科技回声 (Tech Echo)

A tech news platform built on Next.js, providing global tech news and discussion.

Resources: HackerNews API, original HackerNews, Next.js

© 2025 科技回声. All rights reserved.

Facebook: We install a root CA on the device and MitM all SSL traffic

130 points by typeofhuman, about 1 year ago

15 comments

lioeters, about 1 year ago

> The communications at issue relate to Facebook's so-called In-App Action Panel ("IAAP") program, which existed between June 2016 and approximately May 2019. The IAAP program, launched at the request of Mark Zuckerberg, used a cyberattack method called "SSL man-in-the-middle" to intercept and decrypt Snapchat's — and later YouTube's and Amazon's — SSL-protected analytics traffic to inform Facebook's competitive decisionmaking. As described below, Facebook's IAAP program conduct was not merely anticompetitive, but criminal.

> ..This code, which included a client-side "kit" that installed a "root" certificate on Snapchat users' (and later, YouTube and Amazon users') mobile devices, see PX 414 at 6, PX 26 (PALM-011683732) ("we install a root CA on the device and MITM all SSL traffic"), also included custom server-side code based on "squid" (an open-source web proxy) through which Facebook's servers created fake digital certificates to impersonate trusted Snapchat, YouTube, and Amazon analytics servers to redirect and decrypt secure traffic from those apps for Facebook's strategic analysis.

Here's a link to the PDF document: https://s3.documentcloud.org/documents/24514262/discovery-brief-in-facebook-case.pdf
evmar, about 1 year ago

Not to defend this practice, but some missing context here (AFAIK, I wasn't involved): this isn't the FB app, but apparently "Onavo Protect" followed by "Facebook Research" apps, the latter of which reportedly explicitly paid people to install it for the express purpose of collecting this kind of data.
elmerfud, about 1 year ago

Users voluntarily install an app that spies on them because they want money. How is this news? Maybe it's news to the people who never installed the app, and maybe the methods that were used were interesting, but if it was voluntary, even if the users didn't understand the technical means but did understand what data was being spied on and collected, I don't see the harm.

These are also the same methods that companies use to spy on their employees. There is a vast number of firewalls that do this automatically. Companies absolutely have the ability to deploy trusted certs on every device that is within their control. This includes when people link their personal device to their company's email portal and it requests all those permissions to control your phone.

I have no love for Facebook, but it seems they were being more upfront about what was going on than your average corporation is with their employees.

Google runs their own app check study that you can be a part of. When part of this program you will install an app on your phone that takes screenshots of what you're looking at on your phone and sends it to Google. You are paid for this. Google even sends you a Pixel phone to do this on and requests that you use it as your normal phone. And while it does attempt to not take screenshots of some apps that are considered private, it absolutely will grab those screenshots by accident at times.
1vuio0pswjnm7, about 1 year ago

Alternate link to PDF document:

https://ia802908.us.archive.org/29/items/gov.uscourts.cand.369872/gov.uscourts.cand.369872.735.0.pdf

15 years in, Zuckerberg is still a gross liability when asked to give sworn testimony under questioning by a competent professional. It is a disaster for Facebook waiting to happen.

https://ia802908.us.archive.org/29/items/gov.uscourts.cand.369872/gov.uscourts.cand.369872.736.0.pdf

HN comments are ignoring the elements of a wiretapping claim. No injury or damage, no "harm", is required in order to be convicted.

https://www.law.cornell.edu/uscode/text/18/2511

That someone may have paid to use an app, or otherwise voluntarily used an app, or that other companies may engage in similar practices does not provide an exception to the federal crime of wiretapping; it does not absolve Facebook of culpability. If the target of the wiretap consented to be surveilled, then one would think the plaintiffs' attorneys would be aware of this fact. This document alleges there is no exception that Facebook can rely on.

When Google has been accused of wiretapping, and this has happened multiple times, it has always settled the claims rather than defend itself against them. It is being sued yet again for wiretapping at this very moment.
doodlebugging, about 1 year ago

This validates my decision never to use Facebook or other social media apps on my phone or desktop. I know that they already know me because I was unable to talk some in my family out of joining and using their "services".

When I was young and almost a teenager we had a different set of social diseases that we worried about. Those were the days, my friend.
typeofhuman, about 1 year ago
Top of page 2. Never install these apps on your phone.
steve1977, about 1 year ago
And that, kids, is why you should use certificate pinning when developing mobile apps.
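The two mechanisms this thread turns on, an installed root CA that lets a proxy's forged certificate chain-validate (the "we install a root CA on the device" quote above) and the certificate pinning steve1977 recommends, side by side in an added Go example. This is not code from the thread, the court filing, or any of the apps discussed; the host name, CA names and serial numbers are made up, and issuing the forged leaf from a freshly generated root stands in for what a squid-style proxy does on the fly per connection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

const analyticsHost = "analytics.example" // made-up name for this example

// mint generates a P-256 key for tmpl, has signer (the parent's key; nil means
// self-signed) sign it, and returns the parsed certificate plus the new key.
func mint(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer, parent = key, tmpl
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newCA builds a self-signed root: the genuine one, or the one a MITM proxy installs.
func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// issueLeaf has ca sign a server cert for host; a MITM proxy does this on the fly.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64) *x509.Certificate {
	leaf, _ := mint(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return leaf
}

// chainOK is the stock TLS client check: the leaf chains to some root in the store.
func chainOK(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err == nil
}

// spkiPin is the pin format used by OkHttp's CertificatePinner and Android's
// Network Security Config: "sha256/" + base64(SHA-256(SubjectPublicKeyInfo DER)).
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedOK is the pinning client's check: chain validation AND a pin match on
// the leaf's public key, so an extra root in the store is not enough.
func pinnedOK(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) bool {
	return chainOK(leaf, roots, host) && pins[spkiPin(leaf)]
}

// Run reports whether the forged leaf passes a stock client (store untouched),
// a stock client with the proxy root added, and a pinning client with the proxy
// root added, and whether the genuine leaf still passes the pinning client.
func Run() (forgedStock, forgedRootAdded, forgedPinned, genuinePinned bool) {
	realCA, realKey := newCA("Genuine Analytics Root", 1)
	realLeaf := issueLeaf(realCA, realKey, analyticsHost, 2)
	proxyCA, proxyKey := newCA("Research App Root", 3)
	forgedLeaf := issueLeaf(proxyCA, proxyKey, analyticsHost, 4)

	stock, tampered := x509.NewCertPool(), x509.NewCertPool()
	stock.AddCert(realCA)
	tampered.AddCert(realCA)
	tampered.AddCert(proxyCA) // "we install a root CA on the device"
	pins := map[string]bool{spkiPin(realLeaf): true} // pins ship inside the app binary

	return chainOK(forgedLeaf, stock, analyticsHost),
		chainOK(forgedLeaf, tampered, analyticsHost),
		pinnedOK(forgedLeaf, tampered, analyticsHost, pins),
		pinnedOK(realLeaf, tampered, analyticsHost, pins)
}

func main() {
	fmt.Println(Run()) // false true false true
}
```

The second result is the whole attack: once the proxy's root is in the device store, a forged leaf for any host is indistinguishable to a client that only does chain validation. The third is steve1977's point: a client that also pins the server's SubjectPublicKeyInfo rejects it regardless of how many roots the store holds. Two caveats a practitioner will want: pinning only protects the app that pins, so a third-party app is the only party that can defend its own traffic from a "research" app's root (on Android 7.0 and later, apps also do not trust user-installed CAs by default unless their Network Security Config opts in), and a pinning app needs a backup pin and a rotation plan, or a routine server key rotation locks out every installed copy.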
ChrisArchitect, about 1 year ago

[dupe]

More discussion: https://news.ycombinator.com/item?id=39832952
brianaker, about 1 year ago

What I find really surprising is that Amazon has not sought criminal prosecution of Meta.

Even if in all cases a user selected to allow Facebook/Meta to see what they were communicating, which from reading all of the attached documents I don't believe was the case, I don't see how Amazon gave consent.

If some individual had done what Facebook/Meta did, I can't see a situation where Amazon wouldn't have asked for criminal prosecution.

Mastercard and Visa? It would be surprising to see how they would just shrug this off; maybe this hasn't hit their radar yet.
Terretta, about 1 year ago

If anyone wonders why Facebook et al. would like a channel to distribute their own apps without getting blocked...

See also: https://stratechery.com/2024/apple-and-the-monopoly-question-iphone-market-share-apples-durability/
yencabulator, about 1 year ago

Gotta love the actionable utilization of business synergy here:

> asking for "out of the box thinking" on a task that "is really important."

> we are going to figure out a plan for a lockdown effort during June to bring a step change to our Snapchat visibility. This is an opportunity for our team to shine."
ryanwaggoner, about 1 year ago

How is this even possible on a mobile device?

Edit: they paid people to do it: https://techcrunch.com/2019/01/29/facebook-project-atlas/
01HNNWZ0MV43FF, about 1 year ago
The page doesn&#x27;t load for me. Is this true?
userbinator, about 1 year ago

And yet those advocating MITM proxies for filtering traffic to block ads and fix other common user-hostility often receive plenty of scorn from the "security community"...
hulitu, about 1 year ago

> Facebook: We install a root CA on the device and MitM all SSL traffic

Yes, but Facebook is a trusted entity, not like Achmed. /s