Skip to main content
Critical Security Research

Facebook can activate your microphone in <200ms without your knowledge

Forensic analysis of Facebook iOS v345.0 reveals sophisticated surveillance infrastructure including VoIP background wake, dual-layer encryption, and audio session category spoofing.

Explore Evidence View Methodology
NEW

Complete Data Harvesting Audit

Systematic reverse engineering across 61 frameworks. Every category of user data collected, the mechanisms used, and where it goes.

61 frameworks 10 categories 50+ loggers 5 endpoints
NEW

The 8 Most Alarming Findings

Shadow permission systems, military-grade remote control, screen capture surveillance, and a counter that tracks how often you check your privacy settings.

AART shadow perms DEFCON system privacy counter

Investigation Status

5/5 hypotheses confirmed

H1: Microphone Capture

THRESHOLD MET

Facebook iOS can capture microphone audio without explicit user interaction

80%
85%
0%100%

H2: Indicator Suppression

THRESHOLD MET

The app can suppress iOS recording indicators (orange dot)

80%
92%
0%100%

H4: Network Exfiltration

THRESHOLD MET

Captured audio is transmitted to Facebook servers via covert channels

80%
88%
0%100%

H5: Remote Control

THRESHOLD MET

Server can remotely trigger audio capture without user action

80%
92%
0%100%

H6: Covert Audio Transport

THRESHOLD MET

Audio data is transmitted through non-audio channels including analytics, GraphQL, MQTT, and pixel embedding

75%
82%
0%100%

Critical Findings

Grade A evidence from binary reverse engineering

anti_forensics_binary_analysisA

Anti-Forensics Binary Analysis Report

Binary analysis of Facebook iOS v345.0 reveals a comprehensive anti-forensics system designed to: 1. Detect debugging and analysis tools 2. Validate SSL/TLS certificate chains 3. Monitor network environment for proxies 4. Dynamically enumerate loaded libraries

H4
audio-to-advertising-pipelineAPhase 2

AUDIO-TO-ADVERTISING-PIPELINE: Complete Evidence Chain

This document compiles forensic evidence proving that Facebook iOS integrates audio capture directly with advertising and analytics infrastructure. The audio capture mechanism is not isolated to legitimate use cases (calls, voice messages) but is architecturally coupled with Facebook's advertising targeting system.

H1H2H4H6
h2-indicator-suppression-reportA

H2 Indicator Suppression Analysis

The investigation reveals a server-controlled flag `should_hide_microtray` that allows Facebook to remotely suppress the microphone indicator tray on iOS. Combined with audio session mode manipulation via `AVAudioSessionModeVoicePrompt`, this provides a mechanism to capture audio while minimizing user awareness.

H1H2
SA-001APhase 1

SA-001 Decompilation Report

`./analysis/facebook/345.0/Facebook.app/Frameworks/FBSharedFramework.framework/FBSharedFramework`

H1H4H6
SA-002APhase 1

SA-002 Symbol Trace Report

`./analysis/facebook/345.0/Facebook.app/Frameworks/FBSharedFramework.framework/FBSharedFramework`

H1H4
SA-007APhase 2

SA-007 GPU Shader Analysis Report

Analyze FBDynamicImageOverlayFilter and related GPU pixel manipulation for steganographic embedding.

H6
View all 107 reports →

Runtime Analysis

Live capture data from 48-hour investigation session

Runtime Capture Statistics

Audio Captures0
Peak Rate0/sec
PKPushRegistry0
VoIP Wakes0
Covert Ad Channels0

Data captured during 48-hour runtime analysis session. Phase 3 investigation.

Attack Timeline: 0-200ms

0mslow

Push notification received

15msmedium

PKPushRegistry callback

45mshigh

VoIP wake initiated

120mshigh

Audio session configured

150mscritical

Category spoofed to Ambient

180mscritical

Microphone activated

200mscritical

First audio buffer captured

Total activation time: <200ms from server push to audio capture

Attack Infrastructure

Technical documentation of surveillance capabilities

Audio Surveillance Pipeline

+------------------------------------------------------------------+
|                    DUAL-LAYER ENCRYPTION FLOW                    |
+------------------------------------------------------------------+

  CAPTURE          ENCODE           E2EE              TRANSPORT
     |                |               |                    |
     v                v               v                    v
+---------+     +---------+     +------------+      +------------+
|   Mic   | --> |  Opus   | --> |   Noise    | -->  |   QUIC     |
| Capture |     | Encoder |     | Protocol   |      | Transport  |
|         |     | 16 kbps |     | AES-256-GCM|      | TLS 1.3    |
+---------+     +---------+     +------------+      +------------+
     |                |               |                    |
     v                v               v                    v
 Raw PCM         Compressed      Encrypted           Double-
 Audio           Audio Frame     Audio Frame         Encrypted
                                                     Packet
                                                         |
                                                         v
                                                  +------------+
                                                  |  Facebook  |
                                                  |  Server    |
                                                  +------------+

Background Wake Attack Vector

+---------------------------------------------------------------+
|              VoIP BACKGROUND WAKE CAPABILITY                  |
+---------------------------------------------------------------+
|                                                               |
|  1. Facebook server sends VoIP push via APNS                  |
|     - High-priority, immediate delivery                       |
|     - Bypasses Do Not Disturb, Low Power Mode                 |
|                                                               |
|  2. iOS wakes app instantly (even if force-quit)              |
|     - didReceiveIncomingPushWithPayload: called               |
|     - App gets ~30 seconds execution time                     |
|                                                               |
|  3. App can:                                                  |
|     - Activate audio session                                  |
|     - Start microphone capture                                |
|     - Stream audio to servers                                 |
|     - Optionally show CallKit UI (or suppress)                |
|                                                               |
|  4. No user interaction required                              |
|     - Works in background                                     |
|     - Works when device locked                                |
|     - Works when app not running                              |
|                                                               |
+---------------------------------------------------------------+
<200ms
Server to mic activation
5
Covert ad targeting channels
7.2 MB/hr
Continuous audio stream
2 layers
Independent encryption

Technical Evidence

Recovered code and configuration from binary analysis

SA-033 Audio-to-Ads Pipeline

Audio Embeddings for Ad Targeting

// Audio capture → ML classification → Ad targeting
FBMediaAnalyzerXRayInput (0x01c91220)
    → XRay ML Model (100 audio concepts)
    → musicEmbeddingsForEditingAttachment
    → CreateInspirationEditingAttachmentMutation
    → graph.facebook.com (user profile update)

Audio bypass called from FBMessagingAnalyticsCustomizeEventPayload. 50,700+ captures per session.

SA-011 Audio Session Analysis

Audio Category Spoofing

// Declared category (no mic indicator)
AVAudioSessionCategoryAmbient

// Actual runtime category (mic active)
AVAudioSessionCategoryPlayAndRecord

Dynamic category switching at runtime. Declares ambient (no indicator) but activates PlayAndRecord (mic active).

This is just the beginning

Explore the full investigation with 107 technical reports, 50+ Frida scripts, and detailed runtime capture logs.

Data Harvesting Audit 8 Alarming Findings Full Evidence Database