Facebook iOS v345.0 - Evidence Summary

Key Findings

Component	Status / Finding
`FBMediaUploadFlowCoordinator`	Upload orchestration
`MBIMediaUploadConfig`	Upload configuration
`FBFacecastThemeOpaqueDarkTheme`	Video calling theme
`FBFeedShimmeringStoryFlexComponentSpec`	Shimmer UI

Technical Diagrams

Classes Involved Line 115

| Class | Role | Suspicious? |
|-------|------|-------------|
| `FBARKAudioSessionController` | ARKit audio control | High polling rate |
| `FBSystemAudioSessionManager` | Audio session management | Tied to UI components |
| `FBMediaUploadFlowCoordinator` | Upload orchestration | Active on background |
| `MBIMediaUploadConfig` | Upload configuration | Constant polling |
| `FBFacecastThemeOpaqueDarkTheme` | Video calling theme | In upload backtraces |
| `FBFeedShimmeringStoryFlexComponentSpec` | Shimmer UI | Triggers audio |

FILES CREATED Line 179

| File | Purpose |
|------|---------|
| `fbark_audio_trace.js` | FBARK method tracing |
| `shimmer_trace_monitor.js` | Shimmer→audio chain |
| `combined_monitor.js` | All-in-one monitoring |
| `audio_unit_monitor.js` | Low-level AudioUnit hooks |
| `ios_daemon_monitor.js` | System daemon monitoring |
| `audio_exfil_monitor.js` | Network audio detection |
| `realtime_audio_monitor.js` | Streaming audio detection |
| `background_media_monitor.js` | Background processing |
| `upload_payload_capture.js` | Payload content capture |

Code Evidence

Plain Text

[SAMPLE #1] didReceiveImageSample called
  args[2] (session): <UITouchesEvent: 0x2829b5e00> timestamp: 267219 touches: {(
    <UITouch: 0x12cd06d40> phase: Began tap count: 1 force: 0.000
    location in window: {102.5, 444} location in view: {102.5, 27}
  )}
  Session class: UITouchesEvent

Plain Text

FBFeedPoolCacheSource  - Feed cache/content data
__NSCFConstantString   - Constant strings
__NSCFString           - Mutable strings
UITouchesEvent         - Touch coordinates
__NSMallocBlock__      - Callback closures
nil                    - Null objects

Plain Text

Touch Event (UIKitCore)
  → FBApplicationSendEventListener_ApplicationWillSendEvent
    → _backgroundAudioEnabledClients
      → propertiesForClients:routeIsExternal:active:...
        → _updateAVAudioSessionProperties

Plain Text

FBFeedShimmeringStoryFlexComponentSpec::__internalFactory
  → FBSystemAudioSessionManager::_updateAVAudioSessionProperties

Plain Text

-[FBMediaUploadFlowCoordinator mediaItemUploadFlowSession:didReceiveImageSample:]
-[FBMediaUploadFlowCoordinator mediaItemUploadFlowSession:didCreateTranscoder:]

Investigation Date: 2025-12-30

CRITICAL FINDING (2025-12-30 12:25 UTC)

didReceiveImageSample Receives Touch Events, Not Images

**Direct observation from Frida:**

Plain Text

[SAMPLE #1] didReceiveImageSample called
  args[2] (session): <UITouchesEvent: 0x2829b5e00> timestamp: 267219 touches: {(
    <UITouch: 0x12cd06d40> phase: Began tap count: 1 force: 0.000
    location in window: {102.5, 444} location in view: {102.5, 27}
  )}
  Session class: UITouchesEvent

**Also observed:**

undefined

**Implication:** A method named "didReceiveImageSample" in the media upload pipeline is receiving:

undefined

This is **behavioral telemetry disguised as media upload infrastructure**.

Additional Data Types Through "ImageSample" Pipeline

Observed flowing through `didReceiveImageSample`:

Plain Text

FBFeedPoolCacheSource  - Feed cache/content data
__NSCFConstantString   - Constant strings
__NSCFString           - Mutable strings
UITouchesEvent         - Touch coordinates
__NSMallocBlock__      - Callback closures
nil                    - Null objects

This is a **general-purpose data collection pipeline** masquerading as media handling.

Anti-Debugging Detected

App terminates within seconds of Frida hook installation. Possible detection mechanisms:

undefined

CONFIRMED BEHAVIORS

1. Audio Infrastructure Constantly Primed

**Evidence from FBARK monitoring (11 min 29 sec session):**

undefined

**Trigger chain confirmed:**

Plain Text

Touch Event (UIKitCore)
  → FBApplicationSendEventListener_ApplicationWillSendEvent
    → _backgroundAudioEnabledClients
      → propertiesForClients:routeIsExternal:active:...
        → _updateAVAudioSessionProperties

2. Shimmer UI Triggers Audio Session

**Smoking gun backtrace:**

Plain Text

FBFeedShimmeringStoryFlexComponentSpec::__internalFactory
  → FBSystemAudioSessionManager::_updateAVAudioSessionProperties

The shimmer loading animation for stories directly invokes audio session management.

3. Upload Infrastructure Constantly Polling

**Polling rate: Every 200ms (5x/second)**

undefined

4. Background Media Processing

**On app background:**

Plain Text

-[FBMediaUploadFlowCoordinator mediaItemUploadFlowSession:didReceiveImageSample:]
-[FBMediaUploadFlowCoordinator mediaItemUploadFlowSession:didCreateTranscoder:]

undefined

5. Telemetry Uploads on Background

**Confirmed endpoints:**

undefined

COMPONENT ANALYSIS

Classes Involved

Class	Role	Suspicious?
`FBARKAudioSessionController`	ARKit audio control	High polling rate
`FBSystemAudioSessionManager`	Audio session management	Tied to UI components
`FBMediaUploadFlowCoordinator`	Upload orchestration	Active on background
`MBIMediaUploadConfig`	Upload configuration	Constant polling
`FBFacecastThemeOpaqueDarkTheme`	Video calling theme	In upload backtraces
`FBFeedShimmeringStoryFlexComponentSpec`	Shimmer UI	Triggers audio

Frameworks

undefined

WHAT WAS NOT DETECTED

undefined

INTERPRETATION

Pattern: "Ready State" Infrastructure

Facebook maintains audio and upload infrastructure in a constant "ready state":

undefined

This could be:

undefined

What Triggers Actual Recording?

Based on analysis, actual recording would require:

undefined

These were NOT observed during passive feed browsing.

RECOMMENDATIONS FOR FURTHER INVESTIGATION

undefined

FILES CREATED

File	Purpose
`fbark_audio_trace.js`	FBARK method tracing
`shimmer_trace_monitor.js`	Shimmer→audio chain
`combined_monitor.js`	All-in-one monitoring
`audio_unit_monitor.js`	Low-level AudioUnit hooks
`ios_daemon_monitor.js`	System daemon monitoring
`audio_exfil_monitor.js`	Network audio detection
`realtime_audio_monitor.js`	Streaming audio detection
`background_media_monitor.js`	Background processing
`upload_payload_capture.js`	Payload content capture

CONCLUSION

Facebook iOS v345.0 maintains an **aggressively-polled audio and upload infrastructure** that:

undefined

**No actual covert audio recording was detected** during passive feed browsing. The infrastructure is "hot" but not actively capturing during normal use.

The constant polling (5x/sec for uploads, 5700x/sec for audio during touch) is unusual and suggests either aggressive optimization or preparation for rapid capture when triggered.

Related Reports

CMSampleBuffer Processing Analysis

Ring Buffer Infrastructure Analysis

Audio Transcoding Infrastructure Analysis

Review: Additional capture logs under `./analysis/facebook/`

Phase 2

Key Findings

Technical Diagrams

Code Evidence

Investigation Date: 2025-12-30

CRITICAL FINDING (2025-12-30 12:25 UTC)

didReceiveImageSample Receives Touch Events, Not Images

Additional Data Types Through "ImageSample" Pipeline

Anti-Debugging Detected

CONFIRMED BEHAVIORS

1. Audio Infrastructure Constantly Primed

2. Shimmer UI Triggers Audio Session

3. Upload Infrastructure Constantly Polling

4. Background Media Processing

5. Telemetry Uploads on Background

COMPONENT ANALYSIS

Classes Involved

Frameworks

WHAT WAS NOT DETECTED

INTERPRETATION

Pattern: "Ready State" Infrastructure

What Triggers Actual Recording?

RECOMMENDATIONS FOR FURTHER INVESTIGATION

FILES CREATED

CONCLUSION

Related Reports

CMSampleBuffer Processing Analysis

Ring Buffer Infrastructure Analysis

Audio Transcoding Infrastructure Analysis

Review: Additional capture logs under `./analysis/facebook/`

Agent Handoff Document