HSBC is locking out customers for using a sideloaded password manager

According to TheRegister.com, some HSBC mobile banking customers in the UK are being locked out of the app after installing the Bitwarden password manager via the open-source F-Droid catalog, rather than Google Play. Neil Brown, a board member at F-Droid, was personally blocked after a security screen flagged his sideloaded Bitwarden installation as a risk. Bitwarden, an open-source password manager, is also available through official channels like Google Play. HSBC did not provide a clear explanation for the block, only stating that its app performs checks for potential malware. Representatives from both F-Droid and Bitwarden suspect the issue originates from HSBC’s own security configuration. Both companies are open to discussing the matter with the bank, but no meetings have been scheduled.

How the block probably works

Here’s the thing: this isn’t really about Bitwarden being malicious. It’s about where it came from. Gary Orenstein from Bitwarden nailed it when he suggested HSBC’s app is likely using its permissions to scan for other apps not installed from the Google Play store. If it finds one, it just says “nope” and refuses to run. This is probably tied to Android’s Play Integrity API or a similar third-party service like SafeNet. The app is basically checking the device’s environment and deciding it’s not “pure” enough because software came from outside the walled garden. It’s a blunt instrument. And for a security-conscious user who deliberately chooses F-Droid to avoid Google’s ecosystem, it’s incredibly frustrating.
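To see what an "installed from Play or nothing" policy of the kind described above would trip over on your own device, you can read the installer recorded for each package. The script below is an added example for this article, not code from HSBC, F-Droid or Bitwarden; it parses the output of `adb shell pm list packages -i` (the `package:<id>  installer=<installer>` lines) and the sample it runs on is constructed, although `com.android.vending`, `org.fdroid.fdroid` and `com.x8bit.bitwarden` are the real package ids of Google Play, F-Droid and Bitwarden.

```shell
#!/bin/sh
# Lists apps whose recorded installer is not Google Play, i.e. the apps a
# Play-only environment check would treat as suspect. Added example, not
# the bank's actual logic (which is not public).

PLAY_STORE="com.android.vending"   # Google Play's package id
FDROID="org.fdroid.fdroid"         # F-Droid client's package id

# Reads `pm list packages -i` output on stdin, prints "<package> <label>"
# for every package that was not installed by Google Play.
non_play_installs() {
    sed -n 's/^package:\([^ ]*\)[[:space:]]*installer=\(.*\)$/\1 \2/p' |
    while read -r pkg installer; do
        case "$installer" in
            "$PLAY_STORE") ;;                       # from Play: passes the policy
            "$FDROID")     echo "$pkg fdroid" ;;    # curated repo, but still not Play
            null|"")       echo "$pkg unknown" ;;   # adb install or manual APK: no installer recorded
            *)             echo "$pkg other:$installer" ;;
        esac
    done
}

# Constructed sample, shaped like `adb shell pm list packages -i` output.
SAMPLE='package:com.android.chrome  installer=com.android.vending
package:com.x8bit.bitwarden  installer=org.fdroid.fdroid
package:com.example.sideloaded  installer=null
package:org.fdroid.fdroid  installer=null'

# Number of packages in the sample that the blunt policy would flag.
count_flagged() {
    printf '%s\n' "$SAMPLE" | non_play_installs | wc -l | tr -d ' '
}

# On a real device: adb shell pm list packages -i | non_play_installs
printf '%s\n' "$SAMPLE" | non_play_installs
```

Note that the installer field only records who handed the APK to the package installer; it says nothing about whether the app is malicious, which is exactly why a check keyed on it alone flags a curated F-Droid build of Bitwarden just as readily as a random APK.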

The security vs. control tradeoff

Look, I get it. Banks are paranoid, and for good reason. Sideloading can be a risk vector if users are installing shady APKs from random websites. But that’s not what’s happening here. F-Droid is a curated, open-source repository. Bitwarden is a widely respected, audited security tool. By blocking this specific combo, HSBC isn’t stopping malware; they’re stopping a specific, legitimate user choice. They’ve decided that the risk of any sideloaded app—even a password manager—outweighs the principle of user control over their own device. It’s a heavy-handed approach that punishes tech-savvy customers. Basically, they’d rather you have a weak, re-used password from a “trusted” source than a strong one managed by a sideloaded app.

What can users do?

So what’s the workaround? Neil Brown mentioned a few options, like using a separate device profile for banking or, the nuclear option, a whole separate physical device. That’s just not realistic for most people. His simpler suggestion might be the best: ditch the app and use the bank’s website through a mobile browser. It’s less convenient, but it reclaims your control. This whole situation highlights a growing tension. As our phones become our primary computers, who really controls them? The user, or the most restrictive app on it? When a banking app can dictate what other software you’re allowed to run, that’s a problem. It’s a level of oversight that feels more like corporate IT policy than a service offered to a customer.

A broader trend of lockdown

This isn’t just an HSBC quirk. It feels like part of a broader trend where big institutions use “security” as a blanket justification to lock down user environments. We see it in enterprise software, in certain industrial and manufacturing settings where hardened, locked-down systems are the norm, and now it’s creeping into consumer banking. The logic is similar: reduce variables, reduce risk. But when that logic bleeds over into punishing users for legitimate software choices, it backfires. It erodes trust. And honestly, it might just push those security-minded customers to another bank. After all, if you can’t trust me to manage my own phone, why should I trust you with my money?
