Ally (bank)mobile app fails without connection to graph.facebook.com - eviltoast

Not sure if this is a good place for this post or not, but here goes.

I reject outbound connections to meta domains at the firewall. I noticed this banking app refuses to prompt for login credentials unless I am on mobile or a public WiFi network. I watched my FW logs and noticed many rejected connections to graph[.]facebook[.]com.

I contacted their support team, but they denied the connection was their app. I shared the screenshot on this post and they closed my case without comment.

I emailed the address on the Google play store and they also denied the connection was their app. I shared the screenshot and they asked if I downloaded the app from the play store, implying the official app doesn’t do this, but of course it does.They closed my case without proper resolution as well.

Just thought I’d share this here so people know that some banks make direct connections to Facebook to share analytics, without your knowledge or informed consent, and they lie about it when called on it.

    • Pope-King Joe@lemmy.world
      link
      fedilink
      English
      arrow-up
      49
      ·
      edit-2
      1 year ago

      It doesn’t.

      OP is claiming that disallowing the connection to Facebook is stopping the log in, but it might be blocking the connection to the ntp server instead.

    • randomguy2323@lemmy.fmhy.ml
      link
      fedilink
      English
      arrow-up
      50
      arrow-down
      1
      ·
      1 year ago

      It is not only Facebook that is been block if you take the time to read the log you will see the NTP connection is being block too.

      • XIN@lemm.ee
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        The app in the screenshot is just capturing packets. The list shown are connections made during the capture and closed just means the connection is not currently active.

        That said, I downloaded Ally, ran that same packet capture but never saw anything sent to Facebook. I got to the login screen just fine.

    • EpicFailGuy@kbin.social
      link
      fedilink
      arrow-up
      23
      ·
      1 year ago

      @14th_cylon

      @s38b35M5 @ChatGPT

      It doesn’t, the implication is that it’s not the connection to FB what’s making the app not work, but the lack of NTP sync.

      Plenty of apps reach out to FB for widgets, or those stupid “share your experience with your friends” buttons that no one uses … that’s why we block them in the first place.

      • Action Bastard@lemmy.world@lemmy.world
        link
        fedilink
        English
        arrow-up
        25
        ·
        edit-2
        1 year ago

        Meta provides a lot of other backend B2B services beyond just Facebook, Instagram, and Threads.

        You think that’s the only way they have of scarfing down data? Absolutely not, they make other useful tools as well that businesses can use, because if they can’t get their info directly from you, they can get it from the people you have to regularly interact with instead.

          • Captain_Ender@kbin.social
            link
            fedilink
            arrow-up
            4
            ·
            1 year ago

            A lot of companies have massive backend services they don’t really advertise. Amazon makes most of its profits from AWS which is pretty much the primary distribution hub of the entire Internet.

          • grue@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            It’s yet another reason why folks who suggest boycotts instead of legislative solutions to corporate abuse are deluding themselves.

    • almar_quigley@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      The implication is that OP’s assessment is incorrect and the blocked requests to launchdarkly are what’s preventing them from logging in. The Facebook requests don’t show a source so they could be from another device.