(Rant)

At somepoint, HSBC decided KDE Connect installed via F-Droid is less secure.

Photo of the HSBC UK app urging I install KDE Connect via GPlay or Galaxy Store

Then it decide non-whitelisted keyborads are a security risk. Only Gboard and Samsung Keyboard is confirmed within the whitelist.

Photo of the HSBC UK app telling me to switch input method citing security risk


I understand the point that risk can be introduce at various points, yet this is simply too much. Yeah there are people phone infected by malware but from Play Store. Not a single time I heard one ever happened on F-Droid distributed apps, at least not from the official repo. Also, I will put more trust on an open source keyboard than any proprietary keyboard.

Furthermore, I’m shocked that an app can read my app list, and current keyboard (introduced in Android 14). This just make building a profile much easier as I belive everyone almost have an unique set of apps they like. I don’t think any apps need such functionality. Why the f it needs to care what input devices I uses? This make me worry more about untold (aka burried deep in Privacy Policy) data collection.

  • LiveLM
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    5 hours ago

    Check out Shelter by PeterCxy [FDroid - Source]
    It uses Android’s native work-profile feature to create a separate space for the apps you choose, so you could install the HSBC app there and it wouldn’t be able to see anything outside its little bubble.
    The downside is that AFAIK you cannot have multiple work profiles on the same phone, so if you have a MDM solution from work already installed like Intune you won’t be able to use this, and given how draconian this app is, it might refuse to run if it detects its inside one. Worth a shot though.

    This is the type of shit that has me losing faith in Android.
    They added a fuck ton of restrictions on Clipboard Access because ‘Privacy,’ yet this clear privacy violation (with 0 use cases!!!) is still here.

    You’d think that they’d create a permission you can toggle at will since they care about protecting you so much right?
    Nope. Google’s the one who decides who gets to use this capability and your wishes as a user can go to hell.