BOI Mobile - nothing fishy; needs better documentation

A mobile banking app that is under-documented, but not suspicious
published: (updated: )
by Harshvardhan J. Pandit
banking privacy security

Mobile Banking allows us to easily access our accounts and make payments and transfers from the comfort of the palm. Bank of Ireland is one of the major banks in Ireland, and they have a mobile app called BOI Mobile as a counterpart for their digital banking service called 365 online. As with any activity involving personal data and financial actions, one must be extremely careful and cautious on the side of suspicion. To that end, this post examines the permissions and data used by the BOI Mobile app on Android with a keener eye.

While the app itself offers no explanation, and is little more than a mobile version of the website, the terms and conditions clearly mention with a larger emphasis on the data collected, and how it is not stored, or is made anonymous. In light of the upcoming GDPR, these terms and conditions also mention the use of consent multiple times, which enforces user choice and rights. However, none of these explain the permissions the app requires, or why it needs them in the specified manner, nor how it uses the data entered.

On Android, the app requires/uses the following permissions, and are followed by explanations with the following convention:

  • What? - explains what data this refers to

  • Why? - speculative reasoning as to why the app needs the data and how it is used

  • no access - explains what changes are apparent when the data is denied to the app

Contacts

  • What?
    • These are all contacts as stored in your phone book or accounts registered on the device
  • Why?
    • The app reads contacts to send money via transfer
    • This is explained in the terms and conditions as well
    • It is not clear whether contacts are sent to the BOI server or if the transfers happen locally
    • It is also not clear whether BOI collects all contacts or only the ones specified by the user
  • no access
    • The app can not read contacts, and this prevents it from populating the transfer fields, which prevents you from sending money to contacts within the phonebook

Location

  • What?
    • location with varying granularity based on whether it is gathered using the GPS or network-based
    • can access additional location data to make a better guess to your location
  • Why?
    • used to find ATMs near your location
  • no access
    • The only times the app uses the location is when you open the ATM panel
    • If location is denied, it asks for location explicitly, after which it will fail to get ATMs

Photos/Media/Files

  • What?
    • read/modify/delete from storage
  • Why?
    • No reason was found, though this may be used to store statements and other documentation generated during transactions
    • However, there is no mention of this 'feature' on the app's description page
  • no access
    • Since no features seem to be using this permission, and none of the services have failed so far, I'm guessing that nothing changes in terms of functionality except the failing of whatever document the app tries to save

Internet and Other Connectivity options

  • What?
    • View network connections / Wi-Fi connections
    • Receive data from internet
    • Pair with Bluetooth devices / Access Bluetooth settings
    • Detect network settings
  • Why?
    • A lot of apps use such network connectivity settings to pinpoint location and also to notify the user in case of loss of connectivity
    • As a banking app, maintaining connectivity is important in view of security
  • no access
    • The device needs an internet connection to work as intended
    • The additional Bluetooth settings do not seem to hamper any of the features

Other

  • What?
    • Prevent device from sleeping; keep it awake
    • Run the app in the background
  • Why?
    • There is no reason why the app should do this
    • This could be part of a banking app's security feature where a device is remotely wiped in case of security breach; but if that were the case, then there should be some sort of notification to the user when they install the app
  • no access
    • Nothing happens, the app opens and works fine

As a banking app, BOI Mobile asks for a lot of permissions that are exactly clear in terms of usage. Their terms and conditions mention their approach to data - which is to maintain user privacy. This is good, the BOI Mobile app poses no dangers in terms of privacy, but I'm more concerned in terms of security as it stores and maintains the user's account details. The app automatically logs out whenever it is closed or another app is opened over it. Apart from the permissions mentioned by the app, it also has the capability to read SMS and call logs, something that is never actually used by the app when running. It may be used to contact BOI and for verification through security codes, but this is mere speculation. Overall, BOI Mobile seems to work fairly well, does not seem suspicious, but needs a lot of clarification in terms of telling users what the app is doing on their devices. This is important especially for the background activity aspect.