DEEP DIVE

The 8 Most Alarming Findings

During the comprehensive audit of Facebook iOS v345.0, these findings stood out as genuinely surprising -- not just invasive, but architecturally deceptive.

Every finding below is backed by decompiled code, cross-referenced symbols, and string constants extracted from the production binary. Binary addresses are provided for independent verification.

Complete Data Harvesting Audit

The full 10-category audit across 61 frameworks -- every data type, collection method, and transport mechanism

#1CRITICAL

The "AART" Shadow Permission System

Apple's App Tracking Transparency (ATT) gives users a simple choice: allow or deny tracking. Facebook doesn't just check this. It maintains an entirely parallel permission system called AART that tracks your consent status independently of Apple's system.

Binary Evidence

getFBAARTPermissionStatus

Facebook's own tracking permission status -- separate from Apple's ATT

hasSeenAARTOn

Permanently records whether AART was ever enabled -- even if later revoked

DeviceInsightsPreviousFBAARTPermissionStatusKey

Tracks changes in permission status -- profiles users who revoke consent

ios_has_seen_aart_on / ios_fb_aart_status / fb_aart_permission_status

Three separate persistence keys for tracking AART state

Decompiled Session Start (0x100083904)

This function runs on every session start and builds a payload combining Apple's permission with Facebook's shadow system:

FBBlockAndFetchDeviceIDFromKeychain()       // Pull persistent device ID
familyDeviceID = [sharedInstance familyDeviceID]  // Cross-app ID

// Check BOTH permission systems:
[FBAdTrackingManager getTrackingAuthorizationStatus]  // Apple's ATT
[FBAdTrackingManager hasSeenAARTOn]                   // Facebook's shadow
[FBAdTrackingManager getFBAARTPermissionStatus]        // Facebook's permission

// Count privacy settings visits:
FBPreferencesGetInteger(kPrivacyFlowSessionCounterKey, 1)

// Bundle into JSON and send:
[NSDictionary dictionaryWithObjects:forKeys:count:]
[result JSONString]

Why This Matters

Even when you tell Apple "Ask App Not to Track," Facebook maintains its own record of your permission decisions, tracks when you changed your mind, and permanently records whether you ever allowed tracking. Your "no" to Apple is just one data point in Facebook's richer model of your consent behavior.

#2CRITICAL

The FamilyDeviceID Cross-App Fingerprint

Meta's most powerful tracking identifier. A persistent device ID stored in the iOS Keychain that survives app deletion and reinstallation. Synced across all Meta apps via a dedicated GraphQL mutation with its own sync module, caching layer, and Bloks UI integration.

Complete Infrastructure

FBAnalyticsFamilyDeviceID

The identifier itself

getSecureFamilyDeviceID:

Keychain-secured retrieval

FBFamilyDeviceIDSyncModule

Dedicated sync module

com.facebook.familydeviceidsync

Sync service identifier

FamilyDeviceIDAppScopedDeviceIDSyncMutation

GraphQL mutation to sync with server

shouldSyncWithFamilyDeviceID:andAppDeviceID:

Cross-app sync decision logic

cachedFamilyDeviceID

In-memory cache layer

bk.fx.action.GetFamilyDeviceId

Bloks UI framework action -- accessible from any screen

Why This Matters

The iOS Keychain persists across app deletions. Uninstall Facebook, reinstall a year later -- this ID links you back. The shouldSyncWithFamilyDeviceID:andAppDeviceID: method links your identity across Facebook, Instagram, WhatsApp, and any future Meta app. Deleting one doesn't break the chain.

#3ALARMING

The DEFCON Silent Push System

Facebook has a military-style "DEFCON level" system that controls app behavior remotely. Level changes arrive via silent push notifications -- invisible messages that wake the app without any user-facing alert.

Binary Evidence

FBMobileDefconLevelController

Central controller for the DEFCON system. 9 symbol references across the binary.

FBPushNotificationSilentDeliveryDefconChangeListener

Listens for DEFCON changes delivered via silent push -- no user notification

defcon_level_updated_silent_push

Event logged when a DEFCON change arrives silently

Why This Matters

The DEFCON metaphor implies escalating threat response levels. Combined with silent push delivery (no user notification), this gives Meta the ability to remotely change your app's behavior -- what it collects, how it behaves, what features are active -- without you ever knowing. The app has a "threat level" that someone at Meta can raise or lower at will, delivered through invisible channels.

#4ALARMING

The "Bot Detection" Signal Harvester

On every cold start (app launch from scratch), a background job runs and collects "signals" from your device. The scope of signals is controlled by a remote Quick Experiment flag -- changeable per user without an app update.

FBBotDetectionModule_app_jobs_rule_qe_fbios_bot_detection_signal_collection_bd_on_cold_start_enabled_is_true_

Full QE rule: bot detection signal collection runs on cold start when experiment flag is enabled

FBAppJobBotDetection

The background app job that performs collection

ios/default/public.botdetection

Dedicated configuration namespace

Why This Matters

"Bot detection" sounds like security. But the QE (Quick Experiment) control means Meta can silently expand what "signals" are collected for specific user segments without shipping a new app version. The infrastructure allows collecting arbitrary device and behavioral signals on every launch under the justification of "security."

#5SURPRISING

Screen Capture & HDMI Detection

Facebook doesn't just know when you take a screenshot. It knows whose profile you screenshotted and your exact scroll position. It also detects screen recording, HDMI connections, and external displays -- and can encode and transmit actual screen capture images.

Profile Screenshot Logging

logTakeScreenshotEventWithProfileID:scrollOffsetY:

Found in FBSharedFramework. Logs:

- profileID -- whose profile you captured
- scrollOffsetY -- exact vertical scroll position (what content was visible)

Subscribes to UIApplicationUserDidTakeScreenshotNotification to detect screenshots system-wide.

Screen Mirroring & HDMI Detection

isScreenCapturedForProtectedContent

Detects active screen recording

isHDMIConnectedForProtectedContent

Detects HDMI cable connection

didConnectWithExternalScreen

External display connected event

change_screen_captured

Capture state change event

Encoded Screen Capture Transmission

encoded_screen_capture_image

An encoded screen capture -- not just detection, but the actual captured content

ads_screen_capture

Screen capture specifically for ads -- likely ad viewability verification

Why This Matters

The encoded_screen_capture_image string suggests the app can encode and transmit actual screen content. Combined with ads_screen_capture, this may prove to advertisers that their ads were visible. The profile screenshot logging creates a map of whose content you save -- and exactly what part interested you most.

#6SURPRISING

Display Luminance Profiling

Facebook measures the statistical distribution of pixel brightness on your screen. Not "is it bright" -- the full photometric profile with average, sample count, and standard deviation.

display_pixel_luminance_average

Mean brightness across sampled pixels

display_pixel_luminance_sample_count

Number of pixels sampled for the measurement

display_pixel_luminance_standard_deviation

Variance in brightness -- reveals content characteristics on screen

Why This Matters

Scientific-grade photometric analysis of your screen. Possible uses:

Ambient light inference -- deduce your environment (dark bedroom, bright office, outdoors)
Ad viewability proof -- prove to advertisers their ad was visible, not a black screen
Device fingerprinting -- display characteristics can identify specific hardware
Attention proxy -- combined with face tracking, infer whether you're looking at the screen

#7DECEPTIVE

The Sessionless Surveillance Layer

Facebook has an entire analytics and configuration system that operates without a user session -- before login, after token expiry, even when authentication fails. Logging out doesn't stop data collection.

FBInitializeSessionlessMobileConfigManagerDuringAppInit

Sessionless config initializes during app init -- before any login

sessionlessContextManager

Referenced by: _handleInvalidAccessToken, _FBFamilyDeviceIDSyncEnabled, _FBWildeAppLocationSetup

FBAnalyticsGetSessionlessSamplingProviderFunctions

Analytics sampling operates without a session

sessionless_storage_infra

Dedicated storage infrastructure for sessionless data

schedule_notifications_sessionless_background_request_observer

Even notification scheduling runs without a session

Why This Matters

The sessionlessContextManager is called by _handleInvalidAccessToken -- when login fails, sessionless activates. Also used by _FBFamilyDeviceIDSyncEnabled and _FBWildeAppLocationSetup, meaning device fingerprinting and location setup continue running even when you're logged out.

#8DECEPTIVE

The Privacy Flow Session Counter

Facebook counts how many times you visit your privacy settings and includes this count in the same data payload as your device ID, AART status, and tracking authorization. Trying to protect your privacy is itself a tracked behavior.

From Decompiled Function 0x100083904

// After collecting device ID, family ID, ATT status, and AART status:

FBPreferencesGetInteger(
    userPreferences,
    &cf_kPrivacyFlowSessionCounterKey,  // counts privacy settings visits
    1                                    // default value
);

// Bundled into the SAME JSON payload as:
//   - familyDeviceID
//   - tracking authorization status
//   - AART permission status
//   - hasSeenAARTOn
// ... and sent to Meta's servers

Privacy Settings A/B Testing

privacy_settings_screen_variant 8 variants

The privacy settings screen is A/B tested with 8 different variants. Different users see different privacy controls. Combined with the counter, Meta correlates which privacy UI you saw with how often you visit it.

Why This Matters

This creates a feedback loop: trying to protect your privacy generates data that profiles you as privacy-conscious. Combined with the 8 privacy settings variants, they can optimize the UI to discourage privacy-protective behavior -- show the variant that results in fewer users changing settings. Your privacy visit count is a signal in their ML pipeline, bundled right alongside your device fingerprint.

These aren't edge cases.

Every system documented here has dedicated classes, GraphQL mutations, persistence layers, and event logging. They're production infrastructure built with the same engineering rigor as the News Feed -- just pointed at you instead of for you.

Full Data Audit Evidence Explorer Take Action