January 8, 2026 HSBC is reportedly locking some UK customers out of its mobile banking app after they installed a password manager outside official app stores. The reports center on Bitwarden, a widely used open-source password manager. Customers who installed it via F-Droid, an open-source app catalog, say HSBC’s app flagged their device as a security risk and blocked access to mobile banking.
Neil Brown, a board member at F-Droid, said he was prevented from using HSBC’s UK banking app after installing Bitwarden through F-Droid rather than Google Play. Bitwarden itself is not inherently risky and is available through official channels including Google Play and Samsung’s Galaxy Store. The problem appears to be how it was installed.
HSBC has not clearly explained why a sideloaded version of Bitwarden cannot coexist with its banking app. A spokesperson only said, “Protecting our customers’ accounts and personal information is our priority. Our app performs checks to identify potential malware risks and can require users to take additional steps to keep their accounts safe.”
Both Bitwarden and F-Droid believe the restriction is coming from HSBC’s app rather than any behavior by Bitwarden itself. Gary Orenstein, Bitwarden’s chief customer officer said, “It seems that HSBC has chosen a level of security and permissions for their mobile app that allows the HSBC app to see if there are other apps on the phone not installed from the Google Play store, and if one is found, to disallow the install of the HSBC app.”
Brown similarly described the block as a unilateral decision by the bank, not an issue with F-Droid itself.
One theory raised by observers is that HSBC may be relying on Google’s Play Integrity checks in a way that penalizes devices with sideloaded apps. That remains unconfirmed, but it would fit a broader pattern of banks increasingly using device-integrity signals to reduce fraud and malware risk, even if the trade-off is false positives that catch legitimate tools.
From a security standpoint, HSBC’s caution is not hard to understand. Sideloading is a common delivery path for serious Android malware because it bypasses much of the automated scanning and reputation systems that come with official app stores. Still, the outcome is messy for customers who intentionally use open-source distribution channels.
Brown suggested possible workarounds, including using banking apps in a separate device profile, moving banking to a dedicated device, or reverting to web banking. For now, Bitwarden and F-Droid say they are open to discussions with HSBC, but no meetings have been scheduled.
