Why is Revolut sending my information to Facebook?

yakamo k
May 10, 2018

To be clear, I love the Revolut app. I use it a lot and intend to continue using it, as it provides a service that other banks seem to be miserably failing to even come close to providing.

I heavily monitor my home network, as you never know what the devices you attach to it are sending out to the open internet. One thing I monitor is DNS requests, and this is how I discovered that every time I checked my Revolut account I could see 2 requests to “graph.facebook.com” right next to the DNS request to Revolut. Did this have any relation to Revolut? For the record, I do not use Facebook, nor do I have an account or a running app.
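The pattern described above, a third-party host looked up right next to the app's own lookups, can be checked over a DNS query log. This is an added example, not the author's tooling: the log format, client IPs and timestamps are constructed, and the function names are hypothetical.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <client IP> <queried name>" (assumed format).
SAMPLE_LOG = """\
2018-05-10T20:14:03 192.168.1.50 api.revolut.com
2018-05-10T20:14:03 192.168.1.50 graph.facebook.com
2018-05-10T20:14:04 192.168.1.50 graph.facebook.com
2018-05-10T20:20:41 192.168.1.77 graph.facebook.com
2018-05-10T21:02:10 192.168.1.50 api.revolut.com
2018-05-10T21:02:11 192.168.1.50 graph.facebook.com
2018-05-10T21:02:11 192.168.1.50 graph.facebook.com
2018-05-10T21:30:00 192.168.1.50 example.org
"""

def parse_log(text):
    """Yield (timestamp, client, name) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2].lower().rstrip(".")

def in_domain(name, domain):
    """True if name is the domain itself or a subdomain of it."""
    return name == domain or name.endswith("." + domain)

def correlated_lookups(text, app_domain, window_s=5):
    """Count per (client, name) the foreign lookups made within window_s
    seconds of that same client's lookup of a name under app_domain."""
    window = timedelta(seconds=window_s)
    by_client = defaultdict(list)
    for ts, client, name in parse_log(text):
        by_client[client].append((ts, name))
    hits = Counter()
    for client, events in by_client.items():
        anchors = [ts for ts, name in events if in_domain(name, app_domain)]
        for ts, name in events:
            if in_domain(name, app_domain):
                continue
            if any(abs(ts - a) <= window for a in anchors):
                hits[(client, name)] += 1
    return hits

if __name__ == "__main__":
    for (client, name), n in correlated_lookups(SAMPLE_LOG, "revolut.com").most_common():
        print(f"{client} {name}: {n} lookups near revolut.com queries")
```

A host that scores high for one client only while that client is querying the app's domain, and never for clients that do not run the app, is a candidate for the kind of closer inspection described next.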

So I decided to set up an isolated network for my phone and do a little hacking to see what's happening. First I set up a proxy in order to force all HTTP & HTTPS traffic through it. Then I performed a MITM with SSL stripping. This allowed me to gather unencrypted data that was coming from the phone and its individual apps to see where these requests to Facebook were coming from, and sure enough it was Revolut.

As a good friend who helped review the collected data also pointed out, Revolut should implement certificate pinning to prevent this kind of attack from happening in the first place.

So what's in the data that was collected?

A form is sent to graph.facebook.com, and this form is filled with references to Revolut. Below are 2 excerpts from the actual data, which has been sanitized to protect my personal information and Revolut.

Beginning of the form:

form-data; boundary=data-removed,]31:17:Transfer-Encoding,7:chunked,]29:4:Host,18:graph.facebook.com,]28:10:Connection,10:Keep-Alive,]26:15:Accept-Encoding,4:gzip,]]7:content,1928: — data-removed

Some personal data being added here:

[“??”,”com.revolut.revolut”,?????????,”??????”,”android-version”,”phone-model”,”language”,”time”,”telecom provider”,???,????,”????”,?,??,??,”city”]
— data-removed
Content-Disposition: form-data; name=”application_package_name”

Revolut is referenced a few more times in the form, as well as at the start when the form is requested from api.revolut.com. As you can see from above, there is some personal data being relayed to graph.facebook.com:

Phone Model, Location data, Android Version, Telecom Provider, Language and Timezone.

It also appears I have been given a unique 40 char ID in the form which is attached to several parts of the form relating to advertising:

“advertiser_tracking_enabled”
“advertiser_id”
“application_tracking_enabled”
“application_package_name”

No explanation needed for the above.

Login activity seems to be logged as well; I'm not sure if this is data from the Facebook app or the Revolut app:

“fb_mobile_time_between_sessions”
“LoginActivity”

There is more data, some of which I'm not clear on what it's doing yet. I can say for sure I have not seen any of my transaction history or my account balance being sent to Facebook, so that's a good thing.

So far this was all the data I could see being passed to Facebook. Maybe with a longer session of collecting data you might see something else.

Facebook is completely blocked now, as is Google (analytics is used in the app as well). Revolut still works without access to these services.

This brings up the question of who is getting this information? Third-party advertisers? Will this still be sent once GDPR is implemented on the 25th of May?

P.S. Personal request to Revolut: get a WebUI!!!