Lloyds Bank Mobile Banking

[davearchive]

Is there an existing issue for this?

• I have searched the existing issues

App name

Lloyds Bank Mobile Banking

Link to app

https://play.google.com/store/apps/details?id=com.grppl.android.shell.CMBlloydsTSB73

App version

86.03

Country of the app

United Kingdom

Device

• Pixel 6 Pro
• Pixel 6
• Pixel 5a
• Pixel 5
• Pixel 4a (5G)
• Pixel 4a
• Pixel 4 XL
• Pixel 4
• Pixel 3a XL
• Pixel 3a
• Pixel 3 XL
• Pixel 3

Google Play installed

• Installed
• Not installed

Google Play services Network permission revoked?

• Revoked
• Not revoked
• I did not have Google Play services installed

SafetyNet Enforcement

• Enforced
• Not enforced
• Unsure

Native code debugging

• Enabled
• Disabled

Stock OS compatibility

• Works
• Does not work
• Not tested

Profile app tested in

• Main user profile
• Secondary user profile
• I used a work profile device manager app (Please mention more details about it down below like the app)

Description of the app's functionality

Everything works perfectly

Are there any extra notes you think users should know about?

No response

ADB logcat of the app if necessary

No response

[akc3n]

@davearchive Thank you! Just updated the list. Much appreciated!

[spring-onion]

As mentioned in #330, the app now refuses to work stating that the device has been jailbroken/rooted, probably due to the play integrity api. Please contact them, let them know it has stopped working for you and link them the attestation compatibility guide so they can start supporting GrapheneOS.

[eylenburg]

Can confirm the reports above. Lloyds worked for me yesterday but refuses access as of today complaining about being rooted.

At least you can still use their online banking in the browser without an app (2FA is via SMS), unlike some other banks who have stopped SMS 2FA and require a mobile app.

Bit ironic though that they think running the app on an unrooted GrapheneOS device is "insecure" but logging in with a browser (perhaps an outdated version and running on Windows 7 still?) and secured by an SMS is "secure".

[NarwhalPrince]

Encountered new behavior as compared to the last reports. Installing and opening the app does not result in any security/rooting messages or app crashes on GrapheneOS. I am in the US, if that matters.

Device: Pixel 7 Pro
GrapheneOS version: 2024050300
App version: 137.02

[spring-onion]

I can confirm that nothing is triggered on the welcome page at least.

[edo0]

@NarwhalPrince @spring-onion

It loads the login screen just fine.

However, after filling in the correct account credentials, it will feedback an "Error: you have been logged off" detailing underneath that this is due to the device being "jailbroken/rooted"

[beaneeber]

@edo0 I can confirm the error still occurs as of May 2024 (v138.03).

Here's what the error message looks like:

[spring-onion]

Lloyds enforces play integrity but is seemingly okay with it missing/unreachable.

Please test by revoking the network permission from the google play store app in particular. If that doesn't yield success feel free to block the other google play components (as well), see if that gets you anywhere.

[beaneeber]

Thanks, I've tested by disabling network permissions for the Google Play Store, the Google Services Framework, and both together. Still no luck unfortunately.

I've messaged Lloyds but don't have high hopes. Ultimately it looks like I'll have to find a new bank as they're very unfriendly towards GOS.

[spring-onion]

@eylenburg @NarwhalPrince @edo0 @beaneeber

Please retest with the latest release (2025012700), the new toggle to prevent usage of play integrity may have an impact.

[ghost]

@spring-onion Lloyds doesn't seem to use play integrity. I still receive the "your phone seems to be rooted/jailbroken" prompt and there's no Play Integrity API usage notification. Oddly enough, I tested signing into my account on my old phone which at the time was running Crdroid, no GMS or play store and had an unlocked bootloader and it let me sign in without issue.

I wonder what is tripping the detection?

[jackedproxy]

Can confirm Lloyds is working on GrapheneOS now.
Should a new issue be created?

Storage&Cache must be cleared after having it be flagged, or the app will remember.
No reboot necessary after enabled following options, but can confirm app still signs in post-reboot.
Running on latest GOS.

Profile - Sandboxed profile (non-owner)
Google Services - Installed
Installed through - Aurora Store (Anonymous account)

Exploit protection compatibility mode - Enabled
Hardened memory allocator - Disabled
Native code debugging - Allowed
Webview JWT - Enabled
Dynamic code loading via memory - Allowed
Dynamic code loading via storage - Allowed

Most notably, Exploit protection compatibility mode AND Webview JWT must be enabled.

[spring-onion]

Should a new issue be created?

No, here is fine. Thank you for the detailed report! Unfortunately the user who shared their experience prior deleted their account, so I can't ask them to replicate your environment. But it sounds promising, so I'm marking Lloyds compatible again.

[jackedproxy]

Update

Apologies for the false alarm, but after a random time of usage of the app it locks the user out.
Before it seemed to be right when attempting to login, so I'd never gotten this far.
But it seems after using the app (it can happen an hour after, 15 mins or 2 mins, it's fairly random), the app kicks the user out with the usual warning.
@spring-onion Please mark this as not compatible once again.

[spring-onion]

@jackedproxy No problem, appreciate the quick updates!