Revolut sending data to Facebook?

We are certain because of the data the Revolut API requested and sent!

1 Like

On a banking app, this is not adequate. It is not sufficient to only trust the operating system’s root certificates. I’ve mentioned certificate pinning (link to OWASP article - please read it) multiple times - that is what Revolut should be doing to prevent the possibility of MITM.

I am looking at the contents of Revolut API calls that include form boundaries for the Facebook API, and clear references to graph.facebook.com. These content boundaries include various fb_ names, advertiser_id, advertiser_tracking_enabled, application_package_name as com.revolut.revolut etc.

If Revolut had implemented certificate pinning, then sure, that would be necessary and would require modifications to the app. Revolut is not using certificate pinning. If they had, then we would not have been able to inspect the traffic using MITM in this way.

Where else is it going to be originating from? The phone does not have the Facebook app installed. The requests happen exactly when the Revolut app is opened. There is a clear distinctive relationship when you actually inspect the contents of the requests.

2 Likes
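As an added example (not code from this thread, from Revolut, or from Facebook), here is the kind of check a privacy analyst could run over an intercepted request body to confirm the content-based evidence described above: it parses the multipart form data and flags the tracking-related field names the post lists (advertiser_id, advertiser_tracking_enabled, application_package_name and fb_-prefixed names) together with the destination host. The boundary string, the fb_ field name and all field values are constructed sample data, not a real capture.

```python
import re
from typing import Dict

# Field names the post above reports seeing in the Facebook Graph API form bodies.
TRACKING_FIELDS = {"advertiser_id", "advertiser_tracking_enabled",
                   "application_package_name"}
TRACKING_PREFIXES = ("fb_",)

def parse_multipart(body: bytes, boundary: str) -> Dict[str, str]:
    """Split a multipart/form-data body into {field_name: value} (text parts only)."""
    fields: Dict[str, str] = {}
    delimiter = b"--" + boundary.encode()
    for part in body.split(delimiter)[1:]:
        if part.strip() in (b"", b"--"):          # final closing delimiter
            continue
        head, _, value = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]+)"', head)
        if match:
            fields[match.group(1).decode()] = value.rstrip(b"\r\n").decode(errors="replace")
    return fields

def analyse_request(host: str, content_type: str, body: bytes) -> dict:
    """Report whether a request goes to Facebook and which tracking fields it carries."""
    boundary = re.search(r'boundary=("?)([^";]+)\1', content_type).group(2)
    fields = parse_multipart(body, boundary)
    flagged = {name: val for name, val in fields.items()
               if name in TRACKING_FIELDS or name.startswith(TRACKING_PREFIXES)}
    return {
        "host": host,
        "to_facebook": host == "facebook.com" or host.endswith(".facebook.com"),
        "package": fields.get("application_package_name"),
        "flagged": flagged,
    }

# Constructed sample: one intercepted POST to graph.facebook.com (not a real capture).
BOUNDARY = "3i2ndDfv2rTHiSisAbouNdArY"
SAMPLE_BODY = (
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="event"\r\n\r\nMOBILE_APP_INSTALL\r\n'
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="advertiser_id"\r\n\r\n'
    f'00000000-0000-0000-0000-000000000000\r\n'
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="advertiser_tracking_enabled"\r\n\r\n1\r\n'
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="application_package_name"\r\n\r\n'
    f'com.revolut.revolut\r\n'
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="fb_sample_field"\r\n\r\nplaceholder\r\n'
    f'--{BOUNDARY}--\r\n'
).encode()

if __name__ == "__main__":
    report = analyse_request("graph.facebook.com",
                             f"multipart/form-data; boundary={BOUNDARY}", SAMPLE_BODY)
    for name, value in report["flagged"].items():
        print(f"{report['host']}: {name} = {value}")
```

Feeding it the bodies of every request captured while the app starts, rather than one constructed one, is what turns "timing could be coincidental" into the content-based evidence the thread relies on.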

That is debatable.

With certificate pinning you would need to modify the application. But even in this case you need to “attack” Revolut’s set of trusted certificates and/or the system’s (if used by Revolut). It is not like this works out of the box.

Timing could be coincidental. Content is more of a proof.

In a world of mass surveillance, rampant privacy violation and financial fraud, please give me your best arguments for not implementing these types of security measures.

MDM management is just one of many ways that a new trusted root certificate could be installed onto the device, i.e. a company or educational establishment installing their own roots/intermediates. A social engineering attack is another. Malicious jailbreak/rooting is another. A malicious app crafted to take advantage of a system vulnerability is another (it does happen!).

In any one of these scenarios, the Revolut app will blindly trust those certificates and that effectively allows those entities to spy on the contents of the connection, in pretty much exactly the same way we did. That’s really bad if you are on a network (trustworthy or otherwise) that performs SSL/TLS inspection, which is very common on corporate and educational networks.

If Revolut used certificate pinning then it adds an extra layer of protection which makes this type of interception largely infeasible unless you have physical access to the device.

Great, I’m glad you agree that content is sufficient proof, even if nothing else.

1 Like

All of this is still external tampering with the system configuration. Out of the box it would not work.

That is why I initially wrote that having broken the TLS tunnel would be worse than sending some (potentially anonymous) data to Facebook.

Sufficient is once again debatable ;). But if you catch connections to Facebook which contain Revolut related data, it certainly is a strong indicator that it would actually come from Revolut.

Even if it’s only a minority, that’s still a number of users affected and at risk. For the sake of a couple of lines of code to perform a certificate pinning check, I really don’t understand why you wouldn’t do it. Also not to mention that manufacturers in the past have been known to interfere and install custom roots without user knowledge (see Lenovo).

Sure, we have derailed the thread a bit from the original purpose, but certainly we can return to the point that Revolut is sending information to Facebook when not given consent. In fact, it seems to be happening invisibly, and even when the Facebook app is not installed on the phone.

I did point that out in my initial post, some several replies back.

1 Like