content or unverified APKs, which may contain malicious code.

  8. No unauthorized polls, bots, or giveaways: Do not create polls, use bots, or organize giveaways without first contacting mods for approval.

  9. No offensive or low-effort content: Don't post offensive or unhelpful content. Keep it civil and friendly!

  10. No affiliate links: Posting affiliate links is not allowed.

Quick Links

Our Communities

Lemmy App List

Chat and More


founded 1 year ago
MODERATORS
 

(Rant)

At somepoint, HSBC decided KDE Connect installed via F-Droid is less secure.

Photo of the HSBC UK app urging I install KDE Connect via GPlay or Galaxy Store

Then it decide non-whitelisted keyborads are a security risk. Only Gboard and Samsung Keyboard is confirmed within the whitelist.

Photo of the HSBC UK app telling me to switch input method citing security risk


I understand the point that risk can be introduce at various points, yet this is simply too much. Yeah there are people phone infected by malware but from Play Store. Not a single time I heard one ever happened on F-Droid distributed apps, at least not from the official repo. Also, I will put more trust on an open source keyboard than any proprietary keyboard.

Furthermore, I'm shocked that an app can read my app list, and current keyboard (introduced in Android 14). This just make building a profile much easier as I belive everyone almost have an unique set of apps they like. I don't think any apps need such functionality. Why the f it needs to care what input devices I uses? This make me worry more about untold (aka burried deep in Privacy Policy) data collection.

top 40 comments
sorted by: hot top controversial new old
[–] LiveLM@lemmy.zip 7 points 1 day ago* (last edited 1 day ago) (1 children)

Check out Shelter by PeterCxy [FDroid - Source]
It uses Android's native work-profile feature to create a separate space for the apps you choose, so you could install the HSBC app there and it wouldn't be able to see anything outside its little bubble.
The downside is that AFAIK you cannot have multiple work profiles on the same phone, so if you have a MDM solution from work already installed like Intune you won't be able to use this, and given how draconian this app is, it might refuse to run if it detects its inside one. Worth a shot though.

This is the type of shit that has me losing faith in Android.
They added a fuck ton of restrictions on Clipboard Access because 'Privacy,' yet this clear privacy violation (with 0 use cases!!!) is still here.

You'd think that they'd create a permission you can toggle at will since they care about protecting you so much right?
Nope. Google's the one who decides who gets to use this capability and your wishes as a user can go to hell.

[–] umami_wasbi@lemmy.ml 2 points 1 day ago

Unfortunately, the work profile is already used up.

[–] Railcar8095@lemm.ee 12 points 1 day ago

I thought this was for employees of the bank on the work phone.

If my bank does this, they can kiss goodbye my $254.21.

[–] Paradox@lemdro.id 52 points 2 days ago (5 children)

We seriously need a way to sandbox apps, where they cant see shit outside their sandbox

[–] morbidcactus@lemmy.ca 7 points 1 day ago

Afaik that's how the corporate apps stuff works, I byod (I really should have a second phone) and the work stuff is totally on its own, uses a different keyboard, opens a different browser uses a different authenticator etc.

[–] smeg@feddit.uk 2 points 1 day ago

Isn't that the purpose of the work profile?

[–] possiblylinux127@lemmy.zip 2 points 2 days ago

If only we had that

[–] T156@lemmy.world 1 points 2 days ago

Also a way to spoof the input.

[–] Tregetour@lemdro.id 16 points 2 days ago

You need to formally complain to your bank, OP.

[–] Stomata@buddyverse.one 12 points 1 day ago

They are now blocking you because you are not using gboard and sam keyboard. Now it's too much . I stopped using mobile banking became they need g play services.

[–] Moonrise2473@feddit.it 42 points 2 days ago (1 children)

And then i complained that my bank blocked access if adb was enabled...

If there's no loan attached to that account, for me this message reads "sorry, we don't want you as a customer. Please contact a bank teller to have a full refund, uninstall this app and don't forget to leave a 1 star review"

I'm not willing to compromise on this shit. My phone is my phone.

[–] RubberElectrons@lemmy.world 15 points 2 days ago

Imagine one of my medical apps refusing to run because of adb..

[–] not_woody_shaw@lemmy.world 42 points 2 days ago (1 children)
[–] merde@sh.itjust.works 22 points 2 days ago

money laundering is alright but how dare they impose gboard to their clients

[–] shortwavesurfer@lemmy.zip 29 points 2 days ago (1 children)

Sounds like it's time to use the website and not the app. And if you can't use the website instead of an app, you should probably switch banks.

[–] Moonrise2473@feddit.it 9 points 2 days ago (1 children)

I don't know a single bank that hasn't reinvented the wheel and is using their app as a glorified authentication app for generating totp codes

[–] shortwavesurfer@lemmy.zip 3 points 1 day ago

Mine actually. I'm in the United States, but I actually switched banks. And the vast majority of the reason I did so was because my bank did not allow me to use the website to use their functionality. And so I said fuck you and left them.

That's annoying! I'm using Graphene and I just installed KDE Connect from F-Droid to test, which didn't trigger, however it did bounce me for using Heliboard. Changing to default keyboard and reloading worked, ie it can only see my currently active one.

Using Shelter to set up a second profile, or the new Private Space feature on 15 may help provide isolation.

Halifax/ Bank of Scotland/ Lloyds does an integrity check that rejects Graphene or LineageOS phones completely.

[–] ReversalHatchery@beehaw.org 18 points 2 days ago (2 children)

how the fuck do they see that you have these apps?? Wasn't it google's justification for destroying /proc and all resource monitor apps with it that they have put querying of installed apps behind a permission?

[–] Moonrise2473@feddit.it 6 points 2 days ago (1 children)

I saw a bank in my country requiring to have the permission for apps usage, the one that you have to go in settings and toggle it. Refuse and it closes the app

[–] madis@lemm.ee 4 points 1 day ago (1 children)

Perhaps you could report it to Google Play for that?

[–] Moonrise2473@feddit.it 5 points 1 day ago* (last edited 1 day ago)

Google enforces rules only against small devs. Big companies are allowed to do what the fuck they want.

Example with one of those "ad viewing apps disguised as games", every single screenshot is misleading, showing a different game to what actually will be downloaded. It's clearly a violation of Google Play terms that read:

Screenshots must demonstrate the actual in-app or in-game experience, focusing on the core features and content so users can anticipate what the app or game experience will be like. Use captured footage of the app or game itself.

In the example not a single screenshot demonstrate the actual game experience.

Google sees the big cash influx from ad impressions and IAP from whales and is closing all the eyes

Tencent and Alibaba instead are still allowed to illegally fingerprint and track the user by placing tracking data in /Pictures/.gs0 which for some reason they can access even without storage/photo permission

[–] possiblylinux127@lemmy.zip 3 points 2 days ago (1 children)

So /proc is virtual so it is only processes and not apps.

The app probably requires a permission that grants it access to that information.

all apps have their own processes, and the names of the processes were often the package name

[–] pacjo@lemmy.dbzer0.com 4 points 2 days ago

With recent releases CorePatch can spoof app source, but it won't help with keyboard whitelist.

[–] Im_old@lemmy.world 5 points 2 days ago

Graphene and starling, works great