by UncleMeat 3144 days ago
Why would it wait two days? Have you never seen an ad for laptop bags before? I see them often.

You can decompile the Facebook app. You can install a cert and MITM the network connection. You can do anything to the client. Yet nobody has found any evidence whatsoever of this behavior.

2 comments

Ugh, I hate this nonsense. You say "you can do X" as if it's so easy. I assume this isn't something you're just pulling out of thin air and that you're at least saying this because you really know how to do it (i.e.: you've done it before). So, please do all of us a huge favor and explain how to do the MITM on Android step-by-step, which you seem to think we're all so lazy & unwilling to do. Not merely "in theory", and not merely on some random app, but in actual freaking practice, on the Facebook app. Because every single person I've caught saying this had evidently not tried it on the Facebook app himself to realize how nontrivial it is. People don't have the time or energy to switch their full-time jobs to being reverse-engineers of the Facebook app, so if you think it's so doable, please do the world a favor and show us how to put this myth to rest. (And to make it even easier, no need to assume zero prior knowledge. You can assume people already know how to do this on a desktop, and just teach them how to do it on the phone. I assure you that the knowledge does not simply transfer over.)

I think it's safe to say that "you can do" here means "it is possible to, and people do".

The risk Facebook would take by pulling a stunt like this is ginormous. See also: Amazon Echo.

The consumer and legal backlash would be swift and stunning, and the secret would be impossible to keep. Mobile app decryption is a well-established process. Reverse engineering a large app is tedious, but fully comprehensible. If you're specifically looking for recording (streaming audio out, or spooling to storage), it's much more manageable.

Of course there's a danger in assuming that someone, somewhere has already done this (or many someones). ~"With enough eyes, all bugs are shallow" ... sure, if the eyes are open. I don't know anyone who has done this work for the Facebook app, or for the Echo. But there are so many little boutique security firms out there today, and the technical prerequisites are so low...I just don't see how it's possible that it hasn't been done a hundred times.

The genuine risk, I think, is that a Corp with all the tooling in place could be compelled by some vaguely legal process in some sketchy jurisdiction to target an individual of interest with custom code. This isn't hard either. Of course, the "tooling" is minor and any popular app could be subverted usefully in this fashion, so Facebook is not special here.

Still, most of us are laughably uninteresting to LE, but proper opsec still dictates caution.

Maybe the recorded audio is getting uploaded byte by byte. Plus, this is not the first time. I always keep my location turned off for Facebook, yet it showed me the real estate ad near the location where I was, and that was my client's location, not even close to my home or office.