Not sure if this is a good place for this post or not, but here goes.

I reject outbound connections to meta domains at the firewall. I noticed this banking app refuses to prompt for login credentials unless I am on mobile or a public WiFi network. I watched my FW logs and noticed many rejected connections to graph[.]facebook[.]com.

I contacted their support team, but they denied the connection was their app. I shared the screenshot on this post and they closed my case without comment.

I emailed the address on the Google play store and they also denied the connection was their app. I shared the screenshot and they asked if I downloaded the app from the play store, implying the official app doesn’t do this, but of course it does.They closed my case without proper resolution as well.

Just thought I’d share this here so people know that some banks make direct connections to Facebook to share analytics, without your knowledge or informed consent, and they lie about it when called on it.

  • @ChatGPT
    link
    English
    1651 year ago

    It’s probably NTP a lot of banking apps have extra protections and if it can’t determine the time from its own trusted authority it may not allow the connection.

    • RCMaehl [Any]
      link
      English
      103
      edit-2
      1 year ago

      Launchdarkly is likely a culprit as well. Just doing a background search reveals that the service allows dev teams to do A/B testing, enable new features without releasing a new version, and various other “dynamic” functions.

      OP is on the wrong side of Occam’s razor

      • @[email protected]
        link
        fedilink
        English
        30
        edit-2
        1 year ago

        This is definitely probably it. I can’t believe more things aren’t broken by blocking launchdarkly

        • @[email protected]
          link
          fedilink
          English
          141 year ago

          If you set it up correctly it defaults to a specific flag state if it can’t connect. I.e. always show the user the old treatment instead of the new if you can request the actual state of their enrollment.

          They get blocked constantly and my old company just routed the requests through our domain so they’d stop getting blocked

          • @minikieff
            link
            English
            41 year ago

            I think you underestimate how shitty software can be.

            • @saltesc
              link
              English
              1
              edit-2
              1 year ago

              When I worked at IBM and was between service delivery contracts to other clients, I had to use Lotus SmartSuite.

        • @ChatGPT
          link
          English
          31 year ago

          I have it blocked in NextDNS haven’t seen any issues in 4 years without it. Blocking ntp.org has definitely caused issues especially with IOT devices.

      • @[email protected]
        link
        fedilink
        English
        491 year ago

        It is not only Facebook that is been block if you take the time to read the log you will see the NTP connection is being block too.

        • XIN
          link
          fedilink
          English
          31 year ago

          The app in the screenshot is just capturing packets. The list shown are connections made during the capture and closed just means the connection is not currently active.

          That said, I downloaded Ally, ran that same packet capture but never saw anything sent to Facebook. I got to the login screen just fine.

      • Pope-King Joe
        link
        English
        49
        edit-2
        1 year ago

        It doesn’t.

        OP is claiming that disallowing the connection to Facebook is stopping the log in, but it might be blocking the connection to the ntp server instead.

      • EpicFailGuy
        link
        fedilink
        231 year ago

        @14th_cylon

        @s38b35M5 @ChatGPT

        It doesn’t, the implication is that it’s not the connection to FB what’s making the app not work, but the lack of NTP sync.

        Plenty of apps reach out to FB for widgets, or those stupid “share your experience with your friends” buttons that no one uses … that’s why we block them in the first place.

      • @danc4498
        link
        English
        61 year ago

        Is it normal that a bank app tries to connect to meta?

        • Action [email protected]
          link
          English
          25
          edit-2
          1 year ago

          Meta provides a lot of other backend B2B services beyond just Facebook, Instagram, and Threads.

          You think that’s the only way they have of scarfing down data? Absolutely not, they make other useful tools as well that businesses can use, because if they can’t get their info directly from you, they can get it from the people you have to regularly interact with instead.

          • @danc4498
            link
            English
            81 year ago

            This is gross… but also not something I’ve really thought about.

            • @graphite
              link
              English
              51 year ago

              You better start thinking about it.

            • Captain_Ender
              link
              fedilink
              41 year ago

              A lot of companies have massive backend services they don’t really advertise. Amazon makes most of its profits from AWS which is pretty much the primary distribution hub of the entire Internet.

            • @grue
              link
              English
              21 year ago

              It’s yet another reason why folks who suggest boycotts instead of legislative solutions to corporate abuse are deluding themselves.

      • @almar_quigley
        link
        English
        41 year ago

        The implication is that OP’s assessment is incorrect and the blocked requests to launchdarkly are what’s preventing them from logging in. The Facebook requests don’t show a source so they could be from another device.

    • @s38b35M5OP
      link
      English
      3
      edit-2
      1 year ago

      When I unblock the Facebook address, the app opens as expected.

      I’m not blocking any NTP. My home servers rely on it (just TrueNAS checks time every 3 minutes…), but I do block DNS outbound to force using my own DNS.

      • fatalicus
        link
        English
        241 year ago

        You are blocking NTP though. Look at your image, all the way at the bottom.

      • @marmo7ade
        link
        English
        15
        edit-2
        1 year ago

        deleted by creator

        • @heyitsmikey128
          link
          English
          21 year ago

          I’m going to assume that hopefully OP knows how DNS works and meant he blocks all outbound DNS requests from his devices and sets a specific DNS for his external queries from his FW/Router. I do the same thing.

          However, he is blocking NTP right there so who knows.

          • XIN
            link
            fedilink
            English
            01 year ago

            PCap is just a packet capture. “Closed” in this context just means the connection is no longer currently active.

  • Doug [he/him]
    link
    fedilink
    English
    1551 year ago

    So I just tested this. I’m not at home so I had to VPN in which is no issue.

    • I opened graph.facebook.com and confirmed it was working
    • I opened and logged in to my Ally app
    • I added graph.facebook.com to my pi-hole’s black list as a regex entry
    • I opened graph.facebook.com in the browser and confirmed it was blocked
    • I force closed and cleared the cache on my Ally app
    • I opened and logged in to my Ally app

    It’s not the Meta connection that’s giving you trouble.

    • @Another_Reddit_Refugee
      link
      English
      381 year ago

      I added graph.facebook.com to my pi-hole’s black list as a regex entry

      Yes, but did you clear the DNS cache on your device after doing this? Once the DNS lookup is done it doesn’t matter what you’ve done on your pihole. The IP is cached and pihole will not even see the query.

      • Doug [he/him]
        link
        fedilink
        English
        261 year ago

        It’s a fair point but I’ve got two counters.

        1. It was blocked in the browser, which implies there’s not a cached record for it on the device

        2. The Pi-hole logs the queries it receives and I do have four separate entries for that URL today, spaced in an amount of time that does not imply automatic requests but does likely match up with my test cases.

        • deweydecibel
          link
          English
          5
          edit-2
          1 year ago

          I’ll just point out that I have tracker blocker running on my rooted Android at all times, graph.facebook.com is blocked across all apps on the device, Ive made sure of this. For maybe the 3 or so years I’ve been running it like that, I’ve very, very seldomly found an app that fails if it can’t reach Facebook, though many try.

  • @[email protected]
    link
    fedilink
    English
    116
    edit-2
    1 year ago

    Something else is going on with your setup, I block graph.facebook.com via DNS too and Ally works fine, both app and browser.

    Your screenshot looks like you’re also blocking ntp.org which could definitely screw with a banking app, and launchdarkly.com may also be the problem if they’re loading assets from that service.

    • @[email protected]
      link
      fedilink
      English
      22
      edit-2
      1 year ago

      LaunchDarkly essentially just serves up true/false values for services to grab. It can be useful to update code functionality without having to rebuild / recompile. However, any service that uses the launch darkly API should have a default state for their values to fall back on, so it shouldn’t cause any major issues if LaunchDarkly can’t be reached.

      • @[email protected]
        link
        fedilink
        English
        31 year ago

        That makes sense, I don’t block that domain on my setup so I’m not sure if it matters or not.

  • @Yuper
    link
    English
    811 year ago

    I know a software developer that worked for Ally when they were adding this. They all said it was a terrible idea, but were ignored. The reason they claim it’s needed is to track app installs that originate from an ad on Facebook. Since the App Store sits in between the ad click and App launch, there isn’t an easy way to track it without that. But, it shouldn’t be blocking you from logging in.

    • @[email protected]
      link
      fedilink
      English
      431 year ago

      I’d bet you bottom dollar Ally is selling their customers’ financial information to Meta, and this is a manifestation of that.

      • @Yuper
        link
        English
        121 year ago

        I wouldn’t doubt it.

      • @nbafantest
        link
        English
        4
        edit-2
        1 year ago

        Might not even be selling it, could just be an arrangement to use some sort of “sign in with facebook” service or even advertise on facebook marketplace/adverts

        • @Risk
          link
          English
          51 year ago

          So you see, Your Honour, we didn’t sell Facebook any data - we just sold Facebook the ability to harvest our users data directly.

    • @pexavc
      link
      English
      51 year ago

      I remember we had to build an obj-c wrapper for FB’s calls like these because of these crashes, that basically ignored the stall and continued the user’s session regardless

    • @[email protected]
      link
      fedilink
      English
      31 year ago

      Since the App Store sits in between the ad click and App launch, there isn’t an easy way to track it without that.

      How does that work exactly? Does the App Store pass along some information to newly installed apps or something? My company’s app, which I worked on for some time, also uses an external service to track installs (not Facebook or any social media), but I didn’t work on the implementation of it and never really got to grips on how it works.

      • @WhoRoger
        link
        English
        13
        edit-2
        1 year ago

        App store doesn’t, the app itself does, that’s why this thing is included in it.

        1. You click an ad on FB = you’re ID’d by a cookie or login or account on the device or fingerprint or whatever (probably all of the above)

        2. You install the app from app store. Neither the bank or FB knows this.

        3. You launch the app. The integrated FB library reads the cookie or FB account on the device or whatever it can, and pings FB. FB compares this ID to the entries and finds that it was you who clicked the ad.

        4. FB bills bank for an ad click

        Another option is there to be a specific FB variant of the app with its own app store entry, but they probably wouldn’t do that for something this trivial.

      • @Yuper
        link
        English
        11 year ago

        That’s a good question and I’m not entirely sure. I am just saying what they told me. Sorry!

  • @popemichael
    link
    English
    791 year ago

    Unless you have a secondary timeserver set up, blocking pool.npt.org is going to mess up a lot of programs that are dependent on time.

    • kamiheku
      link
      fedilink
      English
      171 year ago

      I think the screenshot is just showing connections the app’s made, not necessarily blocked ones. I doubt any blocklist would contain pool.ntp.org

      • XIN
        link
        fedilink
        English
        21 year ago

        Correct. Closed here just means the connection isn’t ongoing.

    • @Magister
      link
      English
      131 year ago

      True, here I redirect every NTP request to my own timeserver

  • @kemsat
    link
    English
    451 year ago

    File a complaint with the government. I’m not sure which agency, but there is definitely one for that.

  • mr47
    link
    fedilink
    401 year ago

    Your screenshot does not really show anything other than the fact that Ally attempts a connection to Facebook (it’s not even clear how it was blocked). You can see the amount of people telling you to unblock NTP, which you stated isn’t blocked - that’s a clear sign that you haven’t presented you data in an easy to review format.

    Why not show what exactly is blocked by the firewall, how the rules are configured, and disabling which rule exactly gets the app to work? E.g., if you block Facebook by redirecting to your own HTTP server that responds, the app may decide to bork because of a failed certificate validation - resolve the Facebook domain as NXDOMAIN in your DNS, and see if that helps.

    The fact that they use Facebook APIs is infuriating, regardless.

    • @[email protected]
      link
      fedilink
      English
      301 year ago

      Maybe the app uses a WebView for login which itself includes a webpage with the tracker. It would be possible that the page’s content and trackers change without any change in the app.

      • @[email protected]
        link
        fedilink
        English
        101 year ago

        Somehow they might got a special version of the app. Really really unlikely though, it’s probably just A/B testing or false logs.

  • @nbafantest
    link
    English
    33
    edit-2
    1 year ago

    If they do any sort of Facebook login/auth, frequently facebook will require them to send them data about ANYONE who is using their site.

    • @wipeitonthedog
      link
      English
      221 year ago

      I’ve never seen a bank do any social auth

  • 520
    link
    fedilink
    17
    edit-2
    1 year ago

    It might be that they made the app fail if any of their outbound connections fail. This is very reasonable, as ideally the only calls the app should be making are the ones it needs to make to facilitate this functionality. So if connections fail, the functionality of the app can massively bork, potentially resulting in poorer customer service than if they simply showed a failure screen.

    What’s less reasonable is why graph.facebook.com is one of them. Why on earth would they be sending the most sensitive data of their clients to the least trustworthy of corporations?

  • @jxrdsn
    link
    English
    10
    edit-2
    10 months ago

    deleted by creator

  • BrainisfineIthink
    link
    fedilink
    English
    41 year ago

    I don’t think it’s that connection causing problems, mainly because my app works fine (mostly) and I don’t have a connection to any meta services. There are none on my phone, and I do not have a Facebook login at all. I will say that of all the apps I use, Ally is the most finicky. It seems to crash itself every 2-3 uses for no apparent reason at all.

    That said, it seems unlikely that the app would fail for you in this case just because you blocked access to a service that I know it does not actually require to operate (because it has to be operating without it on my phone), and another poster tested and could not recreate. Not sure if that helps, but may point you towards diagnosing what is really causing the issue!