[throwaway613834]

> Regardless, it’s easy enough to dump HTTPS traffic (pinned or otherwise) if you have root access to the client, which in the case of Android is not difficult to get.

Hm, well okay, would you mind explaining the easy procedure that lets you capture Facebook traffic then? I have tried lots of different methods (Fiddler, Xposed modules, etc.) with root access and have failed. It's no problem in theory, but practice is another matter...

[nilved]

If you have root access to one end of encryption, you necessarily can inspect and save it. The way I would do this is by issuing a certificate for facebook.com that I mark as trusted on the device. This will let you do a man in the middle "attack." But you can probably do this directly on the device: just look for where the encryption is taking place, and intercept it.

[throwaway613834]

> The way I would do this is by issuing a certificate for facebook.com that I mark as trusted on the device.

Half the entire point is "mark it as trusted" doesn't work when the application has already pinned the certificate it's expecting. Have you actually done this yourself at all?

> But you can probably do this directly on the device: just look for where the encryption is taking place, and intercept it.

"Just" intercept it? You mean "just" spend several weeks if not months trying to disassemble/decompile their code, figure out how to inject your own, somehow locate the relevant in-memory data structures for encryption, & reliably patch them at runtime? all while preventing the application from crashing? That's "easy" to you? Have you done any of these things you're suggesting yourself? How often have you done them? and how long have they taken you that you found them "easy"?

[nilved]

I've done all of these things since it's my job. I haven't tried Facebook, because I don't have any confidence in the surveillance hypothesis, but my first guess being inapplicable doesn't change the fact that root access would allow people to prove this is happening, and that hasn't happened.

Furthermore, this could be proven with some fair reliability using correlation only. Is more encrypted data sent when you're speaking? Is more encrypted data sent when the microphone permission is enabled? Does the app access the microphone while sleeping? Nobody has presented anything _close_ to evidence.

[throwaway613834]

> I've done all of these things since it's my job.

It's weird that this is your day job and yet you tell me that I should mark a certificate as "trusted" when we both explicitly acknowledged that the problem was with certificate pinning. You didn't answer this part: how long does it take you to manage to intercept Android HTTPS traffic for a brand-new, never-before-seen application that uses certificate pinning on your day job?

> I haven't tried Facebook, because I don't have any confidence in the surveillance hypothesis

Well then try it with Facebook. If this kind of thing is really your day job then it shouldn't take long, and you'd do everyone a favor by (a) showing that nothing is going on, and (b) teaching people how to do it themselves so that the myth doesn't keep spreading. People would appreciate it.

> Furthermore, this could be proven with some fair reliability using correlation only.

No, it can't. They don't need to be sending raw audio. They could just do some rudimentary speech recognition and send it along with some other routine data.

> Does the app access the microphone while sleeping? Nobody has presented anything _close_ to evidence.

I've personally logged it accessing the microphone when I've been scrolling on my news feed. Though I don't see why you'd believe me anyway.