HSBC app takes a dim view of sideloaded Bitwarden installations

Some HSBC mobile banking customers in the UK report being locked out of the bank's app after installing the Bitwarden password manager via an open source app catalog. Neil Brown, board member at F-Droid, said he was blocked from accessing HSBC's UK mobile banking after a security screen flagged Bitwarden as a risk. Brown had …

  1. JimmyPage Silver badge

    Been happening for years

    My wife is partially sighted. I have a list of several supposed "serious" apps that will not work with accessibility features or deliberately ignore them, rendering them useless.

    Which is why I have zero faith in the accessibility mandates the EU is proposing.

    1. Not Yb Silver badge

      Re: Been happening for years

      If I'm getting this right, the current EU policy landscape of "no accessibility mandate" has led to "serious" apps that will not work with accessibility features.

      But if the EU sticks with "no accessibility mandate", why would such "serious" apps bother to fix anything? Seems to me that leaving it the way it is... just leaves it the way it is, with features broken or ignored.

      Seems illogical to decide that an accessibility standard would somehow break it worse.

    2. Anonymous Coward

      Re: Been happening for years

      Oh those mandates have teeth. And the first time someone sues, and wins, against a firm for accessibility failings will wake a few people up.

    3. lordminty

      Re: Been happening for years

      You don't even need to be partially sighted.

      The latest website design craze seems to be the use of ultra light grey boxes and ultra light grey text on a white background!

      I can hardly see what's on the effing screens, or where I'm supposed to type things in!

      Do the so-called modern 'web devs' ever do any usability testing? Or is it decided by the marketing department arguing about colours rather than customer experience and usability?

      Green screens were better than this rubbish!

      1. IamAProton Bronze badge

        Re: Been happening for years

        "The latest website design craze seems to be the use of ultra light grey boxes and ultra light grey text on a white background!"

        EXACTLY. Soon enough I'll have to customize the stylesheet because the developers are suffering from 'rectal-cranial inversion'.

      2. LybsterRoy Silver badge

        Re: Been happening for years

        Hey - you forgot the lack of borders round the frames so even if you could read it you can't figure out which text goes where.

      3. SteveK

        Re: Been happening for years

        Not just websites, I have just been looking at some printed architectural plans where the various rooms and spaces are all in different shades of green, with walls outlined in green, and text and other markup (power/data etc) in slightly darker green.

      4. dr john

        Re: Been happening for years

        This grey text on a similar grey background was stated to be a dreadful usability error many years ago!

        The best colour contrast for clear reading is very light greyish text on a dark grey, not quite black background (and NOT pure white text on a pure black background, as that is harder for those with dyslexia to read). What you are probably seeing is "cool young dudes", who are not as clever as they think they are, building "cool" websites.

        When I first came across this advice 20+ years ago I thought rubbish, pure white on pure black is best contrast. So I made two identical pages, one using the pure colours and one using the off white and off black colours. Switching between them was a shock - the pure colours version was clearly too stark a view when switching to it. Now any web pages I work on follow this 20 year old advice. Cool young dudes really do need training in usability engineering before being let loose on customers' websites. Just google good contrast of colours on a website for readability, and play with the WebAIM contrast checker.

        PS This site could do with some small contrast adjustments, to be honest.

        1. dr john

          Re: Been happening for years

          PPS I forgot to mention that "very light greyish text on a dark grey, not quite black background" is rarely used, even if it is claimed to be best way to work.

          Most sites' readability is improved with a very light greyish background and a dark grey, not quite black text, and that is what is used on a lot of sites.

          Looks like I accidentally managed to delete that from my own comment!

      5. UtterClaudius

        Re: Been happening for years

        I wish I could remember the URL to shame them, but I recently experienced a website where the tickboxes were already ticked. Clicking them made them slightly more bold. It feels like I'm a cliche when I say logic is dying but it truly is. Corporate cults everywhere subscribing to the latest drivel all because they're afraid of being irrelevant. God help us.

    4. SVD_NL Silver badge

      Re: Been happening for years

      It's a safety control, apps can block other apps from "seeing" that app window, this includes accessibility apps. (You can easily tell this by trying to screenshot an app, it won't work for protected apps).

      I do understand this to some degree, but at some point it's the users' responsibility IMO. Android warns you 10 times that you're giving access to everything that's on your screen when you enable accessibility perms, and regularly warns about apps that have accessibility perms enabled. There are legitimate use cases for those, and users should be able to enable it if they want to.

      I can definitely understand your frustration, modern tech seems to become less and less accessible despite technological advancements in that field. I don't have any disabilities, and even I am impacted by this. Example: "smart" appliances and their horrible touch screen interfaces. They're bloated, not logical, have a bunch of fancy animations and decorations I don't need, and the touch screen is hard to use, especially when I've got wet or dirty hands (while cooking for example). I can't imagine trying to use my oven if I had some sort of physical or visual impairment, and even without disabilities it's just better to have buttons and knobs.

  2. PCScreenOnly Silver badge

    Old, easily hacked OS versions = fine

    Secure, more up-to-date 3rd party or with side load != OK

    Same with other banks and downright frustrating

  3. Joe W Silver badge

    Sideloading?

    Just... stop calling it sideloading. It is an installation that Google is unhappy about and complains. It is not in some weird grey zone that is barely legal. It is legal and since I paid for the phone I can damn well do with it what I want. Calling it a security risk is echoing the position of Google (and Apple) and is anti competitive behaviour and abuse of their position.

    1. Anonymous Coward

      Re: Sideloading?

      It hasn't been your phone from the very moment you let the Internet's worst advertising offender "give" you a "free" wooden horse.

      1. DangerWiIIRobinson

        Re: Sideloading?

        I have taken back *some* control by using GrapheneOS instead of standard Android.

        Newer versions of the HSBC App won't work because the OS denies it access to snoop around looking at all the other apps. Seems GrapheneOS is too secure.

        1. UtterClaudius

          Re: Sideloading?

          Would you consider using one of the newer banks like Monzo/Starling for your current account, and then using the old web interface for the savings/etc?

    2. a_foley

      Re: Sideloading?

      I agree 110%, and I notice something similar regarding the term "Custom ROMs", which I think "downgrades" some serious alternative Android distributions like LineageOS or GrapheneOS, and makes them sound like hobby projects made by some random guy in their basement, which they really aren't (especially the latter).

      I just think it's straight up bizarre that the Android community clings on to that outdated and derogatory term. Like, for instance, do you think it makes sense to say "screw Windows, I'm gonna flash this Linux ROM on my computer"? No. Then why should Android be so different?

      1. MonocleRB

        Re: Sideloading?

        There are two major differences that I think warrant talking about PCs and smartphones differently.

        1) Android phones come with an OS image that is both

        a) the manufacturer's customized (to varying degrees) fork of AOSP

        and

        b) specifically developed for that particular model of phone

        Windows or a given Linux distro is distributed as a single generic image that can be installed on any PC, and while PC OEMs can and do make small customizations they are not *nearly* on the level of what smartphone OEMs do. We're talking about preinstalling a few apps and drivers and changing the wallpaper, versus developing an entire GUI and tuning drivers and behavior for the specific model of phone. Both in the wider world of devices and in the history of computers, IBM-compatible PCs are remarkable in that generic OS images are expected to be able to be installed on any make and any model of PC; that's not very common.

        2) The possibility and process of installing an OS of any sort is dramatically different between PCs and smartphones. PCs are happy to scan through any number of attached storage devices and boot any OS they may find (including bootable installers), but with smartphones changing the OS is more of a major operation. A smartphone holds the expectation that there is only one OS and that said OS will be found on its internal storage. Installing a different OS requires tethering the phone to a PC and wiping the internal storage before flashing the new image, no repartitioning or dual booting or keeping your data. And that's assuming that you can install an OS in the first place! Most phone manufacturers other than Apple and Google won't even give you a way to flash their stock OS back into your phone without going to a repair shop or shipping your phone to a service center. And if you're going for a third-party OS, you'll need both an unlockable bootloader and a third-party OS with an image for your device, two things which are increasingly uncommon.

        So I think the differences are pronounced enough to warrant speaking about PCs and smartphones differently in this regard.

        (In case anyone was wondering, I didn't use the word "ROM" here because it doesn't feel quite appropriate. It's not read-only; even though for the end user it's difficult to impossible to change it, the manufacturer will be updating it a number of times.)

        1. Yet Another Anonymous coward Silver badge

          Re: Sideloading?

          Although GrapheneOS web install is one-click and probably easier than installing Linux and certainly easier than Win11.

          Not invalidating your point, but giving GrapheneOS a try, if you have a Pixel phone, isn't a challenge.

  4. Gordon 10

    Banking App Developers should be shot

    They are some of the worst apps out there - driven by the institutional arrogance that's built into the banking industry.

    Case in point. My banking app has a secondary facial recognition function built into the app for certain actions, that is an entire duplicate of the OS level stuff built into my phone. Fine if it works, but needless to say it doesn't work at all reliably, unlike the OS level one. And I'm white and male. Gawd knows how it works for someone who isn't.

    So now instead of using that function I just move my money to another bank that doesn't have the stupid facial recognition failures.

    1. PCScreenOnly Silver badge

      Re: Banking App Developers should be shot

      Don't have that on my apps, but I have 2 from the same banking group. The fingerprint reader on my phone is utter shit and as I do quite a bit of DIY my fingerprints are often buggered so fail.

      One of the banks' apps fails as soon as my finger gets near to the reader, the other lets me have 3 goes before it wants the password.

      Don't mind, but then the MFA is often text - so bloody useless

      1. Anonymous Coward

        Re: Banking App Developers should be shot

        Ah, fingerprint readers.

        As a rule I only use the middle finger on Windows machines. I wish Apple had left it on iPhones because the whole facial thing intensely dislikes privacy screens and you'd at least use it consciously. I don't like it unlocking because I just looked at it, so maybe I'll go back to PIN only.

    2. Rahbut

      Re: Banking App Developers should be shot

      Not seen the facial recognition stuff; my patience runs out when someone like Santander decides I need to use their stupid pretend keyboard instead of the one I want to use.

      Rather than make something more secure, I always feel they're introducing an additional weakness.

    3. Missing Semicolon Silver badge

      Re: Banking App Developers should be shot

      And, the way banking apps self-fund by hoovering up and selling your data. Install DuckDuckGo's App Tracking Protection and marvel at how much they are trying to take. They don't need it, as the apps still work when blocked by DDG.

    4. Alan_Peery

      Re: Banking App Developers should be shot

      If you don't include the name of the misbehaving bank, we can't avoid them.

    5. Anonymous Coward

      Re: Banking App Developers should be shot

      I'm actually quite happy with mine although it slowly starts to suffer from featuritis (they're adding many extra things) - their app was the original reason I selected this bank in the first place because it was decent, well laid out and actually quite secure. It's rare that I prefer to use a mobile phone app over an online browser, but they managed that remarkable feat.

      That said, based on my personal experience I'm quite glad there's yet another reason to avoid the Highly Suspect Banking Crooks. The only app they should have is one that simply displays "DON'T" in big fat red blinking letters, accompanied by unmutable, loud alarm claxon sounds.

    6. Anonymous Coward

      Re: Banking App Developers should be shot

      I'm not, nor have I ever been a Bank App developer. I have worked as a developer in Financial Services for the better part of the last 30 years. I do not use Banking Apps. For one, the UI workflow is sub optimal - much easier with a mouse centric design rather than touch to get things done. And more importantly, why install and carry about a device that can get stolen which has access to your bank account.

      I do my online banking on the laptop in a separate VM, reserved just for that purpose.

    7. UtterClaudius

      Re: Banking App Developers should be shot

      It was only just last year Lloyds were sending emails to their customers "use my voice is my password!"

      Totally behind the curve.

  5. Anonymous Coward

    Not just bitwarden

    This bit me a few months ago. I was also told to:

    - Uninstall HeliBoard

    - Disable debugging over USB and WiFi

    I could probably work around one of these but not all three. My solution was to deregister and uninstall the app which forced me to order the old school hardware fob doohickey.

    This didn't work for other HSBC regional apps (some of which have ridiculously decommissioned hardware fobs), in which case an alternative Android profile (if your device supports it) may be enough.

    I am currently in the middle of a complaint with another UK bank who had made similar moves.

    1. graemep Bronze badge

      Re: Not just bitwarden

      I did the same. An extra cost for them. Not my problem.

    2. Roland6 Silver badge

      Re: Not just bitwarden

      Get similar with PC apps. Several UK banks' online banking web apps will fail with a “contact us” fraud warning if you have AnyDesk installed, even if you're running the session in Kaspersky’s financial transaction protected mode.

      1. IamAProton Bronze badge

        Re: Not just bitwarden

        A browser shouldn't be able to tell what is installed on your pc, maybe Anydesk installed a browser extension (or registered a handler for something like "any://") and the invasive bank javascript is checking for that?

        1. FirstTangoInParis Silver badge

          Re: Not just bitwarden

          > A browser shouldn't be able to tell what is installed on your pc

          I agree but have you seen the stuff that browsers are allowed to do in the settings tab these days? Most of these are set by default to Ask, so for the average user they just click Yes and allow all sorts to occur. My least fave is an Indian website that constantly tells the user through web notifications that Norton has expired and you need to renew it by clicking here, even if Norton has never been near your PC. Malware Bytes is good at silencing that one with its browser guard.

      2. Excused Boots Silver badge

        Re: Not just bitwarden

        “Several UK banks online banking web app will fail with a “contact us” fraud warning if you have AnyDesk installed.....”

        Leaving aside the question of how the heck a website knows what applications you have installed, I suspect that the logic here is that AnyDesk is one of those software items that hackers will try to get you to install as part of an attempt to take control of your device and steal money from you. Banks do have a duty of care to their customers, and although that might seem a bit OTT, I can see where they are coming from.

    3. Rahbut

      Re: Not just bitwarden

      The same HSBC who were keen on "my voice is my password"...

  6. IamAProton Bronze badge

    Banking apps are the worst

    I don't use any but it's unbelievable that they get to decide if I have to update the phone or if I can have an open source app installed (or an OS without the google spyware)

    I'm fine with raising a warning but I need to have a way to override it.

    My bank does not require the use of an app (which I never tried anyway); the moment it does, I hope other app-free options are available.

  7. hayzoos

    Safer/more secure?

    I use Bitwarden and use the F-Droid release. Why do I "risk" sideloading? Quoted from Bitwarden's FAQs: "For those who prefer to exclude all 3rd party communication, Firebase and Microsoft Visual Studio App Center are removed completely from the F-Droid build." It is also available from github in both Google Play and F-Droid flavors and in DIY compile it yourself.

    I have voted with my wallet and moved to other banks for similar situations. Such as blocking VPN access so I cannot bank while on business travel. Ironically, that very same bank required their employees to use VPN while on travel. Blocking VPN is just security theatre. Cloudflare helps promote that stance.

    1. Irongut Silver badge

      Re: Safer/more secure?

      VS App Center was shut down in March last year so I would hope they removed it from all Bitwarden builds.

      I can't comment on their usage of Firebase.

    2. Pete Sdev Silver badge

      Re: Safer/more secure?

      Blocking VPN is just security theatre

      It's worse than that, it's (brain) dead Jim.

      If you're abroad connecting to the Internet over an untrusted network, using a VPN is the right thing to do.

  8. JimmyPage Silver badge

    And yet at the same time

    you can't uninstall the utter shite that is forced on you by network operators.

    What's all that about ?

    1. PCScreenOnly Silver badge

      Re: And yet at the same time

      There is an adb app control that can do that - quite good. Just makes it easier for non techy users

      1. Alumoi Silver badge

        Re: And yet at the same time

        That only 'hides' the app from the user. Without root you can't really uninstall any app.

  9. katrinab Silver badge

    Using the website isn't really an option for HSBC.

    Firstly, if you use the website, you still need the app to generate 2FA codes.

    If you do a cardholder not present transaction, you need the app to authenticate/approve it.

    Some accounts, such as the Global Money account (if you are receiving / sending money abroad, this is a lot cheaper than doing it on the regular current account), only work on the app, not the website.

    1. IamAProton Bronze badge

      But not using HSBC is an option.

      I don't want to sound like I'm an a$$h0le, and I know it's a PITA to change, but if you stick with them you are part of the problem.

      There might be some deal or better conditions you can get if you change bank (maybe by talking to a human and not just doing it online).

      1. Scotech

        There's also the fact that they're actively complicit in the accelerating erosion of liberty and democracy in Hong Kong to consider. I cut ties with them over that years ago so thankfully haven't had to deal with their ridiculous technical decisions since. There's plenty of less scummy alternatives out there.

      2. tiggity Silver badge

        I changed back, it's a bit of hassle but easily doable.

        Not because of online banking (I don't do that as I have zero faith in there not being flaws in their system) but because the bank I was with closed branches in the 3 towns near me, meaning no readily accessible branch, so I switched to a bank* that had a branch in a nearby town (as I do quite a few transactions that need a branch - e.g. cannot yet get bags of various coins from an ATM).

        * building society, but in UK essentially same as a bank

        1. Mishak Silver badge

          My town has an HSBC branch

          Though I'm not sure what it's there for. I was asked to look at opening an account for a business, so I went in to talk to them and was told "sorry mate, you will have to travel to a bigger branch (about 45 minutes away) to do that". WTAF?

    2. graemep Bronze badge

      > Firstly, if you use the website, you still need the app to generate 2FA codes.

      You can get them to send you a hardware authenticator thing.

      > If you do a cardholder not present transaction, you need the app to authenticate/approve it.

      Use another card. They get less business.

      > Some accounts, such as the Global Money account (if you are receiving / sending money abroad, this is a lot cheaper than doing it on the regular current account), only work on the app, not the website.

      Plenty of alternatives for that

  10. Alumoi Silver badge

    Banks!

    According to my bank my rooted, firewalled, adblocked, spyware removed, Google debloated, unnecessary-services-disabled phone is NOT a secure device. On the other hand, a new phone with all the spyware (Google, Facebook, Netflix, Samsung et al) activated IS a secure device.

    So I guess the definition of security for the banks is 'how easy the user can be tracked'.

    1. Scotech

      Re: Banks!

      The definition of security to them is "how easily can we make this somebody else's problem?" - whether that's Google or the customer. Of course, ultimately it's always going to be the customer.

    2. Anonymous Coward

      Re: Banks!

      Can't speak for apps as my security stance is absolutely NO financial apps on my phone.

      But Tesco Bank, I believe now owned by Barclays, uses cookies to 'secure' access to its website! Hopefully Barclays will migrate the Tesco stuff to their own systems over time.

      Normally I don't keep ANY cookies when I close my PC browsers, but I have to keep them on one just for this.

      1. LybsterRoy Silver badge

        Re: Banks!

        -- Can't speak for apps as my security stance is absolutely NO financial apps on my phone. --

        Ditto

        -- Normally I don't keep ANY cookies when I close my PC browsers, but I have to keep them on one just for this. --

        I just accept that I have an extra hoop to jump through since without cookies the bank can't remember this is a trusted device.

  11. Goodwin Sands

    So is anyone actually happy with their bank's digital offerings?

    Seems quite a few folk (me included) are unhappy with their bank so some recommendations would be good.

    1. Anonymous Coward

      Re: So is anyone actually happy with their bank's digital offerings?

      I'm in NC, US, and have accounts with SECU, Webster's (Brio Direct, a high-yield savings account), Citi, and Barclaycard. None require an app; all have usable webpage interfaces.

      I considered several high-yield savings accounts before going with Brio Direct; one was rejected because it was ONLY accessible via a phone app.

    2. Rahbut

      Re: So is anyone actually happy with their bank's digital offerings?

      In the UK Starling and Monzo have good apps. Chase isn't bad either.

      Starling also has good website banking (requires the app though to login).

      (big fan of Starling if I'm honest - think it's less cluttered than Monzo, but ymmv)

      Lloyds and HSBC/FD are probably the better of the older banks, but that's hardly a glowing recommendation - TSB were dismal when I switched into them for the free cash last year. The others are all pretty meh.

      1. Adair Silver badge

        Re: So is anyone actually happy with their bank's digital offerings?

        Second Monzo, and Halifax and Natwest apps both seem reasonably sensible.

      2. DoctorPaul Bronze badge

        Re: So is anyone actually happy with their bank's digital offerings?

        I've been playing "musical banks" for the last few years, well they were giving money away!

        That means that I've had accounts with all of the major banks (avoiding the likes of Revolut) and the one I've stayed with is Chase.

        The app works well with nice touches like notifications the moment money leaves or enters the account, also the day before a regular payment goes out so it's easy to keep money in a saver account until it's needed. From the way that transactions update in real time, I suspect that their IT infrastructure is more modern than some where transactions are marked as Pending until the following day. Cherry on the cake, if you need to phone them do it from within the app and you are pre-authorised so you avoid all the "I just need to ask you a few questions to establish your ID".

      3. Anonymous Coward

        Re: So is anyone actually happy with their bank's digital offerings?

        I agree with your assessment of Lloyds and HSBC!

        I can't say anything about accessing them via their smartphone apps but logging into their websites is a battle unless one is using a bog standard mainstream browser, with no noscript, no blacklists etc. After logging in, Lloyds send a code via sms for MFA. Barclays after logging in require you either run an app on your smartphone to generate a code, or they'll give you a standalone device to generate a code.

    3. anthonyhegedus Silver badge

      Re: So is anyone actually happy with their bank's digital offerings?

      I use Halifax (same as Lloyds bank and Bank of Scotland) and I actually quite like the app. It’s easier to use than RBS anyway. They seem to have made an effort to put features in there that I need (like a search that actually works).

    4. Anonymous Coward

      Re: So is anyone actually happy with their bank's digital offerings?

      Using KBC in Belgium. The quality of their app was actually an important reason in selecting them.

      1. Anonymous Coward

        Re: So is anyone actually happy with their bank's digital offerings?

        I got stuck with ING due to various reasons, and their app is quite bad.

        Does KBC also impose the dreadful, issue loaded, privacy invading and data hoarding, "ItsMe" authentication app? That by itself is worse than any of the banking apps.

        1. Anonymous Coward

          Re: So is anyone actually happy with their bank's digital offerings?

          Actually, ItsMe is quite OK.

          What I think you ought to watch out for is MyGov, that doesn't strike me as trustworthy as it's 100% based on Microsoft products. ItsMe is Linux - not that that in itself is a guarantee but I have come across their CISO at some conference a while back and the man was refreshingly sane and BS free - something I personally like in security people because it means they're serious about the job.

          As far as I can tell, MyGov is by someone in government pushing this as a personal project as they would love to have a slice of the ItsMe profits but don't have the first clue about actual security.

          Just my opinion and assessment, do with it what you want. I will never install MyGov as long as I have a choice.

    5. Fonant Silver badge

      Re: So is anyone actually happy with their bank's digital offerings?

      Starling have been good for me. Personal and free business banking, with an API that I use for reconciling with my hand-written book-keeping system.

      NatWest has a terrible app, and should generally be avoided, IMHO.

    6. Anonymous Coward

      Re: So is anyone actually happy with their bank's digital offerings?

      Yes. I use the apps for several banks, including HSBC, HBoS, Barclays and Nationwide. They're all different but each does what I need as and when I need it. I actually prefer the apps to access via a browser for routine transactions (my main browser use is when setting up a new payee). But I confess I use an iPhone and actually appreciate Apple's walled garden approach as it lets me do what I need to do without too much hassle. My needs are basic but I provide IT support to groups of elderly folk across the county and the biggest hassles are with non-Apple kit (despite well over half the folk coming to workshops having it). The Apple environment isn't perfect but it works adequately for the average domestic user I encounter. Of course, IT folk have other needs and Apple's restrictions get in the way, which is why I think the greater freedom with competing kit is necessary - but that does mean the naive user can more easily fall foul. As always, YMMV.

    7. HandlesMessiah

      Re: So is anyone actually happy with their bank's digital offerings?

      USAA in the US is a very stable, very functional, highly intuitive app. I've been using it without complaint for more than 15 years.

  12. Anonymous Coward

    Don't Use Apps

    Everything was app-ified because plugin-free, standards-compliant web browsers were getting in the way of the screw-the-customer control freaks. Most non-technical users really didn't see the long-term problem with allowing loads of client-side software to infest a device they don't fully control, rummage through it, deliver advertising, and exfiltrate data.

    Autonomy was traded for convenience. In fact, enough people traded autonomy for convenience that it normalized stuff like this. People today don't even think twice before clicking install at the slightest prompt or autofilling a new account registration profile. People look at you funny if you say "I'm not installing that" and even funnier if you say "I don't install stuff on my phone."

    Privacy and control issues are not fixable under the current paradigm. The only winning move is not to play.

    It won't be fixed. It will get worse as users surrender even more data and autonomy to app-ified AI agents which pretty much need to hoover up and exfiltrate every bit of personal data to operate.

    You will do as you are told, cloud consumer. Your bank and the advertising company which made your phone OS know better.

    1. Caver_Dave Silver badge

      Re: Don't Use Apps

      I'm with you and walked away from a free London Museum that insisted I had to provide my personal details before walking in.

      (I then used a little known entrance around the side, where there was no such palaver.)

      My wife filled in all her details into the app to get into the main entrance and then had to show its QR code to get past a second layer of checking.

      And she has been getting spam ever since requesting donations.

      1. rafff

        Re: Don't Use Apps

        "I ... walked away from a free London Museum that insisted I had to provide my personal details before walking in."

        Give false info. My name is John Smith, my DoB is 1/1/1950, my postcode is W1A 1AA (or BS8 2LR or SW1A 0AA or ... ), my phone number is 07123 456789. Enjoy.

        If they insist on an email, have a spare Gmail that you never look at, or a rubbish address - it does not have to actually exist. For those websites that want to send you a verification code I use a temp email provider e.g. https://temp-mail.org/en/

        1. RPF

          Re: Don't Use Apps

          Or even better: https://use-their-id.com/

    2. ChoHag Silver badge

      Re: Don't Use Apps

      > The only winning move is not to play.

      The wonderful thing about everybody using these apps is that there are no queues.

      1. Anonymous Coward
        Anonymous Coward

        Re: Don't Use Apps

        Of course. If there are no branches, there are also no places to form queues..

        /s

    3. LybsterRoy Silver badge

      Re: Don't Use Apps

      -- The only winning move is not to play. --

      This is the option I've taken. The ONLY reason I have a smartphone is that I was moved to a continuous glucose monitor and it was either carry a brick of a reader plus my beloved Doro or go to a smartphone. However, I will be gobsmacked (and bloody worried) if my phone bill ever turns up saying I've had data usage.

  13. Anonymous Coward
    Anonymous Coward

    Regardless of the reasonability of HSBC's decision here, why not just use Google play to install bitwarden?

    1. Anonymous Coward
      Anonymous Coward

      The main purpose of F-Droid is to NOT use Google.

    2. Dan 55 Silver badge

      Per the fine article, you can install the Play version of Bitwarden if you want but if you have any other non-Play app installed then the bank also deems that insecure. Incredibly stupid security theatre, but that's typical for banks.

  14. rmbles

    NS&I too

    In the last couple of months the Premium bonds app has decided that if you have 'developer options' enabled in settings, it'll crash the app out immediately before login.

    I've no idea who decided this was a security risk

    1. IamAProton Bronze badge

      Re: NS&I too

      I always enable developer options, that's the only way to disable the animations (which I hate with passion).

    2. Rahbut

      Re: NS&I too

      It didn't dawn on me they had an app, given how bad the onboarding process was to set up a new account on the web.

      [I always enable dev settings - I don't see how that's less secure than when NS&I SMS you a TOTP]

    3. Boothy

      Re: NS&I too

      Even their web site is poorly implemented.

      The login requires an extra ID (NS&I number) in addition to the username and password, so using a built-in password manager doesn't work (by default). Not that much of an issue, as I store the details in a separate KeePass file anyway, but still.

      But worse the initial login always (for me anyway) just drops you back to the login page, no error, no indication of why, and you have to put the details in again!? 2nd time it will get in fine.

      They do not have the option of any sort of proper MFA (e.g. code generator etc), and as far as I can see, they force the use of SMS for one time access codes, which are used if you log on from a 'new device'.

      And I say 'new device'. because on first access from an actual new device, it goes through the SMS process to add it as a new trusted device, but this doesn't really work properly. Not sure how they are fingerprinting the device/browser, but it only works for a short while, like days, after which you have to go through the SMS process again, even though I'm on the same machine using the same browser.

      Even their secure messaging system is unreliable. The first few unread messages you read lose the 'unread' status, but after that, they stay at unread, even after being read! I have to log out and back in and read the messages again for the status to be updated.

      And don't hit page reload or the back button at any point, as they'll just log you out!

  15. An_Old_Dog Silver badge

    "Potential" Risks

    "...Our app performs checks to identify potential malware risks and can require users to take additional steps to keep their accounts safe."

    Since when did potential risks become conflated with actual risks?

    Toilet paper is a "potential risk" to one's dwelling, because that (dry) toilet paper can provide fuel to a housefire, but the risk is minimal compared to other factors, so we continue to store and use toilet paper in our homes.

    1. Captain Hogwash Silver badge

      Re: "Potential" Risks

      Expect that to soon be seen as a problem, the solution to which is Just In Time bog roll drone delivery for a very reasonable monthly subscription.

      Once enough people sign up expect it to be near impossible to buy it in a shop.

      1. ChoHag Silver badge
        Coat

        Re: "Potential" Risks

        Are you trying to start a second run on toilet paper?

        1. Anonymous Coward
          Anonymous Coward

          Re: "Potential" Risks

          I think that requires a strong laxative.

          No, wait ..

          :)

    2. LybsterRoy Silver badge

      Re: "Potential" Risks

      I'm not sure but looking at a lot of governmental (local & national) decisions I think they are unable to differentiate between possibility and probability. This then feeds into the clear logic vs correct logic dilemma.

  16. carguy143

    Is it to sell ads?

    I had an issue a while ago where a bank named after a Yorkshire town failed to load. Well, not just me, but my partner, my daughter, and other relatives. The thing we all have in common? We all used adguard or alternative DNS, and we all used to bank with the same Yorkshire town namesake.

    1. Anonymous Coward
      Anonymous Coward

      Re: Is it to sell ads?

      Adblockers also counter most user tracking and data harvesting. It might have been glitching if it couldn't phone home to a "market research" firm.

      1. Mishak Silver badge

        Pi-hole

        I use Pi-hole, and that totally breaks currys.co.uk. Filters do nothing, can't change the number of items that are displayed - the only interactions that work are the menus and links.

        Hmm. Looks like it's been updated (I reported the issue a few months ago) and it's now happy with alternate DNS / ad blocking.

        Still, I have come across other sites that don't work.

        Remind me - local hospital only allows Google to be used as a search engine. My phone is defaulted to duckduckgo, which gets blocked as "Threat category : Search Engines". Muppets.

  17. NoCHere

    Please explain to me how using a phone for banking is secure in ANY way

    In the past, internet banking was available and fairly easy, AND being something you can do from home on a computer that is secure in your home, was quite safe.

    Especially with one of the password generator things they provide.

    Now they want me to do everything on a telephone, that can be lost or stolen.

    Or I could be abducted from the street and forced to open the account.

    How is banking on a telephone better?

    For me it is foolishness.

    Although internet banking is still available, unfortunately HSBC Singapore let some 5 year olds loose on the site design/layout some years ago and it is now all but unusable.

    Maybe that was intentional?

    As others have said - the bank will take no responsibility if your account is breached in any way.

    Don't make it easy.

  18. Tim Chuma

    I locked myself out of Bitwarden

    It won't let me recover my own password as it doesn't trust me.

    Goodbye Bitwarden!

    Also some stupid "you are using the same password" warning on Windows 11 for a system to authorise system use that requires the same password!

    1. Anonymous Coward
      Anonymous Coward

      Re: I locked myself out of Bitwarden

      I can't tell if you're just expressing satire or if you're serious...

    2. Apocalypso - a cheery end to the world Bronze badge
      Facepalm

      Re: I locked myself out of Bitwarden

      > Also some stupid "you are using the same password" warning on Windows 11 for a system to authorise system use that requires the same password!

      This! Started seeing this a couple of weeks back on the client's laptop trying to log in to their Confluence (when the "remember me" had run out) but it's all SSO via AD so there's no possibility of using a different password even if I wanted to.

      It stopped as of yesterday which I take as a sign that the IT people managed to undo whatever dumb-ass change MS had made.

  19. Fruit and Nutcase Silver badge
    Mushroom

    Google's Play Store? Malware-ridden apps??

    Step right this way...

    Malware-ridden apps made it into Google's Play Store, scored 19 million downloads

    https://www.theregister.com/2025/08/26/apps_android_malware/

  20. Anonymous Coward
    Anonymous Coward

    Really pisses me off that banks think they have the right to tell me what phone environment I am permitted to run. "It's for your security!" That is MY risk decision to make, not yours.

    1. Mishak Silver badge

      Sympathy

      I do have some (very limited) sympathy for UK banks, as they are financially liable for fraud where an app is compromised, even if it wasn't their software that was at fault (for those not in the UK, that also includes where someone is tricked into transferring funds to a fraudster in response to a scammer calling them).

      However, they should be assuming that the execution environment is potentially insecure, and making sure that their app does not make external (non-OS) calls or trust data that it cannot verify.

    2. LybsterRoy Silver badge

      I agree with you but only if you then agree that any monies disappearing from your account are your problem.

      1. IamAProton Bronze badge

        As long as the app is not mandatory I can accept their silly requirements (and by 'accept' I mean 'not use their app').

  21. xyz123 Silver badge

    Wonder how much google paid HSBC for this.

    because google HATES having to open to other app stores.

    "yeah we'll just make every.single.major.app refuse to work if they use a different app store"

    1. Anonymous Coward
      Anonymous Coward

      TBH, that was my first thought too.

  22. lordminty

    HSBC promote Trusteer Rapport

    HSBC promote Trusteer Rapport too.

    Which is effectively a Windows Root Kit!

    1. Mishak Silver badge

      Re: HSBC promote Trusteer Rapport

      Yeah. I refused to install that and switched my business banking to Starling (which had the added advantage of restoring free banking*).

      * It was the "pay a monthly fee for the privilege of being charged to send funds overseas with a pathetic exchange rate" that was the final nail in the coffin for them.

  23. b1k3rdude

    Er, it's one thing to not work on a rooted phone, but telling me what apps I can or cannot install on my personal device is none of a bank's fcking business.

    But I see my banking app has this fcking query permission also and despite using GrapheneOS, there is no way to disable that specific permission.

  24. Mark 15

    We're right, you're wrong

    Having just moved to another bank after a security issue, it is galling to hear the same old crap reason. "We do this for your safety blah blah blah". You can't speak to someone at the bank to point out their own failings, you just get "We're right, you're wrong." It's the same with those systems that prevent pasting passwords. Instead, you have to type out your long generated password on your phone keypad as this is "so much more secure". Wouldn't it be good if they all worked to the same standard!

    1. Mishak Silver badge

      Wouldn't it be good if they all worked to the same standard!

      They do - the "sub-standard".

  25. CrashM

    Halifax

    Halifax doesn't allow USB debugging to be enabled... meanwhile their password isn't even case sensitive.

  26. Sok Puppette

    So, speaking of security...

    ... why is some random banking app allowed to know what else is installed on the phone?

  27. harrys Bronze badge

    been using bitwarden for years, but.....

    they should not have the autofill feature enabled by default .... it's an attack vector that is too dangerous for something holding such valuable info

    also go to your settings online and enable some of the highest crypto stuff on your cloud stored wallet, so if the bitwarden site gets hacked your wallet would take centuries to decrypt (LastPass wallets are prob still being decrypted way after their leak)

    ps u are using a strong inconvenient master password, yes???

  28. tr1st

    HSBC - the only MTA that can't handle end-to-end path MTU discovery

    I don't trust the "cloud" email because I like to have email sent to me directly, via TLS to a machine that I physically control. That usually entails a tunnel from some cloud device. HSBC is the only MTA that won't do end-to-end path MTU discovery. The only way to get it to work is to use a proxy (TPROXY from Linux so that you get the original IP addresses) on the cloud machine that has an MTU of 1500.

    Also, why is the APP 300MB+ and how many trackers does it need with tracker connect? I got so pissed off that I asked for the old 6 digit generators. Much more secure. They can be locked up in a safe, not carried around in your arse pocket.

  29. tr1st

    And what is it with taking copies of my contacts....

    And why do the T&Cs of the app say they need to slurp my contacts from the phone when I install the app?

  30. AndyAQ

    Marks and Spencer bank as well

    I've had the same problem with M&S app. Had to uninstall Bitdefender and Microsoft Defender and reinstall from the Google Play site instead. It's bizarre and very counterproductive.

  31. MilSpec

    Why use F-Droid for security Apps

    Why even use a source like F-Droid etc to get a security App such as BitWarden when it's available from the Google App store?

    1. hayzoos
      Facepalm

      Re: Why use F-Droid for security Apps

      Why use Google for security Apps? That is a much better question.
