TimmyStream!

Blog of Timothy Diokno

The Mi App Scanner And Why “Your Device Does Not Support SMS Messaging”

BPI’s security is elegant but not very efficient. Xiaomi’s security is redundant — and authoritarian.

This is 2/2 of an unofficial tech support series wherein I document self-discovered workarounds to very specific banking app issues that are not yet officially documented.

It’s a pain going through forums, FAQs, and hotlines just to get nowhere near a solution to a specific issue. I’m hoping that someone out there will not experience the same thing by stumbling upon this article.

The Problem

On a fresh install of the BPI Mobile app, you’d log in and be asked to choose between two device verification methods: “Secure SMS” and “Mobile Key”.

In this case, you wouldn’t choose “Mobile Key” because you’re probably on the same device on which it’s supposed to be activated. You’re locked out and you’re left with the “Secure SMS” option.

For some reason, instead of just having BPI’s system send your registered mobile number an OTP SMS that you can key in, it goes the other way around. The BPI app will attempt to send an automatic verification SMS to their system through your device using your registered mobile number. (You need enough load credits for this.)

On a Redmi Note 7, however, using the “Secure SMS” option, even after granting SMS, phone, and storage permissions to the app, will still cause the BPI app to tell you that “your device does not support SMS messaging”.

The app would not detect your phone’s SMS feature despite being explicitly granted permission to use it.

The Solution — At Least For Xiaomi Phones With Default Settings Intact

I discovered that MIUI has the Mi App Scanner activated by default. It scans newly installed apps regardless of whether they come from the Play Store or are installed directly as an APK.

And I’m guessing that this blocks certain app operations that it sees as suspicious.

Unfortunately, it thinks that the active SMS verification operation of the BPI app is suspicious. It blocks that specific operation — and it doesn’t seem to care if you’ve explicitly granted the app the relevant permissions.

To fix that: deactivate the Mi App Scanner, then reinstall the BPI app. Note that this time the Mi App Scanner is bypassed.

Go through the verification process one more time. If you’re on Dual SIM, it should proceed with a pop-up allowing you to choose which SIM it should send the verification SMS through. Choose the SIM with your registered mobile number. And if you have enough load credits, the app should automatically send the SMS to their system, and you should receive some sort of confirmation shortly after.

Dear BPI

I think the active SMS verification approach is technically elegant. But I don’t think it should get in the way of a more efficient approach. And this issue is a bit disappointing since I generally think BPI has the best digital UX in the consumer banking industry.

Having users go through the extra step of topping up in case they don’t have enough load balance could be avoided if the app just opted for the passive (and very common) approach of just sending an OTP to the registered number.

I’m not sure why it was somehow necessary to reinvent the wheel in this case.

Dear Xiaomi

I think scanning apps downloaded from the Play Store is redundant. I’m not sure if the extra step has necessarily been for the better in this case.

I also think explicitly-defined user preferences should be prioritized throughout the system. There is no use in letting people grant device feature permissions to an app just to have the system’s security features override it.

Photo by Firmbee.com on Unsplash.