
OCBC Bank app starts flagging users for apps installed through third-party app stores

jamesrc

Summary

OCBC, the second biggest bank in Southeast Asia, started rolling out a feature that scans user devices for third-party apps. They supposedly only flag apps with "risky permission settings".

 

Quotes

Quote

“(The feature) will only block apps that are not downloaded from official app stores, and which also have risky permissions settings that could cause the phone and mobile banking apps to be compromised,” said Mr Chua.

(...)

Some users took to the bank’s social media accounts after the security update kicked in on Saturday. Those with high-risk apps on their mobile phones were unable to access their OCBC online banking services.

 

Users shared screenshots on the bank’s Facebook with a prompt that read: “As the following apps are not from official app stores (eg. Google Play Store and Huawei AppGallery), they may be malicious or harmful”. The message then identified the apps and requested users uninstall them before proceeding with their online banking.

 

Users complained that apps such as popular Chinese video-sharing platform Douyin, online payment platform Alipay, and LG's smart appliance control app are among those flagged by OCBC’s security feature.

(...)
OCBC said that other banks are expected to introduce their own updated anti-scam security measures in time.

My thoughts

I feel that this is massive overreach on the bank's part. Being a user of F-Droid and a fan of FOSS (which often don't publish apps on Google Play), this does seemingly put me at risk of being unable to use my phone for internet banking - which is especially frightening with the bank's recent move towards using their mobile app as a digital token for verification of identity. Furthermore, OCBC's position as a major bank in Southeast Asia makes me fear that more banks will start adopting such practices.

 

Sources

https://www.channelnewsasia.com/singapore/ocbc-app-new-security-feature-malware-anti-scam-permission-settings-3687336


Considering how dumb most people are, Google has to provide far-reaching permissions to banking apps. I honestly don't see anything wrong with it, other than this particular app being too anal with its flagging.


1 minute ago, Levent said:

Considering how dumb most people are, Google has to provide far-reaching permissions to banking apps. I honestly don't see anything wrong with it, other than this particular app being too anal with its flagging.

Biggest issue, imo, is that the user is unable to continue banking at all unless they uninstall the flagged apps. OCBC uses their mobile app as 2FA for their web banking as well.


Personally I'd never install a banking app from a third party store. The only reason I could see is using an older device that is no longer supported. But even then, if I'm doing anything like that on my phone, I'd rather have an up to date one just to be safe.


3 minutes ago, TempestCatto said:

Personally I'd never install a banking app from a third party store. The only reason I could see is using an older device that is no longer supported. But even then, if I'm doing anything like that on my phone, I'd rather have an up to date one just to be safe.

Unfortunately, this isn't the bank stopping their app from being installed from a third party store. It's the bank telling users that other apps installed through third-party means will result in them being unable to bank at all.


11 minutes ago, TempestCatto said:

Personally I'd never install a banking app from a third party store. The only reason I could see is using an older device that is no longer supported. But even then, if I'm doing anything like that on my phone, I'd rather have an up to date one just to be safe.

You misread, this is about the banking app installed from Google Play refusing to work if you have any apps installed from a third party store.

 

I'm not surprised by this; banking apps have long refused to work if they detect your phone is rooted, so once people found a way to hide that, they just move on to another way to detect it.

 

I can see both sides. On the one hand I do object to not being able to root my phone because of this, but on the other hand, if you install a rogue third-party app that steals your bank details, it's understandable the bank wants to avoid liability for this.


27 minutes ago, jamesrc said:

Furthermore, OCBC's position as a major bank in Southeast Asia makes me fear that more banks will start adopting such practices.

Meh, this has gone on for a very long time. Someone finds and fixes an exploit, coders find another workaround. I've been using rooted devices for a very long time. Seems like every few months there is some article or someone saying "this is it, the end of root, we'll never find a way around this now." Every time there is another new exploit found, and things continue on.


32 minutes ago, Alex Atkin UK said:

You misread, this is about the banking app installed from Google Play refusing to work if you have any apps installed from a third party store.

My English isn't all that great so that's how I interpreted it. But that's even worse, and definitely an overreach on the bank's part. I guess they're worried about a data breach from some sketchy third party app a user has installed skimming info, logins, etc or something? But then that would mean they have horrible security to begin with.


32 minutes ago, TempestCatto said:

My English isn't all that great so that's how I interpreted it. But that's even worse, and definitely an overreach on the bank's part. I guess they're worried about a data breach from some sketchy third party app a user has installed skimming info, logins, etc or something? But then that would mean they have horrible security to begin with.

The problem with a rooted phone is that a third-party app could monitor everything. Nothing the bank did in their app could avoid that, so no, it's not their security which is bad; it's that by rooting you undermined the security of the phone.


It's because of this crap that I dropped custom ROMs: even though I didn't have a rooted device, it had an unlocked bootloader and the banking app was whining about it. And no, I don't have the time and nerves to dick around with Magisk. That's when I went with an iPhone for long software support, and now I'm on Samsung for the very same reason. It's just too much hassle maintaining all of it because something is always whining about this. Which is unfortunate, because I had an awesome experience with LineageOS.


2 hours ago, jamesrc said:

Summary

OCBC, the second biggest bank in Southeast Asia, started rolling out a feature that scans user devices for third-party apps. They supposedly only flag apps with "risky permission settings"

Y'all were warned over a decade ago.

https://web.archive.org/web/20131008063839/https://owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Dangers_of_Jailbreaking_and_Rooting_Mobile_Devices

 

2 hours ago, jamesrc said:

Quotes

My thoughts

I feel that this is massive overreach on the bank's part.

 

Overreach? Sure. But no more overreach than Google does itself. You know what else is a problem: pre-installed malware.

https://www.trendmicro.com/en_ca/research/23/e/lemon-group-cybercriminal-businesses-built-on-preinfected-devices.html

 

Here's my suggestion. If you want to keep using jailbroken Android devices, stop doing banking on them. Set aside a device, be it a cheap unmodified Android phone or a 4-year-old iPhone, and just put your banking app on that. This solves the problem that is really being addressed, which is that banks don't want to be responsible for unauthorized transactions that occur on the mobile device due to people using used phones with pre-loaded malware, which is only possible due to users being unaware.

 

Or you know, go back to using the physical card for tap-to-pay.

 

Reframe it this way. If you buy a new Android phone, you have the expectation that this will be a device that has not been touched since the factory.  You don't want your ISP or some third party store installing their "fun apps" or pirated games on it, that also include malware, or hidden functionality to steal the accounts of the user.

 

Many Westerners can't see beyond their own life experience and think these banks are being evil, when, sure, yes they are, but they aren't being evil to YOU, they are being evil for themselves. They are trying to protect themselves from other evil entities. You are just the collateral damage.


Funny how banking apps require these deep permissions on mobile devices to work, but you can still access all the same stuff (more, actually, at least in my case) through regular online banking portals on their websites from literally any browser, including the one on your phone. Almost as if all those added permissions, where a bank tells me what I get to do with my device, aren't actually required at all.


I'd love to see how strictly tech-related this news about a bank's policy for its app is.


25 minutes ago, Kisai said:

Here's my suggestion. If you want to keep using jailbroken Android devices, stop doing banking on them. Set aside a device, be it a cheap unmodified Android phone or a 4-year-old iPhone, and just put your banking app on that. This solves the problem that is really being addressed, which is that banks don't want to be responsible for unauthorized transactions that occur on the mobile device due to people using used phones with pre-loaded malware, which is only possible due to users being unaware.

+1. I would do this the second that Central Asian Bank changes their policy the same way, as they reflect on a lot of e-banking policies tested on other banks. But really it's a motion you should follow in general: one for the plug, one for the load.


4 hours ago, Kisai said:

Or you know, go back to using the physical card for tap-to-pay.

 

Reframe it this way. If you buy a new Android phone, you have the expectation that this will be a device that has not been touched since the factory.  You don't want your ISP or some third party store installing their "fun apps" or pirated games on it, that also include malware, or hidden functionality to steal the accounts of the user.

 

Many Westerners can't see beyond their own life experience and think these banks are being evil, when, sure, yes they are, but they aren't being evil to YOU, they are being evil for themselves. They are trying to protect themselves from other evil entities. You are just the collateral damage.

 

I can totally understand the reasons why banks would move to restrict third party apps on android devices but one issue I do have is that such banks often use mobile phones as 2FA mechanisms. Even if I wanted to move entirely to using my laptop, I still have to use the bank's app (now inaccessible) to authenticate.

 

Furthermore, some users have reported their workplace-mandated applications being flagged as well. Sometimes, moving to a completely separate device isn't financially possible - especially when banks decide that older android/iOS versions are too insecure to be supported.

 

There's a lot of edge cases that effectively result in users being unable to access their accounts entirely, even if they weren't installing malicious applications, and the app flagging is hardly comprehensive enough to actually tackle malware (of course, imo).

 


I wonder what these banks are up to; recently the Public Bank app refused to even launch on my phone, stating it's being run on an emulator (tf?)

 

For people saying "just don't use the app, duh": it's not that simple when the bank literally forces you to use it to validate transactions while they're phasing out SMS 2FA.

-sigh- feeling like I'm being too negative lately


4 hours ago, jamesrc said:

I can totally understand the reasons why banks would move to restrict third party apps on android devices but one issue I do have is that such banks often use mobile phones as 2FA mechanisms. Even if I wanted to move entirely to using my laptop, I still have to use the bank's app (now inaccessible) to authenticate.

Wait, what? Your bank uses their own app as a second factor? That's monumentally stupid. Never mind that only having a single option as a second factor is also entirely too little, given that not everybody can afford a smartphone, or might not want to in the first place.

 

4 hours ago, jamesrc said:

Furthermore, some users have reported their workplace-mandated applications being flagged as well. Sometimes, moving to a completely separate device isn't financially possible - especially when banks decide that older android/iOS versions are too insecure to be supported.

If a workplace mandates an app, they can pay for the device said app is running on. That's why I have two phones, my employer's stuff ain't getting anywhere close to my private stuff and vice versa. 


Wow, this was a rollercoaster to read about.

At first, I thought the news was "you can't use the bank app if you downloaded it somewhere else" and I thought that was pretty reasonable.

Then I realized it was the bank app not working if it detected other apps that had been downloaded from third-party stores, and I thought that was outrageous.

 

Then, after having looked into it a bit more and read the statement from the bank, I think this sounds more reasonable again.

Some key things that are important to understand:

1) The bank does not claim they will not flag all apps that have been downloaded from third-party sources. It will only flag apps that have "risky permissions", whatever that means. I am not sure what they would classify as "risky" or not, but this is an important thing to remember.

 

2) This is happening because there was a recent scam going around in Singapore that ended with people getting thousands of dollars stolen. People on Facebook were instructed to download an apk that was going to give them rebates on food orders. Except it didn't...

 

 

On one hand, this seems like good intentions. The bank wants to protect its users from being scammed and/or compromised, which has already happened in the past so it's not an unreasonable fear. I think whether or not this is good or bad will entirely depend on how it ends up being implemented and used. How many false positives or false negatives will they have?

On the other hand, I am not sure I agree that it should be up to the banks to basically do "anti-virus" work on devices. I understand why they would want to, because they get the short end of the stick when these types of things happen (people complain they didn't prevent the scam from happening, or if the scam happens they are tasked with fixing the issue and minimizing the damage).


1 hour ago, Avocado Diaboli said:

Wait, what? Your bank uses their own app as a second factor? That's monumentally stupid.

It's actually totally corporate.

They realise the app provides certification about safety, supported by insurance in case things fail.

So the bank relies on the technical partner... instead of a TLC partner, which has been proved "less safe than desirable" with SMS systems and SIM cloning/replacement.

 

Some countries have different procedures than SIM replacement (if you're not a SIM subscriber, you cannot physically receive the piece of paper as an eSIM or the plastic piece of chip), but whatever...

 

The second goal of any bank is "It's your fault" to any customer.


1 hour ago, LAwLz said:

On one hand, this seems like good intentions. The bank wants to protect its users from being scammed and/or compromised, which has already happened in the past so it's not an unreasonable fear. I think whether or not this is good or bad will entirely depend on how it ends up being implemented and used. How many false positives or false negatives will they have?

On the other hand, I am not sure I agree that it should be up to the banks to basically do "anti-virus" work on devices. I understand why they would want to, because they get the short end of the stick when these types of things happen (people complain they didn't prevent the scam from happening, or if the scam happens they are tasked with fixing the issue and minimizing the damage).

I remember very clearly when the banks started killing SMS TAN and other 2FA systems in favour of an app on your phone for "security" reasons. The app was supposed to be the second factor but immediately turned into a complete online banking suite. Online banking on a PC requires a password and second-factor authentication via an app; online banking on a phone requires a 5-digit PIN. And here lies the problem: if you want security on phones, add 2FA that's not the phone itself...

 

What makes this even worse are the "permissions" they are talking about. They are accessibility features, which obviously are a security risk for third-party installation methods as well as the "official" store. Many impaired people rely on Android's accessibility features.

The heuristic approach of simply flagging all third-party installations with accessibility permissions is questionable. It would be better to inform the users about all suspicious apps (independent of their installation method) and keep a blacklist of apps that are known to be malicious.


Seems risky to use anything but their official app…


Feels to me like a better compromise here would be for the banking apps to say something like "We've detected that Application {x} has permissions {y,z} assigned to it, this is risky because {reasons}", rather than outright refusing to work when it detects such environments.

 

At that point, if the user is subject to a scam as a result of said app, the bank has done their bit in informing the user, and the users hopefully educate themselves on why you should always be aware of what you're installing on your device(s).

 

Or is that all too logical and puts too much trust in people to read what's on their screen?
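To make the two positions in this thread concrete (the earlier post's case for warning about suspicious apps regardless of install source plus a blacklist of known-malicious ones, and this post's suggestion of a message that names the app, its permissions and the reason), here is an added Kotlin example. It is not OCBC's code and not from any poster. It uses standard Android APIs named in the comments; the list of "official store" package names, the empty blacklist and the message wording are constructed for the example, and it assumes the calling app holds QUERY_ALL_PACKAGES (or a matching <queries> declaration) so that it can see other packages on Android 11 and later. It only reports findings; it does not block the user.

```kotlin
// Added example: advisory scan for sideloaded apps that declare an accessibility service.
// Not OCBC's implementation; package-name list and message text are assumptions.
import android.Manifest
import android.content.ComponentName
import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageInfo
import android.content.pm.PackageManager
import android.os.Build
import android.provider.Settings

/** One finding per app worth telling the user about. */
data class AppFinding(
    val packageName: String,
    val label: String,
    val installer: String?,      // installing package name, null when unknown
    val reasons: List<String>,
)

class SideloadAdvisor(private val context: Context) {
    private val pm = context.packageManager

    // Assumption: stores the bank would treat as "official".
    // com.android.vending is Google Play, com.huawei.appmarket is Huawei AppGallery.
    private val trustedStores = setOf("com.android.vending", "com.huawei.appmarket")

    // Placeholder blacklist; a real one would be fetched from the bank's backend and
    // list package names (ideally with signing-certificate hashes) of known malware.
    private val knownMalicious: Set<String> = emptySet()

    /** Installer of [pkg], via the API 30 install-source info when available. */
    private fun installerOf(pkg: String): String? = try {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
            pm.getInstallSourceInfo(pkg).installingPackageName
        } else {
            @Suppress("DEPRECATION")
            pm.getInstallerPackageName(pkg)
        }
    } catch (e: PackageManager.NameNotFoundException) {
        null
    }

    /** Accessibility services the user has actually switched on, as flattened component names. */
    private fun enabledAccessibilityServices(): Set<String> {
        val raw = Settings.Secure.getString(
            context.contentResolver, Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES
        ) ?: return emptySet()
        return raw.split(':')
            .mapNotNull { ComponentName.unflattenFromString(it)?.flattenToString() }
            .toSet()
    }

    /** Scans every non-system app; assumes QUERY_ALL_PACKAGES so other packages are visible. */
    fun scan(): List<AppFinding> {
        val enabled = enabledAccessibilityServices()
        return pm.getInstalledPackages(PackageManager.GET_SERVICES)
            .mapNotNull { assess(it, enabled) }
    }

    private fun assess(info: PackageInfo, enabled: Set<String>): AppFinding? {
        val app = info.applicationInfo ?: return null
        if ((app.flags and ApplicationInfo.FLAG_SYSTEM) != 0) return null   // skip OS components
        if (info.packageName == context.packageName) return null            // skip ourselves

        val installer = installerOf(info.packageName)
        val sideloaded = installer == null || installer !in trustedStores

        // An app can only run an accessibility service if it declares one guarded by
        // BIND_ACCESSIBILITY_SERVICE; that is the "risky permission" the thread discusses.
        val a11yServices = info.services.orEmpty()
            .filter { it.permission == Manifest.permission.BIND_ACCESSIBILITY_SERVICE }
            .map { ComponentName(info.packageName, it.name).flattenToString() }
        val a11yActive = a11yServices.any { it in enabled }

        val reasons = buildList {
            if (info.packageName in knownMalicious) add("is on the known-malware list")
            if (sideloaded && a11yServices.isNotEmpty()) add(
                "was not installed from an official store and declares an accessibility " +
                    "service that could read or act on other apps' screens"
            )
            if (a11yActive) add("currently has an accessibility service enabled")
        }
        if (reasons.isEmpty()) return null
        return AppFinding(info.packageName, app.loadLabel(pm).toString(), installer, reasons)
    }

    /** The informative wording suggested in the thread, instead of a hard block. */
    fun message(f: AppFinding): String =
        "We've detected that ${f.label} (${f.packageName}, installer: ${f.installer ?: "unknown"}) " +
            f.reasons.joinToString("; ") + ". Review it under Settings > Accessibility before continuing."
}
```

Two points a practitioner would note about the design: the blacklist check fires independently of install source, so a known-bad app from an official store is still reported, and the heuristic only fires for the combination of an untrusted installer and a declared accessibility service, which is narrower than flagging every sideloaded app. Whether the enabled-service check is reliable depends on the device's settings provider and on the scanning app's package visibility, so a real deployment would log what the scan could and could not see.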


10 hours ago, jamesrc said:

 

I can totally understand the reasons why banks would move to restrict third party apps on android devices but one issue I do have is that such banks often use mobile phones as 2FA mechanisms. Even if I wanted to move entirely to using my laptop, I still have to use the bank's app (now inaccessible) to authenticate.

I wish companies would not use mobile phones as a 2FA while simultaneously being an app. It's no longer 2FA if the 2FA generator is on the same device.

 

10 hours ago, jamesrc said:

Furthermore, some users have reported their workplace-mandated applications being flagged as well. Sometimes, moving to a completely separate device isn't financially possible - especially when banks decide that older android/iOS versions are too insecure to be supported.

Well that's your fault for installing work apps on your personal device, or installing your bank's app on your work device. Don't do that.

 

10 hours ago, jamesrc said:

There's a lot of edge cases that effectively result in users being unable to access their accounts entirely, even if they weren't installing malicious applications, and the app flagging is hardly comprehensive enough to actually tackle malware (of course, imo).

 

 

iPhone does not have this problem does it? Nobody is saying a bank app is good at scanning for malware, far from it, but it likely just looks for side-loading being turned on and any installed apps missing signatures. The only reason it can even do this is because you gave it permission to do so. Will it still work if you revoke elevated access? Who knows.

 

But it's like, this is a lesson we keep having to learn in the IT biz. Customers are idiots. Lock down and remove tools that allow the average customer to do anything with the software or device that you know WILL break it if someone goes pressing buttons. This is why firmware/BIOSes are the way they are, even on desktops. You can customize a firmware (that's how you get boot logos), but it's often NOT worth the effort and potential damage to the system.

 

