MikeAustin re complaints: you need to make it formal to have a chance of success.
IANAL, fact check me (don't have time to triple check and polish it), caveats apply, etc; but:
1) raise it with the company (bank) - you can call them and say you want to raise a complaint, open a complaint from the website or any other way you want
Make sure to raise points you will later emphasise with Financial Ombudsman.
Make sure to state your desired outcome (this one is critical).
- their baseless decision is cutting you, using a "legitimate", secure device, off from your money
- Google Play Integrity does not promise device security, only that the device has preinstalled Google Play
- if the bank wishes to claim the security issues, how come their latest version (check on Google Play) can be installed on Android Oreo (to be verified, APKMirror claims 8+ (API 26) is required), an operating system that was released in 2017 and EOLd in Jan 2021
- emphasise that EVERY monthly Android security bulletin lists several severe (critical) security vulnerabilities allowing the innocent user to be infected whilst using normal software, browsing normal websites, connecting to normal wifi networks, also even without their action and knowledge (via MMS with exploit). Broadpwn, BlueFrag, Stagefright. Find several good CVEs to add to the list.
- some older, very vulnerable handsets have been modified, rooted, and then Google Play Integrity checks spoofed using methods well known to google for years. Meaning an incredibly vulnerable, potentially malware-ridden phone is accepted by Google and by extension is baselessly considered safe by the bank
- emphasise that GrapheneOS is the safest and most secure operating system, exceeding even Google's own devices, and that it's patched against some of the known vulnerabilities that will be patched in major manufacturers' phones several months later
- request the Bank to either expressly allow GrapheneOS which is easy with its support for the hardware attestation, or immediately ban all the phones with Android lower than 16 and/or unpatched for more than 3-6 months, because they pose grave security risks for users and financial risk for the bank.
- request the bank to ban all the devices manufactured by the companies known to ship the hardware with backdoors (especially OnePlus and Xiaomi)
- if the bank refuses the above, request the bank to prove they actually conducted a security analysis that concluded that allowing phones on the ancient OS, unpatched for almost 10 years, is safe, but allowing the safest Android OS on the planet is unsafe - either for the user or the bank
Emphasise you could use the app in the past, and now the bank unilaterally and unfairly changes the terms of service for you. A bank suggesting you must use an old device, for example a staggeringly insecure 10 year old phone, and expose your finances and private information to malware, thieves and scams is acting unfairly and unreasonably.
Repeat that the bank suggesting this is in the interest of security is misleading and, from your perspective as a security-minded user, acting in bad faith, blocking safe but allowing grossly unsafe devices.
(add some variants of the last two, the FCA hates financial companies doing this stuff. Of course the bank will be lying in their response that they aren't, but it's important you say it out loud for the next step)
2) predictably the bank will tell you to pound sand
3) to which you complain to the Ombudsman. I would suggest you add some materials proving the "Integrity" is security theatre and that you suspect the bank knowingly ignores the immense dangers to unsuspecting users, opting for compliance box checking instead: the fact the bank knowingly does that whilst refusing to consider whitelisting the safe OS proves it's a fake action not grounded in facts.
Emphasise the bank knowingly allows vulnerable handsets - by setting the minimum API level so low - otherwise the bank's response to your complaint stating it's for security reasons is made up and you consider it a lie (your feelings are valid!)
Ask the Ombudsman to force the bank to disclose the statistics of OS use in their customer base (which will show them the staggering number of vulnerable and very vulnerable devices the bank accepts), and the disclosure of the reasons to allow the very vulnerable handsets - point out that the bank's response is, "to put it mildly, demonstrably false, by claiming it has basis in security considerations" or so.
Ask the Ombudsman to force the bank to stop blocking security-minded customers from accessing their money by forcing the bank to adopt hardware attestation and allow GoS in particular and possibly similar projects in the future. Mention that not even Cellebrite is able to break in. Show Release Notes with a list of CVEs not patched in anything else yet.
Your letter to the Ombudsman should contain a list of the critical RCEs and EoPs since the month of the release of Oreo.
Basically state the facts, don't be afraid to say it's a well known security theatre, remain polite :p
Force the bank into a corner (maybe they'll admit it was just laziness). Remember both your initial complaint and their response will be read by the Ombudsman.
I think we need to move a bit further and quicker (as users) and that all the impacted users should do it, otherwise we face the situation where all the banks use it.
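The post's point that hardware attestation makes allowing GrapheneOS "easy", and that a patch-level cutoff would be the defensible security control, can be shown as a relying-party policy. The following is an added example (not code from the post, the bank, or the GrapheneOS project): it parses the RootOfTrust structure from an Android key attestation extension and accepts a device only if its bootloader is locked, its boot chain is verified, its verified boot key is on an allowlist, and its security patch level is recent. The key bytes and the patch dates are constructed placeholders; the RootOfTrust field layout and the verifiedBootState values follow the Android Key Attestation schema, and the patch level is passed in separately rather than parsed from the full extension.

```python
"""Added example: relying-party policy over Android hardware key attestation.

Only RootOfTrust is parsed here; the full attestation extension (tag [704]
in the AuthorizationList) also carries osPatchLevel (YYYYMM), which this
example takes as a plain parameter. Key values below are constructed.
"""
from dataclasses import dataclass
from datetime import date
import hashlib

# verifiedBootState values from the Android Key Attestation schema
VERIFIED, SELF_SIGNED, UNVERIFIED, FAILED = 0, 1, 2, 3

# Constructed placeholders for verified boot keys (real values are published
# by each project; a relying party would pin those, not these).
STOCK_KEY = hashlib.sha256(b"placeholder-stock-vendor-key").digest()
GRAPHENEOS_KEY = hashlib.sha256(b"placeholder-grapheneos-key").digest()
TRUSTED_BOOT_KEYS = {STOCK_KEY: "stock", GRAPHENEOS_KEY: "GrapheneOS"}


def _tlv(buf: bytes, pos: int):
    """Read one DER TLV (short or long length form); return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


@dataclass
class RootOfTrust:
    verified_boot_key: bytes
    device_locked: bool
    verified_boot_state: int
    verified_boot_hash: bytes


def parse_root_of_trust(der: bytes) -> RootOfTrust:
    """RootOfTrust ::= SEQUENCE { verifiedBootKey OCTET STRING, deviceLocked BOOLEAN,
    verifiedBootState ENUMERATED, verifiedBootHash OCTET STRING }"""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    pos, fields = 0, []
    for expected in (0x04, 0x01, 0x0A, 0x04):   # OCTET STRING, BOOLEAN, ENUMERATED, OCTET STRING
        tag, val, pos = _tlv(body, pos)
        if tag != expected:
            raise ValueError(f"unexpected tag {tag:#x}")
        fields.append(val)
    return RootOfTrust(fields[0], fields[1] != b"\x00", fields[2][0], fields[3])


def encode_root_of_trust(rot: RootOfTrust) -> bytes:
    """DER-encode a RootOfTrust; used only to build constructed input for the demo."""
    def tlv(tag: int, val: bytes) -> bytes:
        return bytes([tag, len(val)]) + val      # every field here is under 128 bytes
    body = (tlv(0x04, rot.verified_boot_key)
            + tlv(0x01, b"\xff" if rot.device_locked else b"\x00")
            + tlv(0x0A, bytes([rot.verified_boot_state]))
            + tlv(0x04, rot.verified_boot_hash))
    return tlv(0x30, body)


def months_since(patch_level: int, today: date) -> int:
    """patch_level is YYYYMM, the format used by osPatchLevel."""
    year, month = divmod(patch_level, 100)
    return (today.year - year) * 12 + (today.month - month)


def evaluate(rot: RootOfTrust, patch_level: int, today: date, max_stale_months: int = 6):
    """Policy decision: (accepted, reason). Unlike a Play Integrity verdict, the
    decision is made from attested facts the relying party can inspect itself."""
    if not rot.device_locked or rot.verified_boot_state != VERIFIED:
        return False, "bootloader unlocked or boot chain not verified"
    os_name = TRUSTED_BOOT_KEYS.get(rot.verified_boot_key)
    if os_name is None:
        return False, "verified boot key not on allowlist"
    if months_since(patch_level, today) > max_stale_months:
        return False, f"{os_name}: patch level older than {max_stale_months} months"
    return True, f"{os_name}: locked, verified boot, recently patched"


def demo(today: date = date(2025, 12, 1)):
    """Three constructed devices: current GrapheneOS, a stale stock phone, an unlocked one."""
    graphene = encode_root_of_trust(RootOfTrust(GRAPHENEOS_KEY, True, VERIFIED, b"\x11" * 32))
    old_stock = encode_root_of_trust(RootOfTrust(STOCK_KEY, True, VERIFIED, b"\x22" * 32))
    unlocked = encode_root_of_trust(RootOfTrust(GRAPHENEOS_KEY, False, UNVERIFIED, b"\x33" * 32))
    return {
        "grapheneos_current": evaluate(parse_root_of_trust(graphene), 202511, today),
        "stock_oreo_era": evaluate(parse_root_of_trust(old_stock), 201708, today),
        "unlocked": evaluate(parse_root_of_trust(unlocked), 202511, today),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

The allowlist plus patch-level check is the control the post argues for: the decision turns on the attested boot key and patch date rather than on which vendor shipped the phone, so a locked-bootloader GrapheneOS device passes while an unpatched Oreo-era handset with stock firmware does not.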