Your Facebook Messenger for iOS might have some built in spy functions you didn't know about.
Image: Flickr/Jeff Wilcox
It should come as no surprise that most mobile apps run some sort of analytics on user behaviour. But in the case of Facebook, the social network's Messenger app for iOS apparently tracks quite a bit more than most users likely realize.
iOS forensics and security researcher Jonathan Zdziarski spent Tuesday morning disassembling Facebook Messenger's iOS binary, at one point declaring via Twitter that "Messenger appears to have more spyware type code in it than I've seen in products intended specifically for enterprise surveillance."
In an email, Zdziarski said that Messenger is logging practically everything a user might do within the app, from what and where they tap, to how often a device is held in portrait versus landscape orientation; even time spent in the Messenger app, versus the time it spends running in the background.
Some of this is expected behaviour for an app developer, of course. But of greater concern are the other things Zdziarski discovered, whose intended purpose is less clear.
"[Facebook is] using some private APIs I didn't even know were available inside the sandbox to be able to pull out your WiFi SSID (which could be used to snoop on which WiFi networks you're connected to) and are even tapping the process list for various information on the device," he wrote in an email.
On Twitter, Zdziarski said he's worked for companies that write enterprise surveillance software that didn't know this level of access was possible.
Messenger appears to have more spyware type code in it than I've seen in products intended specifically for enterprise surveillance
I asked independent security researcher Ashkan Soltani via email whether Facebook's relationship with Apple—having a user's Facebook account baked directly into iOS—might give Facebook access to private APIs and capabilities that other developers don't have. Soltani wrote that he believed my hunch was correct.
Multiple strings discovered by Zdziarski within the binary also have an ominous phrase, ["DO_NOT_USE_OR_YOU_WILL_BE_FIRED"], tacked onto the end. iPhone hacker Chpwn (also known as Grant Paul), who now works at Facebook chimed in via Twitter to say he was responsible for naming the strings, writing "the whole thing's an inside joke."
However, it's not clear what some of these functions, which have names such as "globalProviderMapData" and "isHeadPublisher" actually do, and why they would warrant the threat of termination, joking or not, if used.
Zdziarski cautioned that "a couple hours of tinkering around isn't going to provide any meaningful conclusions… but there is a lot of code that suggests Facebook is running analytics on nearly everything it possibly can monitor on your device."
Facebook declined to provide any official comment, but a spokesperson pointed me to the responses of Facebook Messenger developer Lucy Zhang, who told Zdziarski via Twitter that it's "probably no surprise that we use analytics to understand usage and make the app faster [and] more efficient."
She offered one such example where analytics told the team that users were using Like stickers often, "so we moved that feature so people can send in fewer taps."
While it's not out of the ordinary for app developers to run all sorts of analytics on their users to measure how an app is being used, it's often unclear to users just how much data an app is capable of collecting—assuming they're told such data is being collected in the first place.
Even in cases where apps are upfront about permissions—as is the case with Facebook's Android Messenger app—there is still a lack of nuance when explaining what, exactly, granting certain permissions might mean. Facebook faced backlash over its Messenger app for Android in August, when users questioned why the app was requesting access to their device's camera, microphone, text messages and more, naturally assuming the worst.
The reasons turned out to be relatively benign, but the concern should serve as a reminder that it's no longer enough for an app to simply request access to sensitive phone functions and sensors without explanation. Maybe it's part of the hangover since the revelations on the NSA courtesy of Edward Snowden, but app developers such as Facebook, as well as app store owners Apple and Google, have to do a better job at explaining why such access is needed, and how it will be used.
"Ultimately it comes down to whether or not you trust Facebook not to take advantage of their position on your device to snoop on you," wrote Zdziarski. "The technical capabilities to do so are certainly there."
UPDATE: After this article was published, Facebook, which had previously declined to comment, reached out with the following response:
"These accusations are completely unjustified. Privacy is core to our approach with Messenger, and like any developer, we analyze usage trends to make our apps better, faster, and more efficient. As an example, with regard to what and where people tap - when we noticed that people were using the 'Like' stickers a lot, we modified the app so that people could send them with fewer taps."