App, Security and Privacy (Fingerprint, Pin, or Password)

I’ve just checked & no it doesn’t. But presumably it should :slight_smile:

I don’t think it can - apps can’t retain their state if deleted (unless they put all of it in iCloud Drive), and I think the iOS security subsystem also clears app’s secrets like the one used for fingerprint locking.

That’s the point I was initially making. App lock is just that, a localised app lock. Your security lies in the email auth, main phone lock. Either that or you go legacy bank with three random chars from your secret word every time you open app (no please) :nauseated_face:

By the way,

[quote="bhonobo, post:116, topic:6218"]
I personally don’t care for this extra security, my phone is pin/fingerprint protected and I’m its only user.
[/quote]

just throwing things into the mix. :stuck_out_tongue:

4 Likes

Hang on…so you don’t think there should be a PIN now?

One is security of funds, the other is security of personal data…two separate issues.

2 Likes

I’m aware that they’re separate (though related) issues but I’m not sure what the link is between that & the points that I’ve been discussing with Patrick, could you please clarify?

I don’t think his issue is with whether the app secures your data with a pin or fingerprint as he seems not to want too much hassle getting in. It seemed to me more like a query as to the technicalities of how fingerprint identification in the device and its OS interact with the Monzo app and if deleting and reinstalling the app changed the app’s state thereby removing any fingerprint protection and stuff like that. One for Monzo techies I think, if they can follow the thread or should his various points be summarized in one place (as it’s hard to follow being split up with other posts)

1 Like

Not at all. Apologies for all confusion I’m creating. :anguished:

I have personally never really worried about Monzo not having said lock on android, and may not turn this feature on if optional (will definitely not use if fingerprint without PIN). I have been arguing in favour of a PIN if we are given the option of fingerprint unlock.

All the techy questions I was asking were rhetorical. I already knew the answers but was asking to try and prove my points (with no great effect :grin: ). I was trying to discredit the notion of recovery, there is absolutely no reason not to create a simple fingerprint/PIN fallback where in worst case scenario you just reinstall app. Otherwise I’m 100% comfortable with Monzo’s approach to security/privacy :thumbsup: :clap:

4 Likes

Having used the ‘protected app’ feature on LineageOS successfully for a few days Monzo now crashes every single time I try to open it. This seems to be because ‘Leah from Monzo’ seems to want to give me an update, and wants to restart Monzo, but it is protected by the OS, so it crashes. I had to unprotect Monzo to see the message and stop the crashes.

It seems to me that relying on Android features to protect Monzo isn’t going to work well, for me at least. I really don’t understand the reluctance of Monzo to add pin protection (my mobile doesn’t have fingerprint support). It would somewhat ease the fears of users such as myself who worry about such things.

Oh, and by the way, please put dates on your messages. I have no idea when the problems you’ve been having occurred since I don’t open the app every day and don’t know if messages are being stored up for sending or are just ‘real time’. Was the problem today (Thursday 6th July), yesterday, or when?

2 Likes

I’ve just made the leap from an iPhone 7 to an S8+ after many years with iOS and much annoyance and it’s my first experience of the android ecosystem.

I’ve briefly read through this thread and I too am a little perturbed that the app doesn’t ask me for a pin or fingerprint to open the app after using touchid on iOS

Please at least give us the option, I don’t want people to just be able to open the app and see my spending habits if they have my phone

2 Likes

Exactly, that is what you are doing, making up for a lack of security of your personal data. Your funds may be secure but there is a failing on the part of Monzo to protect your personal data in their app.

2 Likes

OpenYOLO and its pairing partners (Dashlane, LastPass etc) might be something to look at?

If someone has access to your phone, Monzo should be the last of your worries.

Even if Monzo had a PIN/password nothing prevents them from leaving malware on your phone so next time you type the PIN they will still get it (and with malware they can do much worse than stealing money from your Monzo).

Your real security is in the phone’s actual passcode/passwords (which also serves as an encryption key to encrypt storage at rest - so they can’t just take the memory chips out and put them in a computer) - if an attacker bypasses that you’ve already lost and should consider all data on that phone compromised.

3 Likes

Different security performs different jobs at different layers. Monzo without security is like leaving my bank statements on the coffee table when people come in for a drink.

1 Like

Exactly it’s a privacy feature :slight_smile:

Andre’s post was focused on security.

The ICO describe it as the “security” of personal data…not “privacy” of data.

2 Likes

I’m pretty sure this is out of scope of the ICO as the data is safe from random attackers on the internet. The data is safe and secure as only you and your device can access it (just like with other bank apps).

1 Like

There is an obligation on companies not just to keep personal data secure on servers but in apps too. Failing to provide such security of personal data and making a user dependent on a third party app to secure their data arguably does not meet their obligations.

However Principle 7 of the Data Protection Act 1998 is not prescriptive in nature so there is an onus on Monzo to prove they are following the spirit and intent of the DPA rather than just the wording of this principle.

Formal correspondence has been sent to Monzo on 11th July 2017 pointing out the current requirements and seeking their comments. The ICO will be reviewing the reply sent as part of open case number ENQ0689063 to see if there is sufficient evidence that they are meeting the requirements.

3 Likes

My point was, Monzo is not more nor less secure than any other bank app against an attacker having physical access to the device - in both cases all it takes is leaving some malware on the device or dumping its storage (which includes the authentication tokens it uses to talk to the app’s servers) to get access to that same data.

It’s not always about security though, for me it’s privacy. In a household full of children, if I give them my phone to play a quick game (some of them have worked out my security code now), I don’t want them to have easy access to my account balances.

2 Likes