We investigate and review important issues around user privacy in mobile apps. Primarily, we investigate what data is collected by these apps. In particular, our focus is on which data that should not be collected, because of legal regulations, settings of the phone, or are simply on the edge of good morals. Our proof of concept analyses the Facebook app (and on smaller scale also Messenger). The reason for this is that it is a good example of an app with vast user-granted permissions
"… one of our colleagues needed a new suitcase.
And few hours later he got adverts concerning suitcases on Facebook. We thought about how that might happen…"
Privacy is something that helps you maintain autonomy, individuality, something you should take care of. Or at least strive to know how much privacy you are giving up in exchange for certain services.
“We wanted to actually see what is being sent, so we decrypted the traffic.”
We try to show and discuss different methods and approaches to figure out what is actually being sent to cloud servers if you use the Facebook app. All of the methods discussed are a Proof of Concept of these techniques. The question that we tried to answer was: “Is Facebook listening to us?”
"While we were analyzing the sniffed traffic we were able to recognize patterns in DNS requests, names of Facebook’s cloud servers, content of decrypted traffic…"
The big question remains unanswered for now since there can always be doubts. We can say that Facebook app is not listening to us… most likely. Each step in the investigation made us more and more inclined to that conclusion.
Petr Kus & Dominik Pokora