As we are discussing the UK bank Lloyds too, I have the same problem with the UK Halifax bank app, which is part of HBOS, which is part of Lloyds. I wrote to them some months ago and have never received a reply. If anyone is interested or can make use of it, this is what I wrote:
Halifax Bank: In your own words, tell us about your problem and the impact it had on you.
I have decided to start using your Android app because, under the right setup, this is now more secure than using a web browser on a PC and I now have a phone dedicated to just banking and financial apps. Except, your app incorrectly accuses me of rooting/jailbreaking my phone (Google Pixel 8, Android 14/GrapheneOS, fully updated), which is not true; and the phone is not OEM unlocked either.
I used a link from your website to download the app from the Google Play Store and installed it using the Google Play Store app.
The Halifax app had me enter all my banking login credentials before telling me "9******0: Sorry ... we detected ... your device ... jailbroken/rooted".
If you think a phone is insecure, why not tell your customer this before having them enter all their security/login credentials into the app on what you regard as an insecure device? I think this is the substance of my complaint. I was left concerned that I had somehow downloaded the wrong app from the Play Store and entered all the data into a phishing app - but I knew I had carefully used the link from your website so I didn't think this was possible.
My Pixel 8 with GrapheneOS fully supports the 'hardware attestation feature' of Android and you are able to check the integrity and certification status of my phone by using this. I would be very grateful if you would fix your app to use the Android hardware attestation API which provides a much stronger form of attestation than the Play Integrity API. How to do this is explained here: https://grapheneos.org/articles/attestation-compatibility-guide. I found this information summarised here: https://grapheneos.org/usage#banking-apps
Thank you for your patience reading this. Please reassure me you will pass this on to the App development team.
Halifax Bank: Ideally, how would you like us to fix this?
Two things:
Firstly, please don't require someone to enter all their security credentials into the app before then telling them the app will not work. This is frustrating because it took me about 10 minutes to enter the very long username and passwords; but it is also frightening and looks as if one has fallen for an app phishing attack.
Secondly, please fix your app to use the Android hardware attestation API which provides a much stronger form of attestation than the Play Integrity API.