Ally (bank)mobile app fails without connection to graph.facebook.com

Submitted ⁨⁨1⁩ ⁨year⁩ ago⁩ by ⁨s38b35M5@lemmy.world⁩ to ⁨technology@lemmy.world⁩

Not sure if this is a good place for this post or not, but here goes.

I reject outbound connections to meta domains at the firewall. I noticed this banking app refuses to prompt for login credentials unless I am on mobile or a public WiFi network. I watched my FW logs and noticed many rejected connections to graph[.]facebook[.]com.

I contacted their support team, but they denied the connection was their app. I shared the screenshot on this post and they closed my case without comment.

I emailed the address on the Google play store and they also denied the connection was their app. I shared the screenshot and they asked if I downloaded the app from the play store, implying the official app doesn’t do this, but of course it does.They closed my case without proper resolution as well.

Just thought I’d share this here so people know that some banks make direct connections to Facebook to share analytics, without your knowledge or informed consent, and they lie about it when called on it.

source

Comments

Sort:hotnew top

ChatGPT@lemmy.world ⁨1⁩ ⁨year⁩ ago
It’s probably NTP a lot of banking apps have extra protections and if it can’t determine the time from its own trusted authority it may not allow the connection.

source
- rcmaehl@lemmy.world ⁨1⁩ ⁨year⁩ ago
  Launchdarkly is likely a culprit as well. Just doing a background search reveals that the service allows dev teams to do A/B testing, enable new features without releasing a new version, and various other “dynamic” functions.
  
  Image
  
  source
  - stardust@lemm.ee ⁨1⁩ ⁨year⁩ ago
    This is definitely it. I can’t believe more things aren’t broken by blocking launchdarkly
    
    source
    -> View More Comments
- 14th_cylon@lemm.ee ⁨1⁩ ⁨year⁩ ago
  how would that explain connection to facebook?
  
  source
  - randomguy2323@lemmy.fmhy.ml ⁨1⁩ ⁨year⁩ ago
    It is not only Facebook that is been block if you take the time to read the log you will see the NTP connection is being block too.
    
    source
    -> View More Comments
  - popekingjoe@lemmy.world ⁨1⁩ ⁨year⁩ ago
    It doesn’t.
    
    OP is claiming that disallowing the connection to Facebook is stopping the log in, but it might be the connection to the ntp server instead.
    
    source
  - EpicFailGuy@kbin.social ⁨1⁩ ⁨year⁩ ago
    @14th_cylon
    
    @s38b35M5 @ChatGPT
    
    It doesn't, the implication is that it's not the connection to FB what's making the app not work, but the lack of NTP sync.
    
    Plenty of apps reach out to FB for widgets, or those stupid "share your experience with your friends" buttons that no one uses ... that's why we block them in the first place.
    
    source
  - rcmaehl@lemmy.world ⁨1⁩ ⁨year⁩ ago
    Ads & Analytics, like most things.
    
    developers.facebook.com/docs/graph-api/overview/
    
    source
  - danc4498@lemmy.world ⁨1⁩ ⁨year⁩ ago
    Is it normal that a bank app tries to connect to meta?
    
    source
    -> View More Comments
  - almar_quigley@lemmy.world ⁨1⁩ ⁨year⁩ ago
    The implication is that OP’s assessment is incorrect and the blocked requests to launchdarkly are what’s preventing them from logging in. The Facebook requests don’t show a source so they could be from another device.
    
    source
- s38b35M5@lemmy.world ⁨1⁩ ⁨year⁩ ago
  When I unblock the Facebook address, the app opens as expected.
  
  I’m not blocking any NTP. My home servers rely on it (just TrueNAS checks time every minutes…), but I do block DNS outbound to force using my own DNS.
  
  source
  - fatalicus@lemmy.world ⁨1⁩ ⁨year⁩ ago
    You are blocking NTP though. Look at your image, all the way at the bottom.
    
    source
db2@lemmy.one ⁨1⁩ ⁨year⁩ ago
Try unblocking the ntp.org connections.

source
Yuper@lemmy.world ⁨1⁩ ⁨year⁩ ago
I know a software developer that worked for Ally when they were adding this. They all said it was a terrible idea, but were ignored. The reason they claim it’s needed is to track app installs that originate from an ad on Facebook. Since the App Store sits in between the ad click and App launch, there isn’t an easy way to track it without that. But, it shouldn’t be blocking you from logging in.

source
- darthfabulous42069@lemm.ee ⁨1⁩ ⁨year⁩ ago
  I’d bet you bottom dollar Ally is selling their customers’ financial information to Meta, and this is a manifestation of that.
  
  source
  - Yuper@lemmy.world ⁨1⁩ ⁨year⁩ ago
    I wouldn’t doubt it.
    
    source
  - nbafantest@lemmy.world ⁨1⁩ ⁨year⁩ ago
    Might not even be selling it, could just be an arrangement to use some sort of “sign in with facebook” service or even advertise on facebook marketplace.
    
    source
    -> View More Comments
- pexavc@lemmy.world ⁨1⁩ ⁨year⁩ ago
  I remember we had to build an obj-c wrapper for FB’s calls like these because of these crashes, that basically ignored the stall and continued the user’s session regardless
  
  source
- static_motion@programming.dev ⁨1⁩ ⁨year⁩ ago
  
  Since the App Store sits in between the ad click and App launch, there isn’t an easy way to track it without that.
  
  How does that work exactly? Does the App Store pass along some information to newly installed apps or something? My company’s app, which I worked on for some time, also uses an external service to track installs (not Facebook or any social media), but I didn’t work on the implementation of it and never really got to grips on how it works.
  
  source
  - WhoRoger@lemmy.world ⁨1⁩ ⁨year⁩ ago
    App store doesn’t, the app itself does, that’s why this thing is included in it.
    
    You click an ad on FB = you’re ID’d by a cookie or login or account on the device or fingerprint or whatever (probably all of the above)
    
    You install the app from app store. Neither the bank or FB knows this.
    
    You launch the app. The integrated FB library reads the cookie or FB account on the device or whatever it can, and pings FB. FB compares this ID to the entries and finds that it was you who clicked the ad.
    
    FB bills bank for an ad click
    
    source
  - Yuper@lemmy.world ⁨1⁩ ⁨year⁩ ago
    That’s a good question and I’m not entirely sure. I am just saying what they told me. Sorry!
    
    source
nbafantest@lemmy.world ⁨1⁩ ⁨year⁩ ago
If they do any sort of Facebook login/auth, frequently facebook will require them to send them data about who is using their site.

source
- wipeitonthedog@lemmy.world ⁨1⁩ ⁨year⁩ ago
  I’ve never seen a bank do any social auth
  
  source
schmensch@discuss.tchncs.de ⁨1⁩ ⁨year⁩ ago
According to Exodus Privacy (they analize mobile apps for trackers), Ally only contains Amazon and Google trackers (Google Firebase Analytics is used by almost all apps): reports.exodus-privacy.eu.org/en/…/latest/

Others also say their Ally app doesn’t connect to Facebook. Maybe you have a Unicorn or a modified app (rather unlikely though)?

source
- ClemaX@lemm.ee ⁨1⁩ ⁨year⁩ ago
  Maybe the app uses a WebView for login which itself includes a webpage with the tracker. It would be possible that the page’s content and trackers change without any change in the app.
  
  source
- Pumpkinbot@lemmy.world ⁨1⁩ ⁨year⁩ ago
  Unicorn?
  
  source
520@kbin.social ⁨1⁩ ⁨year⁩ ago
It might be that they made the app fail if any of their outbound connections fail. This is very reasonable, as ideally the only calls the app should be making are the ones it needs to make to facilitate this functionality.

What's less reasonable is why graphs.facebook is one of them. Why on earth would they be sending the most sensitive data of their clients to the least trustworthy of corporations?

source
stardust@lemm.ee ⁨1⁩ ⁨year⁩ ago
Why do you block LaunchDarkly?

source
ratz@chatsubo.hiteklolife.net ⁨1⁩ ⁨year⁩ ago
Yeah that seems pretty gross.

source
CaptObvious@lemmy.world ⁨1⁩ ⁨year⁩ ago
All the technical discussion is interesting. But perhaps more importantly, is it time to consider a new bank?

source
- wzzzy@lemmy.world ⁨1⁩ ⁨year⁩ ago
  Naw Ally is a good bank.
  
  source
  - grue@lemmy.world ⁨1⁩ ⁨year⁩ ago
    That’s a pretty impressive reputational improvement for something that started out as the finance arm of General Motors.
    
    source
    -> View More Comments
tallwookie@lemmy.world ⁨1⁩ ⁨year⁩ ago
online only banking seems like a scam with extra steps

source