Uproar over OCBC banking app’s new security feature is clearly misplaced
Yong Jun Yuan
THERE has been uproar over OCBC’s mobile banking Android application refusing to run unless a user’s sideloaded apps are uninstalled.
Sideloaded apps refer to those installed from third-party sources outside of the official app stores such as the Google Play Store and Huawei AppGallery.
The move has led some to call it an invasion of privacy, evoking dramatic Orwellian themes. Others have complained that the move makes it less convenient for them to access apps that are locked to certain countries.
One can easily imagine a world where sideloading would be useful. Users have complained that they sideload geo-blocked apps, such as China-centric ones, that are essential for work but can’t be installed from the app store.
However, allowing sideloaded apps to sit on your phone with your banking apps and other personal data is plainly unsafe. It is akin to leaving the door open for robbers to enter your home and steal your valuables, and is widely seen as a security risk.
Users should take heed of OCBC’s warnings instead of complaining about privacy violations or convenience penalties. In fact, other banks should implement the same feature to protect their users.
Bad actors have employed very strong social engineering attacks to trick people into sideloading apps. Most users may not know that they even have such apps sideloaded.
Sideloaded malware has already caused harm to users who unsuspectingly download and install it.
On Aug 13, police warned that a malicious “GST Voucher” app was being circulated through social media apps such as Facebook and WhatsApp. Android users were asked to download and sync the app with their bank accounts.
Before this, in June, police said at least two Android users lost S$99,800 of their Central Provident Fund (CPF) savings to scams involving malware. In this case, the victims were responding to ads for groceries such as seafood.
There are those who will blame victims for being careless. Android, for its part, makes it abundantly clear – with three separate warnings – that sideloading apps can compromise users’ phones.
Yet, there will always be a vulnerable segment of the population who fall for such scams. I would argue that this segment is larger than the savvy power-user segment who crave the convenience of sideloading apps.
In such a situation, it makes sense for the bank to block its app from running alongside sideloaded apps.
OCBC last year offered “full goodwill payouts” to customers who lost a combined S$8.5 million due to a phishing scam involving the use of SMS technology in December 2021.
In May 2022, the Monetary Authority of Singapore also imposed an additional capital requirement of about S$330 million on OCBC for how it handled the scam.
The bank has said that it has not received any malware scam reports since it implemented the security feature, suggesting that it is achieving its purpose of protecting users.
Furthermore, the bank has said that it does not collect any personal data from users and that it does not conduct surveillance on its customers’ phones.
I am inclined to believe them.
In recent years, Google has taken steps to prevent apps from collecting data about a user’s installed apps unless they have a legitimate reason to do so. App developers are also required to declare their purpose for doing so.
This came after Twitter (now known as X) began tracking users’ installed apps to deliver targeted content in 2014.
Even Avast, a free Android antivirus app, collected users’ installed app data for about five years before it eventually prompted users to opt out in 2020.
We cannot expect everyone to choose the right antivirus software to protect themselves from rogue sideloaded apps. If their bank is willing to do so, in good faith, for free, why not?
What, then, are power users supposed to do? Changing mobile operating systems is not an option, since iOS does not allow sideloading anyway. This security feature did not even have to be implemented on Apple’s devices.
The ability to sideload apps is a useful feature, but such apps should live on a user’s secondary device. This would physically separate the user’s banking apps from other sideloaded apps that could be compromised.
The secondary device, which could be an old phone, should not contain the user’s personal information either. Instead, users should create a burner Google account and use that to set up the device for use with sideloaded apps.
Smartphones are arguably the most sensitive devices that people own – even more so than their PCs ever were. They contain our credit cards, banking data, Singpass data and one-time passwords that are often used to authenticate any number of secure services online.
We should take our personal devices more seriously and not take unnecessary risks.
Copyright SPH Media. All rights reserved.