I’m on the Android Beta program and just updated the app to 1.5.3.
I use the Twilight app, which adapts the screen based on the time of day, dampening the blue light with a screen overlay.
Anyway, with the latest Monzo Beta update I’m unable to click the red + icon in the bottom right of the screen unless I pause the screen overlay software. All other touch features of the Monzo app work OK. Previous versions of the Monzo Beta app worked fine with Twilight.
As a workaround I can place an exception in the Twilight app to stop the screen overlay when the Monzo app is opened. No big deal, just wanted to flag it up.
Cool, I was suspecting it was intentional. Hope you guys have no plans to block screenshots.
Out of interest, is there anywhere on Monzo to see the full changelog of app updates? I love your description in the Google store updates menu… but it would be good to see the full list of changes if possible.
I think this is something they will do. It’s a security measure to avoid people accidentally leaking bank information. There isn’t much to go on at the moment, but once bank account numbers and sort codes come in it could be dangerous.
This is a bit frustrating as someone who uses Twilight all the time. I did explicitly give Twilight access to draw over apps after installing it - it’s operating with my full knowledge and my understanding of Android is that all apps require permission to do this.
I’m of the opinion that it’s entirely my own fault if I install and authorise a malicious app that manages to fool me in every step of the money sending process by overlaying with something else. Are there any plans to add an opt-out to this for users who know what they are doing?
Because I don’t want to be blinded whilst viewing the white background on my feed at 11PM? It’s installed and in use for a reason, that reason doesn’t go away because apps don’t play nice. I had a similar issue with Stagecoach’s bus app and just uninstalled it.
I figure it might be useful to document my attempts to fix this manually:
Strip the annoying attributes out with egrep -lRZ 'filterTouchesWhenObscured' base/ | xargs -0 -l sed -i -e 's/android:filterTouchesWhenObscured="true"//g'.
Rebuild APK with apktool b base
Use jarsigner and then zipalign to sign the APK with your own key and then correct the archive alignment. Something along the lines of jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore some-keystore-file.keystore base.apk alias_name. zipalign works like zipalign -f 4 base.apk new.apk
Uninstall the existing app, install patched version.
I agree we have probably been a little overzealous in this case.
We released 1.5.4 to the beta store yesterday which limits the number of buttons which have this protection down to the ‘confirmation’ buttons only - so send money and confirm top-up. This no longer affects the FAB or anything else. We also show a message now to explain to the user that they have an overlay in use, if they try and use those few buttons with the overlay.
Our intention is certainly not to annoy our users nor block apps like Twilight, it’s just an unfortunate side effect of adding this measure.
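For readers wondering what the 1.5.4 behaviour looks like at the view level, here is an added illustration (not Monzo’s code; the package and class names are hypothetical) of a confirmation button that drops touches arriving through another app’s overlay window and tells the user why, using the standard Android `onFilterTouchEventForSecurity` hook:

```java
// Added example, not Monzo's code. Package and class names are hypothetical.
package com.example.overlaydemo;

import android.content.Context;
import android.util.AttributeSet;
import android.view.MotionEvent;
import android.widget.Button;
import android.widget.Toast;

// A button meant only for high-value confirmations (e.g. "send money").
// Keep this off ordinary controls: any overlay window, including a harmless
// screen filter, sets the obscured flag, which is exactly the Twilight problem.
public class ConfirmButton extends Button {

    public ConfirmButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Same effect as android:filterTouchesWhenObscured="true" in layout XML.
        // With the override below the check runs regardless, but the flag keeps
        // the intent visible to anyone reading the view hierarchy.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        // The framework sets FLAG_WINDOW_IS_OBSCURED when a window belonging to
        // another app was drawn above this view at the moment of the touch.
        boolean obscured =
                (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;

        if (obscured) {
            // Explain once per gesture rather than once per MOVE event.
            if (event.getAction() == MotionEvent.ACTION_DOWN) {
                Toast.makeText(getContext(),
                        "Another app is drawing over the screen. "
                                + "Pause it to confirm this action.",
                        Toast.LENGTH_LONG).show();
            }
            // false discards the event; the default implementation does the
            // same when the flag is set, but silently.
            return false;
        }
        return true;
    }
}
```

On API 29+ the framework also reports `MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED`, which can be checked the same way if partial coverage of the button should also block the tap.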
I wholeheartedly disagree with attempts by financial companies trying to improve “security” by blocking relatively normal activities - like jailbreaking etc
Jailbreaking is not a normal activity to most. Also if you implemented the warning like you said and one of your jailbroken apps managed to exploit your phone and transfer £100’s/£1000’s of money from your monzo card are you willing to take the hit on that because you acknowledged the warning or would you be going to monzo for reimbursement?
I only made this thread to confirm the screen overlay blocking was intentional as I suspected. I’m happy for Monzo to implement security features that disable apps that could potentially peek at what I’m doing.
I wouldn’t say overzealous, love the development of this app and happy to be a beta tester. Which proves the process works, as now we have a notification for the screen overlay which can be rolled out :). I love the update description you guys put in the Play Store, I’d also like to see a full changelog posted somewhere for beta releases, as I would have checked that before creating this thread.
Monzo staff can feel free to correct me if I’m wrong but I believe the Monzo website is built with the static site generator Jekyll. If true, Monzo could archive all the release notes on a page by using Jekyll’s collections system and a folder full of markdown files for each release. Either that or just a restricted thread here.
This could only happen if the user had explicitly opted in via both their Android device settings, and via the Monzo app settings. Monzo would have to sufficiently warn the user of the potential risks.
Within those boundaries, there are no FCA/TCF issues with putting the liability on the user.
And obviously you could only opt-in to this setting in the Monzo app while the overlay was disabled.
100% agreed on everything you’ve said here. This is pretty disappointing to see from Monzo and is almost as bad as the companies using SafetyNet to “improve security”. What’s next, the OAuth login system requiring a kernel module to be running to make sure you don’t log in to Monzo on a machine with f.lux/redshift running?
It’s my device, I should be able to decide whether or not I’m competent enough to be able to use an overlay app. This should be opt-out with an appropriate warning. Until it’s made opt-out I guess I’ll be patching each new version so I can continue to use the “Send Money” feature without having to temporarily disable the tool that I use all of the time on my device.
Absolutely, that would be completely my fault. Android already ensures that the user is very clearly asked before an app is given the ability to draw over the screen - and I’d be 100% responsible if I allowed this and then fell victim to a malicious tapjacking app. I would not try and blame my bank.
1.5.4+ Patching Instructions:
1.5.4 no longer uses the XML attributes I described in my original post. Instead, we now have a central SecureButton class in co.uk.getmondo.common.ui.
As before, grab the APK with an adb pull and run apktool d base.apk to extract/disassemble everything. Then, cd base/smali/co/uk/getmondo/common/ui and open SecureButton.smali with vim or another appropriate text editor. Look for the .method public onFilterTouchEventForSecurity(Landroid/view/MotionEvent;)Z virtual method.
Replace it with these contents (returns true always to allow use of the button):
Save the file and then run apktool b base to rebuild the APK. Uninstall the existing Monzo app.
Use jarsigner and then zipalign to sign the APK with your own key and then correct the archive alignment. Something along the lines of jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore some-keystore-file.keystore base.apk alias_name. zipalign works like zipalign -f 4 base.apk new.apk.
Install the patched app, enjoy being able to use it properly again.