mint.com: Intuit Sharing Data with Facebook

Intuit’s Mint application on iOS is sending data to graph.facebook.com without explicit permission. Their privacy policy includes a link to a Facebook page to opt-out of targeted ads on Facebook, which requires a Facebook account, and notes that data may be shared with Facebook for “Social Media Features”.

DNS Level Ad Blocking

For the last year or so, I’ve been using an app on my iPhone called AdBlock for iOS. The app creates a local VPN, and when enabled, returns 0.0.0.0 when doing DNS lookups for blacklisted domains.

Despite its name suggesting this is only useful for blocking ads, I use this primarily for blocking tracking or apps sharing data with third parties. The app can optionally log all requests, making it easier to maintain your own blacklist, and to see how absolutely disgusting some applications can be.

For example, I have for years not had a Facebook account. As such, none of my apps are “linked” to a Facebook account, I never “login using Facebook”, and I certainly receive no benefit from any requests sent to Facebook. Yet several apps make many requests to Facebook – mostly POST requests to graph.facebook.com. These requests will always fail on my device because the DNS lookup will always return 0.0.0.0, thanks to AdBlock.
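To make the DNS-level mechanism concrete, here is an added example (not code from the post or from the AdBlock app) of the decision a sinkholing resolver makes, plus a tally over a constructed DNS-request log of the kind the app can keep. The blocklist, the log format and the hostnames other than graph.facebook.com are assumptions made up for the example; the key detail is that matching happens on label boundaries, so facebook.com also covers graph.facebook.com but not a lookalike such as notfacebook.com.

```python
from collections import Counter

# Assumed blocklist: each entry covers the domain itself and every subdomain.
BLOCKLIST = {"facebook.com", "doubleclick.net"}
SINKHOLE = "0.0.0.0"  # the address AdBlock for iOS answers with for blocked names


def resolve_decision(qname, blocklist=BLOCKLIST):
    """Return SINKHOLE if qname or any parent domain is on the blocklist,
    otherwise None (meaning: forward the query to the real upstream resolver).

    Matching walks the name one label at a time so that only whole-label
    suffixes count: 'graph.facebook.com' -> checks 'graph.facebook.com', then
    'facebook.com'. The bare TLD is never checked, so 'com' alone never matches.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocklist:
            return SINKHOLE
    return None


# Constructed sample log, not a real capture. Format assumed: "<time> <qtype> <qname>".
SAMPLE_LOG = """\
10:02:11 A graph.facebook.com
10:02:11 A api.example.com
10:02:12 A graph.facebook.com
10:03:40 A notfacebook.com
10:07:15 A graph.facebook.com
10:07:16 A cdn.example.com
"""


def tally_blocked(log_text, blocklist=BLOCKLIST):
    """Count how many lookups per name would have been sinkholed.

    This is the 'watch the logs' step from the post turned into a summary:
    a name that keeps reappearing right after launching one app is the lead.
    """
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        qname = fields[2].rstrip(".").lower()
        if resolve_decision(qname, blocklist) == SINKHOLE:
            counts[qname] += 1
    return counts


if __name__ == "__main__":
    for name, n in tally_blocked(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {name}")
```

Because iOS gives the resolver no process attribution, the tally only tells you what was looked up and when; correlating it with which app you just launched (the force-quit-and-relaunch trick described below) is still manual.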

Identifying Mint as the Culprit

Due to the nature of iOS network requests, it is impossible for AdBlock to know which apps are making these requests. The best you can do is enable low-power mode, force quit an app you’re suspicious about, then launch it and watch the logs.

I eventually became suspicious that Intuit’s Mint app was sending data to Facebook, as I noticed DNS requests in AdBlock every time I launched Mint.

To be sure, I fired up Charles for iOS. Charles is a proxy that runs locally, similar to AdBlock, and logs all network requests. Since almost all requests on iOS use SSL (thanks to iOS’ App Transport Security), viewing request or response bodies requires installing and trusting an intermediate certificate. The app has very easy to understand instructions for doing so.

Data Shared

I should note that the user agent provided is FBiOSSDK.3.21.0, suggesting Mint is simply using a Facebook SDK for other purposes, and that Facebook may be sending this data to themselves without Mint involved.

POST /.../activities?...

This request is made every few minutes, as long as the application is in memory.

Here’s a JSON format of the query parameters included in the request URL:

{
	"bundle_id": "com.mint.internal",
	"event": "CUSTOM_APP_EVENTS",
	"application_tracking_enabled": "1",
	"advertiser_id": "00000000-0000-0000-0000-000000000000",
	"old_anon_id": "XZFFA40E06-2B72-46EE-8D25-REDACTED",
	"bundle_short_version": "6.6.0",
	"sdk": "ios",
	"format": "json",
	"url_schemes": [
		"intu4468714322444XXXXXX",
		"mint",
		"fb501820783XXXXXX"
	],
	"advertiser_tracking_enabled": "0",
	"bundle_version": "97.20234.4012"
}

Note: the advertising ID is all zeros, as I’ve opted for “Limited Ad Tracking” at the iOS level.

I’m not sure what the old_anon_id is, but I imagine it is generated by the app to identify my instance.
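The JSON above is a hand-flattened view of the query string. As an added example, not code from the post, here is a small auditing helper that takes a captured request URL as a proxy such as Charles would show it, rebuilds that same structure, and lists what the parameters disclose (the all-zeros advertiser_id meaning Limited Ad Tracking, the per-install old_anon_id, and the fb-prefixed URL scheme). The sample URL is constructed from the parameter values shown above; the path segment elided in the post is kept as a placeholder, and treating url_schemes as a JSON-encoded array inside the query string is an assumption.

```python
import json
from urllib.parse import parse_qs, urlsplit

ZERO_IDFA = "00000000-0000-0000-0000-000000000000"

# Constructed sample, not a real capture. Values are copied from the post
# (redactions left intact); the path segment the post elides is a placeholder.
SAMPLE_URL = (
    "https://graph.facebook.com/PATH_PLACEHOLDER/activities"
    "?bundle_id=com.mint.internal&event=CUSTOM_APP_EVENTS"
    "&application_tracking_enabled=1"
    "&advertiser_id=00000000-0000-0000-0000-000000000000"
    "&old_anon_id=XZFFA40E06-2B72-46EE-8D25-REDACTED"
    "&bundle_short_version=6.6.0&sdk=ios&format=json"
    # assumption: url_schemes is sent as a JSON array, percent-encoded
    "&url_schemes=%5B%22intu4468714322444XXXXXX%22%2C%22mint%22%2C%22fb501820783XXXXXX%22%5D"
    "&advertiser_tracking_enabled=0&bundle_version=97.20234.4012"
)


def parse_sdk_request(url):
    """Split a captured request URL into host, path and a flat parameter dict.

    Single-valued parameters become plain strings; a value that looks like a
    JSON array (url_schemes here) is decoded into a Python list.
    """
    parts = urlsplit(url)
    params = {}
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        value = values[0] if len(values) == 1 else values
        if isinstance(value, str) and value.startswith("["):
            try:
                value = json.loads(value)
            except ValueError:
                pass  # leave it as the raw string if it is not valid JSON
        params[key] = value
    return {"host": parts.hostname, "path": parts.path, "params": params}


def audit(request):
    """Return human-readable findings about what the request discloses."""
    p = request["params"]
    findings = []

    idfa = p.get("advertiser_id")
    if idfa == ZERO_IDFA:
        findings.append("advertiser_id is all zeros: Limited Ad Tracking is on, the IDFA is not sent")
    elif idfa:
        findings.append("advertiser_id is a real IDFA: the device is linkable across apps")

    if p.get("advertiser_tracking_enabled") == "0" and p.get("application_tracking_enabled") == "1":
        findings.append("application_tracking_enabled=1 although advertiser_tracking_enabled=0")

    for key in ("old_anon_id", "anon_id"):
        if key in p:
            findings.append(f"{key} present: a per-install identifier lets events be tied together over time")

    fb_schemes = [s for s in p.get("url_schemes", []) if isinstance(s, str) and s.startswith("fb")]
    if fb_schemes:
        findings.append("url_schemes includes an fb-prefixed scheme: " + ", ".join(fb_schemes))

    return findings


if __name__ == "__main__":
    req = parse_sdk_request(SAMPLE_URL)
    print(json.dumps(req["params"], indent=2))
    for line in audit(req):
        print("-", line)
```

Running it against a capture with a real IDFA (Limited Ad Tracking off) flips the first finding, which is the quickest way to confirm the iOS-level setting is actually having an effect on what the SDK sends.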

GET /.../fields?...

This is a GET request listing several fields, e.g. supports_attribution and supports_implicit_sdk_logging, and the response is a hash indicating which fields are enabled.

This request appears to be made once per launch.

This response includes, in addition to the fields enabled, an id, which matches the string beginning with fb in the url schemes above. I’m unable to determine if this string is unique to my installation, or is more like a version number for the Facebook SDK. The value did not change between launches.

Conclusion

As you can see, there’s not a lot of data going to Facebook, but frankly I’m not sure why there’s any, especially because there is no way to opt out of this without running third party blocking services.

Mint users trust them with far more important data – namely, banking credentials and purchasing behavior – and do so knowing Mint makes money by serving targeted ads. It’s thus not a tremendous surprise that they send data to one of the biggest ad companies in the world. Nonetheless, they’ve lost my business as a result.

#privacy #facebook #mint #intuit #data #adblock #charles #proxy
