In a recent update to the HSBC app they’ve added a screen to prevent you from using the app unless you use the default (Google) keyboard.

They do a similar thing if you have an accessibility service running that can access the screen’s content. A fair enough security warning if you’ve happened to install a dodgy keyboard app, but highly frustrating when using an open source alternative that enhances the security and privacy over the default option (HeliBoard in my case).

I haven’t found a way to circumvent the page yet. It would be useful if Android allowed you to block the permission to query all packages, but alas.

  • Pasta Dental
    English
    75
    25 days ago

    banks will do everything in their power to restrict who can use their services in the name of security but are absolutely fine with 6-char password size limits and SMS 2FA

    • asudox
      English
      9
      24 days ago

      They are in an illusion where their backend is absolutely perfect, but third party apps like open source keyboards implement spyware that spies on users’ predictable bank passwords. (FlorisBoard is the biggest predator)

      • @steel_nomad
        English
        -9
        24 days ago

        Source? That’s FUD if I ever heard it

  • Admiral Patrick
    English
    63
    25 days ago

    If my bank’s app ever forces me to choose between my keyboard of preference and their app, it’s their app that’s getting uninstalled.

    • @[email protected]
      English
      14
      25 days ago

      I think it’s a great option to warn people about. Or even force switching of the keyboard for that one app. But it shouldn’t require you to set a system setting.

      • @Hellinabucket
        English
        2
        25 days ago

        My bank pops up with a warning but then just lets me carry on my way

      • Admiral Patrick
        English
        18
        25 days ago

        Be that as it may, apps must work for me and never the other way around.

        • @[email protected]
          English
          4
          25 days ago

          Bingo. I will happily go out of my way to modify things, and if the methods provided to hide root/bootloader status from any particular app don’t work, then that app gets uninstalled.

    • @ccunning
      English
      4
      25 days ago

      Have the security risks associated with third party keyboards been mitigated somehow? I made the decision not to use them years ago and have never revisited it.

      • @HereIAmOP
        English
        5
        24 days ago

        Of course there will always be some risk. But HeliBoard and some other keyboard apps are open source and can be audited. I’d trust (I know, you should do your own homework) the more popular ones have a lot of eyes on them.

        • Dizzy Devil Ducky
          English
          2
          24 days ago

          As someone who doesn’t have the time, skill, or knowledge to audit open source projects, I agree on the trusting more popular open source keyboards (and by extension popular open source projects in general).

      • @[email protected]
        English
        1
        24 days ago

        First-party keyboards have the exact same permissions. The code is hidden though and no one can audit it.

  • @[email protected]
    English
    47
    25 days ago

    I’m not sure about this app especially, but I hate that my bank personally has so many restrictions on the app usage but I can also just use a web browser on God knows what with who knows what extensions installed and they’re all like sure, come on in!

    • @[email protected]
      English
      19
      25 days ago

      They likely won’t allow that forever. If Google has its way with the web, trusted browser environments will be a thing, and banks will only accept those.

    • JoYo
      English
      -12
      25 days ago

      were you also against cache attestation and manifest v3?

  • @Zacpod
    English
    28
    24 days ago

    Move to a credit union. HSBC is terrible.

    • @HereIAmOP
      English
      9
      24 days ago

      Yeah, I don’t really have a reason to stay with HSBC. A responsible me would look for a bank with better credit card interest. Might as well shop around for a new one.

  • @[email protected]
    English
    28
    25 days ago

    Considering that HSBC is remarkably evil, even compared to other major international banking corporations, this might be a good nudge to stop doing business with them.

    • @Mr_Dr_Oink
      English
      5
      25 days ago

      You would have to be extremely evil to be a far comparison to any other bank.

      That’s impressive.

  • 3 dogs in a trenchcoat
    English
    22
    25 days ago

    They do a similar thing if you have an accessibility service running that can access the screen’s content

    Well fuck disabled people I guess?

    • @mcherm
      English
      10
      24 days ago

      Actually, banks are a heavily regulated industry and they have to comply with strict non-discrimination requirements including making all reasonable accommodations for people with disabilities.

      If you know someone who uses a screen reader and is therefore unable to use HSBC’s app, encourage them to file a complaint with the appropriate regulator (in the US, try https://www.consumerfinance.gov/complaint/ ).

      Banks are very attentive about listening to their regulators.

      (Of course, it’s possible that what HSBC did still works with commonly used screen readers for the blind because they actually thought of this.)

    • @HereIAmOP
      English
      2
      24 days ago

      Yeah it is bad. Maybe it’s the case again that the default screen reader is allowed but third party ones aren’t?

      Okay, I just tested turning on the built-in screen reader and it launched just fine 😑

  • xep
    21
    25 days ago

    I understand the reason for this, but if this is what they’ve decided to do they should also provide a trusted HSBC keyboard that can only be used with their banking application.

    • andrew_bidlaw
      English
      5
      25 days ago

      Can apps have their own keyboard and never call the system one? Installing their kb as another app and as a system one at that would be 200% more infuriating. Now THEY can log your keys elsewhere.

      • projectmoon
        English
        15
        25 days ago

        They can build a keyboard into it, sure. It’s just UI elements and a bunch of buttons. Won’t be a good keyboard, but it can be done.

      • @HereIAmOP
        English
        8
        24 days ago

        It’s possible. First example I can think of is NYT’s games app uses their own keyboard. It’s clunky, but if someone is concerned (or data hungry) enough for the users’ security they certainly could.

  • M137
    English
    -4
    25 days ago

    HSBC - High school before Christ

  • @serenissi
    English
    -8
    24 days ago

    You guys use banking apps?

    • @[email protected]
      English
      1
      24 days ago

      I do. Not for like spreadsheeting my spending/saving but just checking if something went through, sure.

      • @serenissi
        English
        1
        24 days ago

        I find banking apps pretty infuriating. Don’t support rooted/custom ROM. Too easy to make a mistake. Susceptible to ‘malware’ (i.e. intent jacking or if the app logs tokens in logcat lol). I use netbanking when needed. For txn logs, mostly SMS works fine.

        I find keeping bank account logged in always isn’t necessary and just an invitation of hassles.