It should come as no surprise that most mobile apps run some sort of analytics on user behavior.
But in the case of Facebook, the social network’s Messenger app for iOS apparently tracks quite a bit more than most users likely realize.
iOS forensics and security researcher Jonathan Zdziarski spent Tuesday morning disassembling Facebook Messenger’s iOS binary, at one point declaring via Twitter that “Messenger appears to have more spyware type code in it than I've seen in products intended specifically for enterprise surveillance.”
In an email, Zdziarski said that Messenger is logging practically everything a user might do within the app, from what and where they tap, to how often a device is held in portrait versus landscape orientation; even time spent in the Messenger app, versus the time it spends running in the background.
Some of this is expected behaviour for an app developer, of course. But of greater concern are the other things Zdziarski discovered, whose intended purpose is less clear.
On Twitter, Zdziarski said he’s worked for companies that write enterprise surveillance software that didn’t know this level of access was possible.
Messenger appears to have more spyware type code in it than I've seen in products intended specifically for enterprise surveillance.
I asked independent security researcher Ashkan Soltani via email whether Facebook’s relationship with Apple—having a user’s Facebook account baked directly into iOS—might give Facebook access to private APIs and capabilities that other developers don't have. Soltani wrote that he believed my hunch was correct.
Multiple strings discovered by Zdziarski within the binary also have an ominous phrase, [“DO_NOT_USE_OR_YOU_WILL_BE_FIRED”], tacked onto the end. iPhone hacker Chpwn (also known as Grant Paul), who now works at Facebook chimed in via Twitter to say he was responsible for naming the strings, writing “the whole thing’s an inside joke.”
However, it’s not clear what some of these functions, which have names such as “globalProviderMapData” and “isHeadPublisher” actually do, and why they would warrant the threat of termination, joking or not, if used.
Zdziarski cautioned that “a couple hours of tinkering around isn’t going to provide any meaningful conclusions… but there is a lot of code that suggests Facebook is running analytics on nearly everything it possibly can monitor on your device.”
Facebook declined to provide any official comment, but a spokesperson pointed me to the responses of Facebook Messenger developer Lucy Zhang, who told Zdziarski via Twitter that it’s “probably no surprise that we use analytics to understand usage and make the app faster [and] more efficient.”
She offered one such example where analytics told the team that users were using Like stickers often, “so we moved that feature so people can send in fewer taps.”
While it’s not out of the ordinary for app developers to run all sorts of analytics on their users to measure how an app is being used, it’s often unclear to users just how much data an app is capable of collecting—assuming they’re told such data is being collected in the first place.
The reasons turned out to be relatively benign, but the concern should serve as a reminder that it’s no longer enough for an app to simply request access to sensitive phone functions and sensors without explanation. Maybe it's part of the hangover since the revelations on the NSA courtesy of Edward Snowden, but app developers such as Facebook, as well as app store owners Apple and Google, have to do a better job at explaining why such access is needed, and how it will be used.
“Ultimately it comes down to whether or not you trust Facebook not to take advantage of their position on your device to snoop on you,” wrote Zdziarski. “The technical capabilities to do so are certainly there.”