pfBlockerNG blocking access to android bank app



  • Good day everybody,

    Since a few days now I am testing pfBlockerNG 2.2.5_27. So far everything is working like a charm. There are a lot of tutorials which helped me in the right direction.

    There is still a problem which I do not get figured out. Since using pfBlockerNG my bank app called “Rabo App” on my Samsung Galaxy S9 Android phone isn’t fully loading anymore. After authenticating with my fingerprint it stops logging in to the actual application. The loading wheel keeps spinning. I tried playing around with some whitelisting etc. but it just won’t work. Accessing the website of Rabobank is working OK on the other hand. Also, turning off the Wi-Fi and starting the app on the 4G network works just fine. So it must be pfSense related, I’m guessing.

    Maybe you guys can help me troubleshoot this issue and solve it. Checking the logs doesn’t make any sense to me. As a beginner I just don’t know what to look for. Google isn’t a great help either. So any help is much appreciated.

    Look forward to some replies. If more info is needed then please ask me.

    Kind regards,
    Herman F.



  • Go to the Reports/Alerts Tab, access the site, refresh the tab and it will tell you what is blocked.

    You can also hit F12 in a browser to inspect the Network activity.



  • Hello @RonpfS ,

    Thank you for the fast reply. I’ve been there. There is nothing to see in the Reports/Alerts Tab that makes any sense to me regarding the app. The F12 option is only for Windows platforms. The website of the bank is working properly. The problem is the Android app. Looked all day for a proper solution, but still no luck. Drives me crazy!



  • Hi,

    The app is hitting an IP or using a domain that is listed DNSBL.

    Goto

    [screenshot: 9374cc7d-212c-4ce9-86f0-70e5a189127a-image.png]

    and check :

    [screenshot: 56843fea-4d4d-42e8-851b-8ab4f5e36b08-image.png]

    As you can see, my iPhone (IP 192.168.2.5) tried to load some stuff from domains that are blocked.
    That is, an app I was using tried to load some ads or comparable.

    Shut down the app on your phone.
    Open this log.
    Open the app on your phone.
    Refresh the log.
    The latest new entries are probably your phone - check with host name and/or the local LAN IP.

    The domains listed could be the ones listed that the app tries to open - and it was blocked.
    Whitelist them by clicking on black + sign.
    Make it a wildcard whitelist.
    Add a note for yourself.

    Retest.

    Btw : a bank app is using and loading publicity from known publicity servers ?? Strange.



  • Hi @Gertjan,

    Thanks for the help. Did exactly what you described. But nothing does the trick.

    In my DNS cache I found the following CNAMEs. Tried to exclude them in the DNSBL list. Unfortunately no result.

    bankieren.rabobank.nl.edgekey.net.
    log.rabobank.nl.edgekey.net.
    www.rabobank.nl.edgekey.net.

    Any ideas?



  • When you use the Report tab to Whitelist domains, pfblockerNG will gather the CNAMEs and whitelist them.

    Maybe it is the IPs that get blocked and not the Domain name.



  • @RonpfS I am starting also to believe that it is IP related. But still I do not see anything that is blocked regarding the banking app.



  • I found that there are various tracking services used by the rabobank app.
    After allowing the below services everything started working...

    But no way I keep these allow rules for just 1 app. I will send feedback to the Rabobank regarding their app. No way a banking app should be so intrusive, and at least this tracking should never block functionality.
    It's a bug IMO.

    tags.tiqcdn.com # rabo
    www.tags.tiqcdn.com # rabo
    tags.tiqcdn.com.edgekey.net # CNAME for (tags.tiqcdn.com)
    e8091.a.akamaiedge.net # CNAME for (tags.tiqcdn.com)
    sdk.split.io # rabo
    www.sdk.split.io # rabo
    f2.shared.global.fastly.net # CNAME for (sdk.split.io)
    events.split.io # rabo
    www.events.split.io # rabo
    events-aws-prod-elb.split.io # CNAME for (events.split.io)
    events-prod-1-1033355748.us-east-1.elb.amazonaws.com # CNAME for (events.split.io)
    w.usabilla.com # rabo
    www.w.usabilla.com # rabo
    app-measurement.com # rabo
    www.app-measurement.com # rabo
    google-analytics.com # rabo
    www.google-analytics.com # rabo
    www-google-analytics.l.google.com # CNAME for (google-analytics.com)
    
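The troubleshooting loop Gertjan describes (snapshot the alert log, launch the app, look for new entries from the phone's LAN IP) and RonpfS's point that a whitelisted domain stays sinkholed until its CNAME chain is whitelisted too can be reproduced offline. The script below is an added example, not code from the thread or from pfBlockerNG: the alert-log lines, the DNS cache snapshot and the addresses in it are constructed, the log layout is a simplified `timestamp | client | domain | list` format, and the DNSBL virtual IP is assumed to be pfBlockerNG's default 10.10.10.1. It diffs two log snapshots for one client, walks each blocked domain's CNAME chain, flags the ones whose final A record is still the DNSBL VIP, and emits whitelist lines in the `domain # comment` style used later in this thread.

```python
"""Added example (not from the forum thread or pfBlockerNG).

1. Keep only alert-log entries that are new since a baseline snapshot and
   belong to the phone's LAN IP.
2. Follow each blocked domain's CNAME chain in a DNS cache snapshot and
   report whether the final A record is the DNSBL virtual IP (sinkholed).
3. Print whitelist lines for the domain and every CNAME hop.

All log lines, cache records and IP addresses below are constructed.
"""
from typing import Dict, List, Tuple

# Assumption: pfBlockerNG's default DNSBL virtual IP.
DNSBL_VIP = "10.10.10.1"

# Constructed alert-log snapshots: "timestamp | client_ip | domain | list".
LOG_BEFORE = """\
2020-01-10 09:00:01 | 192.168.2.5 | ads.example.net | EasyList
2020-01-10 09:00:05 | 192.168.2.7 | tracker.example.org | EasyPrivacy
"""
LOG_AFTER = LOG_BEFORE + """\
2020-01-10 09:01:10 | 192.168.2.5 | www.google-analytics.com | EasyPrivacy
2020-01-10 09:01:11 | 192.168.2.5 | sdk.split.io | EasyPrivacy
2020-01-10 09:01:12 | 192.168.2.7 | ads.example.net | EasyList
"""

# Constructed DNS cache after a partial whitelist: name -> (rtype, value).
# sdk.split.io and its CNAME were both whitelisted, so it resolves normally;
# www.google-analytics.com was whitelisted but its CNAME was not, so the
# chain still ends at the DNSBL VIP.
DNS_CACHE: Dict[str, Tuple[str, str]] = {
    "www.google-analytics.com": ("CNAME", "www-google-analytics.l.google.com"),
    "www-google-analytics.l.google.com": ("A", DNSBL_VIP),
    "sdk.split.io": ("CNAME", "f2.shared.global.fastly.net"),
    "f2.shared.global.fastly.net": ("A", "151.101.1.0"),      # constructed
    "bankieren.rabobank.nl": ("CNAME", "bankieren.rabobank.nl.edgekey.net"),
    "bankieren.rabobank.nl.edgekey.net": ("A", "23.0.0.1"),   # constructed
}


def parse_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Split the constructed log format into (timestamp, client, domain, list)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, domain, lst = (f.strip() for f in line.split("|"))
        rows.append((ts, client, domain, lst))
    return rows


def new_blocks_for_client(before: str, after: str, client_ip: str) -> List[str]:
    """Domains blocked for client_ip that appear only in the 'after' snapshot."""
    seen = set(parse_log(before))
    return [d for (ts, c, d, l) in parse_log(after)
            if (ts, c, d, l) not in seen and c == client_ip]


def cname_chain(name: str, cache=DNS_CACHE, max_hops: int = 10) -> List[str]:
    """Follow CNAMEs to the last name in the chain; stops on loops or unknowns."""
    chain = [name]
    while len(chain) <= max_hops:
        rtype, target = cache.get(chain[-1], ("A", "?"))
        if rtype != "CNAME" or target in chain:
            break
        chain.append(target)
    return chain


def final_address(name: str, cache=DNS_CACHE) -> str:
    """A record at the end of the CNAME chain, or '?' if the cache lacks it."""
    rtype, value = cache.get(cname_chain(name, cache)[-1], ("A", "?"))
    return value if rtype == "A" else "?"


def is_sinkholed(name: str, cache=DNS_CACHE, vip: str = DNSBL_VIP) -> bool:
    """True when some hop in the chain still answers with the DNSBL VIP."""
    return final_address(name, cache) == vip


def whitelist_lines(name: str, note: str, cache=DNS_CACHE) -> List[str]:
    """Whitelist entries for the domain plus every CNAME hop."""
    chain = cname_chain(name, cache)
    lines = [f"{chain[0]} # {note}"]
    lines += [f"{hop} # CNAME for ({chain[0]})" for hop in chain[1:]]
    return lines


if __name__ == "__main__":
    for domain in new_blocks_for_client(LOG_BEFORE, LOG_AFTER, "192.168.2.5"):
        state = "still sinkholed" if is_sinkholed(domain) else "resolves normally"
        print(f"{domain}: {state} ({' -> '.join(cname_chain(domain))})")
        for line in whitelist_lines(domain, "rabo"):
            print("   ", line)
```

Run it as-is to see that `www.google-analytics.com` is reported as still sinkholed even though it is "whitelisted", because its CNAME target is what actually answers with the VIP; the whitelist lines it prints are the ones to add. With a real pfSense box the two snapshots would come from the Reports/Alerts tab and the cache from the DNS Resolver's cache view, which is exactly where the thread's later posts found the `edgekey.net` and `l.google.com` CNAMEs.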


    In fact, I found that the only ones truly blocking are the ones from Google....
    That's the last one I want in my allow list.....

    google-analytics.com # rabo
    www.google-analytics.com # rabo
    www-google-analytics.l.google.com # CNAME for (google-analytics.com)
    


  • Last reply from my side.
    I fixed it by changing the DNS Virtual IP to 127.0.0.1.
    Whitelist is empty again, ads are still blocked.

    This obviously breaks the functionality where a user is informed that something was blocked by the network administrator , but for home usage this is fine and this is how most home adblockers work anyway.

    Probably its an implementation issue in the rabobank bankieren app. But this solution is fine for me.
    In fact, routing DNS requests to localhost instead of a 'remote' service is faster in the end (probably unnoticeable, but anyway ;) )

    [screenshot: f8814460-2abe-46df-9067-b045c4bf988c-image.png]



  • Hi @tabnul,

    You are my HERO! Also want to thank you for replying to my post. Many many thanks.

    Any explanation why routing DNS to 127.0.0.1 instead of 10.10.10.1? Look also forward to how you figured this out…

    Again, you are the King 😊

    Regards,
    Herman



  • @Herman
    I don't know why this fix solves it, but apparently the app expects a valid API response from Google Analytics whenever it gets a non-4** response code. When routing to 127.0.0.1 it receives a 404; apparently that's fine.

    Probably it will break again when you run a webserver on your local machine listening on port 80 this way.
    It was just a wild guess from my side.

    IMO this still is a bug in the app, and/or the Google SDK they used for setting up the logic.



  • @tabnul

    Thanks a lot for your explanation. Anyway it works.

    Is there a possibility that no blocking results are shown at the alerts after the change to 127.0.0.1? It keeps showing 0. Even after updating and reloading. Any Thoughts?

    Herman



  • @Herman

    You are right, this seems to mess up the stats... that's a shame.
    Apparently stats are collected by http requests on the virtual ip.



    What might be the case here is that the issue is caused by an invalid SSL certificate on the virtual IP address. In fact I would expect that.
    (I mean the original issue)



    Probably it is the issue.
    You can fix it by handling the Google ad services differently. They won't get logged then, but everything else will.
    See;
    https://forum.netgate.com/topic/111095/dnsbl-certificate-errors/46
    and
    https://forum.netgate.com/topic/133055/dnsbl-modify-default-bloked-webpage/30



  • @tabnul
    Again many thanks for your input.

    I have read the articles. If I am right, I have to null route the Google domains? Right? I must admit that I am not a deep-dive nerd when it comes to routing.

    Would you like to explain how I have to configure this regarding the banking app?

    Thanks in advance,
    Herman



  • @tabnul

    Tried to figure it out by myself with the websites you provided. Unfortunately I do not get it working. So if someone would like to help I appreciate this…

    Regards Herman

