by sine 3027 days ago
It's possible Facebook could be using an exclusive method to access hardware more directly, much like how Uber had access to restricted developer debugging tools which allowed them to record the screen even when the app was closed.

https://thehackernews.com/2017/10/uber-screen-record-iphone....

6 comments

If you want to get paranoid... Maybe it can detect jailbreak and do nothing. Or even better, detect jailbreak, use it to detect if there are hooks into the audioRecord interface, and if there are no hooks, record even more with its newfound powers :)
This is straight up malware behaviour.
Which is why it doesn't do that.
It reminds me of the amazing Skype protections against reverse engineering.
Could you remember a little harder?
All sorts of anti-debugging tricks, self modifying code, runtime checksums, network traffic obfuscation, etc.

http://www.secdev.org/conf/skype_BHEU06.handout.pdf

http://runtux.com/files/download/skype.4.pdf

I have checked. Facebook does not do this.
> does not do this

Do you have the hashes to prove that what you tested matches what is actually installed elsewhere?

No, I'm not actually claiming there actually are different versions in the wild. I just find it strange that anybody can make broad claims about what widespread software may or may not be doing. Widespread use of "A/B testing" and forced remote updates should make everyone question the nature of every binary, even when they have the same name (including version number).

Fb's well known for large scale A/B testing though. Isn't it more than possible that the binaries/versions/etc that you tested simply weren't part of the test?
You can't A/B test iOS app binaries though.
You could A/B test different app behaviour with the same binary by branching on some pseudorandom (quasi-) constant like IMEI or phone number.
Sure. But once you know that everyone has the same binary, you can reverse engineer the binary you know everyone has.
The nice thing is that you can reverse engineer it and sniff traffic to find out what the A/B tests are and what they do.
Couldn't you test 2 different behaviors in the same binary though?
How have you checked (what do you have access to)? If you work for Google on Android, that would be a good answer, for example :)
From his bio:

> information security research. ceo @ sudo security group (https://verify.ly).

> previously: founder of "Chronic Dev Team" responsible for many years of iOS jailbreaking solutions (24kPwn, absinthe, corona, greenpois0n, etc).

I still think "how have you checked" is a fair question.
My company collects/analyzes apps from the App Store to test their security, so I have pretty easy access to the machine code for apps.

Certainly a fair question.

On the Android side, it's not terribly difficult to send a copy of the app to a computer and decompile it. Then you can simply search for any code that invokes the Android function for mic access.
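A concrete version of the Android check described above, added here as an illustration and not code from the thread or from any commenter: it scans decompiled smali text for invocations of the framework's microphone-capture classes (AudioRecord, MediaRecorder) and cross-checks the manifest for the RECORD_AUDIO permission. The manifest, class names and smali listings are constructed samples; the regexes assume the standard baksmali output format.

```python
"""Audit decompiled Android (smali) sources for microphone-access call sites.

Added example, not code from the thread. Given the text of decompiled classes
and the manifest, report every method that invokes a known audio-capture API
and whether RECORD_AUDIO is declared. All sample inputs below are constructed.
"""
import re
from typing import Dict, List

# Framework APIs that capture microphone audio (real Android identifiers).
MIC_APIS = (
    "Landroid/media/AudioRecord;-><init>",
    "Landroid/media/AudioRecord;->startRecording",
    "Landroid/media/MediaRecorder;->setAudioSource",
    "Landroid/media/MediaRecorder;->start",
)

# ".method public static foo(I)V" -> captures "foo"
METHOD_RE = re.compile(r"^\.method\s+(?:[\w-]+\s+)*([^\s(]+)\(")
# "invoke-virtual {v0}, Lpkg/Cls;->m()V" (also /range form) -> captures the callee
INVOKE_RE = re.compile(r"^\s*invoke-\w+(?:/range)?\s+\{[^}]*\},\s*(\S+)$")
PERMISSION_RE = re.compile(r'<uses-permission[^>]*android:name="([^"]+)"')


def find_mic_calls(smali_files: Dict[str, str]) -> List[dict]:
    """Return one record per microphone-API invocation, with its enclosing method."""
    hits = []
    for path, text in smali_files.items():
        current_method = None
        for lineno, line in enumerate(text.splitlines(), 1):
            m = METHOD_RE.match(line)
            if m:
                current_method = m.group(1)
                continue
            if line.strip() == ".end method":
                current_method = None
                continue
            inv = INVOKE_RE.match(line)
            if inv and any(inv.group(1).startswith(api) for api in MIC_APIS):
                hits.append({"file": path, "method": current_method,
                             "line": lineno, "api": inv.group(1)})
    return hits


def declares_record_audio(manifest_xml: str) -> bool:
    """True if the manifest requests the RECORD_AUDIO permission."""
    return "android.permission.RECORD_AUDIO" in PERMISSION_RE.findall(manifest_xml)


def audit(manifest_xml: str, smali_files: Dict[str, str]) -> dict:
    """Combine both signals: call sites without the permission are dead code
    (the call would throw at runtime); permission without call sites means the
    capability is granted but unused by the shipped code."""
    hits = find_mic_calls(smali_files)
    has_perm = declares_record_audio(manifest_xml)
    if hits and has_perm:
        verdict = "mic access possible: review each call site"
    elif hits:
        verdict = "mic API referenced but permission not declared"
    elif has_perm:
        verdict = "permission declared but no mic API call found"
    else:
        verdict = "no microphone access indicators"
    return {"record_audio_permission": has_perm, "mic_call_sites": hits, "verdict": verdict}


# --- constructed sample inputs (hypothetical package "com.example.app") ---
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""

SAMPLE_SMALI = {
    "com/example/app/VoiceNotes.smali": """\
.class public Lcom/example/app/VoiceNotes;
.super Ljava/lang/Object;

.method public startCapture()V
    .locals 6
    new-instance v0, Landroid/media/AudioRecord;
    invoke-direct/range {v0 .. v5}, Landroid/media/AudioRecord;-><init>(IIIII)V
    invoke-virtual {v0}, Landroid/media/AudioRecord;->startRecording()V
    return-void
.end method
""",
    "com/example/app/Analytics.smali": """\
.class public Lcom/example/app/Analytics;
.super Ljava/lang/Object;

.method public static log(Ljava/lang/String;Ljava/lang/String;)V
    .locals 0
    invoke-static {p0, p1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
""",
}

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, SAMPLE_SMALI)
    print(report["verdict"])
    for h in report["mic_call_sites"]:
        print(f'{h["file"]}:{h["line"]} in {h["method"]}() -> {h["api"]}')
```

On a real app you would feed it the output directory of a baksmali run plus the decoded manifest; the point of recording the enclosing method is that the interesting question is not whether the API appears, but which code path (and which trigger) reaches it.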
...and I just deleted the Uber app.
Delete Uber for a good reason, such as the fact that ride sharing makes driving unreliable as a source of income. Professional drivers have seen their incomes decrease and hours increase drastically.

The article in question starts out breathlessly accusing Uber of spying on users, only to completely walk back the claim by the end. Just by reading the article alone we see that the permission was granted to overcome a capability lapse in the Apple Watch.

>such as the fact that ride sharing makes driving unreliable as a source of income.

That's a terrible reason. Taxi drivers also have an unreliable source of income with the burden of medallion rent in some of the larger cities.

Do you also boycott all construction since that is also unreliable for basic laborers?

The parent’s point was that ridesharing makes life worse for other paid drivers.

If Taskrabbit started sabotaging income for highway construction workers I might avoid it (although to be fair I’ve never used it).

Seems like an insufficient reason to me. Many software developers automate processes which in turn eliminates jobs entirely. It's a little different, but still a case of one person/group benefitting at the cost of another's livelihood.
Waitstaff also have an unreliable source of income and see their incomes decrease or hours increase drastically. Planning to boycott restaurants?
See my reply to hueving
It is; however, when building a Mobile Substrate tweak, you have visibility / access to the headers of every single system class. One could theoretically hook into any number of audio recording mechanisms (assuming they knew where to look ;) )
Yeah, but this would be obvious (it can be seen easily), as it will require some "entitlements".
But Facebook doesn't have any extra, special entitlements.