alt.hn

12/31/2025 at 3:43:11 PM

The HSBC app refuses to work if "Bitwarden" is installed on user's Android phone

https://twitter.com/nixcraft/status/2006133658495656377

by fortran77

12/31/2025 at 4:17:17 PM

why does Google even allow HSBC to see the list of other installed apps?

Maybe because Google and its products have little respect for user privacy?

Have you thought about using Aurora Store? You can usually see a list of the permissions the app requires before you install.

by jqpabc123

12/31/2025 at 5:38:17 PM

Maybe because Google and its products have little respect for user privacy?

That's incorrect. Querying installed apps has been severely restricted (and thus mostly useless) and also requires a special nuclear-scale permission since Android 11.

I am wondering what exploit HSBC is using because I really don't think they are using official APIs for this.

by mindcrash

1/1/2026 at 5:27:45 AM

The QUERY_ALL_PACKAGES permission (what an Android app needs to see all the packages installed on your phone) is a little weird. The user doesn’t get prompted and explicitly grant permission for it like they would for something like MICROPHONE; having it in the app’s manifest alone is sufficient to query packages. However, Google Play Console does make you submit a video of how the permission is used in your app in order to publish on Google Play if they detect it in your manifest.

The acceptance criteria made sense for our app (it displays your phone’s notifications on your smart glasses HUD, and users need a way of selecting which apps can/can’t display notifications). I don’t know how HSBC justifies it though.

by alex1115alex
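
An added example, not part of the comment above or of any app's code: a small audit of a decoded AndroidManifest.xml for the two package-visibility mechanisms discussed in this thread, the QUERY_ALL_PACKAGES permission and the `<queries>` element introduced with Android 11. The sample manifest and its package names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # fully qualified android:name attribute
QUERY_ALL = "android.permission.QUERY_ALL_PACKAGES"

# Constructed sample manifest in decoded text form (for example, as a
# decompiler would emit it); package names are placeholders, not a real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <queries>
        <package android:name="com.example.passwordmanager"/>
        <intent>
            <action android:name="android.intent.action.MAIN"/>
        </intent>
    </queries>
    <application android:label="Example"/>
</manifest>
"""


def package_visibility(manifest_xml: str) -> dict:
    """Summarise how an app declares visibility of other installed packages."""
    root = ET.fromstring(manifest_xml.strip())
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    packages, actions = [], []
    # A manifest without <queries> simply yields empty lists.
    for queries in root.findall("queries"):
        packages += [p.get(NAME) for p in queries.findall("package")]
        actions += [a.get(NAME) for a in queries.findall("intent/action")]
    return {
        # Manifest-only permission: the user is never prompted for it.
        "query_all_packages": QUERY_ALL in perms,
        # Specific packages the app may look up by name.
        "named_packages": sorted(packages),
        # Apps become visible if they handle one of these intent actions.
        "intent_actions": sorted(actions),
    }


if __name__ == "__main__":
    for key, value in package_visibility(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```
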

1/1/2026 at 1:17:25 PM

The user doesn’t get prompted and explicitly grant permission for it like they would for something like MICROPHONE

Why implement this in such an anti-privacy way that sidesteps the user?

Answer - see the original post above.

by jqpabc123

1/1/2026 at 4:51:41 AM

Still, I have had issues with this too. My work uses an antimalware app when you use BYOD. Fine, but that app (Lookout for Work) installed in the work profile, and it complained that I had a tracking blocker (trackercontrol.org) installed in the MAIN profile :( This really pissed me off. Not only is an app in the work profile not supposed to even look at what I've got installed on the personal side, but it's actually a legit app. There's nothing wrong with tracker control. And it comes from a legit source, Oxford University. The Lookout guys are just being obstinate blocking it.

by wolvoleo

12/31/2025 at 5:54:19 PM

I am wondering what exploit HSBC is using

Why was querying installed apps ever allowed? Why is an exploit or permission available now?

Answer --- see the original post above.

by jqpabc123

12/31/2025 at 6:23:01 PM

You don’t think your phone should let you run certain programs, even with elevated permissions?

by SpicyLemonZest

1/1/2026 at 4:32:36 PM

Sure, but framed that way you also need to be able to run programs that think they have higher permissions even though API calls are returning mocked/sanitized data. And more generally, the ability to run programs with high permissions that can completely modify the behavior of other lower-permissions programs (eg HSBC).

by mindslight

12/31/2025 at 6:30:23 PM

Were elevated permissions granted by the user in this case? If so, then this entire discussion is baseless.

by jqpabc123

1/1/2026 at 5:22:39 AM

Mine doesn't work because of KDE Connect, and an open source keyboard I slightly modified and rebuilt myself.

by vrighter

1/1/2026 at 9:24:22 AM

What keyboard did you modify and why?

by parlortricks

1/1/2026 at 12:42:28 AM

It only works when narco-trafficking money laundering apps are installed.

That's why it doesn't work.

by burnt-resistor

12/31/2025 at 3:47:48 PM

I think it may be because of a sideloaded app. That does seem like a more reasonable thing to warn about.

by fortran77

12/31/2025 at 5:15:34 PM

Warn? Yes. Refuse access? No.

I would close my bank account over this. That’s not saying much though because they literally pay you to open new bank accounts these days…

by wryoak

12/31/2025 at 10:54:05 PM

If the sideloaded app manages to hack HSBC and steal the customer's money, they are going to have a demand to refund the customer a bunch of money. I can understand their position.

by tim333

1/1/2026 at 3:47:26 AM

I understand that, but the thing I've never understood is that banking apps only care about meaningless measurements like whether a device passes Play Integrity. I have a tablet that passes Play Integrity but is also over 6 years behind on security updates. That device should not be allowed to run banking apps.

Why not refuse to run on devices that don't have current security updates? How useful is Play Integrity actually for avoiding these types of problems?

by protimewaster

12/31/2025 at 5:37:37 PM

If you cared even slightly about the app, you wouldn't have a HSBC account anyway, you'd have Starling or Monzo or maybe Revolut

by walthamstow

1/1/2026 at 4:54:26 AM

Most banks now require their app for MFA for payments, sadly. They used to offer these "calculator" devices but most banks I know of in my country now require their app. Which sucks for me because I don't want to have my authenticator on a hackable internet-connected device.

by wolvoleo

1/1/2026 at 5:27:18 AM

And as soon as you log in to their app once, that other key gets invalidated.

It took weeks to convince them to switch me back to that key because they couldn't understand the concept that their app refused to run on my phone.

by vrighter

1/1/2026 at 5:50:42 AM

Yeah here they just sent an email "from <date> onwards all verificators are revoked, from now on you must use the app" :(

by wolvoleo

1/1/2026 at 4:52:30 AM

Yes the problem is when all banks start doing this BS though.

by wolvoleo

12/31/2025 at 10:36:14 PM

This is a freedom we have on Android

by unixhero