
Citibank SG #267

Closed
5 of 11 tasks
zymsbgt opened this issue Jul 29, 2023 · 14 comments
Labels: app report, correction, Singapore 🇸🇬

Comments


zymsbgt commented Jul 29, 2023

Is there an existing issue for this?

  • I have searched the existing issues

App name

Citibank SG

Link to app

https://play.google.com/store/apps/details?id=com.citibank.mobile.sg

App version

v18.3

Country of the app

Singapore

Build Number

TQ3A.230705.0012023072600

Device list

Pixel 6a

Profile app tested in

Owner profile

Google Play installed

Installed

Google Play services Network permission revoked?

  • Revoked
  • Not revoked
  • I did not have Google Play services installed

Native code debugging

  • Enabled
  • Disabled

Exploit protection compatibility mode

  • Enabled
  • Disabled

Stock OS compatibility

  • Works
  • Does not work
  • Not tested

Description of the app's functionality

The app works as intended

Are there any extra notes you think users should know about?

No response

ADB logcat of the app if necessary

No response

@zymsbgt zymsbgt added the app report App report of a banking app label Jul 29, 2023
@akc3n akc3n closed this as completed Sep 25, 2023

NagyGa1 commented Oct 2, 2023

As of 2nd of Oct 2023, CitiBank SG stopped working, reporting GrapheneOS as jailbroken/rooted and unable to proceed.

The Monetary Authority of Singapore forces all banks to implement these, not sure what exactly.

@akc3n akc3n self-assigned this Oct 2, 2023
Member

akc3n commented Oct 2, 2023

@NagyGa1 thanks for commenting on this banking app report.

> reporting GrapheneOS as jailbroken/rooted and unable to proceed

Out of curiosity, was that the error message you were prompted exactly, or was it more specific? If so, and if you have time, may you please provide the exact error message?

Also, may you please provide some more details @NagyGa1

  • Do you have the Sandboxed Google Play Services installed?
  • Did you install your banking app from the Google Play Store or from AuroraOSS Store?
  • Have you read through the official GrapheneOS usage guide on Banking apps, native code debugging and exploit protection compatibility mode?
  • Perhaps, after reading through the official usage guide on this topic, if you'd like the basics, check out these possible solutions

Please let me know if any of those resolve your issue @NagyGa1, if not, I will update the list on the web page afterwards.


NagyGa1 commented Oct 2, 2023

image

  • Do you have the Sandboxed Google Play Services installed: Yes
  • Did you install your banking app from the Google Play Store or from AuroraOSS Store? Google Play Store
  • Have you read through the official GrapheneOS usage guide on Banking apps, native code debugging and exploit protection compatibility mode: Yes, it is not crashing. Tried both settings both ways but does not help.
  • solutions: I think I tried them.

Wonder if I could just modify the .apk?
It is java bytecode inside right, there is an if() somewhere, I could just modify that to not be an if any more.


NagyGa1 commented Oct 2, 2023

BTW, the app worked up to today. I am quite a sizeable customer of theirs, will talk to them at the branch (can't even message them via the Web UI without logging in from the App first...). They are a small bank, maybe can get to talk to some IT about implementing the MAS requirement without locking everyone on custom roms out.


NagyGa1 commented Oct 2, 2023

Oh UOB app still works with GrapheneOS, at least I have some bank to move to, and can tell the Citi guys "see, UOB can do it!".

Member

akc3n commented Oct 2, 2023

I see. Thanks for all the details.
@NagyGa1, the initial report for this app was by @zymsbgt for version 18.3 on July 29, 2023.

> BTW, the app worked up to today.

The latest version is 18.8 and was updated on Sep 19, 2023. Please read this brief note titled "SafetyNet replaced by Play Integrity API"; there will be additional information in the citations.

> Wonder if I could just modify the .apk?
> It is java bytecode inside right, there is an if() somewhere, I could just modify that to not be an if any more.

I'm not a developer, sorry. Either way, those two points, I can't imagine it ever working out the way one may think; due to a number of reasons.

> UOB app still works with GrapheneOS

Not sure what that app is?


NagyGa1 commented Oct 2, 2023

It is the United Overseas Bank's app: https://play.google.com/store/apps/details?id=com.uob.mighty.app
I happen to have an account with them.

Some new information:

I have a OnePlus 8T with LineageOS on it. Upgraded the Citi app to the latest 18.8 on that as well (haven't used this phone for months), logged in, works so far. There is a 12 hours cooloff, I wouldn't put it past Citi that they only check after that (even though on Graphene it seems immediate).

There are a few more details, I will spare you them (managed to log in to 18.8 on Graphene for a short while), will report back once I figured what's going on.

If any idea, let me know.

Will point the Citi guys to the relevant information if I get the chance, thank you.

Author

zymsbgt commented Oct 2, 2023

This is an interesting development. I'm also a customer of Citi which is why I decided to do this report. I switched to a GrapheneOS phone recently and I think this is gonna be a dealbreaker for me. Gonna see if I can feedback it to Citibank staff at a branch as well.


NagyGa1 commented Oct 2, 2023

> This is an interesting development. I'm also a customer of Citi which is why I decided to do this report. I switched to a GrapheneOS phone recently and I think this is gonna be a dealbreaker for me. Gonna see if I can feedback it to Citibank staff at a branch as well.

I think what they are slightly more sensitive of is the Google Play ratings.
Nowadays 90% of the customer interactions with the bank, especially in Singapore with PayNow and PayLah and whatever is the App. All of them monitor the feedback from there. I gave them 1 star and a short note that this is a dealbreaker.

Happened with OCBC before, got a response to the comment within hours.

Member

akc3n commented Oct 6, 2023

Thanks for your feedback @zymsbgt

> I'm also a customer of Citi which is why I decided to do this report.

In the past, before GrapheneOS released the compatibility layer / Sandboxed Google Play, what worked for most users is the mobile web version of their banking app via the Vanadium browser and/or installing a PWA version in some cases.

> I switched to a GrapheneOS phone recently and I think this is gonna be a dealbreaker for me.

It would be beneficial to read and share our Attestation compatibility guide with your bank (IT, dev, w/e department).

> Gonna see if I can feedback it to Citibank staff at a branch as well.

GrapheneOS users are strongly encouraged to share this documentation with app developers enforcing only being able to use the stock OS. Send an email to the developers and leave a review of the app with a link to this information. Share it with other users and create pressure to support GrapheneOS rather than locking users into the stock OS without a valid security reason. GrapheneOS not only upholds the app security model but substantially reinforces it, so it cannot be justified with reasoning based on security, anti-fraud, etc.

@zymsbgt may you please confirm if this banking app is working or not. This was the last comment from @NagyGa1 in that regard...

> I will spare you them (managed to log in to 18.8 on Graphene for a short while), will report back once I figured what's going on.


NagyGa1 commented Oct 6, 2023

Meanwhile I looked at the comment on the UOB and OCBC bank apps on Google Play.
Around August '23 there are tons of user comments when they implemented the MAS requirement the most stupid way: no banking for you if you have anything installed on your phone from outside sources, i.e. not Google Play.
Lot of people switched banks as well. The apps just said that and exited.

But by now I can confirm the UOB app totally works both with GrapheneOS and stuff installed from F-Droid.
Downloaded the OCBC app and seems fine, but I can't log in as I am not a customer.

So, I believe banks fix their failures over time, might be the case with Citi as well.

BTW, can't use the web version, it requires you to log in from the App. Can't even message their support. :)

@akc3n akc3n changed the title Citibank SG - Singapore Citibank SG Oct 6, 2023
Author

zymsbgt commented Oct 13, 2023

Hi, just saw the past few messages. Back when I did this report on July 29th on app version v18.3 the app worked just fine. But currently on version v18.8 I am getting the same message as @NagyGa1 once I open the app. So yeah. App used to work, no longer working now.

@akc3n akc3n added the correction Suggest a correction label Oct 14, 2023

sebkamil commented Mar 1, 2024

I use the Citibank app for Hong Kong. It started having issues at the same time this one did. My workaround is to lock the phone when the app is opening. This will prevent the "Unable to proceed" popup from appearing and everything works normally. It also works for scanning QR codes, etc. Confirming (online) purchases from the notification works as well; I just sign in with fingerprint and ignore the pop-up - the transaction still goes through.


NagyGa1 commented Mar 4, 2024

Works, tks!
