Recently I ran into a problem with the mobile application of my bank. My favourite bank, Raiffeisenbank ♥️.
I was not able to authorize a payment. Actually, that is not an entirely accurate description. Let me clarify that: I was blocked from spending my money. Against my will.
What might have been the reason? The app was detecting an active phone call. In reality, it was just my phone in a superposition where it was reporting an active call - see the green icon in the top-right corner indicating an active microphone - even though I was not in a call.
How is it even possible? How can any application on my phone detect whether I’m in a call or not? I never gave the app any permission to access my microphone or call status. This is extremely worrisome.
The underlying API leaking such information is Play Integrity API. The same API used to block you from using banking apps on rooted phones or custom ROMs. Better not install any spyware on your phone! Except the one pre-installed by your phone manufacturer, that is. For our security, of course.
When did it become acceptable for banking apps to block people from moving their money without explicitly opting into such protections?
I might even be somewhat fine with the limitations if I were not required to use the app to authorize payments. But I did not install the app voluntarily - I was forced to. I can’t even access my money without it. And it’s a UX nightmare to use. Be ready - I have a couple of examples prepared for another post.