Just shy of two and a half years ago, I was dragged kicking and screaming into the awful, awful modern world with the death of my long-loved BlackBerry Classic. Forced to eat slop with the hogfolk, I reasoned (hoped?) that I would one day develop a taste for it. This, however, has proved to be naïve: the slop remains rancid to me, and for that I am ultimately grateful.

One of the great culprits of the widespread development of slop-taste, I believe, is that each user-hostile development has tended to only affect a small subset at a time. Boiling a frog is one thing, but boiling hundreds of frogs in hundreds of pots, each set to a slightly different temperature, is quite another; vide Niemöller and all that. One of the more insidious consequences of this is to impose a burden on those victims (and by extension we chronically-unacclimatised, who form something of a vanguard in this respect) to loudly and consistently expose such practices.

In this vein, here’s the story of how my bank account is being held hostage because Google decided it didn’t like my phone.

Remembering the Good Times ¶

Starling is a UK-based online challenger bank founded in 2014. Such challenger banks are also known as neobanks, which is to say that they do not invest in physical premises and instead rely on mobile applications to allow customers to access their services (with the result that certain traditional banking activities, like depositing cash or cashing cheques, may be impossible or require creative solutions).

I opened an account with Starling shortly before embarking on my year abroad, having researched them and similar neobanks. The offer for each was largely the same—no-fee foreign currency transactions—with Starling having the unique advantage of allowing unlimited foreign cash withdrawals. It was a no-brainer. The sign-up process was quick and easy, my debit card arrived promptly and the app. was a pleasure to use: there was no hint of slop to be found, except that the debit card’s unembossed number quickly wore off and the sort code was missing from the get-go, resulting in me having to Sharpie them on and then tape them over.

The experience was very positive throughout my travels, with the sole exception of some issues with the card not being recognised in Nicaragua (I believe down to its use of Mastercard over Visa, which is apparently more temperamental). Starling did, however, excel during my Mexican border fiasco in an example of good accessible design that I would like to highlight. When I had to show my bank balance to the border guard without an Internet connection, I learnt that the Triodos app. just throws an error when it lacks a connection, and blocks screenshots being taken when the app. is open. Whilst the Starling app. also blocks screenshots it, by contrast, seamlessly displays the last-accessed balance when lacking a connection. Thus, by taking a best-effort approach to providing me with the service I want (i.e., view my balance), in spite of not being able to completely fulfil it (i.e., view my current balance), the app. nonetheless saved my bacon.

My post-trip plans for my Starling account were unclear, but I expected I would keep a small amount in the account and top it up when I went travelling. However, when I returned to the UK and wrapped my lips back around the slop firehose (the highlight of which was a server in a Welsh pub who twice tried to tap my outstretched tenner with a card reader) I found my intended main bank to be clunky and irritating, particularly its debit card which demanded PIN entry for contactless payments far more frequently than the Starling one did. After a particularly infuriating situation in which this neediness served to strand me in London when it refused to work with the Tube gates, I realised that Starling could serve perfectly well as my main account. I set about transferring the balances and direct debits and, once everything was in order, closed my Triodos account at the end of April.

The Poorly-Timed Rupture ¶

Concurrently, I was starting a new job in the south of France, with the expectation that I would apply for a visa and move there. Expecting that I would have to set up a French bank account at some point anyway made sticking with Starling as my sole UK account even more appealing: I could continue to use it to pay for things until then, or in an emergency, whilst also being able to use it when I come back to visit the UK.

After much faff, the visa came through and I put together my relocation plans, heading over for mid-May.

But oh, dear reader, surely by now you know the treatment our society prescribes for the hubris of wanting anything to ever work smoothly? Slop, and buckets of it!¹ And so, a mere few days before I was due to travel abroad, I opened the Starling app. and was confronted with this:

Photo by the author

Actually, this is from later: the initial message gave me 14 days to comply with its absurd demands.

Putain de merde I thought, Frenchly, and most likely shouted (perhaps whilst smacking a piece of furniture for good measure).

I took a look at the linked blog post,² and the first warning flag came right in the second paragraph:

I’m not sure those reasons are quite so obvious, but then what do I know? Further down came the real spit-in-my-mouth kicker:

Now, I went over my efforts to choose a replacement for my BlackBerry in great detail at the time, eventually settling on a Fairphone 3 running /e/OS: a de-Googled variant of Android. And despite that blog post being from 2017, it appeared my inexcusable desire for privacy and autonomy (in this economy‽) has finally caught up with me.

A Promising Start? ¶

I quickly contacted Starling support (via the app., foolishly) to notify them of the issue. They replied that several users of GrapheneOS (a similar custom Android variant, but limited to Google’s Pixel range of devices) had reported similar issues and they were investigating. This was very heartening, both for its suggestion that this was not a desired situation on their part and the suggestion that it affected users of other non-Google Androids. However, in a subsequent response another support agent told me that Starling only support stock Android and iOS, and that custom ROMs were not supported, which left the situation rather unclear.

After a bit of back-and-forth I got fed up with using the app. chat, so I asked for a conversation reference and contacted Starling by email:

Screenshot by the author

Fuck offfffffff

In another example of security theatre from Starling, they automatically reject any emails not sent from an address registered to an account. However, I use email sub-addresses for services I sign up to (i.e., me+<some tag>@bengoldsworthy.net) for several reasons, which means the address that Starling is expecting does not actually belong to any email account that can sent emails. Luckily, my email client (Thunderbird) is a rare example of contemporary software that pre-dates the Great Ensloppening: it allows me to customise my From: address, so I could trivially bypass this supposed security measure.

So I sent a plea:

They replied:

They followed up by asking to confirm if you are using any other custom ROMs or if your device has been rooted at all? Or are you using a non -rooted version of Graphene OS here? I repeated that, yes, I was using /e/OS and therefore a custom ROM. Then:

I replied again that, yes, I was using /e/OS, and they said they would pass the information onto the technical team.

Promise Lost ¶

Then, a couple of days after arriving in France, the slop seeped out of its makeshift container and ruined the carpets like so much bin juice. As I’d feared, the 3.46 version of the app. suddenly refused to open, insisting that I had to update it:

Photo by the author

Very annoying, but I figured at least I could use the up-to-date app. and just reinstall it every 14 days for the time being.³ Alas, the slop had spoiled in the meantime, and so it was back to Starling support:

In response:

I replied:

What Happened? ¶

As expected, the problem seems to boil down to Google being huge pricks. Specifically, they provide a so-called Play Integrity API that allows app. developers to check that interactions and server requests are coming from your genuine app. binary running on a genuine Android device; Play Integrity was previously known as SafetyNet.

‘Safety’ and ‘integrity’ sound great, of course, but this is Google: one of the most disgustingly abusive tech monopolies going and a key exemplar of what Louis Rossman calls a rapist mentality in relation to their users. Genuine Android device, then, means Google Android device. When an app. developer queries the API, they receive back different attestations about the device state depending on how many of Google’s requirements it meets: MEETS_BASIC_INTEGRITY; MEETS_DEVICE_INTEGRITY; and MEETS_STRONG_INTEGRITY.

However, what the developer then does with those attestations is up to them. So, if they so wished, the Starling team could have chosen to write something like this:

result = call_play_integrity_api()

if result == MEETS_BASIC_INTEGRITY {
  tell_user 'We think your phone might be insecure,
      but this could also be nothing to worry about.
      To be safe, we're going to ask you for extra
      verification more frequently than we would
      normally.'
  set request_extra_verification = yes
} else {
  set request_extra_verification = no
}

In fact, to give the Devil his due, in Google’s own Play Integrity docs they even advise that one should use MEETS_STRONG_INTEGRITY (the most restrictive of the three levels of attestation) as part of a tiered enforcement strategy. But instead, Starling have decided to do something more like this:

result = call_play_integrity_api()

if result == MEETS_BASIC_INTEGRITY {
  fuck_my_shit_up_fam()
}

Possible Solutions? ¶

As is always the case with a newly-discovered slop-faucet, there are two types of solution: technical; and regulatory. So what are the options here?

Technical ¶

Interestingly, the GrapheneOS community report that the issue has been fixed for them as of v3.49, and I imagine this is because the project provides documentation on how app. developers can verify device integrity without excluding GrapheneOS users, which they encourage users to Share … and create pressure to support GrapheneOS rather than locking users into the stock OS without a valid security reason, pointing out that GrapheneOS not only upholds the app. security model but substantially reinforces it, so it cannot be justified with reasoning based on security, anti-fraud, etc..⁴

From looking around, there are a lot of guides for supposedly bypassing these security checks that require using a bunch of different apps and modules to hide root. But that seems like a lot of work, and may well only work until the next Play Integrity change, plus I don’t even know that they would work for me because my phone is not rooted! Even though it would be entirely my right to root my own god-damned phone if I so wished, in this instance my sole crime is not paying my protection money, and now Google has decided to break my legs.

Regulatory ¶

Google ¶

Play Integrity is just another form of so-called trusted computing, something we’ve been fighting since the fucking early 2000s! The API was even cited as an inspiration behind Google’s attempt to try the same shit with Web browsers last year; as Ars wrote at the time:

That attempt was defeated, thankfully, but its authors were not subsequently fired into the Sun as they so richly deserved; even if they had been, there are a hundred more Ben Wisers et al. working at slop factories like Google, just waiting for their opportunity to fuck users over for the sake of a promotion.

However, the walls may be closing in on Google at long last: they are under investigation by the UK Competition and Markets Authority (CMA) for their conduct in relation to Google’s distribution of apps on Android devices; they just lost a major lawsuit against Epic Games in the US, where they are also under two separate federal antitrust investigations; and the EU’s recent Digital Markets Act directly threatens the core of their monopolistic business model.

I sincerely hope to see the beast slain in my lifetime.

Starling ¶

But even if Google handed it to them, it was Starling that chose to actually fire the gun right at my stupid face. So what can be done about them?

As a UK bank, they are subject to the Payment Accounts Regulations 2015,⁵ s 18(1) of which states that:

Both of those cases apply to me as someone who a) doesn’t own a Googled phone and b) does so because of a strongly held opinion that Google can eat a boatload of dicks.

On top of this, the Consumer Duty standard introduced by the Financial Conduct Authority (FCA) just last year requires firms to:

Lastly, when everyone was panicking about all banks requiring smartphones to comply with the EU’s Strong Customer Authentication requirements back in 2019, the FCA were clear on their position:⁶

So, I will pursue my complaint with Starling. If they reject my suggestion of breaking the Web site’s dependency on the mobile app., then I will put my case to the Financial Ombudsman Service. Part of me hopes that it does come to this, and that doing so could perhaps set some sort of precedent that could also be used against other banks that a) collude with monopolists to hold their customer’s accounts hostage and b) fail to provide multiple means of accessing an account in the event of phone loss.

If that fails, the last resort is to take them to court. I don’t know quite what taking a bank to court (from abroad!) would entail, but sounds expensive: I probably won’t go that far, although it would be good to take the rare opportunity to try and plug a slop leak in at least this one instance.

Other than that, I will publish and share this article and advise others to avoid Starling; a real shame, after they were doing so much right.

What Now? ¶

I immediately opened an account with Monzo,⁷ and now I just need to figure out how to get the debit card they’ve mailed to my UK home address to my series of temporary addresses here in France. If I’m still not able to access my Starling account by the time it arrives, then the only option I’ll have is to use the Current Account Switch Service to completely transfer my balance and close my Starling account.

Meanwhile, I have an open ticket on the /e/OS bug tracker detailing the issue. I tried eleven other apps and found that none threw the same error (although HSBC did present a warning, so I expect they are using the same API and have just chosen to handle it in a less stupid manner). Hopefully they (or the Starling development team) can come up with a solution similar to the GrapheneOS one.

The last I heard from Starling’s support agents was the following:

On the one hand, the mention that they’re looking into it is promising. On the other, they’re still playing the secret squirrel security theatre game, and they’re making out that adding a QR code for an TOTP would be a huge effort. Regardless, I still have no way of accessing my account, which means I can’t send money to anyone, view my purchases or even check my balance (unless I call their support line and answer a bunch of security questions). Given that I will have rent payments coming out of the account shortly, the margins are starting to get a bit sweaty, but if do end up in an unarranged overdraft rest assured Starling will be getting a loud fuck offfffffffff down the phone.⁸

Also, they could fix the issue today by simply changing how they handle the security check. It was working just fine before v3.47, so it’s not like this would suddenly leave everyone’s accounts vulnerable: it would be the responsible thing to do after realising you’ve just rushed something out without thinking it through and royally fucked over several of your customers. Then you find and fire the project manager responsible and figure out an alternative way of checking device security.

But I’m not sure they care. When I raised the initial issue, and the app. was still offering me 14 days, they could have pushed an update to stop that timer: they did not. When they were deciding several months ago what the app. should do with the security attestations it receives, they could have used a tiered model as recommended in Google’s own docs: they did not. And when they were designing the Web platform way back at the beginning, they could have thought maybe it would be real fucking stupid to only be able to access this via a mobile app: they did not.

Three independent bad decisions, perhaps even made by totally independent parties, that have predictably combined into the slop jockey spectacular we see here.

So props to the Starling support agents, who might not have been much help but who have been very responsive and friendly. But fuck the Starling project managers who decided to implement this. And, most importantly, fuck Google, fuck Play Integrity, and fuck everyone—I’m talking real nine relations shit here—responsible for such schemes, wilfully smearing their shit on the walls of the turd prison we must all now live in, all for the sake of a few pieces of silver.

Addendum 2024-06-24: Complaint Outcome ¶

Starling’s investigator rejected my complaint, writing:

However, just to further the confusion, on the same day they released v3.55 of the app. which no longer displays the security check blockscreen on load. But as I have now closed my account with them, I can’t verify whether other account functionality is also available.