Not sure if this is a good place for this post or not, but here goes.
I reject outbound connections to meta domains at the firewall. I noticed this banking app refuses to prompt for login credentials unless I am on mobile or a public WiFi network. I watched my FW logs and noticed many rejected connections to graph[.]facebook[.]com.
I contacted their support team, but they denied the connection was their app. I shared the screenshot on this post and they closed my case without comment.
I emailed the address on the Google play store and they also denied the connection was their app. I shared the screenshot and they asked if I downloaded the app from the play store, implying the official app doesn’t do this, but of course it does.They closed my case without proper resolution as well.
Just thought I’d share this here so people know that some banks make direct connections to Facebook to share analytics, without your knowledge or informed consent, and they lie about it when called on it.
It’s probably NTP a lot of banking apps have extra protections and if it can’t determine the time from its own trusted authority it may not allow the connection.
Launchdarkly is likely a culprit as well. Just doing a background search reveals that the service allows dev teams to do A/B testing, enable new features without releasing a new version, and various other “dynamic” functions.
OP is on the wrong side of Occam’s razor
When I unblock the Facebook address, the app opens as expected.
I’m not blocking any NTP. My home servers rely on it (just TrueNAS checks time every 3 minutes…), but I do block DNS outbound to force using my own DNS.
You are blocking NTP though. Look at your image, all the way at the bottom.
deleted by creator
I’m going to assume that hopefully OP knows how DNS works and meant he blocks all outbound DNS requests from his devices and sets a specific DNS for his external queries from his FW/Router. I do the same thing.
However, he is blocking NTP right there so who knows.
Something else is going on with your setup, I block
graph.facebook.comvia DNS too and Ally works fine, both app and browser.Your screenshot looks like you’re also blocking ntp.org which could definitely screw with a banking app, and launchdarkly.com may also be the problem if they’re loading assets from that service.
I know a software developer that worked for Ally when they were adding this. They all said it was a terrible idea, but were ignored. The reason they claim it’s needed is to track app installs that originate from an ad on Facebook. Since the App Store sits in between the ad click and App launch, there isn’t an easy way to track it without that. But, it shouldn’t be blocking you from logging in.
I remember we had to build an obj-c wrapper for FB’s calls like these because of these crashes, that basically ignored the stall and continued the user’s session regardless
Unless you have a secondary timeserver set up, blocking pool.npt.org is going to mess up a lot of programs that are dependent on time.
True, here I redirect every NTP request to my own timeserver
File a complaint with the government. I’m not sure which agency, but there is definitely one for that.
deleted by creator
Your screenshot does not really show anything other than the fact that Ally attempts a connection to Facebook (it’s not even clear how it was blocked). You can see the amount of people telling you to unblock NTP, which you stated isn’t blocked - that’s a clear sign that you haven’t presented you data in an easy to review format.
Why not show what exactly is blocked by the firewall, how the rules are configured, and disabling which rule exactly gets the app to work? E.g., if you block Facebook by redirecting to your own HTTP server that responds, the app may decide to bork because of a failed certificate validation - resolve the Facebook domain as NXDOMAIN in your DNS, and see if that helps.
The fact that they use Facebook APIs is infuriating, regardless.
If they do any sort of Facebook login/auth, frequently facebook will require them to send them data about ANYONE who is using their site.
I’ve never seen a bank do any social auth
It might be that they made the app fail if any of their outbound connections fail. This is very reasonable, as ideally the only calls the app should be making are the ones it needs to make to facilitate this functionality. So if connections fail, the functionality of the app can massively bork, potentially resulting in poorer customer service than if they simply showed a failure screen.
What’s less reasonable is why graph.facebook.com is one of them. Why on earth would they be sending the most sensitive data of their clients to the least trustworthy of corporations?
So this post prompted me to check my app connections (on iOS btw) and I realized I didn’t have NextDNS set 😓. It connects to a lot of Google domains and others, but not Facebook on my end.
All the technical discussion is interesting. But perhaps more importantly, is it time to consider a new bank?
Naw Ally is a good bank.
Requirement to use Facebook argues otherwise.
If that was actually the case then maybe. But I see no proof of that.
That’s a pretty impressive reputational improvement for something that started out as the finance arm of General Motors.
I have had them for well over a decade now after yeeting US Bank to the curb. Their customer service is top notch, there’s never been any fuckery whatsoever with my multiple checking accts, and the $10/month reimbursement of out-of-network ATM fees is solid.
I was even able to get someone on the phone when I was in the middle of a casino at 1AM at a bachelor party, to get them to temporarily raise my ATM daily limit so I could continue the party. They would have to do something terribly egregious to get me to leave.
online only banking seems like a scam with extra steps
deleted by creator
