**Purpose:** audit the repo’s claimed “audio exfil endpoints” and classify each as **directly evidenced** vs **inferred/speculative**, based on what is actually present in this repository’s documentation and analysis outputs.
This file is intentionally conservative: it distinguishes **capability** (strings/classes/call graphs exist) from **behavior** (traffic observed during “passive browsing”).
Evidence Levels Used
- undefined
Endpoint Inventory (What the repo claims vs what it currently proves)
1) `wss://shortwave.facebook.com/v2/vp/recognition`
**Claimed role:** real-time speech recognition / audio streaming endpoint.
**Evidence in this repo:**
- undefined
**What’s dubious / missing:**
- undefined
**Current classification:** **Direct (Binary)** for the hostname (`shortwave.facebook.com`) based on decompilation reports, but **NOT Direct (Runtime)** in this repo’s included traffic captures.
2) `https://graph.facebook.com/graphql` (and `graph.facebook.com` generally)
**Claimed role:** GraphQL mutations / media upload pathway (including “audio embeddings” or other audio-derived metadata).
**Evidence in this repo:**
- undefined
**What’s dubious / missing:**
- undefined
**Current classification:** **Indirect (Pipeline)** with strong static support; still needs **Direct (Runtime)** capture to show the specific traffic leaving the device during the relevant period.
3) `https://rupload.facebook.com/%s/%s`
**Claimed role:** CDN upload endpoint for voice/audio.
**Evidence in this repo:**
- undefined
**What’s dubious / missing:**
- undefined
**Current classification:** **Inferred** (not proven by artifacts contained here).
4) `https://fb.audio/live/%@`
**Claimed role:** “live audio streaming”.
**Evidence in this repo:**
- undefined
**What’s dubious / missing:**
- undefined
**Current classification:** **Speculative** (as an exfil endpoint) based on current repo artifacts.
5) `upload.facebook.com` (generic)
**Claimed role:** general uploads.
**Evidence in this repo:**
- undefined
**What’s dubious / missing:**
- undefined
**Current classification:** **Inferred/Generic** (watchlist; not proven here).
What the included PCAPs currently show (important)
The repo’s `packet-capture/*.pcap` files (as present in this workspace) largely show:
- undefined
This means “timeline syncing” on these particular PCAPs can at best show correlation between:
- undefined
Recommended “Timeline Sync” Approach (to make correlation evidence defensible)
To support a claim like “mic capture triggers outbound transmission” you want two synchronized time series:
- undefined
- undefined
- undefined
- undefined
**Correlation rubric (conservative):**
- undefined
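A minimal sketch of the timeline-sync comparison described above, added here as an illustration; it is not code from this repository. The input shapes (mic-active intervals, per-flow TLS SNI hostname and uplink byte counts), the 2-second lag, and the 5x ratio threshold are assumptions rather than the repo's own rubric, and all sample data is constructed.

```python
from collections import defaultdict

# Hostnames from the endpoint inventory on this page.
WATCHLIST = ("shortwave.facebook.com", "graph.facebook.com",
             "rupload.facebook.com", "upload.facebook.com", "fb.audio")

# Constructed sample data (NOT taken from the repo's PCAPs or device logs).
CAPTURE = (0.0, 600.0)                          # capture start/end, seconds
MIC_WINDOWS = [(100.0, 130.0), (300.0, 330.0)]  # mic-active intervals
FLOWS = [  # (timestamp, TLS SNI hostname, uplink bytes)
    (101.0, "shortwave.facebook.com", 4000),
    (115.0, "shortwave.facebook.com", 6000),
    (310.0, "shortwave.facebook.com", 6000),
    (50.0, "graph.facebook.com", 1072),
    (120.0, "graph.facebook.com", 128),
    (400.0, "graph.facebook.com", 1072),
    (200.0, "example.org", 9999),               # not on the watchlist, ignored
]

def classify(rate_active, rate_idle, ratio=5.0):
    """Assumed thresholds. A verdict describes timing only, never payload content."""
    if rate_active == 0 and rate_idle == 0:
        return "no traffic observed"
    if rate_active == 0:
        return "idle-only traffic"
    if rate_idle == 0 or rate_active / rate_idle >= ratio:
        return "timing-correlated"
    return "not distinguishable from baseline"

def correlate(flows, mic_windows, capture, lag=2.0):
    """Per watched host: uplink bytes/sec in mic-active vs idle time, plus a verdict.
    Assumes mic windows lie inside the capture and are more than `lag` seconds apart."""
    start, end = capture
    active_secs = sum(min(e + lag, end) - max(s, start) for s, e in mic_windows)
    idle_secs = (end - start) - active_secs
    totals = defaultdict(lambda: [0, 0])        # host -> [active bytes, idle bytes]
    for ts, host, nbytes in flows:
        if host not in WATCHLIST:
            continue
        active = any(s <= ts <= e + lag for s, e in mic_windows)
        totals[host][0 if active else 1] += nbytes
    report = {}
    for host in WATCHLIST:
        a, i = totals[host]
        ra, ri = a / active_secs, i / idle_secs
        report[host] = (ra, ri, classify(ra, ri))
    return report

if __name__ == "__main__":
    for host, (ra, ri, verdict) in correlate(FLOWS, MIC_WINDOWS, CAPTURE).items():
        print(f"{host:26} active={ra:7.1f} B/s idle={ri:7.1f} B/s  {verdict}")
```

A "timing-correlated" verdict only says that uplink volume to a host rose while the mic was active; with TLS traffic it says nothing about what the bytes contained, so it supports correlation evidence, not a Direct (Runtime) classification by itself.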
Bottom Line
- undefined