Chase Bank wants EVERYTHING!!!

[Phil Indeblanc]

I had to stop into Chase bank. The person helping me out said to just download the Chase app and you can see if your deposit is cleared and such. So I looked up the app, and hit install...
So Chase wants:
Identity- Uses one or more account on device, profile data.
Contacts-Uses contact info (but that is already in Identity. This says Contacts, more than 1)
Location-Devices location
Photos/Media/Files-Uses one or more of, also access to External Storage!
Camera- Devices camera. No prob as you take pix to deposit.
Wifi connect Info-View info about wifi, networking, names of connected devices

REALLY!???
This is the type of app I want to use on my phone?

When you check the same app on the Apple device, it asks for
Location
Camera
THATS IT!!!

Did I just swap phones from iOS to Droid for a horrible app experience?
So far I have only been able to install 3 apps, as most other things that have ZERO reason to ask for certain info, require me it to install.

Isn't google putting SOME parameters on these apps? I mean I can understand you getting some questionable access from some game, or supposed productivity app...But CHASE BANKING...I know bankers are thieves, but this is Googles hand in allowing them to do more than just banking.

So as much as I LOVE how it tells me this info, instead of me seeing it on the iOS after I install it, BUT I think there is MUCH to gain from Apple OS if they are checking apps, or setting some parameters to stop apps from having access to things not needed!

One of the reasons I wanted to give Google a shot was this app install feature that makes it more secure as it makes you aware...but I didn't think it would cripple my ability to use either!

Maybe I am missing some function? I mean as soon as you install the app can access, grab and packet the info it wants..in case I'm able to disable specific points of access, I'm not sure if I can control that. But, whats the point once the damage is already done just by installing. Copy of info could even be in the Install file.

 

[Phil Indeblanc]

hmmm
Hard to believe that no one bats an eye at this.

 

[Jhayzone]

I recommend you to ask your bank's representative yourself on why it need this kinds of permission. We cannot give you a guaranteed answer aside from few guesses as to why this permission is needed by a bank app.

 

[zuben el genub]

From Google:

Notes on Permissions:
• Location permissions are needed to determine your current location in order to find Chase bank branches and ATMs near you
• Read Contact permissions are needed to access your contacts to send money via Chase QuickPay(SM)
• Camera permissions are needed to deposit checks via Chase QuickDeposit(SM)
• USB storage permissions are needed to view file attachments

This is the why of some permissions. I don't agree with some either , but they do make sense. If there is more in your app, it would be interesting. Where did you download it?

I've often wondered about the ability of some apps to identify you. Location is one suspect, and even just GPS alone will tell them. If you download any of the TV news apps, you get a lot of commercials.

 

[Crashdamage]

My Commerce Bank app on Android asked for location and camera, nothing else.

 

[Fox Mulder]

It's good that you're checking app permissions before installing them, and if this is that much of a concern for you you're certainly free to not download the app. However I'd say it's far less of a concern with an app from a major bank that it would be if the same permissions were listed for, say, a flashlight app. I'm sure Chase has legitimate reasons for needing those permissions (as indicated above) and they're not out to steal your information.
If other banking apps have fewer permissions it may be because they have less functionality (btw good to see you here Crash).

 

[mikedt]

Why hasn't your bank app got SMS permissions, that's first thing I noticed. Because every time I start my Merchant's Bank app, after entering the password and PIN from the security token, it sends an SMS on the registered phone number and expects a code back to verify the login, part of their security measures.

Yeh, people don't look at permissions, that's why there's so many "free" flashlights and other spyware crap out there.

 

[Sento]

My Commerce Bank app on Android asked for location and camera, nothing else.

ROFL

 

[Sento]

My Commerce Bank app on Android asked for location and camera, nothing else.

I decided to check it out, he is right!! scary.....

 

[El Presidente]

It may well want your location so it can notify you of any branches located nearby.

It might also ask for permission to access storage so you can upload any pictures previously taken as opposed to pictures taken with the app.

I'd be wary of the WiFi and identity permission, but as has been pointed out, it's a legit banking app so I'd probably be ok installing it.

If your device is running marshmallow, or scheduled to be updated to marshmallow, you're prompted to allow apps access to permissions as and when they need them. That way, if you're not comfortable with what an app needs, you can just deny it when asked.

 

[Fox Mulder]

Or if you're rooted and have Xposed you can use XPrivacy to limit permission. Just bear in mind that restricting permissions can "break" the app, if that happens you'd then have to decide if you're willing to accept the app as-is.
Again, in the case of this particular app I wouldn't be at all concerned. Same with other apps that are from well-known sources, it's the ones from lesser-known parties we need to be concerned about.
If the explanations provided regarding the permissions are not adequate for you I'm sure you can contact the developer or Chase online support to inquire further.

 

[Slug]

[...] this is Googles hand in allowing them to do more than just banking.

It's nothing to do with Google. What permission an app requires, and how it uses those permissions, is down to the developer(s). In case of doubt it's always best to ask, as you are doing. One can't be too careful with sensitive info.

Fwiw, my own banking app requires Contacts, Location, Storage & Telephone permissions. Why is explained on the Play Store page, and I'm fine with that.

 

[Phil Indeblanc]

Camera and Location, THATS IT...If you want to give ANYTHING else, it can ask when you prompt a feature. There is NO reason to request all out access like this.

And for those who think that the bank is OK....they are some reputable source...SUre if youre ONLY concerned with spyware, I might have minimal concern, But if you think they don't log copy and exploit your information when needed, you trust banks WAY too much. The last thing in the world I would trust is a bank. Its like trusting a purchased politician. Get your heads out the sand and do some unfiltered reading! If you knew how the banking and loan business was setup, you CANNOT ignore the fact that the banking system is biggest cook in all of economic world. If you don't know, please do yourself a favor and do plenty reading. But of course when individuals have no kids and futures to worry about, who gives a rats arse!

But, in society you cannot survive without a bank. Thats how powerful they are, and thats how they have set it up. SO we have to deal with them. But Its interesting to see how some could care less their full info being exploited or being oblivious to it, as little by little all this slips out of the private person's controll, and there will come a time that this breach of privacy will sting the masses so hard they wont know what happened.

 

[svim]

As it's already been pointed out sometimes an app requires permissions for things that aren't obviously apparent, but as far as their app collecting personal data, your bank already has your most private info already. Any bank application will require you to give them things like your social security number anyway. Besides, banks aren't in the business of selling consumer data they might collect from their apps, they profit off of us in much more blatant and direct ways. Even though our banking industry gets away with any number of bad shenanigans, they're still regulated pretty heavily so smartphone data collection isn't really an issue.

I'd be more worried about what's going on as far the transfer of your data between your phone and the bank's servers. Banks have a history of not being the most vigilant about online security. Back before smartphones and apps when online banking was tied to a computer and a web browser, the required browser was limited to Internet Explorer because the banking sites still relied on ActiveX. So in essence two things with horribly bad security issues were the necessary requirements to do online banking. Thankfully things have progressed beyond that debacle but there are still banking sites that aren't necessarily secure. Taking a look at Chase's site below, the SSL Labs site gives them a B rating, which could be better but in any case if you scroll down and look into whichever version of Android that applies to your phone, there is an issue that we don't know if the Chase app is relying on Android's certificates or if it has its own internal ones.
https://www.ssllabs.com/ssltest/analyze.html?d=www.chase.com

 

[steiny180]

If you don't like their mobile app, don't use it...

 

[Deleted User]

hmmm
Hard to believe that no one bats an eye at this.

I see your post as a rant and little more. If you don't like Chase's mobile app, don't use it...

 

[palmtree5]

My guesses on these permissions as a user of the app

Identity- Uses one or more account on device, profile data.

- Not sure

Contacts-Uses contact info (but that is already in Identity. This says Contacts, more than 1)

- QuickPay allows you to add recipients from your contact list

Location-Devices location

- Branch/ATM locator

Photos/Media/Files-Uses one or more of, also access to External Storage!

- Viewing check images? I feel like those would be temporary though and not be kept

Camera- Devices camera. No prob as you take pix to deposit.

- Mobile deposits like you said

Wifi connect Info-View info about wifi, networking, names of connected devices

- Not sure on this one

 

[syzmic]

Is it possible to open a browser and go to their website to do your banking? Would that avoid all of your security issues?

 

[Crashdamage]

Yes of course it is, but a weii designed app is quicker and easier with no security problems.

 

[Phil Indeblanc]

BillArf....
I don't understand your point, or should I say the basis of your instruction.
Do you have anything to add to this, or are you just here to guess peoples intentions, and talk smack about peoples reasons for posting threads? And since when are you the author on who uses what app?

Are you the "pro banker" and pro information hog that wants to track all user data just in case? What is it that you want? You don't want me stating facts? You don't like the idea of privacy?


PalmTree, Any app can require a per use permission, that way YOU feed what content you want the app to have access to...Not the other way around. The app shouldn't dictate how your phone works, and It shouldn't be you not having the control, simple as that!

These are very basic guidelines personal information and privacy SHOULD be working under, and this CHASE app, much like a HACK app, is telling you...Oh, ya, I need all your contacts when I want them, and your pix, your wifi, you location, your ID, and the camera of course, and YOU HAVE NO SAY I CHASE USES ALL THIS.

But on the iOS, its just Camera and Location. With the option of turning Location off. The app will likely ask as it needs it, but at that point it also maybe asking you for the permission, and then having the unlimited access to what you allowed.

Syzmic, that maybe the best way to go about these apps that require BS access.
Crash, yes a app is quicker, but I rather use the web and do what I need vs supporting an app that supports THEIVING of infor as CHASE wants to be known as.

 

[psionandy]

That said... Surely the solution in a free economy is for anyone who is unhappy with chase, to contact them. If they are still unhappy then change bank.. And let them know why.

Market forces will then solve the issue.. Or if not you are with another organisation that you trust.

 

[zuben el genub]

Chase is just doing CYA. They are betting that more people want convenience rather than total security. Using the web, there should be a symbol like a lock or a notice that you are on HTTPS: There doesn't seem to be anything on Android where you can check.

What does the Chase privacy policy say? Do they claim the right to sell or share certain info with any 3rd party?

I use the web based Pale Moon on Linux. I have an appblocker running along with NoScript. NoScript will pick up the ads that use scripting and ignore just the <img> ones. I don't see too many scripted ads after the main log in screen. Most of the scripting is the banking app itself.

I'd say that if you use Chase, since you can change permissions on the fly with Marshmallow, enable them when you want them and disable them when you don't. I did that with a couple of apps on a rooted phone using Titanium Backup freeze.

 

[Phil Indeblanc]

I think I will change my bank. There are 2 other banks. They are mostly ALL the same garbage, except one might force you to keep a min amount in a checking or saving. I will check their apps out.

Until then, I'm considering having 2 cell phones with me most of the time. In car, at home, at work...Although Chase takes all your wifi info, and who you are connected to.

Its not a hassle to have both, but use the cell with zero info as the app/web cell and have it link off the hotspot. I think we all have at least 1 extra phone we upgraded from.

 

[mikedt]

B
But on the iOS, its just Camera and Location. With the option of turning Location off. The app will likely ask as it needs it, but at that point it also maybe asking you for the permission, and then having the unlimited access to what you allowed.

Sure it's just that, because AFAIK with Apple iOS they don't tell you anything about permissions. It's need to know and Apple thinks you don't need to know, just trust us. Also FWIW I just had a look at the Chase Mobile for iOS app in iTunes on my Mac, can't see anything about permissions in the description of it. But then it gave a message about not being available, probably because I'm not in the US.

There's some of these "free" snake-oil spyware things that I would never install on Android, because I do care about my privacy, and presumably 360 for iOS has free-run of all your personal data and can phone it home to Beijing, without you knowing. See also Cheetah Mobile, who's entire business is monetizing and selling your data, they make apps for iOS as well.

Who would you trust the most or least, JP Morgan Chase & Co. or Cheetah Mobile?

If you ask Cheetah CMO Xinhua Liu what Cheetah is, Liu – who quips that the “M” in his CMO title also stands for “monetization” – will say, “We are a data company.”

 

[Phil Indeblanc]

Interesting, I JUST updated to the new Android version, LATEST, and it now DOES NOT, I repeat DOES NOT tell you what the App is going to be accessing!!!! It will do it as you use that feature.

Say you want to deposit a Check, it will need camera (THIS IS WHERE IT CAN BE FORCING ITS HAND), IF you want to use the camera, it might force you to accept something else? I DON'T KNOW, BUT I wont bother installing it anyway.
If Google security forces for INDIVIDUAL feature access, then WE GOT a decent or at least better chance of limiting these breaches!