Recently I decided to attend an online learning session about safety for Internet banking to see what advice they gave to their customers in general, and this has prompted me to write about mobile security.
While I was watching the video there was a live chat to talk to a specialist about any issues that I had with internet or mobile banking.
Personally, I can't use the app on my phone (Huawei P40 Pro) for the following reasons:
- Google Play Store – These phones don’t have Google Play Store
- The app requires Google Mobile Services which these phones don’t have
So, I explained I couldn’t get the app and he initially told me to go to the Play Store and download it despite me saying there is no article. He eventually asked me for my phone the second time (screenshot below) which is when the penny finally dropped as to why.
His response to this is what prompted me to write this article because I genuinely couldn’t believe the response. Please be aware this is one of the largest financial institutions in the UK.
My bank's solution was to sideload Google Play from a 3rd party site I'd found on Google!
This was in an online talk around mobile security and internet security!
The issue with this falls into some major categories with usability and security.
The method a lot of these sites use is a script that installs multiple APKs for Google Mobile Services. Anyone who wants to host a copy can alter this script to slip a malicious APK into it. An alternative could be to modify a known APK to include a malicious payload. Neither of these scenarios is something I would be interested in.
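To show what checking such a bundle would involve, here is an added example (not from the bank, Google or any sideloading site) that compares a re-hosted installer script and its APKs with a pinned manifest of SHA-256 digests. The file names, script contents and the manifest are constructed for illustration, and the check assumes the manifest came from a source you trust independently of the download site, which is exactly what a random site found through a search does not give you.

```python
import hashlib
import re

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def apks_in_script(script: str) -> list[str]:
    """Return every .apk file name the installer script mentions, in order."""
    return re.findall(r"[\w.-]+\.apk\b", script)

def audit_bundle(script: str, files: dict[str, bytes],
                 pinned: dict[str, str]) -> list[tuple[str, str]]:
    """Check each APK the script would install against the pinned manifest.

    Returns (file name, finding) pairs; an empty list means the bundle
    matches the manifest exactly.
    """
    findings = []
    for name in apks_in_script(script):
        if name not in pinned:
            # Scenario 1: an extra APK slipped into the script.
            findings.append((name, "not in pinned manifest"))
        elif name not in files:
            findings.append((name, "referenced by script but missing"))
        elif sha256_hex(files[name]) != pinned[name]:
            # Scenario 2: a known APK modified to carry a payload.
            findings.append((name, "digest mismatch"))
    return findings

# Constructed sample data: stand-in bytes, not real APKs.
ORIGINAL_FILES = {
    "gms_core.apk": b"constructed-gms-core-v1",
    "play_store.apk": b"constructed-play-store-v1",
}
ORIGINAL_SCRIPT = "pm install gms_core.apk\npm install play_store.apk\n"
# Assumption: digests recorded from a copy you already trust.
PINNED = {name: sha256_hex(data) for name, data in ORIGINAL_FILES.items()}

# A re-hosted copy with one APK altered and one extra APK added.
REHOSTED_SCRIPT = ORIGINAL_SCRIPT + "pm install helper.apk\n"
REHOSTED_FILES = {
    **ORIGINAL_FILES,
    "play_store.apk": b"constructed-play-store-v1+payload",
    "helper.apk": b"constructed-extra",
}

if __name__ == "__main__":
    for name, finding in audit_bundle(REHOSTED_SCRIPT, REHOSTED_FILES, PINNED):
        print(f"{name}: {finding}")
```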
Straight off, these methods don't work 100% of the time; some will work, some won't. There’s also the possibility that it can affect security and feature updates further down the line. I do know of someone that has done this and received a security warning from Google within a week of this process completing.
Hopefully, my post explains why this is a bad idea! So if your bank ever recommends sideloading an application to bypass your phone manufacturer's and Google’s security, I'd think twice before you do it!