Not sure if this is a good place for this post or not, but here goes.
I reject outbound connections to meta domains at the firewall. I noticed this banking app refuses to prompt for login credentials unless I am on mobile or a public WiFi network. I watched my FW logs and noticed many rejected connections to graph[.]facebook[.]com.
I contacted their support team, but they denied the connection was their app. I shared the screenshot on this post and they closed my case without comment.
I emailed the address on the Google play store and they also denied the connection was their app. I shared the screenshot and they asked if I downloaded the app from the play store, implying the official app doesn’t do this, but of course it does.They closed my case without proper resolution as well.
Just thought I’d share this here so people know that some banks make direct connections to Facebook to share analytics, without your knowledge or informed consent, and they lie about it when called on it.
According to Exodus Privacy (they analize mobile apps for trackers), Ally only contains Amazon and Google trackers (Google Firebase Analytics is used by almost all apps): https://reports.exodus-privacy.eu.org/en/reports/com.ally.MobileBanking/latest/
Others also say their Ally app doesn’t connect to Facebook. Maybe you have a Unicorn or a modified app (rather unlikely though)?
Maybe the app uses a WebView for login which itself includes a webpage with the tracker. It would be possible that the page’s content and trackers change without any change in the app.
Unicorn?
Somehow they might got a special version of the app. Really really unlikely though, it’s probably just A/B testing or false logs.