It should come as no surprise that most mobile apps run some sort of analytics on user behaviour. But in the case of Facebook, the social network’s Messenger app for iOS apparently tracks quite a bit more than most users likely realize.
iOS forensics and security researcher Jonathan Zdziarski spent Tuesday morning disassembling Facebook Messenger’s iOS binary, at one point declaring via Twitter that “Messenger appears to have more spyware type code in it than I’ve seen in products intended specifically for enterprise surveillance.”
In an email, Zdziarski said that Messenger is logging practically everything a user might do within the app, from what and where they tap, to how often a device is held in portrait versus landscape orientation, and even the time spent in the Messenger app versus the time it spends running in the background.
Some of this is expected behaviour for an app developer, of course, but of greater concern are the other things Zdziarski found, whose intended purpose is less clear.
“[Facebook is] using some private APIs I didn’t even know were available inside the sandbox to be able to pull out your WiFi SSID (which could be used to snoop on which WiFi networks you’re connected to) and are even tapping the process list for various information on the device,” he wrote in an email.
On Twitter, Zdziarski said he’s worked for companies that write enterprise surveillance software that didn’t know this level of access was possible.
I asked independent security researcher Ashkan Soltani via email whether Facebook’s relationship with Apple—having a user’s Facebook account baked directly into iOS—might give Facebook access to private APIs and capabilities that other developers don’t have. Soltani wrote that he believed my hunch was correct.
Multiple strings discovered by Zdziarski within the binary also have an ominous phrase, “DO_NOT_USE_OR_YOU_WILL_BE_FIRED”, tacked onto the end. iPhone hacker Chpwn (also known as Grant Paul), who now works at Facebook, chimed in via Twitter to say he was responsible for naming the strings, writing “the whole thing’s an inside joke.”
However, it’s not clear what some of these functions, which have names such as “globalProviderMapData” and “isHeadPublisher”, actually do, or why they would warrant the threat of termination, joking or not, if used.