Now my Pb bank and mae app I see gave such warning.

How can developer mode and USB debugging mode breach bank app security?

Yr like putting yr wallet at places where every one can see and access , when yr wallet kena stolen shock Pikachu pulak

if use Samsung, can use Samsung Knox.

Maybe it is used by scam app to read certain details like key logging to work…

Buy another phone lah...haha

last time bank rakyat apps also refuse to login when detect dev mode. only cimb don't mind, but that shitty app is in a league of it's own.

as the name imply, developer mode is for developer to test and modify the system. for normal mode of operation, any admin right or modification to the system should not be allowed at all. otherwise, rogue app can potentially exploit them. in short, they are a potential security risk.

the most risky element is still the user 🤣 PEBKAC

USB debugging is like leaving your house kitchen door unlock. Don't risk it.

Keyword = USB. Don't plug into unknown charging port, always use your single factory out charger, and don't install app outside of play store. You will be fine. Been using dev mode on android for the past 10 years, still safe

Actually disagree with this example, even usb debugging is enabled, you still need to trust the device first to access, so there is still one more security layer to go through.

developer mode usually not the issue but the usb debugging/wireless debugging, but some developers just simply choose to checking for developer mode instead of specific feature block.
I would say it's for prevention and to cater for "don't know what they are doing" person and this affect legit users. Banks probably use owasp-mastg as guideline.
- to reduce attack vector (to the bank app or the user).
- harmful / unknown sources app can still trick user to make it as trusted device.
- someone has your unlocked device access and install harmful apps.
- if there is a new exploit to bypass trusted access.
- unknown charging/usb port that try to gain trusted access and some people will just simply click trust it because it disturb what they are doing and don't know what is it.
- unauthorized screen mirroring/remote/key-logging (after gained trusted access).
- and probably more

It looks like the myPB bank app also thinks the apps/updates installed by the phone maker via regular OS updates (but not via Playstore) are red flags. Hint...Oppo. Not sure about other phones but should be the same.

This post has been edited by yeeck: Mar 3 2025, 11:04 AM

Same for my POCO phone.

Why do you turn on your developer mode permanently, TS?

Can't you just turn it off under settings, developer options and only enable it when you need to do debugging?

They do that because they want to force install their malicious apps in your phone and don't want you to remove them on purpose.Some of these telemetry apps even steals your surfing habits, data which you use daily and many of your personal inputs reporting them back to the manufacturers servers claimed for improvement purposes.

It actually work both ways.

Those ad blocker apps actually do you good but the content ad-tracking companies such as Google and Meta don't like you blocking their ads for loss of revenues. So they include those apps as illegal/security risks tools in their security patches.

Knowledgeable users of course know what they're doing, those ad-blocking/telemetry apps are not security risk apps but are revenue loss to Google/Meta.

But why do you think these corporations include them as illegal risky security apps under their security patches?

my in law punya phone dev mode is not even on also keep triggering this issue.

the only way for me to bypass this is to turn on and off again the dev mode.

then it will appear again after a week or two on random interval.

Techincally speaking, the developer for bank don't want to risk anything.
Having the app install from Official store (Play Store/ Huawei Store/ Samsung Store), is the only best bet they can trust for security.

Usually those app that content malicious intent / trojan will get flag and not able to publish in official store. Unless it is so new, that is able to goes under radar.. "happen before".

Having developer mode is not an issue, as I'm using it to change some settings on the phone. e.g: Animation / Transition Speed.

USB Debugging Mode is the real backdoor.

In order to use USB Debugging Mode, developer mode need to be turn ON.
So to say, the developer for banking app just playing it safe below limit.

*Some banking app did flag some app installed from Samsung Store / Huawei Store.. the developer need to do better filtering, or there's no API to check that*

This post has been edited by shinichi88: Mar 3 2025, 12:01 PM

I think you misunderstanding this, he mean the bank apps check for apps that not installed from Google Play Store, but some chinese phone manufacturer (xiaomi, poco, oppo, etc) come with preloaded apps that are not downloaded from Play Store.

The android developer usually either, many of them are iphone user or using those samsung, etc, company didn't provide variety of testing phone brand to test or any cloud devices service. The developers will need to whitelist those preloaded apps if they are implementing this mechanism.

Why do you think Chrome intentionally block plugins such as uBlock recently few months back?

Are they actually improving your security by not allowing you to block their ad-trackers? Or they are actually trying to protect their own revenues/interests?

People need to have some common sense.

The devil will not tell you that he's feeding you poison, he will say this is nourishment for you to take regularly and so are their security patches which will block you from taking away their revenues.

Get it?

There was once, when I used ad-blocker on my phone those banking apps wouldn't load.I think it's still happening occasionally..

What does that mean? Our online bank portals have been known to use malicious domains that are being abused by ad trackers?

Do the banks prefer you to receive malicious ads and are encouraging you not to install ad-blockers for "their" security reasons of protecting their ads revenues side businesses?

I think your reply already out of the topic and not relevant, suggest you to reread what he said again.

1. Public bank apps flagged one of his installed apps as red flag (which most likely mean from unknown source or not from Google Play Store)
2. The apps actually pre-installed or downloaded through the OS update from Oppo (can be Oppo Camera/Gallery apps or whatever, I not sure as I not using Oppo), but Public bank app only check for apps that installed/downloaded from Play Store which disqualified these apps.
3. I didn't use public bank so I assume the user blocked from using the public bank app.

i use dev mode to remove the stock system animations, all my android devices load and transition between apps very smoothly without the stock animations

Yes, all my phone turn on developer jist adjust all animation to 0.5,and DPI a bit higher, why app too aggresive with developer turn on
Iirc last time digi app also like that, cannot openif developer turn on

USB debugging will always off

MyPB objects to Samsung Notes Addons on my Galaxy. Don't remember installing it, but I don't use Notes so I uninstalled it.

Haha.. Wait till you try UOB App...
You have to use their own build in keyboard.. Always need to tekan slow slow let everyone see your PW if not, 3 times wrong, very troublesome.

Also, for Samsung even if you have dev mode on but Auto blocker is turned on or your phone is locked you are still unable to access the debugging.

I just don't like these apps looking at what other apps I have.

You got a point with ad blocker.. But even banking app would want your data.. if not why does a simple banking app need access to my microphone, and location and to scan nearby devices?

Tng is another example.. Requesting too much data to a point might as well just take all of it.

If developers mode is active on your phone,

Hackers can easily sideload malware apk into your device using adb commands.

last week after update my RHB app, it cannot launch...

after ask around in reddit, found out it was my 3rd party keyboard. need to disable it only can launch the app. at first thought it was the usb debug enabled.

Ad-blockers actually operate in a very simple concept.

It updates with the latest list of blacklisted domain addresses and force redirect them to a void IP that loads nothing.Preventing your privacy from being leaked back to the hacker's data collection servers.

These domain addresses are supposed to be malicious because hackers and data thefts usually forwards your stolen data back to their own base when they collect them from your device/PC.

The strange thing is why when we enable ad-blockers, the banking apps also seize to load and force close?

Don't you think there's devil in the details?

Malicious domain links that are believed to be data retrieval servers when blocked also prevents your banking apps from loading?

after change dpi, turn off dev mode, the dpi change still remain.

to answer TS question.
with dev mode and usb debugging, people can remote to your phone without you notice it (virtual display, like a 2nd monitor).

Some telco app also need to turn off dev mode.

But it turn off animation to 1.0

its to cover their rear end, incase of any issues that customer were to blame the app.

plain & simple.

about animation, did not change it, so i dont know.
now i only on dev mode for screen mirror or virtual display during office hour.
by end of day, will disable dev mode.

Yes you understood what I wrote. Public bank app didn't block me from using the app yet even though they have flagged those apps installed together as part of OS security patches by the phone manufacturer like Oppo/Pocco/etc....but who knows in the future they might do so?

No idea why android default animation 1.0, and if set all 0.5 phone more smooth

default is 1.0. 0.5 is "dev mode" for testing the smoothness of their app/animation.
now didnt bother with animation. phone/tablet is fast enough.

Since they didn't block then I guess should be no worry much for now, if they doing this they gonna get backfired as this few brand typically are cheap range phone, there are quite a number of people who use them. Generally will only block usb debugging, as this setting doesn't affect regular user.

Just some correction, the blacklisted domains not necessarily are all malicious (depend on which list are using), some list include blocking analytics tools domain like Google Analytics as well, companies use those for data collection and analysis.
Not sure which functionality you looking at, but one of the example that get functionality break I knew is those universal link/deep linking third party services like adjust, branch, appsflyer, etc which usually came with analytics data collection. Their functionality (especially deferred deep link) will get affected as the universal ink (something like a shorten link) need to process through their server to get proper navigation linking in the apps. Companies use them for the universal link + analytics + push notification campaign + more as solution instead of implement their own from scratch.

It's like saying Google Analytics are saints and cyber criminals cannot abuse their solutions for unethical purposes?
Also call centre scammers have been imposing as Microsoft tech support experts for so many years os well known thing.

It's all grey area. They have their own interests which might not be the same as the public due to revenues reasons.

To block them is actually a good way to avoid unwanted issues. Why can't the bank use their own trusted domains for the sole purpose of their services?
That way they can reduce phishing better.

Or they actually have secret collaboration with these ad companies that they are not revealing to their customers?

I never said Google Analytics are saints . Companies usually use those third party services to save the development cost and time, especially when those marketing/business team demand for something to roll out fast. Build from scratch takes a lot of cost, people and time, when there are many complete, featured-rich and ready solution out there.

What data to be submitted to those third party service server also decided by developer, usually not bodoh to feed sensitive data into it and their security team should also review it.

Of course you can block them, and it is the developer responsibility to at least keep the main functionality to work properly.

Information or data leaked can be also from insider/staff though, but this will depend how they manage their security sop within the company.

Google Ads and Meta Ads are not charity companies for sure. They have their own interests and profits to maintain.

Do you think Ad-blockers go against their companies ethics and policies? We all know for well ad-trackers do not function as merely banner displays. It collects a whole lot more information on users through browser fingerprints and javascript system info.

I don't believe casino and porn content ad developers have ethics to begin with. That was how mobile operators could leak out SMS shortcodes and drain subscribers years back when users accidentally click/load those illegal ad banners.

Why would these large corporations including third party telcos even care if there are few people in the market knows what's going on behind those ad trackers? As long as the revenues keeps coming in, no one complains of sharing databases of their clients.Enablers, Providers, Content creators.

They're all suspects playing dumb and pointing fingers in a circle with endless blaming.