• bunq V3: Which servers is the app talking to? (Hint: No FB servers.)

Following the controversy, which I won't address too much in this post, I analyzed the data packets that are being sent and received by the bunq V3 app when loading pictures in the "Us" tab.
I am using version 14.0.4 on Android 10 on a Xiaomi Mi Mix 3 running MIUI 12 20.5.28 (xiaomi.eu).

I analyzed the data packets using Wireshark and its SSH addon.
After deleting the cache, I loaded up some pictures in the "Us" tab.

I was not able to find any servers from Facebook or such.
These are the companies from the servers I could find:
- x.bunq.com
- segment.io (API)
- mixpanel.com (API)

There were a couple of AWS and Google Cloud packets, but these only occurred when logging into the bunq account. When loading pictures, most of the packets originated from x.bunq.com, which makes it seem that bunq changed it.

Segment.io and Mixpanel.com have been in the app for years now.

HOWEVER, I do not know if bunq has changed this in an update. I can only scan the newest bunq version and I was not able to find any FB sources. So there's no need to worry in my honest opinion. It looks like bunq has listened to the feedback.
The only thing I wish is that bunq communicates this clearly, so the discussion will end. If bunq hosts these pictures on their own servers, which it seems like, the whole privacy thing isn't a problem anymore. In the end, you'll only get forwarded to Instagram, when you click on a picture, which is totally fine in my opinion.

Note to moderators: This is positive feedback. Delete it or keep it, it's your decision. You should know that this information could make a lot of customers happy.

    @grossartig#170386 That’s a good thing 👍 better than loading directly from Instagram.

      @Emmo#170401 That's debatable. In the end it's just a feed.

      It would be concerning if data were being transmitted to FB, which would then theoretically not be the case.

      You can like the feed or not, but because of this it's no longer a big deal purely from a data-protection standpoint.

        Hi Marius,

        At a time where many other banks (had plans to) sell your personal data to unknown parties, bunq took a stance. We promised to never sell your data to anyone and guard it as if it was our own. In my case that's literally true :).

        Although I don't know the exact details right now (I'm abroad) I do know that your privacy is of utmost concern at bunq.

        Regarding the supposed privacy thing - I think some confusion was created earlier because a few users confused an unfinished beta version with a final version. We deliberately launched a version at an earlier stage in our development cycle to be able to include (at least some) feedback in the final version. In regards to feedback you can rest assured knowing that all feedback that followed our indicated process has been taken into consideration.

        Cheers,

        Ali

          @Ali#170405 Thank you for clearing those things up.

          I'd like to tell you that this should have been communicated more transparently - in my opinion it's somewhat sad that a minor has to scan the packets sent and received by an app to reveal that a feature isn't that bad, privacy-wise.

          I'm sure your development team was well aware of that change, so a Together post would have changed a lot. Please take this as feedback for the future.

            @Ali#170405 Hi Ali,

            thank you for replying.

            A lot (or all) of these issues were caused by missing communication.

            You can debate about the direction bunq wants to go - but that's another thing. But a lot of users were just scared of privacy issues. If bunq would've just clarified what Marius found out, I wouldn't have had a problem.

            -Tim

              @grossartig#170407 I think a large part of it also stems from us being very busy doing the right thing with a small team. And whilst doing so often being interrupted by a small, loud, crowd here on together, that doesn't necessarily represent our user-base in any shape or form. I've seen Together evolve from a platform where many different users felt involved and shared thoughts, to a platform that has been hijacked by a group of people not open to any other perspective than their own. That greatly saddens me, because it leaves out the vast majority of our users, not feeling comfortable anymore to post anything. Afraid that the same 10 or so people will always jump on their topic with reactions you can predict.

              Anyways I'm happy it's cleared up now.

                Interesting. Thanks OP for looking into this. And good to hear your take on the recent events, Ali.

                  @grossartig#170386 I tested on iOS and basically found the same connections. (+ app.adjust.com)
                  In an earlier build of the Beta I noticed a direct connection to cdninstagram.com which when blocked would lead to no images being loaded in the feed.
                  This direct connection was most certainly removed since the images load again in the newest build. 👍

                  Some things to note:
                  - V3 is still in Beta and not yet released to the public so there might be a lot of changes.
                  - The tool I used for connection detection and blocking is also still in Beta, so there might be some bugs that led to false conclusions.
                  - The fact that certain connections were found says nothing about the data that was transmitted.

                    @Ali#170405

                    We deliberately launched a version at an earlier stage in our development cycle to be able to include (at least some) feedback in the final version. In regards to feedback you can rest assured knowing that all feedback that followed our indicated process has been taken into consideration.

                    This is something I have to give bunq kudos for. I really like the new approach by doing beta tests! I think I can speak for everyone that we want to create the best banking app, which also includes feedback (which sometimes can be negative).

                    Is there some sort of log/bugtracker available where we can check and follow-up created bug reports? For example if they have been assigned to a developer or not. This way you know you won't have to report it again once something has changed 👍🏻
                    With TestFlight you don't get feedback it has been sent so sometimes you're in doubt if your feedback/bugreport has been sent at all (especially when it was a minor bug for which you don't see a fix in subsequent releases).

                      @Delano#170424 I like the idea of a public bug tracker; however we need to balance this with the general thought behind bunq of surprising our users. It’s something that so many have come to love and something that’s definitely bunq :)

                      Let’s see what we can do!

                        @Ali#170429 That's awesome! You can, of course, limit access to the known beta testers. This way secrets stay secret (depending on the tester of course, possibly with an NDA).

                          V3 is really starting to develop nicely this way; most bugs have been fixed and “Us” looks good with posts from bunq. Feedback is being listened to well, although there are very probably also things that bunq deliberately does not want to change. There is, of course, also a certain philosophy behind V3.

                          Personally I'm hoping for a “smarter” app that changes based on the user's subscription, so that a Premium user sees different things than a SuperGreen user. In any case, I'm fully on V3 myself and have no reason left to go back to V2.

                          Thanks for the post, OP; good to read that the Insta feed runs via bunq. I already suspected as much after all the random people had disappeared from the feed.

                            I can't confirm that most of the bugs have already been fixed. All the bugs I reported are still present, and since you still can't assign virtual cards to an account, at least if you have several, V3 is unusable for me so far.
                            All the functions that concern banking are more cumbersome, more hidden and more illogical than before, and unfortunately that probably won't change any more.
                            That “Us” doesn't connect to a Facebook server is nice to hear, but unfortunately it doesn't make the whole thing any more sensible.

                              @Emmo#170449 Unfortunately, that risk definitely exists here 🥴

                                That's pretty cool, and thankfully so for a banking app, I'd say. Too bad it's really of no use at all 😕

                                  @Ali#170405 If it is true that it is of your utmost concern, then can we please please please get a toggle to at the very least opt-out of the in-app trackers but preferably also a toggle to opt-out of the overall profiling and transaction analytics that bunq performs on all of our transactions? :) That’d make me real happy and feel a lot safer! Right now it feels like I’m being spied on by both third-party trackers as well as by bunq. :( Insights feels very creepy to me, I’d prefer my data not being processed that way.

                                    @Ali#170409 I've seen Together evolve from a platform where many different users felt involved and shared thoughts, to a platform that has been hijacked by a group of people not open to any other perspective than their own.

                                    I've seen that happening as well. It's a shame when people who have the best intentions are not heard.