Facebook's Messenger App Logs Way More Data Than You Realise

By Ashley Feinberg

Ever since Facebook first started pushing users over to its standalone messaging app (whether they liked it or not), there have been cries of outrage over what's seemed like an inordinately large number of required permissions. And while there's still no proof that Facebook has any sort of nefarious intent, the company is collecting a startling cache of data, according to security researcher Jonathan Zdziarski.

Zdziarski, who specializes in iOS forensics, revealed his findings to Motherboard after disassembling the app's binary:

In an email, Zdziarski said that Messenger is logging practically everything a user might do within the app, from what and where they tap, to how often a device is held in portrait versus landscape orientation; even time spent in the Messenger app, versus the time it spends running in the background.

..."[Facebook is] using some private APIs I didn't even know were available inside the sandbox to be able to pull out your WiFi SSID (which could be used to snoop on which WiFi networks you're connected to) and are even tapping the process list for various information on the device," he wrote in an email.

And while it's worth noting that plenty of apps track this sort of data for any number of reasons (diagnostics, for instance), even Zdziarski—who's worked for surveillance software companies in the past—was unaware that this sort of data access was even possible.

All of this can sound a bit alarming, but there's still no concrete proof that Facebook is doing anything wrong. Yes, some of the binary apparently has the phrase "DO_NOT_USE_OR_YOU_WILL_BE_FIRED" added on, but a Facebook dev assured Zdziarski that this is an inside joke. And we have no reason not to believe him.

While Facebook declined to comment to Motherboard, a Messenger developer did tell Zdziarski that "it's probably no surprise that we use analytics to understand usage and make the app faster [and] more efficient." Until we have actual proof of wrongdoing, it's probably best to keep those tinfoil hats at bay.

Still, it is interesting to see just how deep our individual Facebook rabbit holes go. [Motherboard]