Ally (bank)mobile app fails without connection to graph.facebook.com - eviltoast

Not sure if this is a good place for this post or not, but here goes.

I reject outbound connections to meta domains at the firewall. I noticed this banking app refuses to prompt for login credentials unless I am on mobile or a public WiFi network. I watched my FW logs and noticed many rejected connections to graph[.]facebook[.]com.

I contacted their support team, but they denied the connection was their app. I shared the screenshot on this post and they closed my case without comment.

I emailed the address on the Google play store and they also denied the connection was their app. I shared the screenshot and they asked if I downloaded the app from the play store, implying the official app doesn’t do this, but of course it does.They closed my case without proper resolution as well.

Just thought I’d share this here so people know that some banks make direct connections to Facebook to share analytics, without your knowledge or informed consent, and they lie about it when called on it.

  • WhoRoger@lemmy.world
    link
    fedilink
    English
    arrow-up
    13
    ·
    edit-2
    1 year ago

    App store doesn’t, the app itself does, that’s why this thing is included in it.

    1. You click an ad on FB = you’re ID’d by a cookie or login or account on the device or fingerprint or whatever (probably all of the above)

    2. You install the app from app store. Neither the bank or FB knows this.

    3. You launch the app. The integrated FB library reads the cookie or FB account on the device or whatever it can, and pings FB. FB compares this ID to the entries and finds that it was you who clicked the ad.

    4. FB bills bank for an ad click

    Another option is there to be a specific FB variant of the app with its own app store entry, but they probably wouldn’t do that for something this trivial.