Research Documentation

Investigation Methodology

A comprehensive overview of the research framework, tools, and verification standards used in the Facebook iOS surveillance investigation.

01 Investigation Overview

Research Parameters

Research Duration
December 26-30, 2025
Target Application
Facebook iOS v345.0
Build Number
333768490
Target Platform
iOS 15.1

Research Scope

  • Binary reverse engineering of core frameworks
  • Runtime behavior analysis via dynamic instrumentation
  • Audio capture and processing pipeline analysis
  • Network exfiltration pattern identification
  • Audio-to-advertising pipeline analysis

02 Tools Used

Frida 17.5.2

Dynamic instrumentation toolkit for runtime method hooking, memory inspection, and behavior monitoring.

PyGhidra

Python interface to Ghidra for automated binary analysis, decompilation, and cross-reference mapping.

radare2

Advanced command-line reverse engineering framework for disassembly and binary manipulation.

objdump / strings

Standard UNIX utilities for symbol extraction, string mining, and section analysis.

Custom Monitoring Scripts

Purpose-built Frida scripts for audio buffer interception, encryption key extraction, network traffic correlation, and indicator suppression detection.

03 Analysis Phases

Phase 1

Initial Discovery

SA-001 to SA-005
  • 1.1 Binary extraction from decrypted IPA and framework enumeration
  • 1.2 Symbol tracing for audio and recording-related classes
  • 1.3 Pattern hunting for suspicious method signatures
  • 1.4 String mining for encryption keys and debug artifacts
  • 1.5 Class mapping for FBMediaAudioRecorder hierarchy

Phase 2

Deep Analysis

SA-006 to SA-012
  • 2.1 Key derivation analysis for encryption infrastructure
  • 2.2 GPU shader inspection for frame manipulation
  • 2.3 XRay model investigation for ML-based audio analysis
  • 2.4 Buffer lifecycle tracking through ring buffer infrastructure
  • 2.5 Audio category spoofing mechanism identification
  • 2.6 Feature flag tracing for server-controlled capabilities

Phase 3

Critical Findings

SA-013 to SA-026
  • 3.1 Audio-to-advertising pipeline discovery and XRay ML analysis
  • 3.2 E2EE Noise Protocol implementation bypass investigation
  • 3.3 Upload chunking analysis for data exfiltration paths
  • 3.4 Speech recognition pipeline and Wit.ai integration
  • 3.5 Dual-layer encryption (MNPLMessageCrypto + LightSpeed)
  • 3.6 Covert audio transport channel identification (5 channels)

04 Evidence Classification

A Definitive Proof

Direct code evidence, runtime captures, or cryptographic proof that leaves no reasonable alternative explanation. Requires multiple independent confirmations.

B Strong Evidence

Compelling evidence from static or runtime analysis that strongly supports the hypothesis with limited alternative explanations.

C Corroborating Evidence

Supporting evidence that aligns with the hypothesis but could have alternative legitimate explanations when viewed in isolation.

D Supporting Context

Circumstantial evidence that provides context but does not directly prove the hypothesis. Useful for establishing patterns and intent.

05 Hypothesis Testing Framework

The Five Hypotheses

H1

Microphone Capture

Facebook iOS can capture microphone audio without explicit user interaction.

Threshold: 80% | Status: BELOW (78%)

H2

Indicator Suppression

The app can suppress iOS recording indicators (orange dot).

Threshold: 80% | Status: MET (92%)

H4

Network Exfiltration

Captured audio is transmitted to Facebook servers via covert channels.

Threshold: 80% | Status: MET (88%)

H5

Remote Control

Server can remotely trigger audio capture without user action.

Threshold: 80% | Status: MET (92%)

H6

Covert Audio Transport

Audio data is transmitted through non-audio channels including analytics, GraphQL, MQTT, and pixel embedding.

Threshold: 75% | Status: BELOW (72%)

Confidence Thresholds

Each hypothesis has a specific confidence threshold based on the nature of the claim:

  • 80% threshold: Core surveillance claims (H1, H2, H4, H5) - requires strong cumulative evidence
  • 75% threshold: Capability claims (H6) - lower bar as this represents transport mechanism capability

Confidence is calculated based on cumulative weighted evidence from all related reports, with Grade A evidence contributing more than Grade D.
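The scoring described above, worked through as an added illustration (not the investigation's own tooling): each finding carries a grade, the verification standards cap a claimed Grade A that lacks two independent confirmations or unresolved alternatives, and the per-hypothesis confidence is compared with the thresholds listed. The per-grade weights and the noisy-OR combination rule are assumptions; the page only states that Grade A contributes more than Grade D.

```python
from dataclasses import dataclass

# Assumed weights: how much "doubt" one finding of each grade removes.
# The page gives only the ordering A > B > C > D, not these values.
GRADE_WEIGHT = {"A": 0.6, "B": 0.4, "C": 0.2, "D": 0.1}
THRESHOLD = {"H1": 80, "H2": 80, "H4": 80, "H5": 80, "H6": 75}


@dataclass(frozen=True)
class Finding:
    hypothesis: str
    claimed_grade: str
    methods: frozenset            # independent analysis methods that confirmed it
    alternatives_ruled_out: bool  # verification standard 4


def effective_grade(f: Finding) -> str:
    """Verification standards 1 and 4: Grade A needs at least two independent
    confirmations and all reasonable alternatives ruled out; otherwise cap at B."""
    if f.claimed_grade == "A" and (len(f.methods) < 2 or not f.alternatives_ruled_out):
        return "B"
    return f.claimed_grade


def confidence(findings, hypothesis: str) -> float:
    """Cumulative weighted evidence (assumed noisy-OR): each finding multiplies
    the remaining doubt by (1 - weight), so more and better evidence raises it."""
    remaining_doubt = 1.0
    for f in findings:
        if f.hypothesis == hypothesis:
            remaining_doubt *= 1.0 - GRADE_WEIGHT[effective_grade(f)]
    return round(100 * (1.0 - remaining_doubt), 1)


def status(findings, hypothesis: str):
    c = confidence(findings, hypothesis)
    return ("MET" if c >= THRESHOLD[hypothesis] else "BELOW", c)


# Constructed sample findings (illustrative, not the report's actual evidence).
SAMPLE = [
    Finding("H2", "A", frozenset({"static", "runtime"}), True),   # stays A
    Finding("H2", "A", frozenset({"strings"}), True),             # capped to B
    Finding("H2", "C", frozenset({"runtime"}), False),
    Finding("H6", "B", frozenset({"static", "runtime"}), False),
    Finding("H6", "C", frozenset({"strings"}), False),
    Finding("H6", "D", frozenset({"static"}), False),
]

if __name__ == "__main__":
    for h in ("H2", "H6"):
        print(h, *status(SAMPLE, h))   # H2 MET 80.8 / H6 BELOW 56.8
```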

06 Verification Standards

1. Multiple Independent Confirmations

All critical findings require verification through at least two independent analysis methods (e.g., static analysis confirmed by runtime observation, or string analysis confirmed by binary decompilation).

2. Runtime/Static Correlation

Runtime evidence must match predictions from static analysis. If static analysis suggests a method encrypts audio data, runtime instrumentation must capture that exact behavior with matching parameters.

3. Cross-Reference Between Reports

Findings in one report must be consistent with and reinforced by findings in related reports. Contradictions trigger re-analysis and confidence adjustments.

4. Alternative Explanation Testing

Each finding is evaluated against legitimate alternative explanations. A finding only receives Grade A classification when all reasonable alternatives have been ruled out.

07 Reproducibility

All findings in this investigation are designed to be independently reproducible by qualified security researchers. The following resources are provided:

Requirements for Reproduction

  • Jailbroken iOS device (iOS 15.x recommended)
  • Facebook iOS v345.0 (Build 333768490) or compatible version
  • Frida 17.5.2 with frida-tools
  • Python 3.9+ with pyghidra
  • Ghidra 11.x with analysis plugins

This methodology documentation follows established security research practices. All findings document technical capabilities, not necessarily active exploitation or intent.