There's an easy way to verify this: run tcpdump and record it happening. The fact that nobody has done this, instead only offering anecdotes, strongly suggests that these are coincidences or from other forms of targeting.
Regardless, it’s easy enough to dump HTTPS traffic (pinned or otherwise) if you have root access to the client, which in the case of Android is not difficult to get.
> Regardless, it’s easy enough to dump HTTPS traffic (pinned or otherwise) if you have root access to the client, which in the case of Android is not difficult to get.
Hm, well okay, would you mind explaining the easy procedure that lets you capture Facebook traffic then? I have tried lots of different methods (Fiddler, Xposed modules, etc.) with root access and have failed. It's no problem in theory, but practice is another matter...
If you have root access to one end of encryption, you necessarily can inspect and save it. The way I would do this is by issuing a certificate for facebook.com that I mark as trusted on the device. This will let you do a man in the middle "attack." But you can probably do this directly on the device: just look for where the encryption is taking place, and intercept it.
> The way I would do this is by issuing a certificate for facebook.com that I mark as trusted on the device.
Half the entire point is "mark it as trusted" doesn't work when the application has already pinned the certificate it's expecting. Have you actually done this yourself at all?
> But you can probably do this directly on the device: just look for where the encryption is taking place, and intercept it.
"Just" intercept it? You mean "just" spend several weeks if not months trying to disassemble/decompile their code, figure out how to inject your own, somehow locate the relevant in-memory data structures for encryption, & reliably patch them at runtime? all while preventing the application from crashing? That's "easy" to you? Have you done any of these things you're suggesting yourself? How often have you done them? and how long have they taken you that you found them "easy"?
I've done all of these things since it's my job. I haven't tried Facebook, because I don't have any confidence in the surveillance hypothesis, but my first guess being inapplicable doesn't change the fact that root access would allow people to prove this is happening, and that hasn't happened.
Furthermore, this could be proven with some fair reliability using correlation only. Is more encrypted data sent when you're speaking? Is more encrypted data sent when the microphone permission is enabled? Does the app access the microphone while sleeping? Nobody has presented anything _close_ to evidence.