Implementation of SafetyNet & Screenshot Prevention - Security


(Mathew Brack) #1

Many banks have tight security over their Android apps, two of the most common forms are:

Use of the SafetyNet API - AndroidPay uses this and it essentially blocks you from using an app in the event you are using a modified device unless you have Magisk also installed on your device. Non-modified users will likely never know this security layer is in place.
Pro: Very difficult to bypass for non-experienced users.
Con: Many users have legitimate reasons for modifying their devices.

Use of Flag_secure - This stops a user from taking screenshots of an app, it also prevents the app displaying content when viewed in the “recent apps” panel.
Pros: Stops someone who has access to your device copying sensitive information
Con: Would severely stunt the ability to share information intentionally such as the in-chat support.

I imagine in the future as Monzo increases in size and evolves there will likely be increased pressure to improve in-app security, while I don’t necessarily think the above are necessary at all I would like the ability to lock the app with fingerprint or pin. What do you guys think?


#2

While I wholeheartedly support banking apps not running on modified or rooted devices, as a user I find it very inconvenient to discuss problems with my account or app when a bank stops me from being able to take a screenshot to send to customer support. I love the idea of protecting the app with a PIN but wish it was user customisable with a setting for 4, 5 or 6 digits as per your preference.


(Marta) #3

Hmm, educate me please.
I generally dislike the idea of blocking screenshots, very unfriendly and you usually find out about it after trying to make a screenshot and exactly when you need to make a screenshot… :disappointed:
If the user is allowed to make screenshots, does it automatically mean that any crappy something can make a sneaky screenshot of my app/data as well?
Ideally, I want to be able to take screenshots, but I wouldn’t like for any other sneaky malware to take screenshots either. If I can’t have both, I would trade one for the other - I would prefer to be able to make screenshots over my security (rubbish, I know :sweat_smile:).

Rooted phones. Ideology wise, if Monzo would restrict the app from rooted phones, it would make me think ‘just like high-street bank’ - seems the opposite of Monzo’s goals. I know people who adore rooting, they are wholeheartedly ‘mobile first’ types of users and exactly the ones who would value Monzo.


(Justin Hunt) #4

General security log in stuff with both web and phone app, actually makes the banking experience very tedious. Logging in, then typing your passcode wrongly because you have fat thumbs, typing it again then finally getting in, just so you could look at your balance to make sure you’ve got the funds to pay for something at the checkout.
I totally get why it’s needed, but Monzo has actually been a joy to use purely because I can actually get stuff done without all the f**king about :wink:

Security is a 21st century necessary evil, Banking and Flying have largely become a cumbersome and tedious experience due to the need for it.


(Alex Sherwood) #5

I’m not sure about this. I don’t think Monzo are neglecting security just because they’re small &/or can get away with it. Instead they’re taking a different approach, which might seem less secure (if you’re used to having to complete painful security verification for your legacy bank) but may not be -

Monzo are liable for any fraud due to unauthorised access to your account so it’s in their interest to get this right.

Personally Touch Id is perfect for me & this is an option for iPhone users. It’s on its way for Android users too.

But as @MIROW will tell you, a PIN would be useful for some users too.


(Patrick) #6

I never understood the necessity to block people from taking screenshots. If someone has accessed that far into the app, least of my worries is them taking a screenshot and screenshots can be greatly helpful. Just the other day I wish I could take a photo of a transaction in my legacy bank account so I could WhatsApp to whom I thought had sent me the funds, to ask if that was him.

What benefit would it be for Malware to take screenshots of my transactions?


(Marta) #7

I don’t think transactions are the weak point. Access to data like account info, email registered, as well as address - this is more sensitive.


(Patrick) #8

Whoever is viewing that information, but unable to screenshot, is still accessing said information. Can they not write all this on paper with pen? To me security should prevent unauthorised people from accessing that information in the first place. I would seriously question why anyone is that far into my data and attempting the screenshot in the first place. Damage limitation in event of unauthorised access feels wrong to me, security focus should lie much earlier in the process


(Mathew Brack) #9

Yes, but that doesn’t mean malware is any more likely. Most of the time malware on Android can be entirely avoided by just using common sense when installing apps. Google’s last annual Security review shows just how rare malware actually is and also shows that it can easily be avoided.

I certainly did not mean to imply that their security was lacking, it’s more than possible I articulated myself poorly. I simply meant that the larger investors and other outside influences may pressure them for more perceivable security measures if that makes sense.


(Marta) #10

@bhonobo I had malware in mind, not “social” hack. My knowledge on the subject is low, but @MathewBloomerBrack just gave some details on how rare malware is (thanks!).

I read about flag_secure, and apparently this is applied per view/screen. So it would be doable to block it on settings, where most sensitive data is, while allowing it elsewhere. Seems like it could be good middle ground.

Reasons @MathewBloomerBrack mentioned, but also, users might expect Monzo to behave :rolling_eyes: like proper banking apps do, otherwise users might not trust an app that allows screenshots because of what majority of other banking apps do (what a circle…).


(Mathew Brack) #11

People don’t realise how uncommon it is for most users. The most notable vulnerability to ever hit Android was named “Stagefright” and when it was first discovered 95% of devices were at risk but it did change Android in a good and very large way that most users will never be aware of. After the dust had settled it was revealed that there had never been a single confirmed case of infection.

Perception is obviously important but I certainly hope neither of the above methods are implemented.


(Patrick) #12

I also had malware in mind, anything that is in a position to attempt a screenshot is already way too far into the app in my humble opinion. If malicious software is at that point where the sensitive information is to be harnessed, is a screenshot the only way the software can record this information? I like Monzo’s invisible approach to security, where the app is easily accessible and very usable. To me preventing screenshots is on a par with all the other burdensome, and unnecessary, security steps legacy banks take.


(Rika Raybould) #13

I fully support high standards of security but only for the exact items that need protecting. It would be a pain if I didn’t have the ability to take screenshots of my feed but I do support methods of removing full card numbers from the card screen if a screenshot is taken or making screenshots of the PIN screen useless in addition to not allowing the PIN screen to show in the app switcher of either platform.

Blocking screenshots is a bit heavy handed and forces people to seek out ways around it, defeating the entire point and making people angry in the process.

SafetyNet I’m not entirely sure is appropriate for many aspects of the Monzo app, however it is critical to some related things such as Android Pay. Given how Android Pay works, I consider it entirely reasonable that you should choose between having root access to your phone and being able to run a VM of an entire payment card with full access to your money (even if the tokens are revocable). If you’re going as far as bypassing SafetyNet to use Android Pay, you should understand the risks and that you can’t blame anyone if it goes wrong.

In the Android app today, there are some basic protections to prevent other apps overlaying themselves over more sensitive parts of the UI to prevent the interception of taps over something like a PIN entry or outgoing payment screen. I like this as it allows people to use their nighttime screen filtering apps and such when casually using Monzo but only requires them to be disabled when going to do something that requires a slightly higher level of security such as paying others. The messaging behind this could be better though.

@daniel, @priyesh, and others probably have opinions on these types of restrictions and security measures. I know some of what they would like to do but I won’t spoil it! (If you look closely at the iOS app, you might be able to see the beginnings of it and guess the direction.)
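
Added example, not part of any post in this thread and not Monzo's code: a Kotlin sketch of the per-screen FLAG_SECURE idea from post #10 combined with the overlay (tapjacking) protection described in post #13. The class names `SensitiveActivity`, `FeedActivity` and `PaymentConfirmActivity` are hypothetical; the framework calls are standard Android SDK.

```kotlin
import android.app.Activity
import android.os.Bundle
import android.view.MotionEvent
import android.view.WindowManager
import android.widget.Button
import android.widget.Toast

// Hypothetical base class: only screens that extend it block capture.
abstract class SensitiveActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // FLAG_SECURE is a window flag, so it covers this Activity's window
        // only: no screenshots, no screen recording, and no thumbnail in
        // the recent-apps panel for this screen.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
    }
}

// Hypothetical feed screen: no flag set, so screenshots keep working here.
class FeedActivity : Activity()

// Hypothetical outgoing-payment screen: capture blocked, overlays rejected.
class PaymentConfirmActivity : SensitiveActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val confirm = Button(this).apply {
            text = "Confirm payment"
            // The framework drops touches on this view while another
            // visible window (e.g. a screen-filter app) is drawn over it.
            filterTouchesWhenObscured = true
            setOnClickListener { finish() } // stand-in for submitting the payment
        }
        setContentView(confirm)
    }

    // Tell the user why taps are being ignored instead of failing silently.
    override fun dispatchTouchEvent(ev: MotionEvent): Boolean {
        val obscured = (ev.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
        if (obscured) {
            if (ev.actionMasked == MotionEvent.ACTION_DOWN) {
                Toast.makeText(this, "Turn off screen overlays to continue",
                    Toast.LENGTH_SHORT).show()
            }
            return true // consume the event so nothing underneath receives it
        }
        return super.dispatchTouchEvent(ev)
    }
}
```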


(Simon Morris) #14

I’ve noticed that you can take screen shots of all the screens within the app on Android. Having found this I have now tried to do the same with my other banking apps and they all block this. Surely this is a major security problem.

Your thoughts would be appreciated.

Simon
Beta Monzo user


(Alex Sherwood) #15

Hi Simon,

I’ve moved your post here as there’s been some discussion about that ‘security measure’ in this topic.

I think Richard’s comments in the earlier post are spot on. I also find it very useful to be able to screenshot my feed & transactions.

If you’re still not sure about the points that’ve been raised, I’d be interested to hear more about the security implications that you’re concerned about.


#16

I disagree with blocking rooted or modified devices. You should pass liability on to users that do this, rather than banning it.

Modifications: Android is open source, which means that there exist quite a few open forks such as Cyanogen. Remember that desktop PCs can already do this. I’d argue the custom OSes are more secure than most Android phones given that they tend to be up to date, whereas most Android phones are very old, and are so vulnerable to issues which have already been fixed. For example, StageFright.

Rooting: Rooting without a password, however, is an issue - as any malicious mods can just use it without asking. However, most rooting systems don’t do this - they require apps to ask for super user using a mediator.

Secure flag: Secure flag stops a preview of the app being shown in the task manager, which I agree with. However, taking screenshots should be allowed.