Comment by graemep a day ago

26 replies

This sort of thing happens a lot. A few years ago a British bus company put certificates in the app to sign tickets.

The HSBC UK app will not run if you have any apps installed from outside the Play Store. I cannot log into the website without the app. Luckily all I have with them is a lightly used credit card with a low limit so I have just stopped using it and rely on paper statements.

I find it disturbing that any app can examine your device in this much detail.

robertlagrant a day ago

> I find it disturbing that any app can examine your device in this much detail.

When I did a tiny bit of Android development a few years ago, I was astonished how free the app I made was to just examine the file system. I assumed it would be like the web, where each website can have its own little SQLite database and cookie store equivalent, but that's it. I don't know if it's changed, or if it was just because I was in a "dev mode" somehow, but that was very surprising.

  • dspillett 21 hours ago

    It has certainly been locked down a bit. This makes easily backing up all your data using some techniques harder/impossible.

    I can't include podcasts in the backup I do via rsync via termux anymore, unless I switch to an app that uses a shared storage area instead, as termux can no longer read app directories, only its own and shared storage. You have to rely on each app that used app-local storage to have its own backup method. Not that I really care from the podcast PoV, hence I've done nothing about it, but it is a sign of apps being better sandboxed at the filesystem level than they used to be.

    • dv_dt 11 hours ago

      That doesn't make sense either - not an Android user or dev, but shouldn't there be a system-level backup interface? Even if it's storing the app-local storage as an opaque blob with a label?

  • xbmcuser 20 hours ago

    Is it not the same for computers? Most of the apps' data is accessible by all the apps. Mobile OSes came from the paradigm of the past, and as the way we use our phones changes, so does the way mobile OSes work. For a long time Android devs have wanted to obfuscate the disk from the user like iOS does but have faced pushback from users and developers, so in the end they created a permission where an app needs to ask permission to access the disk. Keeping the file system a black box or allowing users/apps to mess with it is a development question of the times: dumb it down or not. Then people here complain children don't know anything about computers these days. Well, yeah, because we have dumbed it down so much in the name of security and usability.

    • whstl 19 hours ago

      Definitely the same for computers. LOTS of software relies on saving data in "secret" locations for shareware-style trials.

      macOS for one has been asking to allow access to specific folders. Other OSs are possibly starting to do the same, but it used to be a free-for-all.

  • liontwist 21 hours ago

    That is how it works. Apps on Android and iOS can’t access data outside of their container.

    • SpaghettiCthulu 10 hours ago

      Afaik all apps on android have the ability to list directories across most of the "sdcard" file system even without storage permissions.

      • TeMPOraL 7 hours ago

        Sure, but all the interesting data is stored in a subtree that mostly won't even show on that list. In fact, there doesn't seem to be a way for a user of a non-rooted phone to view this data. This sucks.

ajb a day ago

You could try getting them to give you a physical security key, they used to supply them and I think still will if you can't use the app (just say it doesn't work on your phone). I have one and the website still works with it.

  • graemep a day ago

    Thanks, I was thinking of phoning and asking, but good to know there is some point in waiting in the queue to talk to someone!

    • ajb 17 hours ago

      If you're near a branch you can also just pop in and ask for one; might be faster. I did that when the battery ran out on my last one. There's no process upfront, you then have to pair it with your account. Well, you will probably have to convince them to switch your account to use a physical key - maybe that means you have to call anyway, I don't know.

1317 21 hours ago

It used to let you use it with a full-on rooted phone, it just popped up a message saying 'it's not our problem if you get robbed'

i wonder what caused the change

as others have said, you can ring them up and get a physical security key, it works for the website

  • miki123211 21 hours ago

    > i wonder what caused the change

    In many countries, if the consumer gets defrauded, the bank foots the bill.

    I don't think the problem here is consumers getting defrauded by having an insecure rooted device. It's fraudsters using the mobile app APIs for nefarious purposes, and the best way to prevent that is to use SafetyNet and other similar mechanisms.

    • TeMPOraL 7 hours ago

      > and the best way to prevent that is to use SafetyNet and other similar mechanisms.

      It's not the best way to prevent it. It's the easiest way for the bank to avoid liability.

      The ugly truth of cybersecurity is that, in the real world, most of it is an exercise in shifting liability around and diffusing it. Making systems actually secure is not necessary.

  • Mindwipe 18 hours ago

    The app works perfectly well on my device, parent comment is just mistaken.

White_Wolf 15 hours ago

The HSBC app runs fine on my rooted phone with a few magisk plugins and 5 marketplaces installed and a ton of sideloaded apps.

  • graemep 9 hours ago

    It used to work on my old phone. Stopped with new one. May depend on Android version or when you installed.

jimjambw 14 hours ago

Do you happen to remember which bus company this was? Is there any article you can link me to, as I’m quite interested in reading some more on it.

  • graemep 9 hours ago

    I think it was Arriva. Definitely one that operated in Manchester at the time. Cannot find a link.

ksp-atlas a day ago

The app works for me just fine despite having lots of non-google play apps installed, is this an Android 15 thing?

  • Mindwipe 18 hours ago

    It works fine for me on Android 15 with non-Google Play apps installed too.

gunian 20 hours ago

Kind of ironic since you can't easily export data as an end user without some friction

Mindwipe 18 hours ago

The HSBC UK app runs perfectly well on my Android phone, including full biometrics, 2FA for the website and for major functionality like transferring money.

I have at least a dozen apps installed on my phone that are not from the Play Store - a mixture of other stores (Samsung/Epic) and apps that are not from any store but I've compiled myself, or downloaded APKs directly from the developer website.

This isn't true.