HSBC blocks its app due to F-Droid-installed Bitwarden

<- Back

HSBC blocks its app due to F-Droid-installed Bitwarden

_____k

Comments (182)

sschueller
That's Google's SafeNet. HSBC picked a level that causes this. Google manages the blacklist of apps.We are rapidly losing our freedoms to the will of these companies. If they decide they don't want to they can even if the law doesn't forbid it.People in Switzerland and the EU are being de-banked by local banks because of US pressure allowing them to force any bank that wants to use USD. The US has started to sanction people for free speech resulting in de-banking.Swiss law requires one bank (Postfinance) to offer banking irregardless but if you are sanctioned you can't use the wire system, no other currencies, no credit cards and you cant use Twint either so it's in effect useless. You can't pay for your health insurance or rent.
lol768
Plenty of UK banks that don't require this, and whose apps will also work on a rooted device. Monzo will display a warning that sets out the fact there's an increased risk, and then lets you be an adult and choose to continue to use the app if that's what you want to do.The best part is that the Current Account Switching Service makes it very easy to make the jump from a legacy bank like HSBC.
noobermin
My wife has tried to use a flip phone just for nostalgia's sake and she has a newer phone that supports android 14 (technically android go 14) and thus should work with most basic apps. However, one of her banking apps refuses to work claiming an app is screensharing (the POSB bank app thankfully identifies it as the "android system" app.) likely what is occuring I think is the second screen is drawn using some sort of thing that is reported as screen sharing, that POSB thinks could be malware.Of course, asking POSB for help has lead to nothing being done. By and large the biggest threat to people finance wise in singapore isn't malware but are scams (what is called "pig butchering" in America is rampant here) whilst malware is always a threat sometimes I feel like just refusing to function is problem due to overzealous viligiance to a low probability threat.
merek
If you've ever built a website for mobile but never heard of PWAs (Progressive Web Apps), I recommend checking them out. In essence, adding 2 files can make the site installable from a mobile browser and define caching behavior for offline functionality.1. manifest.json: a JSON file that defines the app's name, icons, theme colors, and how it should launch when installed.2. Service worker: a JS file that controls things like resource caching for offline usageUnfortunately PWAs don't receive first class support compared to native apps. Still, I still hope to see wider adoption. I think for many not-too-complex apps, they can significantly lower the cost of development, and the development experience could be as simple as- Building with HTML + JS + CSS. No clunky SDKs, reduced need to test on painfully slow emulators or expensive physical devices- Installable from a browser. No need to maintain a listing in the Playstore/App Store, avoiding policy headaches, rent, etc.https://developer.mozilla.org/en-US/docs/Web/Progressive_web...
yellow_lead
I thought Google removed the API that let you see other apps on the device. Maybe there's another API I'm not aware of though
firen777
Tangentially related, but some banking apps also implement their own in-app keyboard in their password fields, making password manager unusable and basically forcing me to use a easy to remember (to guess) password.
danw1979
HSBC still operate a perfectly functional website for banking.The more people who continue to use this, the better. It sends a clear signal that customers prefer the open web over restrictive and inconvenient mobile apps.I’m also hanging on to my bank’s physical RSA fob as my 2FA, instead of using their app based version.
hasperdi
It will not work either if you have developer mode enabled.These things HSBC app does, I think it's overreaching
oliwarner
Banks in the UK take partial liability for their customers succumbing to scams, and refund lost funds unless customers go out of their way to ignore warnings.Loss of control of devices is undeniably part of the scam lifecycle. Faking and intercepting messages from banks is a large part of that. An antivirus needs global permissions.All of that being true, you don't have to be a contortionist to understand why they might want to lock down client devices as far as they can. Google happens to offer them an easy method.
grishka
Isn't it funny how most banking apps do all this borderline malware crap, yet most banks also have online banking that you use through a web browser that they have no technical means of "trusting"?
merek
I recently came across Open Web Advocacy (OWA) who summarize my mobile-platform concerns well. They "advocate for the future of the open web by providing regulators, legislators and policy makers the intricate technical details that they need to understand the major anti-competitive issues in our industry and how to solve them."Their top 3 priorities:1. Apple's ban of third party browsers on iOS is deeply anti-competitive2. Web Apps need to become just Apps. Apps built with the free and open web need equal treatment and integration. Closed and heavily taxed proprietary ecosystems should not receive any preference.3. All artificial barriers placed by gatekeepers must be removed. Web Apps if allowed can offer equivalent functionality with greater privacy and security for demanding use-cases.Website: https://open-web-advocacy.org/en/
happymellon
I switched away due to HSBCs final straw for me being blocked due to not using the phone built in keyboard.Apparently using an open source keyboard runs the risk of my keypresses being shared with a 3rd party. Unlike Googles keyboard?
greatgib
HSBC is on my list of the worst bank anyway. Just connecting to their online banking portal you feel like throwing up!
lousken
Never use a banking app on a phone especially since internet banking websites exist.
csmpltn
Getting a (cheap) dedicated device for banking purposes (perhaps without a sim card, wifi only) is a good way to «work around» this.
throwaway81523
I use a separate phone for non-F-droid apps.
nubinetwork
Most banks do this, they won't let the app run if you have developer mode turned on as well, even if you're not using it for root (or anything else in the developer menu)
hkt
Ditch apps on your phone and pick banking that gives good, robust online banking. I was cut off by Starling for something similar and had to choose between a factory reset of my phone and my bank. I explained that my phone had free software on it, some of which I'd written, and it made no difference.Apps are a tool of control and surveillance and it is time we stopped tying ourselves to them. Dumb phones or degoogled operating systems (like e/OS/) are probably the answer here.
kevin061
404 error
charcircuit
It's worth trying to work around this by creating a work profile to isolate the apps.
SXX
HSBC is also one of few apps that dont let you use it with iPhone Mirroring.
zb3
We can't let banking apps invade our property.. things like banking apps need so much control in order to be secure that they need to exist on dedicated devices.
haunter
Source post deleted
itsthecourier
probably because bitwarden has a permission to overlay other apps and HSBC thinks it's malware stealing your access to your bank
nurumaik
At least now it should be pretty easy for any tech person to patch apk removing this check
thevania
can't wait for digital eurohttps://www.consilium.europa.eu/en/press/press-releases/2025...https://www.ecb.europa.eu/press/key/date/2025/html/ecb.sp251...i hope it will be part of the digital wallet initiative: https://github.com/eu-digital-identity-walletthere is an active discussion there on NOT integrating play integrity API or any other US-dependent remote attestation: https://github.com/eu-digital-identity-wallet/av-doc-technic...
Adesany
[flagged]
Adesany
[flagged]