by sneak 1017 days ago
I am so tired of these memes. The network traffic out of common social media mobile apps is fully studied and understood. You can even inspect it yourself if you like, using an access point, an HTTP reverse proxy, a self-generated CA (manually installed on device), and some netfilter rules. AFAIK the social media apps aren't doing cert pinning, but even if they are, you can find the pins in the APK and patch your own in over top.

It would be obvious if they were exfiltrating audio data. They are not.

2 comments

While I agree with you, I think it's pretty easy to do the processing on device, encrypt the relevant topics and communicate them in innocent-looking calls?
And it's pretty simple to see when an app is doing audio recording (there's even an indicator in the corner of the screen on newer Androids), what is being processed, what is encrypted and with what keys, and then decrypted, and what is being sent and received.

It's a computer program, it's not magic, you can take it apart down to individual system calls, and with popular apps, people actually do that.

Do you have a link to any of these studies? It sounds interesting, but I couldn't find anything with my searches.
No, they're usually not published. I encourage you to do it yourself.

Looks like Instagram at least does do TLS cert pinning, but it looks like there are patched binaries that disable it.

https://github.com/Eltion/Instagram-SSL-Pinning-Bypass