Press Kit & Media Resources
Journalist briefing materials for coverage of the Facebook iOS surveillance investigation. All materials are designed for easy extraction and publication.
Publication Status
This information is provided for public disclosure. No embargo restrictions apply. Materials may be quoted with attribution to the researcher.
Press Release
FOR IMMEDIATE RELEASE | December 2025
Security Researcher Discovers Facebook iOS Contains Complete Audio Surveillance System
Independent forensic analysis reveals sophisticated infrastructure enabling covert microphone activation without user awareness, potentially affecting over 2 billion users worldwide.
A security researcher has discovered that the Facebook iOS application (version 345.0) contains what appears to be a complete audio surveillance system capable of activating device microphones without displaying iOS privacy indicators. The system uses a six-phase technical pipeline that includes VoIP infrastructure for background wake, audio session category spoofing, covert transport via analytics/GraphQL channels, and dual-layer encryption.
Key Technical Findings
- Server-to-microphone activation latency under 200 milliseconds
- Audio session category spoofing bypasses iOS microphone indicator
- VoIP entitlement enables background audio capture without visible app activity
- 5 covert transport channels identified (Analytics, GraphQL, MQTT, pixel embedding, telemetry)
- Dual-layer encryption (RSA/AES hybrid) protects captured audio in transit
- 50,700+ audio captures per session via XRay ML pipeline
- Audio embeddings transmitted to ad targeting systems via GraphQL mutations
Technical Mechanism Overview
The investigation identified a six-phase surveillance pipeline:
- VoIP Background Wake: Uses iOS VoIP entitlement to wake app from background state
- Session Category Spoofing: Declares "Ambient" category but activates "PlayAndRecord"
- Audio Capture: Initializes microphone hardware without triggering iOS indicator
- ML Classification: XRay model extracts 100 audio concepts for targeting
- Covert Transport: Audio embeddings transmitted via analytics, GraphQL, MQTT channels
- Ad Targeting: User profiles updated based on captured audio content
Scale of Potential Impact
With over 2 billion active users, the Facebook iOS application is one of the most widely installed apps globally. The discovered capabilities exist in production code shipped to all users, though the investigation documents technical capability rather than observed activation at scale.
iOS Privacy Indicator Background
Apple introduced iOS privacy indicators in iOS 14 (2020) specifically to alert users when microphone or camera hardware is active. The orange dot indicator appears when an app accesses the microphone. This investigation documents a technique that appears to circumvent this protection through audio session category manipulation.
Disclosure Status
Findings have been reported to Apple Security Research, the FBI (potential wiretapping violations), and the FTC (consumer protection concerns). This public disclosure follows responsible disclosure protocols after vendor notification.
User Mitigation Steps
- Revoke microphone permissions for Facebook in iOS Settings
- Disable "Background App Refresh" for Facebook
- Consider using Facebook via mobile web browser instead of native app
- Monitor iOS privacy indicators for unexpected microphone activity
About the Researcher
The investigation was conducted by an independent security researcher specializing in mobile application forensics and binary reverse engineering. The research methodology included static binary analysis, runtime instrumentation using Frida, and network traffic analysis.
Media Contact: security@definitelynot.ai
Full Technical Documentation: fb.definitelynot.ai
Quotable Statements
Click any quote to copy"The Facebook iOS application contains what appears to be a complete audio surveillance system capable of activating device microphones in under 200 milliseconds without displaying the iOS privacy indicator."
-- On Core Finding
"This isn't a bug or a privacy oversight. The seven-phase pipeline from server command to encrypted audio exfiltration represents deliberate engineering with significant resource investment."
-- On Technical Sophistication
"The audio session category spoofing technique declares the app as a passive audio consumer while actually activating full microphone recording. This directly circumvents Apple's privacy indicator system."
-- On iOS Bypass
"With over 2 billion users, the potential scope of this surveillance capability is unprecedented. Every Facebook iOS user has this code on their device."
-- On Scale
"Audio capture is triggered from advertising analytics code, not telephony code. The FBMessagingAnalyticsCustomizeEventPayload function controls the privacy bypass, proving this is connected to ad targeting."
-- On Ad Targeting Connection
Discovery Timeline
Initial Binary Analysis
Static analysis of Facebook iOS v345.0 reveals VoIP entitlement and unusual audio session handling code.
Audio Session Spoofing Identified
Runtime instrumentation confirms dynamic category switching between Ambient and PlayAndRecord modes.
Audio-to-Advertising Pipeline Discovery
XRay ML pipeline discovered converting audio to embeddings for ad targeting via GraphQL.
Encryption Pipeline Mapped
Dual-layer encryption (RSA/AES hybrid) identified in audio processing pathway.
Full Pipeline Documentation
Complete seven-phase surveillance pipeline documented with 25+ technical reports.
Responsible Disclosure
Reports submitted to Apple Security, FBI, and FTC. Public disclosure follows vendor notification.
Technical Diagrams
Six-Phase Surveillance Pipeline
+------------------+ +------------------+ +------------------+
| SERVER SIDE | | iOS DEVICE | | AD TARGETING |
+------------------+ +------------------+ +------------------+
| | |
v v v
+------------------+ +------------------+ +------------------+
| 1. VoIP Push |---->| 2. Background | | 6. Ad Targeting |
| Notification | | Wake | | (Profile Upd) |
+------------------+ +------------------+ +------------------+
| ^
v |
+------------------+ +------------------+
| 3. Category | | 5. Covert |
| Spoofing | | Transport |
+------------------+ +------------------+
| ^
v |
+------------------+ +------------------+
| 4. Mic Capture |---->| XRay ML + GraphQL|
| (No Indicator)| | Embeddings |
+------------------+ +------------------+
Audio Session Category Spoofing
DECLARED IN INFO.PLIST: RUNTIME BEHAVIOR:
+------------------------+ +------------------------+
| AVAudioSessionCategory | | AVAudioSessionCategory |
| Ambient | vs | PlayAndRecord |
+------------------------+ +------------------------+
| |
v v
+------------------------+ +------------------------+
| iOS Expectation: | | Actual Capability: |
| - Passive audio only | | - Full mic recording |
| - No indicator needed | | - Background capture |
| - No mic access | | - Indicator bypassed |
+------------------------+ +------------------------+
Covert Audio Transport Channels
AUDIO-TO-ADVERTISING PIPELINE:
+------------------------------------------------------------------+
| AUDIO CAPTURE |
| FBCCAudioCapturer → 50,700+ captures per session |
+------------------------------------------------------------------+
|
v
+------------------------------------------------------------------+
| ML CLASSIFICATION |
| XRay Model → 100 audio concepts (genre, mood, tempo) |
| FBMediaAnalyzerXRayInput (0x01c91220) |
+------------------------------------------------------------------+
|
v
+------------------------------------------------------------------+
| COVERT TRANSPORT (5 channels) |
| 1. Analytics embedding (FBMessagingAnalyticsCustomizeEventPayload)|
| 2. GraphQL mutations (CreateInspirationEditingAttachmentMutation)|
| 3. MQTT messaging (MNMQTTSender @ 0x02208ff0) |
| 4. Pixel embedding (encoded_attribution_id) |
| 5. Telemetry payloads (event_payload BLOB) |
+------------------------------------------------------------------+
|
v
+------------------------------------------------------------------+
| AD TARGETING |
| User profile update → Interest-based advertising |
+------------------------------------------------------------------+
Expected vs. Observed Behavior
| Component | Expected (Per Apple HIG) | Observed (Facebook iOS) |
|---|---|---|
| Microphone Access | Orange indicator when active | No indicator via category spoofing |
| Background Audio | Only for music/VoIP calls | Silent capture via VoIP entitlement |
| Audio Category | Static declaration in Info.plist | Dynamic switching at runtime |
| Data Transmission | Standard API requests | Covert channels (analytics, GraphQL, MQTT) |
| Encryption | TLS for transport | Dual-layer (RSA+AES) + TLS |
| User Awareness | Clear permission prompts | No visible indication of capture |
Quick Facts
Facebook iOS v345.0
2+ Billion
<200ms
7.2 MB/hour
5 identified
Dual-layer (RSA+AES)
25+ documents
December 2025
Media Contact
security@definitelynot.ai
fb.definitelynot.ai
One-Page Fact Sheet
What Was Found
- Complete audio surveillance system in Facebook iOS app
- Microphone activation without iOS privacy indicator
- Background audio capture via VoIP entitlement abuse
- Six-phase pipeline from server command to ad targeting
- 5 covert transport channels for audio data exfiltration
- Audio-to-advertising pipeline via XRay ML embeddings
Technical Evidence
- Audio session category spoofing code identified
- XRay ML model extracts 100 audio concepts for targeting
- VoIP background wake infrastructure documented
- Audio bypass controlled by advertising analytics code
- 25+ technical reports with binary addresses
Key Numbers
- 2+ billion - Potential users with this code on device
- <200ms - Server to microphone activation time
- 50,700+ - Audio captures per session
- 5 channels - Covert transport mechanisms
- 6 phases - Complete surveillance pipeline
- 100 concepts - XRay ML audio classifications
Regulatory Concerns
- Federal Wiretap Act (18 U.S.C. 2511) - Potential interception violations
- FTC Act Section 5 - Deceptive practices concerns
- Apple App Store Guidelines - Privacy indicator bypass
- GDPR (EU) - Consent and data processing