privsec
Banking applications want this authorisation to protect against fraud.
When checking the IMEI of your phone, this authorisation allows you to be sure that it is really you and not a thief who has stolen your phone to get your money…

BTW: My bank app requires access to location and phone (device location, WLAN name and IMEI)
This app also works without these authorisations, but then without the extended account protection that my bank offers me when authorisations are granted.

The background to such requests for authorisations from banks is that everything now works with just one app and no really good additional protection such as a second device is required.
If such an app is successfully attacked, your money can be gone.
The bank saves itself the expense of separate devices and pays in the event of a loss if you have given the app authorisation and something happens anyway.

But: read your bank's terms and conditions and data protection regulations, because your bank may not protect you any better if you give their app all the authorisations.

    Eagle_Owl Banking applications want this authorisation to protect against fraud.
    When checking the IMEI of your phone, this authorisation allows you to be sure that it is really you and not a thief who has stolen your phone to get your money…

    As per the post by privsec, starting with Android 10, apps are not allowed to access IMEIs. So if a bank is telling you that their app is protecting your account by reading IMEIs, they are blatantly lying to you.

    Eagle_Owl When checking the IMEI of your phone, this authorisation allows you to be sure that it is really you and not a thief who has stolen your phone to get your money…

    This does not make sense and if your bank is telling you this then they are again lying to you. An IMEI does not follow a person. If someone steals your phone, the IMEI does not change. There is no way that your bank is detecting that someone grabbed your phone and stole your device credentials based on an IMEI which their banking app cannot even access.

      If they use the phone permission to check the phone number of your SIM it gives them some extra confidence. It is either you or someone has managed to take control of your phone number by stealing your SIM card or tricking your carrier into issuing a new SIM with the same number.

        Carlos-Anso You may be right, but I'm not sure if I can follow your reasoning.

        The bank initially doesn't have my mobile phone number. I install their wallet app. (Activation must be confirmed by 2FA.) The app asks for phone permission and let's say they get it. Then they know the mobile phone number of that device. And possibly can make calls and read the phone history. What for? Why would this lead to "some extra confidence"?

        The app keeps using the phone permission by the way. You cannot revoke it after installation.

        Is your reasoning, that they link my app installation to the phone number and thus achieve more security? Sorry, I don't understand, how this would be achieved.

        It's only the bank's wallet app that asks for the phone permission. Their normal banking app doesn't.

          privsec The app keeps using the phone permission by the way. You cannot revoke it after installation.

          Why shouldn't you be able to revoke phone permission for an app?

            privsec Is your reasoning, that they link my app installation to the phone number and thus achieve more security? Sorry, I don't understand, how this would be achieved.

            It is their guarantee for using their banking app as a secure solution although you can do everything with their app and no second app or extra device is used for security.
            They use the ‘phone’ permission not to obtain the phone number, but the IMEI, and argue that this allows them to recognise whether I am making transfers from this device or using a completely different device (which would then be a reason to suspect fraud).

            But if the stock Android OS doesn't give this information to other apps since Android version 10, then they are lying or assuming that many customers are still using such old devices/software.
            The second authorisation they demand for ‘extended account protection’ is localisation.
            This is really practical for a plausibility check. I have granted this authorisation.

            fid02 Eagle_Owl When checking the IMEI of your phone, this authorisation allows you to be sure that it is really you and not a thief who has stolen your phone to get your money…

            This does not make sense and if your bank is telling you this then they are again lying to you. An IMEI does not follow a person. If someone steals your phone, the IMEI does not change. There is no way that your bank is detecting that someone grabbed your phone and stole your device credentials based on an IMEI which their banking app cannot even access.

            Yes, you are right, this IMEI check alone (if possible!) isn't a protection, only together with a location check or a location check alone would help in that case.

            sav Why shouldn't you be able to revoke phone permission for an app?

            Because the app I am talking about then won't work anymore, so that I could also delete it right away. There are other apps that ask for phone permission, where you can grant it, revoke it or not grant it and still use the app. Not in the case of my bank's wallet app.

            2 months later

            In the new private profile (Android 15) there seems to be no phone or SMS app, unlike in user profiles.

            What are the consequences for apps that require phone permission and that are installed in such a private profile?

            Will those apps still be able to read the SIM card's phone number if phone permission is granted?

              privsec

              Private space is essentially a nested user profile. The phone permission will let apps see your phone number regardless of which user profile you're on. I assume the same applies to the SMS permission too.

              Relevant: This thread