PrivSec-dev / banking-apps-compat-report

Report and track banking app compatibility with GrapheneOS, including which workarounds may be required.
https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/

Starling Bank - Mobile Banking #39

Closed shompoe closed 2 years ago

shompoe commented 2 years ago

Is there an existing issue for this?

App name

Starling Bank - Mobile Banking

Link to app

https://play.google.com/store/apps/details?id=com.starlingbank.android

App version

2.41.2.63454

Country of the app

United Kingdom

Device

Google Play installed

Google Play services Network permission revoked?

SafetyNet Enforcement

Native code debugging

Stock OS compatibility

Profile app tested in

Description of the app's functionality

Everything works except mobile wallet, which relies on Google Pay. Notifications work if Google Play services are installed.

When you select the card screen there is a message about granting permission to Google Play services, but this can be ignored.

Are there any extra notes you think users should know about?

No response

ADB logcat of the app if necessary

No response

akc3n commented 2 years ago

@shompoe thank you for taking the time to submit your banking app report!

eylenburg commented 1 year ago

Seems like Starling has stopped working on /e/ and made an announcement that they don't support "custom ROMS": https://community.e.foundation/t/list-banking-apps-that-work-on-e-os/33091/192

Does it still work on GrapheneOS (no root, locked bootloader)?

shompoe commented 1 year ago

Yes, works fine on GrapheneOS.  But no NFC payments.

brxken128 commented 11 months ago

I can confirm this still works flawlessly on the Pixel 6 2023101300 release, albeit no Google Wallet integration (thanks Google!)

eylenburg commented 10 months ago

The Starling app still works as of 24 Nov 2023. No issues at all. No Play Services needed.

(Notifications are not working though. Perhaps fixed with Play Services.)

schklom commented 4 months ago

"Your device hasn't passed our security checks" pops up since a few days ago, with "You have 14 days to factory reset". Let's see in 2 weeks, I will talk with them in the meantime. The app is in my work profile with Google Services installed, on a Pixel 6a.

eylenburg commented 4 months ago

That's very concerning. I haven't got this issue yet, on the main profile without Google services. ~~My app is up to date according to Aurora Store.~~ (edit: it's version 3.46, so for some reason Aurora isn't showing me the update yet)

Please keep us updated!

A workaround might be to try the Huawei version: https://appgallery.huawei.com/app/C102488563 You can download it with Obtainium. But I never tried it, no idea if it even works on a non-Huawei phone. But at least it won't require passing Play Integrity!

edit: I emailed Starling report to request GrapheneOS support

schklom commented 4 months ago

@eylenburg My app (was updated yesterday) version is 3.47.0.97816. I advise you to not update your app as long as you can, put it in Aurora Store's blacklist for now.

I am in touch with their technical team, they will look into supporting Graphene :D I will update here when I have more info.

> A workaround might be to try the Huawei version: https://appgallery.huawei.com/app/C102488563 You can download it with Obtainium. But I never tried it, no idea if it even works on a non-Huawei phone. But at least it won't require passing Play Integrity!

Good idea, I will try that on a spare phone. I don't want to remove my working app and risk not being able to move my money out if the reinstall does not work x)

popogomo commented 4 months ago

> @eylenburg My app (was updated yesterday) version is 3.47.0.97816. I advise you to not update your app as long as you can, put it in Aurora Store's blacklist for now.
>
> I am in touch with their technical team, they will look into supporting Graphene :D I will update here when I have more info.
>
> > A workaround might be to try the Huawei version: https://appgallery.huawei.com/app/C102488563 You can download it with Obtainium. But I never tried it, no idea if it even works on a non-Huawei phone. But at least it won't require passing Play Integrity!
>
> Good idea, I will try that on a spare phone. I don't want to remove my working app and risk not being able to move my money out if the reinstall does not work x)

I also requested Graphene support via the Feature request section of the app. My friend is going to do the same. We need numbers for them to fix it!

Please do keep us updated and thanks for warning to not update.

madhogs commented 4 months ago

Getting the same issue on my Pixel 5, have raised a request with support to see if they can pass on a request for Starling to at least consider not requiring device attestation. 🤞

bootlesshacker commented 4 months ago

This is affecting me today too.

Regarding @madhogs point, we shouldn't be requesting they stop requiring device attestation as that will only spook them and reduces security. GrapheneOS has a way for developers to verify GrapheneOS correctly - https://grapheneos.org/articles/attestation-compatibility-guide

User1966 commented 4 months ago

Getting a similar issue on pixel 6a, raised a feature request highlighting attestation-compatibility-guide

shompoe commented 4 months ago

https://cdn.discordapp.com/attachments/1208736672137871370/1236586620686176286/starling.jpeg?ex=66388c89&is=66373b09&hm=cc4fad894c51c6ff094a590c8f251b67bbe8b85f11760841ba0594ce59df24ac&

Found this on the Matrix forum. Looks like Starling Bank are working on a fix to accommodate GrapheneOS. In the meantime they condone running an older version. If you do a manual download in Aurora Store and enter version code 97655 you should get the latest version that still works with GrapheneOS. Hope this helps everybody.

bootlesshacker commented 4 months ago

I'm getting contradictory advice to that after asking them to confirm this morning:

"GrapheneOS is a custom rom which we do not support and have not been given, or are aware of any timescale for this to happen"

I would suggest this app is marked as not compatible until such time they support it, if they ever do. My confidence levels are low that they actually will support it.

User1966 commented 4 months ago

@bootlesshacker I have to agree with you. My Starling login error went from "you have 14 days to factory reset the device to continue using" to not being able to log in within a day or so. Luckily I had access to another device in order to migrate to another bank. I wonder if my looking for workarounds reduced the timeout. I've raised a complaint; if they allow Starling on GrapheneOS / this changes, I'll try to add a note.

User1966 commented 4 months ago

@akc3n Please update report that Starling bank isn't supported on GrapheneOS.

eylenburg commented 4 months ago

Did anyone try if the Huawei version via Obtainium works? https://appgallery.huawei.com/app/C102488563

spring-onion commented 4 months ago

The link takes me nowhere. If that Huawei version doesn't yield any success I'll go ahead and mark it incompatible.

eylenburg commented 4 months ago

I just tried the Huawei version... it just says "device doesn't pass security checks"

bootlesshacker commented 4 months ago

IMG_20240507_193037

This may reassure some users

ivstiv commented 4 months ago

I've sent an email explaining the problem as well, let's hope they put a higher priority on it before we all switch to Monzo.. :see_no_evil:

marcogrigo commented 4 months ago

@ivstiv to whom have you sent the email? The general support email? I'll send one too before switching to Triodos :P

ivstiv commented 4 months ago

> @ivstiv to whom have you sent the email? The general support email? I'll send one too before switching to Triodos :P

@marcogrigo Yeah they have a support email here. I just sent it from the same address I have registered with the bank, so it appeared in the app in the Help section as a support message. I got a vague response for now that implies they misread or did not read the message fully as they think it is a rooted device even though I've stated it isn't. I guess I will be patient and hope it gets escalated to the right people.

ps: Never heard of Triodos, looks very nice on the surface, will deffo check them out

marcogrigo commented 4 months ago

Just installed the latest version (98214) and it still gets the "device not valid" error.

cloning5480 commented 4 months ago

> In the meantime they condone running an older version. If you do a manual download in Aurora Store and enter version code 97655 you should get the latest version that still works with GrapheneOS. Hope this helps everybody.

This is not working for me now, it asks me to update the app when I try to log in.

I have emailed Starling now as well

ivstiv commented 4 months ago

I got a response back from customer service that sounds hopeful:

> We're looking into this, and will be in touch as soon as we have an update.

madhogs commented 4 months ago

Just updated the app to version 3.49.1.98645 (latest in the Google Play Store) and I have access again 🥳. Had to log in again, but otherwise not done anything special. Assuming they listened to the feedback and fixed it for GrapheneOS 😄

bootlesshacker commented 4 months ago

> Just updated the app to version 3.49.1.98645 (latest in the Google Play Store) and I have access again 🥳. Had to log in again, but otherwise not done anything special. Assuming they listened to the feedback and fixed it for GrapheneOS 😄

The update also no longer shows the error for me

schklom commented 4 months ago

It works for me too! Thanks everyone for sending them a message :D

eylenburg commented 4 months ago

I just got a message from customer services saying that version 3.49 is compatible with GrapheneOS. Not sure what they changed but hey - this might be the first bank that specifically caters to us GrapheneOS users!

@spring-onion we should update the website and perhaps add a star next it to signal that this bank explicitly supports GrapheneOS?

bootlesshacker commented 4 months ago

> I just got a message from customer services saying that version 3.49 is compatible with GrapheneOS. Not sure what they changed but hey - this might be the first bank that specifically caters to us GrapheneOS users!
>
> @spring-onion we should update the website and perhaps add a star next to it to signal that this bank explicitly supports GrapheneOS?

I'm exercising caution currently as they seem to be issuing contradictory advice. I'm being explicitly told they don't support Custom ROMs, but to contact them if non rooted GrapheneOS stops working. They said that the update breaking GrapheneOS wasn't intentional but at the same time reminding me custom ROMs are not supported. It doesn't make much sense.

I've asked them for clarification as to what they specifically mean by this. I assumed they implemented SafetyNet attestation, which looks for Google-approved OSes. They've potentially rolled this back(?) (I'd be surprised if they actually now do hardware attestation for GrapheneOS) but this very much could become an issue in future unless they specifically state they support GrapheneOS and have implemented the hardware attestation.

shompoe commented 4 months ago

What are usually referred to as custom ROMs are when the original OS is modified and the device is then left not bootlocked so that these modifications will persist. GrapheneOS on the other hand is a fully bootlocked operating system. It is not modified in the way "custom ROMs" are but it is changed from the AOSP in the same way as any OEM has to in order to make it work on their phones. A custom ROM is when somebody then starts tinkering with the OEM release. If you were to unlock the bootloader on your GrapheneOS phone and then root it for example, that would not be GrapheneOS, it would be a 'custom ROM'. So Starling are right in saying they do not support custom ROMs but they do support GrapheneOS.

Feel free to correct me if you disagree but this is how I understand it.

eylenburg commented 4 months ago

Support told me today: "If your non-rooted Android device stops working in the future, let us know and we will look into it." Which is great news!

spring-onion commented 4 months ago

Shout-out to each and every one of you for bringing this to Starling's attention. I'm very happy to see the amount of pushback from you, this is the perfect example why every single report matters - and it shows!

> @spring-onion we should update the website and perhaps add a star next to it to signal that this bank explicitly supports GrapheneOS?

Possibly! It would be good to confirm what exactly they've done, judging by a post on the forum they seem to have scrapped play integrity altogether instead of opting for hardware attestation. That's still awesome of course, and in terms of functionality it boils down to the same thing, but you can't really use this as a precedent since other banks could cite the "loss of security" when asked to dismantle play integrity, whereas with hardware attestation, they can have the best of both worlds.

bootlesshacker commented 4 months ago

> What are usually referred to as custom ROMs are when the original OS is modified and the device is then left not bootlocked so that these modifications will persist. GrapheneOS on the other hand is a fully bootlocked operating system. It is not modified in the way "custom ROMs" are but it is changed from the AOSP in the same way as any OEM has to in order to make it work on their phones. A custom ROM is when somebody then starts tinkering with the OEM release. If you were to unlock the bootloader on your GrapheneOS phone and then root it for example, that would not be GrapheneOS, it would be a 'custom ROM'. So Starling are right in saying they do not support custom ROMs but they do support GrapheneOS. Feel free to correct me if you disagree but this is how I understand it.

I see where you're coming from and as much as I agree, Starling probably view it differently in the sense it's not the OS that ships from the OEM.

Starling have not released the technical details to myself as to what they've done. My hunch is that they've dropped play integrity rather than do hardware attestation.

I've asked them questions what they mean about "not support", and here are some key points in their response:

What this essentially tells me is they're happy for customers to use it, but it isn't necessarily supported.

I've asked them a further question on how they define "nonstandard", i.e. how do they differentiate an OS forked from bootloader-locked AOSP made by e.g. Samsung, vs a bootloader-locked OS forked from AOSP made by GrapheneOS.

User1966 commented 3 months ago

Also no confirmation on hardware attestation.

From my complaint:

> "You also asked the following questions;
>
> 1) I still need clarity with what fix was pushed through aka GrapheneOS hardware attestation compatibility or not, just a yes we added it or a no we have not? .... Due to our internal policies and security we are unable to provide you any information surrounding the fix to support GrapheneOS. As we are an APP based bank, part of our terms and conditions is you need a compatible device to be able to log into the Starling APP, this is part of the terms and conditions when you signed up to open your Starling account which are below; https://www.starlingbank.com/docs/legal/account/Current-Account-Terms-and-Conditions-General-Part.pdf"

bootlesshacker commented 3 months ago

Nice to know they've copied and pasted parts of their complaint response! I've received the exact same wording.

Anyway, what they have advised me today in final response to my complaint is this:

"To confirm, Starling does not officially support GrapheneOS or other non-standard operating systems..." "However, if the app stops working on your non-rooted Android device in future, please let us know and we'll be happy to look into it"

This makes it clear to me, at least, that they probably haven't implemented hardware attestation (not sure if there's a technical way to check if an app is doing this type of attestation, if anyone knows?), but it at least clarifies that they do not support GrapheneOS officially and support is best endeavours. Therefore users should use it at their own risk.

The definition they have provided for non-standard OSes is:

Quite odd definitions in my view given this basically covers literally any Android device you buy off the high street (given they are all just modified AOSP ROMs at the end of the day), but at least their explicit wording of not supporting GrapheneOS officially should give users the information they need to decide whether to use this service with GrapheneOS or not.

User1966 commented 3 months ago

@bootlesshacker My worry is that probably no banking apps will have hardware attestation, and you need to manage the risk that all banking apps will NOT work on GrapheneOS at some point. This probably needs making clearer? **

This could mean:

  1. Stop using app-only banks if you aren't willing to buy a separate backup phone that you keep up to date running stock iOS/Android (see point 3)
  2. Use a bank that you can access via a web app, branch or telephone, so if the app stops working it isn't as big a deal.
  3. Avoid using GrapheneOS as your daily driver and use it as a backup device for only some functions (this option would annoy me greatly as it somewhat reduces the value of the project)

That said, much of the new banking I think is 'app only', and I guess they are resistant to offering full functions via web apps, which would offer redundancy for something as critical as banking.

Aka your phone is lost, you go to a laptop/friend's device/library/web café... Some of these have security issues, but you have options that aren't buying a new, expensive phone. You can get budgeting apps and features that Starling and Monzo offer by other providers that aren't just 'mobile app only'.

** I am aware of the existing warning, but maybe we need better reviews/rankings? Aka list apps that haven't stopped working for 1-5 years vs ones that broke and were fixed and ones that no longer work. In this case Monzo might be safer vs Starling but that's getting into comparisons which this thread isn't about.

glidingthrough commented 2 months ago

> "Your device hasn't passed our security checks" pops up since a few days ago, with "You have 14 days to factory reset". Let's see in 2 weeks, I will talk with them in the meantime. The app is in my work profile with Google Services installed, on a Pixel 6a.

Looks like this is happening again with the newly released 3.55.0.100330

threedaymonk commented 2 months ago

> Looks like this is happening again with the newly released 3.55.0.100330

I'm seeing the same message on the same version.

User1966 commented 2 months ago

"Your device hasn't passed our security checks", with version 3.55.0.100330, only updated today. Previous 3.54.0.99955 was fine. I understand the latest version is 3.56. Raised support request with a specialist Starling team, asking if newer 3.56 version can be pushed to all devices if this fixes the issue.

nonalloc commented 2 months ago

Just updated to 3.55.0.100330. I can confirm the same thing happens on my end. However, unlike the last time when I was able to tap "OK" and keep using the app, tapping "OK" now doesn't do anything.

I contacted them to let them know about the issue and find out whether they're planning to fix it. I suggest others do the same: https://www.starlingbank.com/contact/

shompoe commented 2 months ago

Hi, has anyone actually reported this to Starling Bank? They did say they would look into it if it happened again.

User1966 commented 2 months ago

> Just updated to 3.55.0.100330. I can confirm the same thing happens on my end. However, unlike the last time when I was able to tap "OK" and keep using the app, tapping "OK" now doesn't do anything.

Same here yesterday and today, added this to my ticket/issue.

@shompoe Looks like 2 tickets so far in the thread. I included my previous complaint ticket ID where they didn't provide 14 days access but just kicked me out within 1-2 days.

popogomo commented 2 months ago

Guys, can anyone please share a screenshot of the message?

I've raised this with their support and they told me that they are working on this, but also requested a screenshot. I did not update to the latest version so my app is working fine. Can you please post a screenshot so that I could provide it to them? Thanks.

nonalloc commented 2 months ago

@popogomo Sure, there you go IMG-20240627-WA0005

popogomo commented 2 months ago

> @popogomo Sure, there you go IMG-20240627-WA0005

Thanks a lot, just sent this to them.

I think we all need to contact them and report this so that we will have numbers, like we did before. I have 2 friends using Starling and both are going to do the same.

nonalloc commented 2 months ago

Thanks for doing this.

I contacted them via email and here's what they said.

Likely a clueless rep or a subtle way of saying they won't support GOS?

Screenshot from 2024-06-28 20-26-29

spring-onion commented 2 months ago

It's possible Starling started checking for other apps installed, especially accessibility ones. Try launching it in an empty second profile, and see if disabling TalkBack (it's a system app) has any impact.

nonalloc commented 2 months ago

@spring-onion Thank you for your suggestion. I tried it and it doesn't appear to have any impact unfortunately.

I asked for clarification and it appears that they are planning to release a fix providing a "grace period" early next week, whilst they are exploring the possibility of supporting GOS long-term? In any case, I'll keep chasing for updates until we know what their policy is.

Screenshot from 2024-06-29 08-53-14

There has been a lot of mixed, even contradictory, advice initially about them supporting GOS. Now they're clearly saying they're not supporting custom ROMs, which GrapheneOS isn't, by the way.

Last time this ended with them restoring full access to GOS users and clarifying that they are always happy to look into any potential issues provided the device isn't rooted. Now they're saying they "may not be able to restore access" - whatever that means.

Will keep everyone in the loop and let you know as soon as I find out more.

In the meanwhile, downgrading to 3.54.0.99955 will allow the app to run as expected.