SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
TOP Security!
14 Sep 2014

Facebook's Messenger App is tracking users

It should come as no surprise that most mobile apps run some sort of analytics on user behavior.

But in the case of Facebook, the social network’s Messenger app for iOS apparently tracks quite a bit more than most users likely realize.

iOS forensics and security researcher Jonathan Zdziarski spent Tuesday morning disassembling Facebook Messenger’s iOS binary, at one point declaring via Twitter that “Messenger appears to have more spyware type code in it than I've seen in products intended specifically for enterprise surveillance.”

In an email, Zdziarski said that Messenger is logging practically everything a user might do within the app, from what and where they tap, to how often a device is held in portrait versus landscape orientation, and even time spent in the Messenger app versus the time it spends running in the background.

Some of this is expected behaviour for an app developer, of course. But of greater concern are the other things Zdziarski discovered, whose intended purpose is less clear.

“[Facebook is] using some private APIs I didn’t even know were available inside the sandbox to be able to pull out your WiFi SSID (which could be used to snoop on which WiFi networks you’re connected to) and are even tapping the process list for various information on the device,” he wrote in an email.

On Twitter, Zdziarski said he’s worked for companies that write enterprise surveillance software that didn’t know this level of access was possible.

I asked independent security researcher Ashkan Soltani via email whether Facebook’s relationship with Apple—having a user’s Facebook account baked directly into iOS—might give Facebook access to private APIs and capabilities that other developers don't have. Soltani wrote that he believed my hunch was correct.

Multiple strings discovered by Zdziarski within the binary also have an ominous phrase, “DO_NOT_USE_OR_YOU_WILL_BE_FIRED”, tacked onto the end. iPhone hacker Chpwn (also known as Grant Paul), who now works at Facebook, chimed in via Twitter to say he was responsible for naming the strings, writing “the whole thing’s an inside joke.”

However, it’s not clear what some of these functions, which have names such as “globalProviderMapData” and “isHeadPublisher”, actually do, and why they would warrant the threat of termination, joking or not, if used.

Zdziarski cautioned that “a couple hours of tinkering around isn’t going to provide any meaningful conclusions… but there is a lot of code that suggests Facebook is running analytics on nearly everything it possibly can monitor on your device.”

Facebook declined to provide any official comment, but a spokesperson pointed me to the responses of Facebook Messenger developer Lucy Zhang, who told Zdziarski via Twitter that it’s “probably no surprise that we use analytics to understand usage and make the app faster [and] more efficient.”

She offered one such example where analytics told the team that users were using Like stickers often, “so we moved that feature so people can send in fewer taps.”

While it’s not out of the ordinary for app developers to run all sorts of analytics on their users to measure how an app is being used, it’s often unclear to users just how much data an app is capable of collecting—assuming they’re told such data is being collected in the first place.

Even in cases where apps are upfront about permissions—as is the case with Facebook’s Android Messenger app—there is still a lack of nuance when explaining what, exactly, granting certain permissions might mean. Facebook faced backlash over its Messenger app for Android in August, when users questioned why the app was requesting access to their device’s camera, microphone, text messages and more, naturally assuming the worst.

The reasons turned out to be relatively benign, but the concern should serve as a reminder that it’s no longer enough for an app to simply request access to sensitive phone functions and sensors without explanation. Maybe it's part of the hangover since the revelations on the NSA courtesy of Edward Snowden, but app developers such as Facebook, as well as app store owners Apple and Google, have to do a better job at explaining why such access is needed, and how it will be used.

“Ultimately it comes down to whether or not you trust Facebook not to take advantage of their position on your device to snoop on you,” wrote Zdziarski. “The technical capabilities to do so are certainly there.”

Tags: iOS, Facebook, Apple, surveillance

Source: Motherboard