@ViktorPontinen
Created February 11, 2026 11:39
---
BankID 7.46.0 APK Analysis — Findings
Claim: "Microphone activation"
FALSE. The app does not declare the RECORD_AUDIO permission. Android enforces permissions at OS level — without this permission, the app physically cannot access the microphone. Period.
Claim: "Reading the device filesystem"
FALSE. No READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, or MANAGE_EXTERNAL_STORAGE permissions. The app cannot read your files.
Claim: "Contains code from Palantir and NSO Group (Pegasus)"
FALSE. Zero matches across all 17,518 decompiled classes. The actual third-party libraries are:
┌────────────┬───────────────────────────────────────────────────────────────┐
│ Package    │ What it is                                                    │
├────────────┼───────────────────────────────────────────────────────────────┤
│ com/daon   │ Daon — legitimate biometric identity verification vendor      │
├────────────┼───────────────────────────────────────────────────────────────┤
│ com/airbnb │ Airbnb Lottie — animation library (extremely common)          │
├────────────┼───────────────────────────────────────────────────────────────┤
│ com/google │ Firebase, ML Kit (barcode/OCR for ID scanning), Play Core     │
├────────────┼───────────────────────────────────────────────────────────────┤
│ okhttp3    │ OkHttp — standard HTTP client                                 │
├────────────┼───────────────────────────────────────────────────────────────┤
│ androidx.* │ Standard Android Jetpack                                      │
├────────────┼───────────────────────────────────────────────────────────────┤
│ kotlin*    │ Kotlin standard library                                       │
├────────────┼───────────────────────────────────────────────────────────────┤
│ uu, n      │ Obfuscated packages (R8/ProGuard — standard for banking apps) │
└────────────┴───────────────────────────────────────────────────────────────┘
No Palantir. No NSO. No Pegasus.
Claim: "PublicSuffixDatabase.list is a list of flagged websites"
FALSE. It's the Public Suffix List (https://publicsuffix.org/), a standard dataset shipped with OkHttp in virtually every Android app. It's used for cookie domain validation. The BankID version (9,772 entries) is a slightly older snapshot of the official list (10,134 entries). Same data, nothing custom.
Claim: "Files dated Jan 1 1980 — overwriting to hide content"
FALSE. Every file in the APK has 1980-01-01 because BankID uses reproducible builds, which zero out timestamps so the same source produces identical binaries. 1980-01-01 is the minimum date in MS-DOS/ZIP format (the epoch). This is a security best practice, not evidence of tampering.
Claim: "auth.h can't be opened"
FALSE. There are zero .h files in the APK. Android apps are Java/Kotlin compiled to DEX bytecode, not C. As you suspected — the author was likely looking at Ghidra's own bundled POSIX headers or files Ghidra generated during analysis.
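Added example (not part of the original analysis or of BankID's code): a Python check for the two archive-level claims above, the 1980-01-01 timestamps and the missing .h files. It runs against a small ZIP constructed in memory rather than the real APK; the function names and the sample entry names are assumptions made for illustration.

```python
import io
import zipfile
from collections import Counter

# Earliest timestamp the ZIP (MS-DOS) date/time fields can represent.
ZIP_EPOCH = (1980, 1, 1, 0, 0, 0)

def decode_dos_date(raw):
    """Decode the 16-bit MS-DOS date field stored in ZIP headers.
    Layout: 7 bits year offset from 1980, 4 bits month, 5 bits day."""
    return 1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F

def audit_archive(data):
    """Summarise entry timestamps and C header files in a ZIP/APK given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    stamps = Counter(info.date_time for info in infos)
    return {
        "entries": len(infos),
        "distinct_timestamps": len(stamps),
        # True when every entry carries the normalised epoch value,
        # which is what a reproducible build produces.
        "all_at_zip_epoch": set(stamps) == {ZIP_EPOCH},
        "c_headers": [i.filename for i in infos if i.filename.endswith(".h")],
    }

def build_sample(normalised):
    """Constructed stand-in for an APK; entry names are illustrative only."""
    names = ["AndroidManifest.xml", "classes.dex", "classes2.dex",
             "res/raw/sample.json"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, name in enumerate(names):
            # Non-normalised builds leak per-file build times instead.
            stamp = ZIP_EPOCH if normalised else (2026, 2, 1 + n, 9, 30, 0)
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    print(decode_dos_date(0x0021))             # raw field value for the epoch date
    print(audit_archive(build_sample(True)))   # reproducible-build style archive
    print(audit_archive(build_sample(False)))  # archive with real build times
```

To run the same check on a real APK, pass the file's bytes to audit_archive, for example open(path, "rb").read().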
Claim: "Camera, Bluetooth, WiFi scanning"
Partially true but legitimate. The app does request:
- Camera — for ID card scanning and face verification (biometric step-up auth)
- Bluetooth — for the "BankID on another device" feature
- Location — required by Android for Bluetooth LE scanning
- NFC — for reading ePassport/ID card chips (eMRTD)
These are all standard features for a national digital identity app with biometric verification.
Claim: "Ghidra couldn't decompile it in 3 days"
jadx (the correct tool for Android) decompiled all 17,518 classes in under a minute with a 99.7% success rate (45 errors). Ghidra is designed for native ARM/x86 binaries, not DEX bytecode.
---
Bottom line: The post's author used the wrong tools, misidentified standard technical artifacts (PSL, ZIP timestamps, Ghidra's own files), and made unfalsifiable claims ("I can't show you the evidence because it's illegal"). Every verifiable claim in the post is demonstrably wrong.