Exactly one month ago I said I was going to write a post about my bank's app permissions and the issues with privacy on it.
I had a quite unusual and weird "Twitter talk" with my bank regarding privacy and app permissions.— Ricardo 'Bug' G. S. (@debugweshell) April 22, 2016
I think I'll translate and publish it.
So here's it.
Disclaimer: I'm no expert in Android permissions, no expert in security and no expert in privacy. What I'm about to write here is about a conversation I had with my bank on Twitter and my opinions about it. I'm also no expert in that app, so I can't speak much about it. Keep that in mind for what you're about to read.
Let's talk overkill
I have mixed feelings about my bank. Mostly because it's a bank, so they're nice to you when you have money, but it's a big fuck you when you don't have. You know how banks work, right? My bank is no different than any other big one. And my bank has an app. And that app requires a lot of permissions:
Version 220.127.116.11 can access:
- find accounts on the device
- read your contacts
- receive text messages (SMS)
- read your text messages (SMS or MMS)
- directly call phone numbers
- modify or delete the contents of your USB storage
- read the contents of your USB storage
- take pictures and videos
- Wi-Fi connection information
- view Wi-Fi connections
- Device ID & call information
- read phone status and identity
- receive data from Internet
- full network access
- view network connections
- control flashlight
- prevent device from sleeping
- control Near Field Communication
I actually found some of these permissions really weird (in bold). You see, there's no reason for this app to read my contacts, read my messages, see my wifi networks (what?) or even control my flashlight (WHAT?!). Preventing my device from sleeping is weird - why the hell would my bank want to do that for? Meh, let's contact my bank, shall we?
We need to talk
The following are the tweets regarding the "conversation" I had with my bank. I'll provide a (accurate enough) translation for each one, since they're obviously in Portuguese. Relax and enjoy.
Porque o app do @BancodoBrasil requer acesso ao telefone, SMS, contatos, câmera, status da wifi e o pior: fotos, mídias e arquivos?— Ricardo 'Bug' G. S. (@debugweshell) April 3, 2016
"Why the app from @bancodobrasil requires access to the phone, SMS, contacts, camera, wifi status, and the worst: fotos, medias and files?"
I honestly didn't expect them to answer... but they did.
@debugweshell Olá, Ricardo! O Aplicativo BB foi projetado para adaptar-se facilmente aos principais sistemas operacionais existentes, ...— Banco do Brasil (@BancodoBrasil) April 3, 2016
@debugweshell ... explorando funcionalidade que utilizam recursos nativos de cada dispositivo (componentes gráficos, câmera, GPS, etc) e...— Banco do Brasil (@BancodoBrasil) April 3, 2016
@debugweshell ... a consequente melhoria na experiência do usuário, usabilidade, performance, otimização de tráfego de dados e rapidez.— Banco do Brasil (@BancodoBrasil) April 3, 2016
"Hi, Ricardo! The BB app was designed to easily adapt to the main existing operating systems, exploring features that use native resources of each device (graphical components, camera, GPS, etc), and consequent improvements in user experience, usability, performance, traffic optimization and speed."
Well, that sounds like bullshit to me, to be honest. It sounds really like a default response, like someone was trained to answer this to me (and this is probably what happened). So let's go further, since I still think this is an overkill of permissions.
.@BancodoBrasil Me parece um pouco de overkill de permissões para um app de Internet Banking, não?— Ricardo 'Bug' G. S. (@debugweshell) April 3, 2016
"That sounds to me like a bit of permission overkill for an Internet Banking app, no?"
And then they replied:
@debugweshell Ricardo, o Aplicativo BB utiliza os recursos nativos de seu aparelho para realizar transações a partir deles, por isso as...— Banco do Brasil (@BancodoBrasil) April 3, 2016
@debugweshell ... permissões são solicitadas. Vc pode permitir ou não que o Aplicativo BB faça uso desses recursos.— Banco do Brasil (@BancodoBrasil) April 3, 2016
"Ricardo, the BB app uses native resources of your device to make transactions, and hence the permissions are requested. You can allow or deny that the BB app use those resources."
Well, not really. I mean, sure, I can try to deny some permissions on Android, but it's not the default behavior, at least with my old version here (old phone, meh). I can download an app, get there, disable some permissions, but not everything. And that's actually not really the point: what I really want to know is why do they need that.
.@BancodoBrasil Desculpa, mas a minha pergunta é mais do ponto de vista técnico mesmo. Em qual transação que vocês precisam de acesso (1/2)— Ricardo 'Bug' G. S. (@debugweshell) April 3, 2016
.@BancodoBrasil aos meus contatos e SMS? E mídia e arquivos? E, curiosamente, status da wifi?— Ricardo 'Bug' G. S. (@debugweshell) April 3, 2016
"I'm sorry, but my question is from the technical point of view. In which transaction do you need access to my contacts and SMS? And media and files? And, curiously, wifi status?"
And, sure, they replied what I kinda expected:
@debugweshell Ricardo, não é possível fornecer os detalhes técnicos que vc deseja por motivos de segurança.— Banco do Brasil (@BancodoBrasil) April 3, 2016
"Ricardo, it's not possible to provide the technical details you want for security reasons."
Well, that sucks. I mean, it's my data you're accessing after all, right? So you could tell me at least why you need some of those permissions. So, yeah, I'm sorry, but I might have to disable what I can:
.@BancodoBrasil Justamente por motivos de segurança (e privacidade), talvez eu tenha que desativar algumas dessas permissões. :S— Ricardo 'Bug' G. S. (@debugweshell) April 3, 2016
"Exactly for security reasons (and privacy), I might have to disable some of those permissions. :S"
So there's that.
So... what now?
Oh well. There isn't much I can do about it. Sure, I can disable some app permissions, but they won't tell me why they need them for. I actually use the app quite a lot, considering that their website requires some very vulnerable stuff to installed on my machine to even login into my account (thanks, virtual machines). I can't say, however, what they need some permissions for, and what issues it might cause to the app. I mean, it crashes by itself, so... yeah.
Nevertheless, let me go through some permissions again. The general stuff, like access to media and camera, is fine though. You see, accessing USB data is in the same category as accessing photos and media, which is weird, but understandable. They do save files on your phone, like when you do a transfer or pay some bill, you can save the image, PDF or text file with the receipt of such transaction. And since sometimes I need those receipts, that's fine to me. Camera too: I need to read barcodes to pay stuff anyway.
But what really scares me are the other permissions. Contacts? Really? What the hell do you need that for, bank? Maybe some integration I don't know about (very much possible)? And SMS? What do you need to read my messages for? I know you do some authentication stuff by SMS, but I don't remember having to receive a SMS to confirm the app usage. Also, reading all messages is creepy. I don't like it.
And then it gets weirder: Wi-Fi connections. But why?! And my.. wait, flashlight? Are you kidding me? What in the world would a bank need that for?
But ok, let's just say they are weird permissions and Android is blocking them to do something important because of that. Or maybe they're collecting device information for whatever tracking and analysis they do. Let's just ignore that. But then you want to prevent my phone from sleeping? Tell me more about that. I do hope you only use that in extreme cases, like during transactions, scanning codes, etc, and not the whole time.
Meh. My bank doesn't want to provide enough information about their app. I can't even tell if it's 100% safe (probably not), and I'm too lazy to reverse engineer it. But then again, they could at least give me some information, right? I mean, in the name of my privacy maybe? But, hey, it's a bank, for sure there's a good reason for everything. Right?