What's the best way to protect banking apps on Android?
Lots of people use banking apps on their Android phones[0]. They're a convenient way to check your balance, transfer money to people, and get alerts about fraudulent transactions. But, like anything related to money, they can be abused.
Nowadays, thieves are not only snatching phones, but forcing their owners to transfer money to the thieves. This is not an isolated incident[1].
How can you protect yourself from such a situation[2]?
Broadly speaking, there are four ways to protect your sensitive apps: relying on the regular lockscreen, hiding the apps, using a Private Space, or placing the apps in a different profile. Let's look at the advantages and disadvantages of each approach.
Regular Lockscreen
Android's lockscreen controls are pretty good - if you turn them on.
Perhaps you have a super-long and complicated password. Maybe a 10-digit PIN that only you know. Biometrics like facial recognition and fingerprints are reasonably strong and fairly convenient.
But that relies on your phone being locked when it is snatched. If you're using your phone when it is taken from you, the lockscreen might detect the snatch and lock automatically, but that needs a modern device and the setting specifically enabled.
If a thief has shoulder-surfed your 4-digit PIN, that will be enough to let them into your phone.
But here we are concerned with someone threatening you. Basically, if someone has a knife pointed at you, you're probably going to unlock the phone for them[3]. So, let's assume we want to protect our banking apps from someone who has access to your unlocked device.
Launcher Hiding
Some Android phones let you hide apps. When an attacker is scrolling through the list of installed apps, they won't be able to see any apps which are hidden.
This, I think, is a reasonable way to hide your banking apps. You can show the thug that there aren't any installed. That may or may not be enough to mollify them. They might still nick your device, but you won't be forced to transfer your savings elsewhere.
This, of course, presents a problem for the regular user. How do you launch your apps if you can't find them? Most launchers will let you type in the name of the app to find it - the app is merely hidden from the default list.
So an attacker would have to try typing "HSBC" or "Barclays" or "Chase" or a dozen different names until they find your app. Will they be angry if you've lied to them? Is that a risk you want to take?
Some launchers will let you change the name and icon of your sensitive apps. You can rename "Midland Bank" to "Calculator" and change its icon. Not every launcher supports this sort of hiding though. It also places a cognitive load on you: you need to remember what you've disguised your apps as. Will you remember that Bank 1 is Calendar and Bank 2 is Bumble?
Private Space
Android 15 has introduced the concept of a Private Space. It is like a digital lock-box for your apps. If someone has your unlocked phone, they need to pass through authentication in order to use apps which are locked.
There are two main drawbacks with this approach.
Firstly, locked apps don't run in the background. That means you won't get alerts from them. If you rely on push notifications to tell you if someone is using your card fraudulently, this could be a problem.
Secondly, the Private Space shows up at the bottom of your app list like this:
So an attacker can easily see it and demand that you open it up. You can set the Private Space to be hidden. But then you're in the same position as above - typing in "private space" will show it in your launcher.
Work Profile
Android has the concept of "Work Profiles". They're designed to segregate your work apps and your personal apps. Your work admin can wipe your work profile without touching your personal stuff, and you can't copy confidential emails to your personal area. Nifty!
If you don't have work apps on your phone, you can use an app like Shelter to make your own Work Profile.
You can stick your banking apps in the Work Profile and have them locked away from prying eyes.
The Work Profile button is more subtle than the Private Space.
But it still has the disadvantage that, once locked, the apps are suspended and won't receive any alerts.
Secondary Profile
Finally, modern versions of Android support multiple profiles. They're generally designed so that multiple people can use your device - but there's nothing stopping you from putting your banking apps in there.
The immediate advantages of multi-user profiles are:
- The profile can be protected by a separate password.
- The profile switcher is generally more subtle than the Work Profile switcher or Private Space toggle.
- Apps can run in the background while in a separate profile.
The disadvantage is that, because it is a completely separate profile, you'll need to sign in again using your Google account in order to install apps from the Play store. If you use a password manager and MFA app, you may need to install them in both your main and secondary profile.
Because the apps can run in the background, there may be some (minor) impact on battery life - you're effectively running Google's Notifications Service twice.
If you are being held at knifepoint and a notification from your bank comes through - you may find it socially awkward to explain.
Which is right for me?
It is complicated. I think I can distil it down to the following:
- If you need alerts from your banking apps - put them in a secondary profile.
- There are some reports of banking apps not working in secondary profiles - if yours don't work in a profile then hiding apps is your best defence.
- If you're not using Work Mode and don't need alerts - put them in Work Mode.
- If you're using Work Mode and don't need alerts - put them in a Private Space and set the space to be hidden.
Remember, you can't fling technical solutions at social problems and expect them to solve everything. In general, crime in England and Wales is at its lowest level but certain crimes, like phone theft, are on the rise. Despite all the technology thrown at the problem, people are still walking around holding machines worth hundreds of pounds. Each of those machines is a gateway to potentially thousands of pounds. Phones and banking apps are incredibly lucrative targets.
The aim of this exercise isn't to solve the problem of crime. It isn't even to make you a less attractive target. It is to allow you to hand over your phone safe in the knowledge that your banking apps are somewhat protected from miscreants while still being useful to you.
If you have any tips on how to keep banking apps hidden, please leave a comment.
[0] "Not me," you say smugly. "I am far superior to the sheeple. If I want to connect to my bank, I just SSH in to a bespoke firewalled box that runs a disposable Docker image which connects to TOR." You continue, indifferent to the exasperated sighs of the waitress, "Of course, I only use GNU/Linux on my phones, have you heard of it? I don't even trust password managers! I have my own algorithm for generating passwords using dice. I have some nifty D20s if you wanna see them? Sure beats having a CRapp on my phone! If I want to transfer someone money I generate a new seed phrase for my Bitcoin wallet and then… say, do you take crypto here?" The waitress contemplates stabbing you with a fish-knife but, instead, politely replies "If you don't want to leave a tip, sir, that's OK." She makes the mistake of smiling, which you misinterpret as a flirtatious gesture. You torrented a whole bunch of books about social interactions with girls and yet, somehow, failed to understand any of them. You try negging her. That's bound to work. "Of course, you're probably the sort of girl who uses an iPhone or as I call them…" before you can chuckle about normies running iDrones the waitress has turned and walked away. Bitch. Still, at least you don't have any banking apps on your phone. That makes you better than most people. ↩︎
[1] See also Bank and phone lessons learned after a robbery and I was robbed and forced to transfer money from my banking app. ↩︎
[2] Here we're mostly concerned with street theft. If you are the target of state-sponsored violence, or the police are searching your phone, then you may have a different threat model. If you think that your snarky posts on your three-subscriber Substack about "lamestream media" and "Micro$oft" make you a target for the CIA, please go outside and run around in the fresh air for a bit. ↩︎
[3] Yes, I know that your self-defence training is impressive, but handing over your unlocked phone is a lot preferable to getting punctured. ↩︎
Richard B. says:
I know some banks, such as Monzo, have additional security options such as "Trusted Locations" (won't allow transfers if you aren't there), QR code (scan a previously provided code to authenticate the transfer) and "Get friend to authenticate the transfer".
tmw said on ioc.exchange:
@Edent the best option, when possible, is not to use apps created by institutions that have reason to sell you out, but to use their websites instead. this typically sidesteps the listed security concerns while also protecting your privacy from the relentless analytics + lowkey (or not-so-lowkey) spyware included in so many apps on android (and on most other platforms).
apps on android can track you in many more ways than even their "permissions" would imply, and google's measures to limit these have been inadequate.
@edent says:
Poe's law or not? You decide!
Andrew Zuo says:
I’ve thought about this and I’m considering getting a second phone. then if a thief tries to steal it, they won’t get my banking credentials.
DamonHD said on mastodon.social:
@Edent notwithstanding footnotes my rule is "no financial stuff on my phone until security updates are plausibly frequent". With my FP those updates are happening, so maybe I should relent...
Ollie says:
I was excited about Private Spaces until I realised it breaks notifications. A large part of the reason I have banking apps installed is to get notifications to monitor transactions. Without those, Private Spaces are completely useless. I wish Android had a smart feature to hide sensitive apps, e.g. by typing a secret word into the app search to open a biometric auth, then a thief can't find it but it's easy to access by typing penguin or banana or whatever into the search. In the meantime I just don't use my phone in public and am tempted to remove all the banking apps and move them to a home tablet. Android has failed us on this and almost invites robbery.
ScaredyCat said on toot.net-pbx.com:
@Edent An extra I've done on my phone is to have a Tasker trigger that locks the device if you put it in Airplane mode. From what I've heard snatchers do that to stop people using Find My Phone. I'm not sure it's something for every day folk but more modern Androids are supposed to have this built in.
Bruce said on brucelawson.co.uk:
Happy New Year, Gentle Reader! Never Forgive Them – “You’re battered by the Rot Economy, and a tech industry that has become so obsessed with growth that you, the paying customer, are a nuisance to be mitigated far more than a participant in an exchange of value… I believe billions of people are in active […]