How did Facebook intercept competitor's encrypted mobile app traffic? (2014)
9 months ago
- #Privacy
- #Cybersecurity
- #Legal
- Facebook intercepted encrypted traffic from competitor apps using a man-in-the-middle (MITM) technique called 'ssl bump', in which a proxy terminates the TLS connection with a certificate it issues itself and re-encrypts the traffic toward the real server, delivered via the Onavo Protect app.
- The Onavo Protect app prompted users to install a Facebook Research CA certificate to decrypt TLS traffic, targeting domains like Snapchat, YouTube, and Amazon.
- Android security improvements over time, such as stricter CA certificate trust policies and certificate pinning, reduced the effectiveness of Facebook's interception method.
- Facebook considered using Android's Accessibility API as an alternative method to bypass security controls, raising ethical concerns.
- The practice was part of Facebook's strategy to gain competitive insights, leading to legal scrutiny and a $20M fine in Australia.
- Technical analysis revealed the Onavo app collected extensive user data, including app usage statistics and sensitive information like IMSI numbers.
- The lawsuit and technical findings highlight the lengths companies may go to exploit mobile permissions for competitive advantage.
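The defences named above (not trusting user-installed CAs, and certificate pinning) are what an Android app declares in its Network Security Config. The following is an added illustration, not a file from the page, from Onavo, or from any of the apps mentioned: the first `base-config` shows the weak posture that made the 'ssl bump' approach work (trusting user-added CAs such as the one Onavo asked users to install), and the second shows the hardened form. The domain `api.example.com` and the two pin values are placeholders; real pins are the base64 SHA-256 digests of the server's SubjectPublicKeyInfo, and a backup pin is kept so a key rotation does not lock users out.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest with
     android:networkSecurityConfig="@xml/network_security_config".
     Added example; domain and pin digests are placeholders, not real values. -->
<network-security-config>

    <!-- WEAK: trusting "user" anchors means any CA a user is talked into
         installing (as Onavo Protect prompted for) can mint certificates the
         app accepts, so a local proxy can decrypt its TLS traffic.
         Remove this block in production; it is shown only for contrast. -->
    <!--
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    -->

    <!-- HARDENED: system CAs only, no cleartext HTTP. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pin the app's own API so that even a mis-issued or rogue CA
         certificate is rejected unless its SPKI hash matches. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-12-31">
            <!-- placeholder: base64(SHA-256(SubjectPublicKeyInfo)) of the live key -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- placeholder: backup pin for the next key, kept offline -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

    <!-- Allow user CAs only in debug builds, so developers can still
         inspect their own traffic without weakening release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

A quick check that the hardened config is in effect is to install a test CA on a device, point the app at a local TLS-intercepting proxy you control, and confirm the app's connections fail with a certificate validation error instead of succeeding; if they succeed, the manifest is not referencing the config or a `debug-overrides` block is active in the build under test.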