Requirement to login bypassed when launching with assistant

Issue:
While using Google Assistant to launch Monzo, this bypasses the need to log in without the need for a PIN/biometrics. This essentially gives access to the user's account to anyone using the phone.

Details to reproduce:
1. Ensure device is unlocked
2. Ensure Monzo app is not already open
3. Launch Monzo with Google Assistant - “Hey Google launch/open Monzo”
4. User is taken straight into account without the need to enter login details

OS:
Android 12
Device:
Pixel 6
App Version:
4.11.1

Just tested it on my Pixel 5, opening Monzo via voice still asks for my fingerprint.
It only asks for fingerprint after a certain amount of time though, or if Monzo is closed fully.
Try swiping the app away from the recents list, then launching via voice again. That causes it to ask for fingerprint again.

1 Like

I can close the app, restart my phone and launch via assistant, and it still bypasses the need for a fingerprint or a PIN.

Oh strange, I’ve just dived into my Monzo settings and it appears unlock with biometrics had been disabled despite previously having it set :confused: Still wouldn’t explain why it wouldn’t request a PIN though.

The Monzo app updated to 4.11.1 recently. I’ve found that following app upgrades, biometrics have been disabled on my phone in the past. Although I’ve not spotted a pattern to it yet - and the recent upgrade didn’t disable the enabled biometrics for me this time.

1 Like

I get that an update may have disabled biometrics (which is a bug in itself) but the fact that it didn’t even ask me for a pin to access my account is quite worrying.

Remember though, even if someone got into your app, they can’t do anything to transfer money out without needing pin or biometrics. Yep they’ll see your balances and transaction history etc but that’s all.

I couldn’t even transfer my own money last weekend without my account getting frozen, so it would be nigh impossible without the Pin tbf

1 Like

I have a Pixel 6 with the same app version and biometrics are still turned on.

Have you recently changed some biometrics or security settings such as adding a fingerprint or changing your phone unlock pin?
I don’t think that’s what caused it but I’m curious.

Think I’ve found the pattern. I do a teardown of the Monzo app to see upcoming features/changes and part of this process is switching to another phone to run Monzo briefly, before switching back to my daily driver. I have found I can reproduce something similar…

Try this:

  • In Monzo, go to Settings>Privacy & Security and ensure ‘Unlock app with biometrics’ is enabled. If not, enable it
  • Close the Monzo app (don’t log out) and go back to your home screen for a minute
  • Open the Monzo app - it will ask for your fingerprint. All good so far.
  • In the Monzo app, go to Settings>Log out and confirm you wish to log out, you’ll be returned to the Monzo log in display - tap on Log in, enter your email & follow the instructions to get access to your Monzo app. Part of this process is to enter your (Personal account) PIN and once you’ve done this, you’ll have access to your Monzo app.
  • Now, if you look at Settings>Privacy & Security, the biometric setting you previously enabled is now disabled - BUT - don’t change it yet. Close the Monzo app (don’t log out) and go back to your home screen for a minute, in fact, let your phone go to sleep through non-use first. When it has, wake your phone, go to the home screen and tap on the Monzo icon to open the Monzo app - voila - instant access without a fingerprint or PIN required

Dangerous - access to view the account is possible. But a PIN is still required to move any money out of the account so it isn’t totally compromised.

Only when you go to Settings>Privacy & Security and enable biometrics again do you protect the login sequence.

OS:
Android 12
Device:
Pixel 5
App Version:
4.11.1

1 Like
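
A small model of the state the last post reproduces, added here as an illustration and not Monzo's code: the class, field and function names are hypothetical, and it assumes the app lock is driven only by a stored biometric flag that a fresh log in resets. It replays the posted steps against that fail-open decision and against a fail-closed one that falls back to the PIN.

```python
from dataclasses import dataclass
from enum import Enum

class Gate(Enum):
    NONE = "none"              # straight into the account
    BIOMETRIC = "biometric"
    PIN = "pin"
    FULL_LOGIN = "full_login"  # email + PIN flow

@dataclass
class AppState:
    # Hypothetical client-side state; not taken from the real app.
    logged_in: bool = False
    biometric_unlock: bool = False

    def log_out(self):
        self.logged_in = False

    def log_in(self):
        # Behaviour reported in the thread: after a fresh log in the
        # biometric setting is disabled, even if it was enabled before.
        self.logged_in = True
        self.biometric_unlock = False

def gate_fail_open(state):
    """Assumed policy matching the reports: no flag means no lock at all."""
    if not state.logged_in:
        return Gate.FULL_LOGIN
    return Gate.BIOMETRIC if state.biometric_unlock else Gate.NONE

def gate_fail_closed(state):
    """Hardened policy: a logged-in session always meets a gate; PIN is the fallback."""
    if not state.logged_in:
        return Gate.FULL_LOGIN
    return Gate.BIOMETRIC if state.biometric_unlock else Gate.PIN

def reproduce(policy):
    """Replay the posted steps; return the gate seen at each app open.
    The launch path (icon or assistant) is not an input to either policy."""
    s = AppState()
    s.log_in()
    s.biometric_unlock = True   # Settings > Privacy & Security
    before = policy(s)          # reopen after a minute on the home screen
    s.log_out()
    s.log_in()                  # email link + PIN; setting is now off
    after = policy(s)           # reopen after the phone has slept
    return before, after
```
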