July 28th, 2024

How did Facebook intercept their competitor's encrypted mobile app traffic?

Facebook faces a class action lawsuit for allegedly intercepting encrypted traffic from the Onavo Protect app, violating the Wiretap Act through a man-in-the-middle attack to monitor competitors' data.

Facebook is currently facing a class action lawsuit alleging that it intercepted encrypted traffic from users of the Onavo Protect app, which it acquired in 2013. The lawsuit claims that Facebook violated the Wiretap Act by employing a technique known as "ssl bump," a form of man-in-the-middle (MITM) attack, to decrypt users' HTTPS traffic. This method involved prompting users to install a certificate authority (CA) certificate issued by "Facebook Research" on their devices, allowing Facebook to monitor traffic to specific domains, including those of competitors like Snapchat, YouTube, and Amazon.

Court documents indicate that the Onavo Protect app contained code to facilitate this interception, and older versions of the app included embedded CA certificates. However, improvements in Android's security measures over time made this interception increasingly difficult. The lawsuit highlights concerns about the ethical implications of using accessibility features for competitive advantage, as well as the legality of intercepting encrypted communications without user consent.

Facebook's motivation for this strategy appears to stem from a desire for "reliable analytics" on competitors, with Mark Zuckerberg emphasizing the need for detailed insights into user behavior. Despite the app being shut down in 2019 following scrutiny, the investigation into its practices continues, raising questions about the legality and ethics of Facebook's data collection methods. The outcome of the lawsuit could have significant implications for the company's practices and user privacy.
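The interception described above only works against apps that trust a CA certificate installed by the device's user. As an added illustration that is not part of the article or the court filings, the Android network security configuration below shows the app-side setting that a target app such as the ones named above would ship to keep a user-installed CA out of its trust chain, plus certificate pinning for its own API host; the host name and pin values are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml as
     <application android:networkSecurityConfig="@xml/network_security_config" ...>
     The host and pin values below are placeholders, not real ones. -->
<network-security-config>
    <!-- Default for every host: no plaintext, trust only the platform CA store.
         Android 7+ already excludes user-installed CAs for apps targeting API 24+;
         adding <certificates src="user" /> here would opt back in and let a CA the
         user was talked into installing issue certificates for any host this app
         connects to. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Defence in depth for the app's own API: pin the SHA-256 of the server's
         SubjectPublicKeyInfo, so even a CA the platform trusts cannot stand in.
         Keep a backup pin for key rotation; after the expiration date the pins
         stop being enforced and normal CA validation applies, so a forgotten
         rotation degrades rather than bricks the app. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.invalid</domain>
        <pin-set expiration="2026-01-01">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64=</pin>
        </pin-set>
    </domain-config>

    <!-- Applies only when android:debuggable="true": lets a developer use their
         own proxy CA during testing without that trust ever reaching release
         builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

An app shipping this config keeps its TLS payloads unreadable even on a device where a user-installed CA is trusted; a VPN-based proxy can still observe which hosts the app contacts (DNS, SNI) and how much it sends, which is the residual exposure to plan for.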

AI: What people are saying
The comments reflect a range of opinions and concerns regarding Facebook's alleged interception of encrypted traffic through the Onavo Protect app.
  • Many commenters question the ethics of user consent, suggesting that participants may not fully understand the implications of their actions.
  • There is skepticism about the legality of Facebook's actions, with some arguing that if individuals did the same, they would face severe legal consequences.
  • Concerns are raised about Facebook's technical capabilities and potential misuse of user data, particularly regarding tracking and monitoring.
  • Some commenters express a general distrust of Facebook as a company, highlighting a negative perception compared to other tech firms.
  • Several users mention the broader implications of such practices, suggesting that they could lead to more significant privacy violations and security risks.
26 comments
By @theptip - 6 months
So just to be clear on what is being alleged, because the write-ups are omitting this detail: from what I can tell FB paid SC users to participate in “market research” and install the proxy.

The way most of the writeups make it sound is that it’s some sort of hack, but this doesn’t seem to be the case. (I’d love to get more detail on exactly what the participants were told they were getting paid for, but I’d be surprised if they did not know their actions were being monitored.)

The accusation that it’s wiretapping if one party in the communication channel is actively breaking the encryption (even with a tool provided by a third party) seems tenuous to me, but IANAL. If this is wiretapping, is it also wiretapping for me to use a local SSL proxy to decrypt and analyze traffic to a service’s API?

By @dylan604 - 6 months
The email snippets are impressive on multiple levels, mainly how fucking stupid/arrogant people at FB must be. Openly talking about MITM, and then getting multiple other companies to include this kit in their products as well is just beyond stupid for putting in writing. "Hey Zuck, I have an idea on your proposal. We should get together to discuss in person" would be suspect, but at least it's not incriminating. It's like these people have never seen a movie, or read a news article on other companies getting caught.
By @afavour - 6 months
Not to downplay it but at least this requires users to download the Onavo app, which isn’t so common.

The one that I wonder about a lot is this: there are two (non-deprecated) types of webview you can use in iOS: WKWebview and SFSafariViewController. They’re intended for very different uses.

When you tap on a link in the Facebook app they should use SFSafariViewController. It’s private (app code has no visibility into it), it shares cookies with Safari, it’s literally intended for “load some external web content within the context of this app”

Instead, FB still uses WKWebView. With that you can inject arbitrary JS into any page you want. Track navigations, resources loaded, the works. Given the revelations we’ve seen in this article and many others I shudder to imagine what FB is doing with those capabilities. They’re probably tracking user behavior on external sites down to every tap on every pixel. It seems insane to think they might be tracking every username and password entered in their in-app webviews but they have the technical capability to. And do we really trust that they wouldn’t?

By @xbmcuser - 6 months
I don't know why, but Facebook is the one tech company that I just can't have a good opinion about. I like and dislike Google, Microsoft, Apple, Nvidia, AMD, Intel and the rest for different things, but I just hate Facebook. I closed my Facebook account about 10-11 years back and put a filter in place to keep Facebook out of my search results. And I have to say it works; I rarely see anything about Facebook in my Google news feeds etc. I still use WhatsApp though, as that is the biggest communication app outside China in Asia.
By @1vuio0pswjnm7 - 6 months
"There is a current class action lawsuit against Meta in which court documents include claims that the company had breached the Wiretap Act."

This is not a wiretapping case. The claims are all for violations of the Sherman Act. Plaintiffs' attorneys _incidentally_ found evidence during discovery that Facebook may have breached the Wiretap Act. There are no wiretapping claims. It is an antitrust case.

By @bschne - 6 months
I think a relative of mine once almost signed up for another market research thing that would have done essentially this, redirecting all their phone's internet traffic through a VPN & proxy controlled by the market research company, including installing their cert. They would have received some small compensation for it, and of course consented to having it installed. I don't recall the company being misleading about anything, exactly. That being said, while I generally am not in favor of overly paternalistic policies, I wonder how meaningful the consent of someone with relatively little technical knowledge for something like this really is. They were not misleading about things, but also didn't fully spell things out in a way that would really drive home what was going on for someone unaware.
By @giancarlostoro - 6 months
Reading this article I'm just thinking that Facebook has a wing that's just an NSA front at this point.
By @egberts1 - 6 months
Ooooooooh, SSLbump.

There has to be a court precedent that criminalized sniffing network traffic on the customer’s side.

Should be one of those many cases involving wiretapping for banking info.

By @egberts1 - 6 months
This is why we should be doing dual-server-client TLS certificate exchange before stuffing damaging info over Internet. But, alas, nooooooooo.
By @musha68k - 6 months
Unfortunately this is unsurprising; with bad actors like Meta there are likely many potential "dark patterns" put in place.

I can imagine e.g. security risks involving sensor data exfiltration where accelerometers and gyroscopes etc are monitored to infer audio information. By covertly relaying and processing the collected data externally it would be possible to reconstruct sensitive information without direct access to the device's microphone.

It's not unlikely that they pull off something like that.

Meta and other pernicious companies and government bodies are probably employing many more, even worse and much simpler eavesdropping techniques in the wild.

By @RockRobotRock - 6 months
"Stay safer when you're using public Wi-Fi. Turn Protection On"

prompt to install a VPN config

Fuck yourself, Facebook.

By @rkagerer - 6 months
Why would anyone use a VPN service provided by Facebook?
By @webninja - 6 months
Isn’t this what the broad CFAA was created for and what Aaron Swartz was martyred over?
By @Crazyontap - 6 months
Why didn't a big company like Snapchat have certificate pinning? Something is amiss here!?
By @temp0728 - 6 months
I used to work for a startup that collected data by using a MITM attack with a VPN server, and other means. The users got paid a small sum of money to participate.
By @ARandomerDude - 6 months
If you or I did this, we would already be in jail for phishing plus whatever add-on charges the Feds could file.

Meta has Washington in their pocket so this will never leave civil court. The penalty will be less than the money made, meaning somebody gets a bonus for being creative.

By @FragrantRiver - 6 months
This wouldn't have happened if Android used Javascript.
By @exmicrosoldier - 6 months
They do this on my work laptop. Zscaler
By @lowermidmgmt - 6 months
If there is a god we'll be compensated through a class action settlement for a $5 meta ad voucher.
By @29athrowaway - 6 months
tl;dr: They acquired an app called Onavo, with 10 million customers, and used it to install a CA certificate, thus allowing them to act as a MITM proxy.
By @walrus01 - 6 months
tl;dr: If you install and fully trust a root CA on your client device, of course your TLS traffic can be MITMed.

edit: the problem, obviously, is that this app tricked the non-technical people into installing/trusting the root CA for malicious purposes. Clearly this was malware.