That’s not sufficient - you also need to intercept traffic somehow, which they successfully accomplished by buying this VPN company and using them to proxy victims’ traffic through their infra.
Edit: Not excusing Facebook here, but feel like this whole thing is in a weird grey area. It is like getting paid to have a Nielsen box monitoring your TV and then complaining when you find out it also knew what you watched on your DVD player.
Read the wording on the APK[0] - while it does mention they collect data to improve FB product, it sure doesn’t mention the data includes telemetry for competitors’ apps.
I think what is missing is a timeline and clarity about the actual steps users had to take.
1) Onavo was a (free?) VPN app acquired by FB in 2014. Facebook used it to collect “market research data.” People chose to download this, but thought it was a security product.
2) At some point (it looks like 2016?) they launched an iOS app called Research, using the same tech, which required users to install a certificate meant for internal Facebook employees. They paid these users to monitor their traffic.
Are you saying that the MITM was happening for users of (1) or (2) or both?