1160
Ally (bank)mobile app fails without connection to graph.facebook.com (lemmy.world)
submitted 11 months ago by s38b35M5@lemmy.world to c/technology@lemmy.world
94 comments fedilink hide all child comments

Not sure if this is a good place for this post or not, but here goes.

I reject outbound connections to meta domains at the firewall. I noticed this banking app refuses to prompt for login credentials unless I am on mobile or a public WiFi network. I watched my FW logs and noticed many rejected connections to graph[.]facebook[.]com.

I contacted their support team, but they denied the connection was their app. I shared the screenshot on this post and they closed my case without comment.

I emailed the address on the Google play store and they also denied the connection was their app. I shared the screenshot and they asked if I downloaded the app from the play store, implying the official app doesn't do this, but of course it does.They closed my case without proper resolution as well.

Just thought I'd share this here so people know that some banks make direct connections to Facebook to share analytics, without your knowledge or informed consent, and they lie about it when called on it.

top 50 comments
sorted by: hot top controversial new old
[-] ChatGPT@lemmy.world 170 points 11 months ago

It’s probably NTP a lot of banking apps have extra protections and if it can’t determine the time from its own trusted authority it may not allow the connection.

[-] rcmaehl@lemmy.world 104 points 11 months ago* (last edited 11 months ago)

Launchdarkly is likely a culprit as well. Just doing a background search reveals that the service allows dev teams to do A/B testing, enable new features without releasing a new version, and various other "dynamic" functions.

OP is on the wrong side of Occam's razor

[-] stardust@lemm.ee 30 points 11 months ago* (last edited 11 months ago)

This is definitely probably it. I can't believe more things aren't broken by blocking launchdarkly

[-] Radium@sh.itjust.works 14 points 11 months ago

If you set it up correctly it defaults to a specific flag state if it can’t connect. I.e. always show the user the old treatment instead of the new if you can request the actual state of their enrollment.

They get blocked constantly and my old company just routed the requests through our domain so they’d stop getting blocked

load more comments (2 replies)
load more comments (1 replies)
[-] 14th_cylon@lemm.ee 25 points 11 months ago

how would that explain connection to facebook?

[-] randomguy2323@lemmy.fmhy.ml 50 points 11 months ago

It is not only Facebook that is been block if you take the time to read the log you will see the NTP connection is being block too.

load more comments (1 replies)
[-] popekingjoe@lemmy.world 49 points 11 months ago* (last edited 11 months ago)

It doesn't.

OP is claiming that disallowing the connection to Facebook is stopping the log in, but it might be blocking the connection to the ntp server instead.

[-] EpicFailGuy@kbin.social 23 points 11 months ago

@14th_cylon

@s38b35M5 @ChatGPT

It doesn't, the implication is that it's not the connection to FB what's making the app not work, but the lack of NTP sync.

Plenty of apps reach out to FB for widgets, or those stupid "share your experience with your friends" buttons that no one uses ... that's why we block them in the first place.

[-] rcmaehl@lemmy.world 13 points 11 months ago* (last edited 11 months ago)

Ads & Analytics, like most things.

https://developers.facebook.com/docs/graph-api/overview/

Wouldn't surprise me if there's an in-app ad / self promotion / community announcements / et al that is managed via FB's Graph API

[-] danc4498@lemmy.world 8 points 11 months ago

Is it normal that a bank app tries to connect to meta?

[-] Action_Bastid@lemmy.world 25 points 11 months ago* (last edited 11 months ago)

Meta provides a lot of other backend B2B services beyond just Facebook, Instagram, and Threads.

You think that's the only way they have of scarfing down data? Absolutely not, they make other useful tools as well that businesses can use, because if they can't get their info directly from you, they can get it from the people you have to regularly interact with instead.

[-] danc4498@lemmy.world 10 points 11 months ago

This is gross… but also not something I’ve really thought about.

[-] graphite@lemmy.world 6 points 11 months ago

You better start thinking about it.

[-] Captain_Ender@kbin.social 4 points 11 months ago

A lot of companies have massive backend services they don't really advertise. Amazon makes most of its profits from AWS which is pretty much the primary distribution hub of the entire Internet.

load more comments (1 replies)
[-] almar_quigley@lemmy.world 4 points 11 months ago

The implication is that OP’s assessment is incorrect and the blocked requests to launchdarkly are what’s preventing them from logging in. The Facebook requests don’t show a source so they could be from another device.

[-] s38b35M5@lemmy.world 18 points 11 months ago* (last edited 11 months ago)

When I unblock the Facebook address, the app opens as expected.

I'm not blocking any NTP. My home servers rely on it (just TrueNAS checks time every 3 minutes...), but I do block DNS outbound to force using my own DNS.

[-] fatalicus@lemmy.world 27 points 11 months ago

You are blocking NTP though. Look at your image, all the way at the bottom.

[-] Doug@midwest.social 155 points 11 months ago

So I just tested this. I'm not at home so I had to VPN in which is no issue.

  • I opened graph.facebook.com and confirmed it was working
  • I opened and logged in to my Ally app
  • I added graph.facebook.com to my pi-hole's black list as a regex entry
  • I opened graph.facebook.com in the browser and confirmed it was blocked
  • I force closed and cleared the cache on my Ally app
  • I opened and logged in to my Ally app

It's not the Meta connection that's giving you trouble.

[-] Another_Reddit_Refugee@lemmy.world 38 points 11 months ago

I added graph.facebook.com to my pi-hole’s black list as a regex entry

Yes, but did you clear the DNS cache on your device after doing this? Once the DNS lookup is done it doesn’t matter what you’ve done on your pihole. The IP is cached and pihole will not even see the query.

[-] Doug@midwest.social 27 points 11 months ago

It's a fair point but I've got two counters.

  1. It was blocked in the browser, which implies there's not a cached record for it on the device

  2. The Pi-hole logs the queries it receives and I do have four separate entries for that URL today, spaced in an amount of time that does not imply automatic requests but does likely match up with my test cases.

[-] deweydecibel@lemmy.world 5 points 11 months ago* (last edited 11 months ago)

I'll just point out that I have tracker blocker running on my rooted Android at all times, graph.facebook.com is blocked across all apps on the device, Ive made sure of this. For maybe the 3 or so years I've been running it like that, I've very, very seldomly found an app that fails if it can't reach Facebook, though many try.

[-] MangoPenguin@lemmy.blahaj.zone 116 points 11 months ago* (last edited 11 months ago)

Something else is going on with your setup, I block graph.facebook.com via DNS too and Ally works fine, both app and browser.

Your screenshot looks like you're also blocking ntp.org which could definitely screw with a banking app, and launchdarkly.com may also be the problem if they're loading assets from that service.

[-] Morse@spgrn.com 22 points 11 months ago* (last edited 11 months ago)

LaunchDarkly essentially just serves up true/false values for services to grab. It can be useful to update code functionality without having to rebuild / recompile. However, any service that uses the launch darkly API should have a default state for their values to fall back on, so it shouldn't cause any major issues if LaunchDarkly can't be reached.

load more comments (1 replies)
[-] db2@lemmy.one 96 points 11 months ago

Try unblocking the ntp.org connections.

[-] Yuper@lemmy.world 82 points 11 months ago

I know a software developer that worked for Ally when they were adding this. They all said it was a terrible idea, but were ignored. The reason they claim it’s needed is to track app installs that originate from an ad on Facebook. Since the App Store sits in between the ad click and App launch, there isn’t an easy way to track it without that. But, it shouldn’t be blocking you from logging in.

[-] darthfabulous42069@lemm.ee 45 points 11 months ago

I'd bet you bottom dollar Ally is selling their customers' financial information to Meta, and this is a manifestation of that.

[-] Yuper@lemmy.world 12 points 11 months ago

I wouldn’t doubt it.

[-] nbafantest@lemmy.world 4 points 11 months ago* (last edited 11 months ago)

Might not even be selling it, could just be an arrangement to use some sort of "sign in with facebook" service or even advertise on facebook marketplace/adverts

[-] Risk@lemmy.world 5 points 11 months ago

So you see, Your Honour, we didn't sell Facebook any data - we just sold Facebook the ability to harvest our users data directly.

[-] pexavc@lemmy.world 5 points 11 months ago

I remember we had to build an obj-c wrapper for FB's calls like these because of these crashes, that basically ignored the stall and continued the user's session regardless

load more comments (3 replies)
[-] popemichael@lemmy.world 81 points 11 months ago

Unless you have a secondary timeserver set up, blocking pool.npt.org is going to mess up a lot of programs that are dependent on time.

[-] kamiheku@sopuli.xyz 17 points 11 months ago

I think the screenshot is just showing connections the app's made, not necessarily blocked ones. I doubt any blocklist would contain pool.ntp.org

load more comments (1 replies)
[-] Magister@lemmy.world 13 points 11 months ago

True, here I redirect every NTP request to my own timeserver

[-] kemsat@lemmy.world 48 points 11 months ago

File a complaint with the government. I’m not sure which agency, but there is definitely one for that.

load more comments (2 replies)
[-] mr47@kbin.social 41 points 11 months ago

Your screenshot does not really show anything other than the fact that Ally attempts a connection to Facebook (it's not even clear how it was blocked). You can see the amount of people telling you to unblock NTP, which you stated isn't blocked - that's a clear sign that you haven't presented you data in an easy to review format.

Why not show what exactly is blocked by the firewall, how the rules are configured, and disabling which rule exactly gets the app to work? E.g., if you block Facebook by redirecting to your own HTTP server that responds, the app may decide to bork because of a failed certificate validation - resolve the Facebook domain as NXDOMAIN in your DNS, and see if that helps.

The fact that they use Facebook APIs is infuriating, regardless.

[-] schmensch@discuss.tchncs.de 36 points 11 months ago

According to Exodus Privacy (they analize mobile apps for trackers), Ally only contains Amazon and Google trackers (Google Firebase Analytics is used by almost all apps): https://reports.exodus-privacy.eu.org/en/reports/com.ally.MobileBanking/latest/

Others also say their Ally app doesn't connect to Facebook. Maybe you have a Unicorn or a modified app (rather unlikely though)?

[-] ClemaX@lemm.ee 30 points 11 months ago

Maybe the app uses a WebView for login which itself includes a webpage with the tracker. It would be possible that the page's content and trackers change without any change in the app.

load more comments (3 replies)
[-] nbafantest@lemmy.world 34 points 11 months ago* (last edited 11 months ago)

If they do any sort of Facebook login/auth, frequently facebook will require them to send them data about ANYONE who is using their site.

[-] wipeitonthedog@lemmy.world 22 points 11 months ago

I've never seen a bank do any social auth

[-] 520@kbin.social 18 points 11 months ago* (last edited 11 months ago)

It might be that they made the app fail if any of their outbound connections fail. This is very reasonable, as ideally the only calls the app should be making are the ones it needs to make to facilitate this functionality. So if connections fail, the functionality of the app can massively bork, potentially resulting in poorer customer service than if they simply showed a failure screen.

What's less reasonable is why graph.facebook.com is one of them. Why on earth would they be sending the most sensitive data of their clients to the least trustworthy of corporations?

[-] stardust@lemm.ee 14 points 11 months ago

Why do you block LaunchDarkly?

[-] jxrdsn@lemmy.world 10 points 11 months ago

So this post prompted me to check my app connections (on iOS btw) and I realized I didn’t have NextDNS set 😓. It connects to a lot of Google domains and others, but not Facebook on my end.

[-] ratz@chatsubo.hiteklolife.net 10 points 11 months ago

Yeah that seems pretty gross.

[-] CaptObvious@lemmy.world 6 points 11 months ago

All the technical discussion is interesting. But perhaps more importantly, is it time to consider a new bank?

[-] wzzzy@lemmy.world 8 points 11 months ago

Naw Ally is a good bank.

load more comments (8 replies)
load more comments
view more: next ›
this post was submitted on 19 Jul 2023
1160 points (99.9% liked)

Technology

55610 readers
3007 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
L4s@lemmy.world