FNB's Android banking app adds COVID-19 contact tracing - But only staff can use it

Hanno Labuschagne

Journalist
Staff member
Joined
Sep 2, 2019
Messages
4,126
FNB is using its mobile banking app for COVID-19 contact tracing among its employees, the bank has confirmed to MyBroadband.

A MyBroadband reader recently noticed that the latest FNB mobile banking Android APK – 5.8.5-33 (53) hce, version 1901 – contained traces of BlueTrace code.

BlueTrace is an open-source contact-tracing protocol developed by Singapore’s government for use in its official TraceTogether application for smartphones.
 

Aghori

Honorary Master
Joined
May 11, 2009
Messages
14,245
Yeah I'm uninstalling the FNB app after reading about this. I'm not comfortable with the seemingly "disabled" tracing functionality that only works for Staff.
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
81,151
Yeah I'm uninstalling the FNB app after reading about this. I'm not comfortable with the seemingly "disabled" tracing functionality that only works for Staff.
LOL

kneejerk reaction much?
There's no location info, no personally identifiable info, nothing. It just alerts you if you have been in contact with someone who has reported testing positive via the app.
 

jannievanzyl

Telecoms expert
Joined
Jun 14, 2009
Messages
5,270
LOL

kneejerk reaction much?
There's no location info, no personally identifiable info, nothing. It just alerts you if you have been in contact with someone who has reported testing positive via the app.
Yeah, would be good if people first read up on BlueTrace before starting conspiracy theories.

I wonder if people are going to stop using Android and iOS when this same type of contact tracing is baked into the core OS? It's already rolling out.
 

CranialBlaze

Expert Member
Joined
Jan 24, 2008
Messages
4,025
I had a good laugh when reading the articles regarding the tracing, it was done with utmost privacy in mind, something both the US and EU governments have taken them to task for.

These same governments are now complaining that the tracing does not offer any personally identifiable information and therefore makes it useless for tracking people and dealing with quarantines.

It’s like you can’t have it both ways guys, you can either care about our privacy or not. You cannot pick and choose when it is convenient for you.

Correct me if this part is wrong, but from what I recall the actual informing bit happens via Bluetooth, short range device to device communication, the app then sends basic non-identifiable info to whoever's database.

No real need to worry about FNB, if you have an iPhone you will know the moment they turn it on generally once iOS 14 is out, each app has to explicitly request Bluetooth and local network (aka AirPlay and Chromecast) access.

Same should come to Android soon enough, assuming you're on something other than Samsung that actually gets updates.
 

bobloblaw

New Member
Joined
Aug 6, 2020
Messages
2
Date Monday, August 3, 2020 1:11 PM
From Bob Loblaw
To Hanno Labuschagne

Hello Hanno

Good work on the follow-up with FNB and the publication of your article. To date I still haven't received a reply from FNB, surprisingly not even a simple auto reply from a ticketing system.
Following your article in which you explained that this functionality is limited to FNB staff only, over the weekend to satisfy my own interest I managed to get a screenshot of an FNB staff member's mobile phone showing the "Contact Tracking" screen. See attachment.

For the record: I'm not an employee of FNB and I didn't modify their app APK. I'm running the standard FNB app downloaded from the Google Play Store and installed on a normal locally available Android phone. The "Enable Tracing" notification seen in the screenshot sent earlier appears every time I restart my phone. It's this consistent behaviour that caused me to look into the APK source code. Since I'm not a low-level Android developer, I'm afraid I can't investigate much further, but I assume that this behaviour is triggered as part of the FNB app "phone home" procedures that register the phone's unique identifier with their back-end system.
Even though FNB stated that this feature is not activated on mobile phones of non-employees, I find it rather alarming that this message continues to be sent on my mobile phone given I am not an FNB employee.
Additionally, even though FNB claims that this solution fully respects privacy, the fact that this tracing protocol (BlueTrace) requires a centralized server to store and process user tokens (and optionally user contact lists) makes it a legitimate privacy concern; privacy experts have even publicly declared this:

"However, PEPP-PT and BlueTrace rely on a centralized server to generate the temporary ID codes, which an analysis from the DP-3T developers claims could let the server identify the individual behind any temporary code and trace their movement." - https://protonmail.com/blog/privacy-contact-tracing-apps/

Finally, security researchers have recently identified a major bug in the OpenTrace protocol (the open source version of BlueTrace), which has been assigned an official CVE code + severity level of "9.8 CRITICAL" by NIST. - https://nvd.nist.gov/vuln/detail/CVE-2020-12856


In summary, it can therefore be concluded that, despite FNB's assertions to the contrary, the embedding of this BlueTrace code in the app FNB's customers are installing on their personal phones definitely represents a non-zero risk. I cannot speak on behalf of others, but personally I would definitely feel more comfortable if this functionality were removed and FNB publicly confirmed this.

Bob
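For the centralised-TempID point raised in Bob's email above, here is an added illustration (not FNB's code and not the BlueTrace or OpenTrace reference implementation) of why a server-issued temporary ID lets the backend, and only the backend, recover the user behind every entry in an uploaded contact log. It follows the TempID layout described in the BlueTrace whitepaper (encrypted UserID plus validity window) but substitutes an HMAC-SHA256 encrypt-then-MAC construction for AES-256-GCM so it runs with the Python standard library only; the server key, the 15-minute lifetime and the sample log are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Constructed key for the illustration; in BlueTrace only the health
# authority's backend holds the key that wraps and unwraps TempIDs.
SERVER_KEY = bytes(range(32))
TEMPID_LIFETIME = 15 * 60  # seconds; assumed value for the illustration


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the server key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for AES-CTR)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:n]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || 16-byte tag."""
    nonce = os.urandom(12)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raises ValueError on any tampering."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, want):
        raise ValueError("TempID failed authentication")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def issue_tempid(user_id: int, start: int, key: bytes = SERVER_KEY) -> bytes:
    """Server side: TempID wraps UserID || start || expiry. Phones and bystanders
    only ever see opaque bytes, and a fresh nonce makes two TempIDs for the
    same user unlinkable without the key."""
    return _seal(key, struct.pack(">III", user_id, start, start + TEMPID_LIFETIME))


def resolve_upload(contact_log, key: bytes = SERVER_KEY) -> set:
    """Server side, after a positive user uploads their log of (TempID, seen_at):
    unwrap every TempID and keep the UserIDs whose validity window covers the
    contact time. This is exactly the linkage the quoted DP-3T critique is about."""
    contacts = set()
    for tempid, seen_at in contact_log:
        try:
            uid, start, expiry = struct.unpack(">III", _open(key, tempid))
        except ValueError:
            continue  # forged, corrupted or foreign-key entry: ignore it
        if start <= seen_at <= expiry:
            contacts.add(uid)
    return contacts
```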


 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
81,151
Non-zero risk to employees that opt in, until the vulnerabilities are fixed. If you don't opt in, which you as an employee can't, how can the bluetrace work?
 

brentthought

New Member
Joined
Nov 22, 2013
Messages
6
Yeah I'm not happy about this, and it doesn't matter what anyone says FNB supports the WHO and UN completely, which in my mind if you don't already see what's happening in our country because of their influence amongst others then keeping this app on your phone.. well it's your choice. I'm pretty sure that if a lot of people were notified that there is a covid trace permission which it does not state anywhere in the Google Play Store... they bend the truth actually by saying it's a location tracker of where you drew money or something... but the app itself has covid 19 labeled as a permission to turn on and off, for someone already using the app, if your phone auto updates you are never notified and the update is installed and that's, that, silently running in the background you never know until you happen to come across it by mistake. When you read the description and what's new for any person who's not familiar with technology then I would say that they are lying to you saying that its location is to track all the places you have drawn money, but it's clearly labeled Covid 19 trace in the app... So they are lying to their customers as well as betraying their trust as far as I'm concerned... not once do they mention covid 19 trace in their description.. here they ask you to install the covid 19 alert app in the FNB covid 19 settings.... so why the hell did I have to turn off the covid 19 location permission if it was already on which to me seems that it's already on, the covid 19 alert is just a formality....
actually gonna turn it on again, use phone for my laptop as wireless hotspot and see what happens..... they want to "censor the internet" in the "name of protecting our children", movies games music books everything and everything will have to be reviewed before going online, we are already behind compared to the rest of the world, imagine a "special unit on the film and publications board" screening games and movies products ads, and getting back to you when they have managed to teach your content lol which you have to pay to be approved, if it's not approved lose money, so freedom of online speech and freedom of expression online, taken away to protect the children from violence, games that turn children into kick boxers or vigilantes, pornography supplied by the same people trying to protect the kids, it's all a load of be, so if they want to do all these things in order to reform society through enforcing socialism communism, why the hell wouldn't our government and partners enable that tracing permission from the word go.....
 

CranialBlaze

Expert Member
Joined
Jan 24, 2008
Messages
4,025
Yeah I'm not happy about this, and it doesn't matter what anyone says FNB supports the WHO and UN completely, which in my mind if you don't already see what's happening in our country because of their influence amongst others then keeping this app on your phone.. well it's your choice. I'm pretty sure that if a lot of people were notified that there is a covid trace permission which it does not state anywhere in the Google Play Store... they bend the truth actually by saying it's a location tracker of where you drew money or something... but the app itself has covid 19 labeled as a permission to turn on and off, for someone already using the app, if your phone auto updates you are never notified and the update is installed and that's, that, silently running in the background you never know until you happen to come across it by mistake. When you read the description and what's new for any person who's not familiar with technology then I would say that they are lying to you saying that its location is to track all the places you have drawn money, but it's clearly labeled Covid 19 trace in the app... So they are lying to their customers as well as betraying their trust as far as I'm concerned... not once do they mention covid 19 trace in their description.. here they ask you to install the covid 19 alert app in the FNB covid 19 settings.... so why the hell did I have to turn off the covid 19 location permission if it was already on which to me seems that it's already on, the covid 19 alert is just a formality....
actually gonna turn it on again, use phone for my laptop as wireless hotspot and see what happens..... they want to "censor the internet" in the "name of protecting our children", movies games music books everything and everything will have to be reviewed before going online, we are already behind compared to the rest of the world, imagine a "special unit on the film and publications board" screening games and movies products ads, and getting back to you when they have managed to teach your content lol which you have to pay to be approved, if it's not approved lose money, so freedom of online speech and freedom of expression online, taken away to protect the children from violence, games that turn children into kick boxers or vigilantes, pornography supplied by the same people trying to protect the kids, it's all a load of be, so if they want to do all these things in order to reform society through enforcing socialism communism, why the hell wouldn't our government and partners enable that tracing permission from the word go.....

Have you heard of this novel idea called a paragraph? I gave up trying to figure out your ramblings as you seem to have 1 massive run-on sentence and you're not actually making any sense as you have no clue what you're talking about.

Maybe if you format your message properly so that it's more legible I'll read the rest and see if you get to a point that's founded in reality or if you're simply a flat earther believing the ramblings of your own socks.
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
81,151
Yeah I'm not happy about this, and it doesn't matter what anyone says FNB supports the WHO and UN completely, which in my mind if you don't already see what's happening in our country because of their influence amongst others then keeping this app on your phone.. well it's your choice. I'm pretty sure that if a lot of people were notified that there is a covid trace permission which it does not state anywhere in the Google Play Store... they bend the truth actually by saying it's a location tracker of where you drew money or something... but the app itself has covid 19 labeled as a permission to turn on and off, for someone already using the app, if your phone auto updates you are never notified and the update is installed and that's, that, silently running in the background you never know until you happen to come across it by mistake. When you read the description and what's new for any person who's not familiar with technology then I would say that they are lying to you saying that its location is to track all the places you have drawn money, but it's clearly labeled Covid 19 trace in the app... So they are lying to their customers as well as betraying their trust as far as I'm concerned... not once do they mention covid 19 trace in their description.. here they ask you to install the covid 19 alert app in the FNB covid 19 settings.... so why the hell did I have to turn off the covid 19 location permission if it was already on which to me seems that it's already on, the covid 19 alert is just a formality....
actually gonna turn it on again, use phone for my laptop as wireless hotspot and see what happens..... they want to "censor the internet" in the "name of protecting our children", movies games music books everything and everything will have to be reviewed before going online, we are already behind compared to the rest of the world, imagine a "special unit on the film and publications board" screening games and movies products ads, and getting back to you when they have managed to teach your content lol which you have to pay to be approved, if it's not approved lose money, so freedom of online speech and freedom of expression online, taken away to protect the children from violence, games that turn children into kick boxers or vigilantes, pornography supplied by the same people trying to protect the kids, it's all a load of be, so if they want to do all these things in order to reform society through enforcing socialism communism, why the hell wouldn't our government and partners enable that tracing permission from the word go.....
Sounds like trump in a debate
 

TelkomUseless

Honorary Master
Joined
Mar 13, 2006
Messages
14,785
Yeah I'm uninstalling the FNB app after reading about this. I'm not comfortable with the seemingly "disabled" tracing functionality that only works for Staff.
I'm not with FNB. But I agree. No conspiracy etc but I don't want tracking in my BANKING app. Even if it's disabled. I don't care if it's anonymized to the moon and back.

What a load of crap.
 

Pineapple Smurf

Pineapple Beer Connoisseur
Joined
Aug 2, 2016
Messages
43,435
Doesn't bother me, my phone is always at home, every day I go to the shops and leave it at home. Google used to keep asking me How was so-and-so shop you just visited? Now I never hear a word from Google anymore.
 

TelkomUseless

Honorary Master
Joined
Mar 13, 2006
Messages
14,785
LOL

kneejerk reaction much?
There's no location info, no personally identifiable info, nothing. It just alerts you if you have been in contact with someone who has reported testing positive via the app.

But why would your BANKING app need to do this? Screw that.
 

Jet-Fighter7700

Honorary Master
Joined
Mar 12, 2008
Messages
31,618
But why would your BANKING app need to do this? Screw that.

good point, but then again FNB has very slowly been salami slicing into our privacy for years with loads of opt in "features"

I get it, convenience and discounts and sales data all go hand in hand.
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
81,151
But why would your BANKING app need to do this? Screw that.
Because it was for staff, for the bank's own COVID-19 tracing use...?
The FNB app has a LOT of staff functionality on it that you never see. Approval workflows, payslips, leave management... Even the smart app approvals are used for 2FA for access to some systems.
 

Aghori

Honorary Master
Joined
May 11, 2009
Messages
14,245
Doesn't bother me, my phone is always at home, every day I go to the shops and leave it at home. Google used to keep asking me How was so-and-so shop you just visited? Now I never hear a word from Google anymore.

Google maps stopped asking me for Adult World reviews after I did this too.
 

TelkomUseless

Honorary Master
Joined
Mar 13, 2006
Messages
14,785
Because it was for staff, for the bank's own COVID-19 tracing use...?
The FNB app has a LOT of staff functionality on it that you never see. Approval workflows, payslips, leave management... Even the smart app approvals are used for 2FA for access to some systems.

But then they should have split it into a personal vs customer app. I really don't like this idea of a banking app doing "everything". So they can embed all this tracing crap... and you must just swallow it? Nope.
 

TelkomUseless

Honorary Master
Joined
Mar 13, 2006
Messages
14,785
good point, but then again FNB has very slowly been salami slicing into our privacy for years with loads of opt in "features"

I get it, convenience and discounts and sales data all go hand in hand.

I know. They are not a bank alone anymore.. more of a component/PC/laptop etc provider.
If I wanted to be tracked... I would have downloaded the government's app.
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
81,151
lol you guys. Google, Facebook and Apple are doing a lot more tracking of you than any government or institution, especially via the GAEN API.
 