de0u I'm a sysadmin but I won't pretend I know much about this topic :) The former option is definitely outside of my comfort zone.
According to this report, Commbank has long gated the NFC pay feature behind Google Play Services, but everything else seems to work aside from that if you don't have Google Play Services: https://github.com/PrivSec-dev/banking-apps-compat-report/issues/75
My optimistic thoughts are maybe they would limit Play Integrity blocking just to that one feature...
My instinct is that it's best to let sleeping dogs lie... telling them about GrapheneOS might motivate them into action by explicitly blocking GrapheneOS like Revolut's SDK provider did. On the other hand, if they decide to block GrapheneOS in a few months, it will be too late.
Commbank has been very aggressive lately about protecting Australians from scams, and puts many barriers in place when you try to pay someone new: it tries to make sure they are who they say they are, asks for multiple confirmations, etc. I'm concerned a Play Integrity block might be part of those new steps.
I can always go back to using SMS 2FA for Commbank instead of the app if they ban it, I suppose.