And to be clear, the app itself never has access to your credentials. This all happens in an iframe that tokenizes your credentials.
My bank considers transactions done using login credentials to be final. There is no recourse if someone steals your money.
Last year an iOS mail application called "Spark" (otherwise a great app) decided to quietly upload my login and password to their cloud servers so that their servers can access my mail for me. I dropped the app immediately (https://jan.rychter.com/enblog/spark-email-app-why-i-dont-us...).
This should not be considered acceptable. If you want to let users authorize external access to account data, use Oauth2.
Sandboxes are already available under reasonable terms for many banks in for example Ireland.
*edit, first word
(disclaimer: I work here)
An my accounts do that by default (France), except for pre-approved recipients.
I found this unacceptable, so I can't use Spark, which I regret. I also lost trust for Readdle, so now, even though they make great apps, I am extra careful with handing them any sensitive information.
AFAIK Spark’s push notification service relies on checking for mail server-side (so that they don’t drain your battery with constant background refreshes, I suppose?), so I wouldn’t consider it sneaky.
2) The Cash app only has my routing number and account number.
3) PayPal only has my routing number and account number.
4) My credit card only has my bank’s routing and account number.
Despite these restrictions, the world keeps on spinning round and round.
That's way too much enthusiasm for the new and shiny app, way too little awareness that in this world people are out to get what's yours, way too little concern for questionable security at every single layer of computing, way too much trust in the banking system, way too careless about the information about you that you give to strangers.
Not something that people I know who are good with money would do.
I don't know why it isn't well-advertised, I wouldn't use it otherwise.