HSBC blocks its app due to F-Droid-installed Bitwarden

Why HSBC Blocks the App (Overlays, Sideloading, Liability)

  • Many assume the trigger is Bitwarden’s overlay/accessibility permission and/or its installation via F-Droid (a non–Play Store source).
  • Some argue this is reasonable risk management: UK banks are increasingly liable for fraud losses, and sideloaded apps plus overlay permissions are a known attack vector for scams.
  • Others counter that it’s “security theatre”: Android already offers secure UI APIs (e.g., Trusted UI / protected confirmation) that don’t require enumerating or blocking other apps.

Scope of HSBC’s Restrictions

  • Reports that the HSBC app:
    • Refuses to run if overlay-capable apps are present or installed from outside official stores.
    • May also block when developer mode is enabled.
    • Uses broad app-visibility permissions (QUERY_ALL_PACKAGES) under special allowances for financial apps.
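To make the three checks above concrete, here is an added illustration (not HSBC's code, and not taken from the thread) of what an Android app can learn about other installed packages once it holds QUERY_ALL_PACKAGES, plus the developer-options check. The "official store" allow-list, the block-on-any-finding policy, and all names are assumptions for the example; HSBC's actual thresholds are not documented on this page.

```kotlin
// Added example: app-side risk checks of the kind the discussion describes.
// Assumed policy and allow-list; nothing here is HSBC's real logic.
import android.Manifest
import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageManager
import android.os.Build
import android.provider.Settings

// Assumed allow-list of installer package names treated as "official stores".
private val OFFICIAL_INSTALLERS = setOf(
    "com.android.vending" // Google Play
)

data class RiskReport(
    val overlayRequesters: List<String>,   // packages that request SYSTEM_ALERT_WINDOW
    val sideloaded: List<String>,          // user apps not installed by an allow-listed store
    val developerOptionsEnabled: Boolean,
) {
    // Example policy: any finding blocks. A more tolerant policy would warn instead.
    val shouldBlock: Boolean
        get() = overlayRequesters.isNotEmpty() || sideloaded.isNotEmpty() || developerOptionsEnabled
}

fun buildRiskReport(context: Context): RiskReport {
    val pm = context.packageManager

    // On Android 11+ this returns only packages visible to the caller; seeing
    // every package is exactly what the QUERY_ALL_PACKAGES permission grants.
    val packages = pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)

    // Overlay capability is declared in the manifest, so the request is visible
    // to other apps; whether the user actually granted it is an app-op and is
    // not visible from here.
    val overlayRequesters = packages
        .filter { it.requestedPermissions?.contains(Manifest.permission.SYSTEM_ALERT_WINDOW) == true }
        .map { it.packageName }

    // Installer attribution needs API 30+. System apps have no installer and
    // are skipped so they are not mistaken for sideloads.
    val sideloaded = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
        packages
            .filter { pkg ->
                val flags = pkg.applicationInfo?.flags ?: 0
                val isSystem = flags and ApplicationInfo.FLAG_SYSTEM != 0
                val installer = runCatching {
                    pm.getInstallSourceInfo(pkg.packageName).installingPackageName
                }.getOrNull()
                // Null installer on a user app means adb or a manual APK install.
                !isSystem && installer !in OFFICIAL_INSTALLERS
            }
            .map { it.packageName }
    } else {
        emptyList()
    }

    // Developer options is a global setting readable without extra permissions.
    val devOptions = Settings.Global.getInt(
        context.contentResolver, Settings.Global.DEVELOPMENT_SETTINGS_ENABLED, 0
    ) == 1

    return RiskReport(overlayRequesters, sideloaded, devOptions)
}
```

Two caveats worth noting when reading such code as a defender: an app installed via F-Droid reports F-Droid (or no installer at all, if the APK was installed by hand) rather than Google Play, so a store allow-list treats both the same; and the overlay check detects only that a package *requests* SYSTEM_ALERT_WINDOW, which is why a password manager like Bitwarden trips it even when the user never enabled the overlay. The thread's counter-argument is that a confirmation flow built on Android's protected confirmation UI would not need to enumerate other packages at all.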

User Freedom vs. Bank/App Control

  • Strong pushback on letting a bank dictate what software users run on their own devices.
  • Some see a slippery slope: from blocking F-Droid/overlays to requiring MDM-style control or hardware-backed attestation that effectively removes user control.
  • Others reply that since banks bear legal/financial risk, they are justified in banning “footguns,” even at the cost of power users’ freedom.

Google’s Role (SafetyNet / Play Integrity / Attestation)

  • Discussion that Google provides APIs to:
    • Detect OS integrity, root/jailbreak, and developer mode.
    • See installed apps and, increasingly, where they were sourced.
  • Criticism that Google is enabling app vendors to enforce restrictive policies and that this resembles earlier “trusted computing” power grabs.

Workarounds and Alternatives

  • Some users:
    • Switch to banks with more tolerant apps (e.g., ones that merely warn on root rather than block).
    • Use web banking plus physical tokens or RSA fobs instead of apps.
    • Keep a dedicated, “clean” banking phone, often offline or minimally used.
    • Avoid mobile banking entirely where web access remains possible.

Broader Themes: De-banking, Censorship, and Digital Control

  • Long tangent on “de-banking” driven by US sanctions, FATCA, and payment networks (Visa/Mastercard), showing how financial infrastructure can be used to punish individuals.
  • Concerns that banking apps, app stores, and sanctions regimes collectively erode autonomy, pushing interest in cash, crypto, or future alternatives like a (hopefully less surveillant) digital euro and open-web/PWA banking solutions.