I'm acting as a consultant to a Financial Services startup which has commissioned a white-labelled version of a mobile app from a (well known) Open Banking-enabled app provider. They have recently released the first version of this application for us, which I installed on my own phone and immediately got the "Low Reputation App" alert. Under "details" it cites the following permissions required by the app as being problematic:
However, when I raised this with the developer, they said these permissions were required, and added this:
"My understanding is that the Sophos reputation is related to the fact that the app is new and has not been downloaded many times as yet. This will improve over time.
We haven’t come across this before with other apps, we suspect because most Android users don’t use antivirus and even fewer use Sophos. One of our developers tells me that he runs BitDefender on his own device and this has never flagged any of our apps.
Our regular pen tests check all the permissions and flag any which are a problem or are not required by the app."
I'm not entirely comfortable with that; the app is intended to help people who are below the typical wealth threshold for receiving personal 1:1 financial advice to better manage their money and finances, and uses Open Banking to connect to users' bank accounts. The reputational risk of anyone getting this warning in that context is too great. Please can someone let me know: