Ever since Facebook first started pushing users over to its standalone messaging app (whether they liked it or not), there have been cries of outrage over what’s seemed like an inordinately large amount of required permissions. And while there’s still no indication that Facebook has any sort of bad intent, the company is collecting a startling cache of data, according to security researcher Jonathan Zdziarski.
Not necessarily the best design to keep credit card details in Objective-C objects in resident memory. But meh. pic.twitter.com/aIUpovBkB1
— Jonathan Zdziarski (@JZdziarski) September 9, 2014
Zdziarkski, who specialises in iOS forensics, revealed his findings to Motherboard after disassembling the app’s binary:
In an email, Zdziarski said that Messenger is logging practically everything a user might do within the app, from what and where they tap, to how often a device is held in portrait versus landscape orientation; even time spent in the Messenger app, versus the time it spends running in the background.
…”[Facebook is] using some private APIs I didn’t even know were available inside the sandbox to be able to pull out your WiFi SSID (which could be used to snoop on which WiFi networks you’re connected to) and are even tapping the process list for various information on the device,” he wrote in an email.
And while it’s worth noting that plenty of apps track this sort of data for any number of reasons (diagnostics, for instance), even Zdziarski — who’s worked for surveillance software companies in the past — was unaware that this sort of data access was even possible.
All of this can sound a bit alarming, but there’s still no concrete proof that Facebook is doing anything wrong. Yes, some of the binary apparently has the phrase [“DO_NOT_USE_OR_YOU_WILL_BE_
FIRED”] added on, but a Facebook dev assured Zdziarski that this is an inside joke. And we have no reason not to believe him.
Messenger even gathers data on what orientation you’re holding your phone in most often.
— Jonathan Zdziarski (@JZdziarski) September 9, 2014
While Facebook declined to comment to Motherboard, a Messenger developer did tell Zdziarski that “it’s probably no surprise that we use analytics to understand usage and make the app faster [and] more efficient.” Until we have actual proof of wrongdoing, it’s probably best to keep those tinfoil hats at bay.
https://twitter.com/JZdziarski/status/509368024257015808
Still, it is interesting to see just how deep our individual Facebook rabbit holes go. [Motherboard]
Update: A Facebook spokesperson has provided us with the following statement.
These accusations are completely unjustified. Privacy is core to our approach with Messenger, and like any developer, we analyze usage trends to make our apps better, faster, and more efficient. As an example, with regard to what where people tap — when we noticed that people were using the ‘Like’ stickers a lot, we modified the app so that people could send them with fewer taps.