Android app includes Google Ads and Google/Facebook tracking libraries

Found a useful service for checking Android app privacy info and was surprised to find the Monzo app has a couple of trackers and even Google Ads included:
https://reports.exodus-privacy.eu.org/en/reports/52829/

Do Google Ads actually show in the app anywhere and if not, why is it included? Also, is it possible to turn off Google and Facebook analytics tracking?

3 Likes

I presume it’s down to the Google map used on transactions.
Ads aren’t utilised and won’t be as far as I’m aware, it’d be distasteful to utilise them amongst privacy of course.

1 Like

The Google ones could be for the maps, but can’t think of what the Facebook ones would be for.

Maybe message support, but expect some copy paste half answer to be honest.

The Facebook ones do seem weird. However, they might not actually be present. From the website:

Here is the list of trackers signatures found by static analysis in this APK. This is not a proof of activity of these trackers. The application could contain tracker(s) we do not know yet.

I’d definitely like to hear an answer from someone at Monzo though.

1 Like

On closer inspection it looks like the following can be used for app analytics (eg: seeing how many times and how people interact with your app):

  • Google Firebase Analytics
  • Google CrashLytics
  • Facebook Analytics
  • Google DoubleClick

Not sure about the final two:

  • Google Ads
  • Facebook Login

However, they could be written in to the other packages above.

1 Like

Here’s some other bank apps for comparison:
TSB (3): https://reports.exodus-privacy.eu.org/en/reports/20383/
Nationwide (0): https://reports.exodus-privacy.eu.org/en/reports/12179/
Barclays (0): https://reports.exodus-privacy.eu.org/en/reports/10991/
Lloyds (0): https://reports.exodus-privacy.eu.org/en/reports/10990/
HSBC (2): https://reports.exodus-privacy.eu.org/en/reports/34/

4 Likes

A bit worrying. Not sure many would be happy with Facebook having any part of their banking habits.

2 Likes

I think that the Facebook Login is so that you can import a picture from Facebook for your account image. I just checked on iOS and that was an option - not sure on Android

1 Like

These Facebook XML files are present in the app, looks like just app analytics to me, but I’m no expert.

/data/data/co.uk.getmondo/shared_prefs/com.facebook.sdk.attributionTracking.xml

/data/data/co.uk.getmondo/shared_prefs/com.facebook.sdk.appEventPreferences.xml

/data/data/co.uk.getmondo/shared_prefs/com.facebook.internal.preferences.APP_SETTINGS.xml

Also this Twitter one, which contains an advertising ID.

/data/data/co.uk.getmondo/shared_prefs/TwitterAdvertisingInfoPreferences.xml

1 Like

I saw the Exodus Privacy report recently and I thought it looked pretty dodgy; Monzo has the most trackers out of any app on my phone!

If our usage is being tracked using the services of Google and Facebook, is this not the kind of thing we should be asked to consent to under PECR?

Honestly, I don’t see a problem unless Monzo starts selling data without explicit permission.

By including these frameworks they are already handing over our data to these companies.

I had a look at the Exodus report. They note in the sidebar that:

Here is the list of trackers signatures found by static analysis in this APK. This is not a proof of activity of these trackers.

Is it possible that the libraries are licensed by Monzo, or they’re open source software, and are being used by Monzo for their own analytics rather than handing data over to Facebook and Google?

It’s reasonable to assume, without assurance otherwise, that the presence of these frameworks indicates the use of these frameworks. Otherwise why would they be there?

I’d love some clarification from Monzo on this topic.

Given the recent(ish) revelations about app analytics companies going so far as to record a user’s phone screen without censoring personal data in many popular apps (including banking apps such as Investec), I’d love some peace of mind that Monzo aren’t doing anything similar. The presence of Google & Facebook libraries in the app is already a red flag.

2 Likes

I’m particularly concerned about these frameworks in the Monzo app. None of the other banking apps I use have Facebook embedded.

I can see from firewall logs that the app is contacting Facebook whilst I’m using the app, so it’s not used for just login.

If Monzo aren’t able to explain this, I’m considering moving.

2 Likes

Welcome to the community

That is a big old comment to go with on your first post

Can you provide more details about what your firewall showed in terms of Facebook and otherwise?

1 Like

Hi Michael,
I’ve been very happy with Monzo so haven’t had reason to post, until I looked at what Monzo is connecting to. I used exodus-privacy to inspect the Monzo APK and wanted to ask, when I found this thread.

I don’t have an Android device anymore so don’t have a firewall on my phone, but have used Charles Proxy on iOS - this is with the logs cleared, app running in background and refreshing the transactions page.

Every time I do this, the connection counter to graph.facebook.com is incremented by 1.

I’ve no other apps apart from Apple stock apps and Monzo, as it’s a new phone.

The Monzo T&Cs state the following, but the fact that it is accessing graph.facebook.com, a known tracking API, when I am looking at my transaction history is concerning.

*Advertising companies like Facebook in order to promote Monzo. In these instances only the data needed for them to perform their services are shared.*

6 Likes
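
An added example, not part of any post in this thread: one way to turn the manual check described above (refresh the screen, watch the per-host connection counter) into a repeatable comparison. The log format, the `example-bank.test` first-party domain and all function names are assumptions made for illustration, and the log lines are constructed, not captured traffic.

```python
from collections import Counter

# Constructed sample, not real traffic. The "<seconds> <event>" format is
# hypothetical: MARK lines are notes made at each manual refresh, CONNECT
# lines stand in for what an intercepting proxy lists.
SAMPLE_LOG = """\
0 MARK refresh
1 CONNECT api.example-bank.test:443
1 CONNECT graph.facebook.com:443
40 MARK refresh
41 CONNECT api.example-bank.test:443
42 CONNECT graph.facebook.com:443
43 CONNECT maps.googleapis.com:443
90 MARK refresh
91 CONNECT API.example-bank.test:443
91 CONNECT graph.facebook.com:443
"""
FIRST_PARTY = ("example-bank.test",)  # assumed first-party domain suffix

def is_first_party(host, suffixes=FIRST_PARTY):
    # Match on a label boundary so "notexample-bank.test" is not first party.
    return any(host == s or host.endswith("." + s) for s in suffixes)

def hosts_per_refresh(log):
    """Split the log at MARK lines; count CONNECTs per host in each window."""
    windows = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _, kind, arg = parts
        if kind == "MARK":
            windows.append(Counter())
        elif kind == "CONNECT" and windows:
            host = arg.rsplit(":", 1)[0].lower().rstrip(".")
            windows[-1][host] += 1
    return windows

def third_party_summary(log, suffixes=FIRST_PARTY):
    """Map each third-party host to its connection count per refresh."""
    windows = hosts_per_refresh(log)
    hosts = sorted({h for w in windows for h in w if not is_first_party(h, suffixes)})
    return {h: [w[h] for w in windows] for h in hosts}

def contacted_on_every_refresh(log, suffixes=FIRST_PARTY):
    # Hosts whose count is non-zero in every window track the user action.
    return [h for h, per in third_party_summary(log, suffixes).items() if all(per)]
```

A host that shows up in every window is runtime evidence of activity, which a static signature match on the APK alone does not give.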

Thanks for the additional information

Not sure what to make of that really. Could be as little as a literal counter of visits, but why use FB for that?

It is likely totally innocent, but as said above:

1 Like