HSBC mobile app refused to run on phones with F‑Droid‑installed Bitwarden

TL;DR

A Mastodon user reported that HSBC's mobile app refused to operate on their Android phone because they had Bitwarden installed via the F‑Droid store. HSBC told the user to remove Bitwarden; the user removed the bank app instead and said they would use the website.

What happened

Neil Brown posted on Mastodon that HSBC had blocked its mobile banking app on his phone due to the presence of the Bitwarden password manager, which he had installed from the F‑Droid store. According to the thread, HSBC's suggested remedy was to uninstall Bitwarden; the user rejected that fix, deleted HSBC's app and said he would access his account through the bank's website. Replies to the post included suggestions such as using separate Android profiles as a workaround, and other commenters described similar restrictive behaviours by bank apps — for example, some said HSBC's app can also block certain Android keyboards. An infosec responder framed the broader context as banks attempting to detect sideloaded apps to counter recent scams that trick users into installing malicious software. Neil later added that the bank was sending him a replacement security fob.

Why it matters

• Policies that detect sideloaded apps can block legitimate, privacy‑minded software and affect user choice.
• Bank app behaviours that inspect device state raise device privacy and transparency concerns.
• Fraud prevention measures can produce collateral usability problems for customers with alternative app stores.
• Blocked app access can push customers to use web interfaces or consider switching banks.

Key facts

• Original report came from a Mastodon post by Neil Brown on Dec 30, 2025.
• HSBC's app reportedly refused to run because Bitwarden was installed via F‑Droid.
• HSBC's suggested fix to the user was to remove Bitwarden from the device.
• The user deleted the HSBC app and said they would use the bank's website instead.
• A commenter noted HSBC is sending the original poster a replacement security fob.
• Reply contributors suggested workarounds like using separate Android profiles.
• An infosec commenter said banks may be detecting sideloaded apps to combat scams.
• Some users reported the HSBC app can also reject certain Android keyboards even when those are installed from the Play Store.
• One reply contrasted HSBC's behaviour with First Direct's app, which was described as more permissive.

What to watch next

• Whether HSBC issues a public explanation or changes its app detection policy — not confirmed in the source.
• Reports from other customers about similar blocks or expanded device checks by banks — not confirmed in the source.
• Any official guidance from banks about compatibility with alternative app stores and password managers — not confirmed in the source.

Quick glossary

• F‑Droid: An independent, open source app repository for Android that distributes apps packaged outside the Google Play Store.
• Bitwarden: A password manager that stores and autofills credentials; it can be installed from multiple app stores.
• Sideloading: Installing an app on a device from a source other than the official app store.
• Security fob: A hardware token that generates one‑time codes used as part of two‑factor authentication for online accounts.

Reader FAQ

Why did HSBC block the app on the phone?
According to the Mastodon thread, the bank blocked the app because Bitwarden had been installed via F‑Droid; HSBC advised removing Bitwarden. Further technical details or official justification were not provided in the source.

Did the user comply with HSBC's request?
No. The user removed the HSBC app and said they would use the bank's website instead.

Is this an Android‑only issue?
A commenter in the thread said such behaviour is typical on Android and not on iOS, but broader confirmation was not provided in the source.

Are there known workarounds?
Some replies suggested creating a separate Android profile to isolate the banking app, but the effectiveness of that approach was not verified in the source.

Is HSBC replacing hardware tokens?
The original poster wrote later in the thread that HSBC was sending him a new security fob; wider policy on token replacement was not confirmed in the source.

Posts and replies Neil Brown @neil@mastodon.neilzone.co.uk HSBC has chosen to block its mobile app on my phone because *checks notes* I've got a password manager, Bitwarden, installed via F-Droid. Its…

Sources

• HSBC blocks its app due to F-Droid-installed Bitwarden
• HSBC App now complaining about "Developer Options"
• Troubleshoot Android Autofill

Related posts

• Cruising at 35,000 feet — in-flight entertainment still runs Apache 2.0
• Korean carrier’s femtocell security lapse exposed customers to snooping and fraud
• Reverse-Engineering Washing Machines: Insights from 39c3 Talk (Video)