BOI Mobile - nothing fishy; needs better documentation

series: Privacy & Apps
A mobile banking app that is under-documented, but not suspicious

tags: banking; privacy; Privacy Guard; security;

Mobile banking lets us access our accounts and make payments and transfers from the palm of our hand. Bank of Ireland is one of the major banks in Ireland, and it offers a mobile app, BOI Mobile, as the counterpart to its digital banking service, 365 online. As with any activity involving personal data and financial actions, one must be extremely careful and err on the side of suspicion. To that end, this post examines the permissions and data used by the BOI Mobile app on Android with a keener eye.

While the app itself offers no explanation, and is little more than a mobile version of the website, the terms and conditions do discuss, with greater emphasis, the data collected and how it is either not stored or anonymised. In light of the upcoming GDPR, these terms and conditions also mention consent several times, which reinforces user choice and rights. However, none of this explains the permissions the app requires, why it needs them in the specified manner, or how it uses the data entered.

On Android, the app requires or uses the following permissions, each followed by an explanation using the following convention:

Contacts

Location

Photos/Media/Files

Internet and Other Connectivity options

Other

As a banking app, BOI Mobile asks for a lot of permissions whose usage is not exactly clear. Its terms and conditions state its approach to data, which is to maintain user privacy. This is good: the BOI Mobile app poses no danger in terms of privacy, but I'm more concerned about security, as it stores and maintains the user's account details. The app automatically logs out whenever it is closed or another app is opened over it. Apart from the permissions listed by the app, it also has the capability to read SMS and call logs, something that is never actually used by the app while running. This may be intended for contacting BOI and for verification through security codes, but that is mere speculation. Overall, BOI Mobile seems to work fairly well and does not seem suspicious, but it needs a lot of clarification in terms of telling users what the app is doing on their devices. This is especially important for its background activity.
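As an added example (my own script, not code from the original post or from Bank of Ireland), the following parses the output of `adb shell dumpsys package <package>` and groups the permissions an app requests into the categories used above, keeping SMS and call-log permissions visible alongside whether each was actually granted. The dumpsys layout is approximated from memory, the sample output is constructed, and `example.bank.app` is a placeholder package name.

```python
# Added example, not from the post: parse `adb shell dumpsys package <pkg>` output
# (format approximated from memory; sample below is constructed) and group the
# requested permissions into the post's categories, with SMS/call log kept separate.
import re
CATEGORIES = {  # permission -> category label used in the post (mapping is my assumption)
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.READ_EXTERNAL_STORAGE": "Photos/Media/Files",
    "android.permission.INTERNET": "Internet and Other Connectivity options",
    "android.permission.READ_SMS": "SMS/Call log",
    "android.permission.READ_CALL_LOG": "SMS/Call log",
}
GRANT = re.compile(r"^(android\.permission\.\w+): granted=(true|false)")
def parse_dumpsys(text):
    """Return (set of requested permissions, {permission: granted bool})."""
    requested, granted, in_requested = set(), {}, False
    for raw in text.splitlines():
        line = raw.strip()
        m = GRANT.match(line)
        if m:                      # install/runtime permission grant record
            granted[m.group(1)] = m.group(2) == "true"
        elif line == "requested permissions:":
            in_requested = True
        elif line.endswith(":"):   # any other section header ends the list
            in_requested = False
        elif in_requested and line.startswith("android.permission."):
            requested.add(line)
    return requested, granted
def categorise(text):
    """Group requested permissions by category; None = no grant record seen."""
    requested, granted = parse_dumpsys(text)
    report = {}
    for perm in sorted(requested):
        report.setdefault(CATEGORIES.get(perm, "Other"), {})[perm] = granted.get(perm)
    return report
# Constructed sample; the package name is a placeholder, not the real app's.
SAMPLE = """Package [example.bank.app]:
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_CONTACTS
    android.permission.READ_SMS
    android.permission.READ_CALL_LOG
  install permissions:
    android.permission.INTERNET: granted=true
  runtime permissions:
    android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
    android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
"""
```

Run `categorise(SAMPLE)` to see the grouping; a permission that is requested but has no grant record (here READ_CALL_LOG) shows as `None`, which is the case a reviewer should look at most closely.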