Android Beta 1.5.3 update & Twilight app


(John) #1

Hello,

i’m on the Android Beta program and just updated the app to 1.5.3.

I use twilight app which adapts the screen based on the time of day dampening the blue light with a screen overlay.

Any with the latest Monzo Beta update i’m unable to click the red + icon in the bottom right of the screen unless i pause the screen overlay software. all other touch features of the monzo app work ok. Previous versions of the Monzo Beta app worked fine with twilight.

As a work around i can place an exception in the twilight app to stop the screen overlay when the Monzo App is opened. No big deal just wanted to flag it up :slight_smile:


(Ivan) #2

Hi John,

The latest beta (1.5.3) includes changes that disable some buttons when another app overlays the Monzo app. This is a security measure to prevent Tapjacking.

I’m afraid for now you will have to keep Twilight disabled :pensive: but thanks for letting us know :slightly_smiling_face:


Top up buttons not working on Android
Overlay warning (can't press Send Money button) just started
#3

Other banks like ABN Amro also restrict use of Twilight as a perceived risk


(John) #4

Cool I was suspecting it was intentional. Hope you guys have no plans to block screenshots :see_no_evil:

Out of interest is there anywhere on monzo to see the full change log of app updates? I love your description in the Google store updates menu… But would be good to see the full list of changes if possible :+1:


(Josh Bray) #5

I think this is something they will do. It’s a security measure to avoid people accidentally leaking bank information. There isn’t much to go on at the moment but once bank account no and sort codes come in it could be dangerous.


(Dave) #6

Would it be possible to detect the overlay & give a message to the user?

I’m also using Twilight & didn’t even realise this is what’s causing the problem til I came here to report a bug with v1.5.3


(Ivan) #7

Yes, we are making this a bit better. Next update will show a message if you are using a screen overlay and you tap on one of the disabled buttons :slight_smile:


(Dave) #8

Cool, thanks Ivan! :+1:


(Adam Williams) #9

This is a bit frustrating as someone who uses Twilight all the time. I did explicitly give Twilight access to draw over apps after installing it - it’s operating with my full knowledge and my understanding of Android is that all apps require permission to do this.

I’m of the opinion that it’s entirely my own fault if I install and authorise a malicious app that manages to fool me in every step of the money sending process by overlaying with something else. Are there any plans to add an opt-out to this for users who know what they are doing?


(John) #10

Why not just add an exception within Twilight for Monzo?


(Adam Williams) #11

Because I don’t want to be blinded whilst viewing the white background on my feed at 11PM? :stuck_out_tongue: It’s installed and in use for a reason, that reason doesn’t go away because apps don’t play nice. I had a similar issue with Stagecoach’s bus app and just uninstalled it.


I figure it might be useful to document my attempts to fix this manually:

  1. Grab APK ($ pm path co.uk.getmondo + adb pull)

  2. Grab Apktool

  3. apktool d base.apk

  4. Strip the annoying attributes out with egrep -lRZ 'filterTouchesWhenObscured' base/ | xargs -0 -l sed -i -e 's/android:filterTouchesWhenObscured="true"//g'.

  5. Rebuild APK with apktool b base

  6. Use jarsigner and then zipalign to sign the APK with your own key and then correct the archive alignment. Something along the lines of jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore some-keystore-file.keystore base.apk alias_name. zipalign works like zipalign -f 4 base.apk new.apk

  7. Uninstall the existing app, install patched version.

Proof it works: Video


(James Billingham) #12

I wholeheartedly disagree with attempts by financial companies trying to improve “security” by blocking relatively normal activities - like jailbreaking etc

I had not expected Monzo to do this. It seems very uncharacteristic.

Although I accept that there is a very small increase in potential risk, I do feel that there should still be a way to override this.

e.g. users could go into some “advanced settings”, turn off overlay detection, and then show a warning on the screen whenever you would have used the detection.


(Emma Guy) #13

I agree we have probably been a little overzealous in this case.

We released 1.5.4 to the beta store yesterday which limits the number of buttons which has this protection down to the ‘confirmation’ buttons only - so send money and confirm top up. This no longer affects the FAB or anything else. We also show a message now to explain to the user that they have an overlay in use, if they try and use those few buttons with the overlay.

Our intention is certainly not to annoy our users nor block apps like Twilight, it’s just an unfortunate side effect of adding this measure.


Top up buttons not working on Android
(John) #14

I wholeheartedly disagree with attempts by financial companies trying to improve “security” by blocking relatively normal activities - like jailbreaking etc

Jailbreaking is not a normal activity to most. Also if you implemented the warning like you said and one of your jailbroken apps managed to exploit your phone and transfer £100’s/£1000’s of money from your monzo card are you willing to take the hit on that becuase you acknowledged the warning or would you be going to monzo for reimbursement?

I only made this thread to confirm the screen overlay blocking was intentional as i suspected. I’m happy for monzo to implement security features that disable apps that could potentially peak at what i’m doing.

Keep up the good work guys :+1:


(John) #15

I wouldn’t say overzealous, love the development of this app and happy to be a beta tester. Which proves the process works, as now we have a notification for the screenoverlay which can be rolled out :). I love the update description you guys put in the play store, i’d also like to see a full change log posted somewhere for beta release, as i would have checked that before creating this thread.

For instance there’s a reddit app i use called redditsync which i’m a beta tester for and the guy who develops it posts a change log with every update like this https://www.reddit.com/r/redditsync/comments/5s87ai/sync_for_reddit_v1211_is_now_going_live_on_google/

not sure if linking is allowed so feel free to remove if not :S


(Rika Raybould) #16

Linking is permitted. :thumbsup:

Monzo staff can feel free to correct me if I’m wrong but I believe the Monzo website is built with the static site generator Jekyll. If true, Monzo could archive all the release notes on a page by using Jekyll’s collections system and a folder full of markdown files for each release. Either that or just a restricted thread here. :wink:

EDIT:
Proof of concept (live example).


(James Billingham) #17

This could only happen if the user had explicitly opted in via both their Android device settings, and via the Monzo app settings. Monzo would have to sufficiently warn the user of the potential risks.

Within those boundaries, there are no FCA/TCF issues with putting the liability on the user.

And obviously you could only opt-in to this setting in the Monzo app while the overlay was disabled.


(Adam Williams) #18

100% agreed on everything you’ve said here. This is pretty disappointing to see from Monzo and is almost as bad as the companies using SafetyNet to “improve security”. What’s next, the OAuth login system requiring a kernel module to be running to make sure you don’t log in to Monzo on a machine with f:lux/redshift running?

It’s my device, I should be able to decide whether or not I’m competent enough to be able to use an overlay app. This should be opt-out with an appropriate warning. Until it’s made opt-out I guess I’ll be patching each new version so I can continue to use the “Send Money” feature without having to temporarily disable the tool that I use all of the time on my device.

Absolutely, that would be completely my fault. Android already ensures that the user is very clearly asked before an app is given the ability to draw over the screen - and I’d be 100% responsible if I allowed this and then fell victim to a malicious tapjacking app. I would not try and blame my bank.


1.5.4+ Patching Instructions:

1.5.4 no longer uses the XML attributes I described in my original post. Instead, we now have a central "Secure"Button class in co.uk.getmondo.common.ui.

As before, grab the APK with an adb pull and run apktool d base.apk to extract/disassemble everything. Then, cd base/smali/co/uk/getmondo/common/ui and open SecureButton.smali with vim or another appropriate text editor. Look for the .method public onFilterTouchEventForSecurity(Landroid/view/MotionEvent;)Z virtual method.

Replace it with these contents (returns true always to allow use of the button):

# virtual methods
.method public onFilterTouchEventForSecurity(Landroid/view/MotionEvent;)Z
    .locals 1

    .prologue
    const/4 v1, 0x1
    return v1
.end method

Save the file and then run apktool b base to rebuild the APK. Uninstall the existing Monzo app.

Use jarsigner and then zipalign to sign the APK with your own key and then correct the archive alignment. Something along the lines of jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore some-keystore-file.keystore base.apk alias_name. zipalign works like zipalign -f 4 base.apk new.apk.

Install the patched app, enjoy being able to use it properly again.

Edit: above procedure works fine with 1.6.1 too.


"Screen overlay detected" due to Android's own Night Mode enabled
(Rika Raybould) #19

Something that might affect views on this issue. Android O will notify you if apps are overlaying themselves on the screen and provide an easy way of turning them off.


(Adam Williams) #20

Urgh, not particularly thrilled to see that. I already have a notification from Twilight - good to see it can actually be turned off though.