Version 345.0.0.38.119 (Build 333768490)
**Analysis Date:** 2025-12-26 **Analyst:** Automated Security Review (Enhanced Deep Analysis) **App Location:** `./analysis/facebook/345.0/Facebook.app/`
Executive Summary
This security analysis of the Facebook iOS application version 345.0 reveals a complex application with extensive permissions, multiple App Transport Security (ATS) exceptions, and deep integration with the Meta ecosystem (Instagram, WhatsApp, Messenger). The app implements certificate pinning for messaging security but allows insecure HTTP connections to specific Facebook infrastructure domains. The application requests comprehensive device permissions including background location access, which raises privacy concerns despite providing user-facing justifications.
Deep analysis of the Hermes bytecode bundle reveals extensive GraphQL API surface with 100+ query/mutation endpoints, clipboard access patterns, device fingerprinting capabilities, and a comprehensive feature flag system with 20,000+ configuration parameters. The app includes 500+ NUX (New User Experience) triggers for user engagement and behavior tracking.
Risk Overview
| Severity | Count | Description |
|---|---|---|
| CRITICAL | 0 | No critical vulnerabilities found |
| HIGH | 4 | ATS exceptions, extensive permissions, cross-app tracking, device fingerprinting |
| MEDIUM | 7 | Background modes, third-party DRM, URL schemes, clipboard access, integrity checks |
| LOW | 5 | Informational findings |
App Metadata
| Field | Value |
|---|---|
| **Bundle ID** | `com.facebook.Facebook` |
| **Version** | 345.0.0.38.119 |
| **Build Number** | 333768490 |
| **Minimum iOS** | 13.0 |
| **Build Date** | 2021-11-19 (Unix: 1637350636) |
| **Xcode Version** | 13.0 (13A233) |
| **SDK** | iphoneos15.0 |
| **App ID** | 6628568379 (iPhone), 173847642670370 (iPad) |
| **Team ID** | T84QZS65DQ |
| **Build Branch** | fbobjc/releases/release-fbios-2021.11.18 |
| **Requires Full Screen** | No |
| **Architectures** | arm64 |
Deep Framework Analysis
Main Binary Analysis
| Component | Details |
|---|---|
| **Main Binary** | 8.6 MB Mach-O 64-bit arm64 executable |
| **Hermes Bundle** | 15.8 MB JavaScript bytecode (version 84) |
| **Total Frameworks** | 63 internal frameworks |
| **App Extensions** | 7 extensions |
Key Framework Deep Dive
FBMessagingFramework (27.2 MB)
The largest framework, handling all messaging functionality:
FBSharedFramework
Core shared utilities including:
FBReactNativeProductsFramework (2.5 KB)
Bridge between native code and React Native surfaces, exposing:
Certificate Pinning Implementation Details
**Location:** `Frameworks/FBMessagingFramework.framework/FBAnchorCerts.crts`
The messaging framework implements comprehensive certificate pinning with 15 trusted root certificates:
Pinned Certificate Authorities
| CA Name | Type | Validity |
|---|---|---|
| UserTrust RSA Certification Authority | RSA | 2010-2038 |
| UserTrust ECC Certification Authority | ECC | 2010-2038 |
| COMODO RSA Certification Authority | RSA | 2010-2038 |
| COMODO ECC Certification Authority | ECC | 2008-2038 |
| DigiCert Assured ID Root | RSA | 2006-2031 |
| DigiCert Assured ID Root G2 | RSA | 2013-2038 |
| DigiCert Assured ID Root G3 | ECC | 2013-2038 |
| DigiCert Global Root | RSA | 2006-2031 |
| DigiCert Global Root G2 | RSA | 2013-2038 |
| DigiCert Global Root G3 | ECC | 2013-2038 |
| DigiCert ECC Secure Server CA | ECC | 2013-2023 |
| DigiCert High Assurance EV Root | RSA | 2006-2031 |
| DigiCert Trusted Root G4 | RSA | 2013-2038 |
| GlobalSign Root CA | RSA | 1998-2028 |
| GlobalSign Root CA R2 | RSA | 2006-2021 |
| GlobalSign Root CA R3 | RSA | 2009-2029 |
Facebook Backup Pin
FacebookBackup
sha1/1ww8E0AYsR2oX5lndk2hwp2Uosk=
**Security Assessment:** The certificate pinning implementation provides strong protection against MITM attacks on messaging traffic. The backup pin allows Facebook to maintain connectivity even if primary CAs are compromised.
Device Fingerprinting Analysis
Identified Fingerprinting Capabilities
The Hermes bytecode bundle reveals multiple device identification mechanisms:
| Identifier Type | Purpose | Location |
|---|---|---|
| `device_id` | Unique device identifier | React Native DeviceInfo |
| `advertisingID` | IDFA for ad attribution | Advertising module |
| `getAdvertisingId` | IDFA retrieval function | JS bundle |
| `DeviceInfo` | Device metadata collection | React Native bridge |
| `hardwareAccelerated` | GPU fingerprinting | Rendering engine |
| `renderToHardwareTextureAndroid` | Hardware texture fingerprinting | Graphics subsystem |
Device Information Collected
Based on React Native configuration analysis:
Feature Flags Related to Tracking
From `params_map.txt` configuration:
ios_idfa_access_on_new_plaforms - IDFA access control
ios_ad_tracking_prompt_on_new_platforms - ATT prompt configuration
log_tracking_nodes - Tracking node logging
Integrity/Jailbreak Detection
Detection Mechanisms Identified
The Hermes bundle contains multiple integrity-related strings and systems:
| Detection Type | Evidence |
|---|---|
| **Commerce Integrity** | `commerce_integrity_actor_risk_signals`, `commerce_integrity_buyer_status` |
| **Ad Integrity** | `adIntegrityCertification`, `AdsLWIADIntegrityCertificationAccept` |
| **Business Integrity** | `BIZ_ON_MP_SELLER_STATE_INTEGRITY_INFO`, `BUSINESS_INTEGRITY_PRODUCT_AD_FARM_PENALTY` |
| **Buyer Integrity** | `buyer_integrity_status`, `CART_BUYER_INTEGRITY_CHECKOUT_BLOCKED_MESSAGE` |
| **Content Integrity** | `integrityReviewContent`, `integrity_status_indicator` |
| **Platform Integrity** | `INTEGRITY_DEDUPLICATION_PLATFORM`, `integrity_rejected_request_review` |
Integrity Configuration Flags
From `ReactMobileConfigMetadata.json`:
commerce_integrity_scam_banner:show_banner_on_pdp
fb_jobs_integrity:verified_business_label
pages_integrity:admin_verification_flow_enabled
pages_integrity:id_verification_flow_enabled
pages_integrity:location_verification_flow_enabled
rn_gemstone_integrity_2021_h1:* (12+ flags)
Dating Integrity Signals
rn_gemstone_integrity_2021_h1:enable_like_limit_error_state
rn_gemstone_integrity_2021_h1:should_display_7_day_delete_cooldown
rn_gemstone_integrity_2021_h1:should_enable_report_block_education
rn_gemstone_integrity_2021_h1:should_show_coded_errors
**Note:** While explicit jailbreak detection strings (Cydia, Substrate, etc.) were not found in the analyzed portions, the extensive integrity checking system suggests runtime environment validation occurs at the native code level.
Complete GraphQL API Surface
Query Types Identified (100+ endpoints)
User & Profile Queries
| Query Name | Purpose |
|---|---|
| `GemstoneProfileAddPhotoCaptionSurfaceQuery` | Profile photo captions |
| `GemstoneProfileFramePickerSurfaceQuery` | Profile frame selection |
| `GemstoneProfileMusicPickerSurfaceQuery` | Profile music selection |
| `GemstoneSelfProfileSurfaceQuery` | Self profile view |
| `GemstoneNonSelfProfileSurfaceQuery` | Other user profiles |
| `ContextualProfileSurfaceQuery` | Contextual profile data |
| `NeoProfileAppQuery` | New profile architecture |
| `CampusProfileMetaDataQueryQuery` | Campus profile metadata |
| `JobCreatorProfileSurfaceQuery` | Job creator profiles |
Messaging & Communication
| Query Name | Purpose |
|---|---|
| `GemstoneSendMessageSurfaceQuery` | Send message interface |
| `GroupChatJoinBottomSheetSurfaceQuery` | Group chat joining |
| `GroupChatSingleGroupInboxSurfaceQuery` | Group inbox |
| `GroupChatSingleGroupManageInboxSurfaceQuery` | Inbox management |
| `GroupChatChatFormSurfaceCategoryQuery` | Chat form categories |
Advertising & Commerce
| Query Name | Purpose |
|---|---|
| `AdsLWIAllAdPreviewsSurfaceQuery` | Ad previews |
| `AdsLWIAutomatedAdsSurfaceQuery` | Automated ads |
| `AdsLWIBoostedMarketplaceListingReviewSurfaceQuery` | Marketplace ad review |
| `AdsLWILeadGenResultsListViewQuery` | Lead generation results |
| `AdsLWICatalogSalesProductSelectorContainerViewQuery` | Catalog sales |
| `AdCenterAllAdsObjectiveFilterQuery` | Ad objectives |
| `AdCenterQueriesAllPageAdsAdsListQuery` | Page ads list |
Payments & Checkout
| Query Name | Purpose |
|---|---|
| `FBPayOfferDetailsSurfaceQuery` | FB Pay offers |
| `FBPayOffsiteContactMerchantSurfaceQuery` | Merchant contact |
| `FBPayOffsiteContactSupportSurfaceQuery` | Payment support |
| `CloAvailablePaymentsPreloadGraphQLQuery` | Available payments |
| `MarketplaceCheckoutOffersBuyerHowItWorksSurfaceQuery` | Checkout flow |
Dating (Gemstone)
| Query Name | Purpose |
|---|---|
| `GemstoneSharedInterestsUnlockViewQuery` | Shared interests unlock |
| `GemstoneSharedInterestsAndCommunitiesUnifiedUnlockSurfaceQuery` | Communities unlock |
| `GemstoneSharedInterestsEditSurface` | Edit shared interests |
| `GemstoneDatingQuestionBrowserSurfaceQuery` | Dating questions |
Groups & Communities
| Query Name | Purpose |
|---|---|
| `FBGroupComposerSurfaceQuery` | Group composer |
| `GroupsInsightsEngagementSurfaceQuery` | Group engagement |
| `GroupsInsightsSeeAllPostsSurfaceQuery` | Group posts insights |
| `JobsGroupsComposerAppSurfaceQuery` | Jobs in groups |
Mutation Types Identified
| Mutation | Purpose |
|---|---|
| `getFriendMutationManualUpdater` | Friend list updates |
| `useMarketplaceActivityHistoryMutation` | Activity history |
| `commitUserHistoryMutation` | User history commits |
| `getLikeLimitReachedMutationCallbacks` | Like limit handling |
| `getDescriptiveMutationErrorMessage` | Error handling |
Feature Flag Analysis
Configuration System Overview
| File | Size | Purpose |
|---|---|---|
| `ReactMobileConfigMetadata.json` | 684 KB | React Native feature flags schema |
| `mobileconfig_res/params_map.txt` | 277 KB | Mobile config parameters |
| `mobileconfig_res/rn_default.txt` | 2.5 KB | Default React Native values |
Feature Flag Categories (from params_map.txt)
Marketplace Features
fb_marketplace:use_preview_payload
fb_marketplace:is_tab_enabled
fb_marketplace:marketplace_ratings_v2
fb_marketplace:marketplace_tab_real_estate_vertical
fb_marketplace_composer:enable_photo_edit
fb_marketplace_composer:enable_rotatable_photo
fb_marketplace_real_estate:map_view_auto_loading_timeout
Privacy & Security Features
security_rn_redesign_enabled
privacy_redesign_enabled
ios_publishing_default_privacy_config:default_privacy_enabled
privacy_checkup_supports_tips
privacy_settings_screen_variant
show_privacy_compliance_url_view
Advertising Features
fb_marketplace_ads:use_dash_video_ads_in_ios
fb_marketplace_ads:native_video_ads_viewability_percentage_threshold
fb_marketplace_ads:sponsored_header_tappable
fb_marketplace_ads:show_sponsored_feed_entry_in_category
fb_marketplace_ads:show_instant_intent_ads_photo_view
Jobs Features
fb_jobs:enable_in_marketplace
fb_jobs:jobs_profile_custom_photo_enabled
fb_jobs:enable_estimated_salaries
fb_jobs:open_hoisted_detail_view_from_netego
fb_jobs:remote_jobs_seeker
fb_jobs:remote_jobs_creator
Encryption Features
purpose_encryption_with_key_rotation
add_cc_encrypt_in_payment_dev_env
Keychain Features
background_keychain_reset_enabled
Total Feature Flags: ~20,000+
Clipboard Access Patterns
Clipboard Usage Identified
From Hermes bytecode analysis:
| Pattern | Context |
|---|---|
| `Clipboard` | React Native Clipboard module |
| `clipboard` | Internal clipboard references |
| `ClipboardCopy` | Copy action handler |
| `copyCommentToClipboard` | Comment copying feature |
| `defaultTransferTypeToCopyPaste` | Default transfer mechanism |
Clipboard Deprecation Notice
The app includes React Native's deprecated Clipboard component with migration notice:
Clipboard has been extracted from react-native core and will be removed in
a future release. It can now be installed and imported from
'@react-native-clipboard/clipboard' instead of 'react-native'.
**Privacy Implication:** Clipboard access allows the app to read/write system pasteboard content, which could potentially access sensitive data copied from other apps.
Keychain/Biometric Usage
Biometric Authentication
| Feature | Purpose |
|---|---|
| Face ID | Quick authentication (`NSFaceIDUsageDescription`) |
| Touch ID | Legacy biometric support |
Keychain Configuration
From feature flags:
background_keychain_reset_enabled - Keychain reset capability in background
Authentication Flow
The `FBAccountAuthenticationFramework` handles:
NUX (New User Experience) Analysis
NUX System Overview
**Location:** `nuxes.plist` (62 KB binary plist) **Total NUX Entries:** 500+ defined experiences
NUX Categories
Feature Introduction NUXes
| NUX ID | Description |
|---|---|
| 10130 | Watch tab copresence pill introduction |
| 10014 | Comment music picker icon |
| 10117 | Community presence home tab |
| 10002 | "Watch together" feature |
| 9987 | Notifications stories ring tooltip |
Dating (Gemstone) NUXes
| NUX ID | Description |
|---|---|
| 6117 | Dating Matching Card tooltip |
| 6381 | Dating Conversation Starter Respond |
| 6388 | Dating Conversation Starter Interested |
| 6601 | Dating Pass and Second Look education |
| 6665 | Dating entry point on self profile |
| 6790 | Pass button on dating candidates profile |
| 6791 | Interested button on dating candidates |
| 7136 | Icebreaker button in dating messaging |
Live/Broadcast NUXes
| NUX ID | Description |
|---|---|
| 9910 | Facecast Guest-Side Follower Toast |
| 9908 | Facecast Host-Side Follower Toast |
| 9862 | 4-person live with |
| 7875 | Raise Money Live broadcast format |
Stories NUXes
| NUX ID | Description |
|---|---|
| 5015 | Stories Reply |
| 5016 | Stories Tap Navigation |
| 7767 | Stories Ephemerality creation tooltip |
| 7766 | Ephemerality settings selection |
| 9011 | Unified share button in story viewer |
Commerce/Marketplace NUXes
| NUX ID | Description |
|---|---|
| 6362 | Marketplace Shops Nux |
| 5176 | Page action bar orders help |
| 5172 | Thailand Marketplace Tab |
| 4783 | View orders CTA on event permalink |
| 4782 | Buy tickets CTA on event permalink |
Privacy NUXes
| NUX ID | Description |
|---|---|
| 6519 | Story audience privacy check modal |
| 7120 | Privacy icon in self view tooltip |
| 9083 | Audience changes in Share Story to Feed |
| 8010 | Privacy education in public groups |
NUX Trigger Types
React Native Routes Configuration
Route System Overview
**File:** `react_native_routes.json` (658 KB) **Total Routes:** 500+ defined routes
Route Categories
Activity & History
/activitylog
/activitylog_edit_privacy
/activitylogfiltered
/activity_log_bulk_control
/activity_log_date_range
/activity_log_error
/activity_log_filter_detail
/activity_log_story_viewer
Advertising Routes
/ad_center
/ad_center_boost_existing_content
/ad_center_objective_selector
/ad_center_post_list
/ad_center_see_all
/ad_center_success_story_item
/ad_center_tool_section
/ad_credit
/ads_lwi/* (50+ routes)
/ads_payments/* (30+ routes)
Marketplace Routes
/marketplace_care_center
/marketplace_care_center_all_topics
/marketplace_checkout_offers_made
/marketplace_composer_bottom_sheet_container
/marketplace_c2c_edit_tracking_information
/marketplace_debug_prototype_feeds
/marketplace_editcomposer
/marketplace_hashtag_feed
/marketplace_page_shop
/marketplace_quick_replies/create
Dating (Gemstone) Routes
/gemstone_passport_privacy_notice
/gemstone_shared_interests_unlock
/gemstone_shared_interests_edit
/gemstone_shared_interests_and_communities_unified_unlock
/profile_gemstone_preference_height
/profile_gemstone_preference_education_level
/profile_gemstone_location_sharing
Payment Routes
/billing_asldisplay
/billing_wizard
/billing_transaction_history
/clo_card_enroll
/clo_card_enroll_terms_and_conditions
/payments_care_buyer_view_return_label
/ads_checkout_payment_receipt
Profile Routes
/profile_edit_current_city
/profile_groups_suggestion_bottom_sheet
/commerce_profile_buyer_testimonial
/author_publisher_settings
URL Endpoints Extracted
Internal Facebook URLs
| URL | Purpose |
|---|---|
| `https://m.facebook.com` | Mobile web interface |
| `https://m.facebook.com/ad_guidelines` | Ad guidelines |
| `https://m.facebook.com/legal/terms` | Terms of service |
| `https://m.facebook.com/payments_terms` | Payment terms |
| `https://m.facebook.com/certification/nondiscrimination` | Non-discrimination policy |
| `https://graph-video.facebook.com/` | Video graph API |
| `https://lookaside.facebook.com/ras/v2/` | Remote asset service |
| `https://lookaside.facebook.com/redrawable/` | Redrawable assets |
Third-Party Integration URLs
| URL | Purpose |
|---|---|
| `https://www.instagram.com/` | Instagram integration |
| `https://www.whatsapp.com/legal/commerce-policy/` | WhatsApp commerce |
| `https://dashboard.stripe.com/` | Stripe payment dashboard |
| `https://www.paypal.com/` | PayPal integration |
| `https://www.google.com/maps/` | Google Maps |
| `https://www.openstreetmap.org/fixthemap/` | OSM map fixing |
| `https://dolly.com/facebook-marketplace/` | Dolly moving service |
| `https://veiculos.fipe.org.br/` | Brazilian vehicle pricing |
| `https://www.motorcheck.co.uk/` | UK vehicle check |
| `https://www.shipengine.com/facebook-tos/` | Shipping engine |
Help & Support URLs
| URL | Purpose |
|---|---|
| `https://www.facebook.com/help/228307904608701/` | General help |
| `https://www.facebook.com/help/448141485230424/` | Specific help topic |
| `https://www.facebook.com/help/796066857221106/` | Help article |
| `https://www.facebook.com/communitystandards/` | Community standards |
| `https://www.facebook.com/business/help/` | Business help center |
| `https://newsroom.fb.com/news/category/measurement-fyi/` | Measurement info |
| `https://messengerkids.com/parent-resources/` | Messenger Kids resources |
Dating & Legal URLs
| URL | Purpose |
|---|---|
| `https://www.facebook.com/legal/terms/dating` | Dating terms |
| `https://www.facebook.com/legal/terms/dating/datause` | Dating data use |
| `https://www.facebook.com/policies/ads/` | Ad policies |
| `https://www.facebook.com/policies/commerce/prohibited_content/` | Commerce prohibited content |
Security Findings
HIGH Severity
H-01: App Transport Security (ATS) Exceptions Allow Insecure HTTP
**Location:** `Info.plist` - NSAppTransportSecurity
The application has configured multiple ATS exceptions that weaken transport layer security:
```xml
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>od.fbinfra.net</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
        <key>h.facebook.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSAllowsLocalNetworking</key>
    <true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key>
    <true/>
</dict>
```
**Risk:**
**Recommendation:** Review necessity of HTTP exceptions; consider HTTPS for all domains.
H-02: Extensive Permission Requests
**Location:** `Info.plist`
The application requests access to numerous sensitive device capabilities:
| Permission | Usage Description |
|---|---|
| **NSFaceIDUsageDescription** | Quick and secure authentication |
| **NSMicrophoneUsageDescription** | Record video, identify songs, voice search |
| **NSCameraUsageDescription** | Take photos, record videos, special effects |
| **NSPhotoLibraryUsageDescription** | Share from camera roll |
| **NSPhotoLibraryAddUsageDescription** | Save to camera roll |
| **NSContactsUsageDescription** | Find friends, provide better service |
| **NSCalendarsUsageDescription** | Sync events to calendar |
| **NSLocationWhenInUseUsageDescription** | Check-in, local events, better ads |
| **NSLocationAlwaysUsageDescription** | Nearby Friends, Find Wi-Fi, ads |
| **NSLocationAlwaysAndWhenInUseUsageDescription** | Nearby Friends, Find Wi-Fi, ads |
| **NSMotionUsageDescription** | Personalized experiences |
| **NSBluetoothAlwaysUsageDescription** | Find/connect devices, cast to TV |
| **NSBluetoothPeripheralUsageDescription** | Find/connect devices, cast to TV |
| **NSSiriUsageDescription** | Help find photos |
| **NSAppleMusicUsageDescription** | Save photos to camera roll |
| **NSLocalNetworkUsageDescription** | Find/connect devices, cast to TV |
| **NSUserTrackingUsageDescription** | Better ads experience |
**Risk:** The breadth of permissions provides extensive access to user data and device capabilities. The "Always" location permission is particularly sensitive.
H-03: Cross-App Tracking Capabilities
**Location:** `Info.plist`
```xml
<key>NSUserTrackingUsageDescription</key>
<string>This allows Facebook to provide you with a better ads experience.</string>
<key>SKAdNetworkItems</key>
<array>
    <dict>
        <key>SKAdNetworkIdentifier</key>
        <string>v9wttpbfk9.skadnetwork</string>
    </dict>
    <dict>
        <key>SKAdNetworkIdentifier</key>
        <string>n38lu8286q.skadnetwork</string>
    </dict>
</array>
<key>NSAdvertisingAttributionReportEndpoint</key>
<string>https://facebook.com</string>
```
**Risk:** The app is configured for cross-app tracking with SKAdNetwork integration and custom advertising attribution endpoints.
H-04: Device Fingerprinting Infrastructure
**Location:** Hermes bytecode bundle, React Native modules
The app collects extensive device information through:
**Risk:** Comprehensive device fingerprinting enables persistent tracking even if users reset advertising identifiers.
MEDIUM Severity
M-01: Extensive Background Modes
**Location:** `Info.plist` - UIBackgroundModes
```xml
<key>UIBackgroundModes</key>
<array>
    <string>location</string>
    <string>fetch</string>
    <string>processing</string>
    <string>remote-notification</string>
    <string>voip</string>
    <string>audio</string>
</array>
```
**Risk:** The app maintains extensive background capabilities:
M-02: Third-Party DRM Integration (Widevine)
**Location:** `Frameworks/widevine_cdm_secured_ios.framework/`
The application includes the Widevine Content Decryption Module (CDM) for DRM-protected content playback. This is a Google technology for video content protection.
**Size:** 3.6 MB binary
**Risk:** Third-party DRM SDK with potential for rights management and content tracking.
M-03: Extensive URL Scheme Registration
**Location:** `Info.plist` - CFBundleURLTypes
The app registers 31 URL schemes for deep linking:
fbauth2, fbauth, fb, fblogin, fbapi, fbapi20130214, fbapi20130410,
fbapi20130702, fbapi20131010, fbapi20131219, fbapi20140116, fbapi20140410,
fbapi20150313, fbapi20150629, fbapi20160328, fbshareextension,
fb-creative-platform, fb-creative-platform-20150615, fb-event-create,
fb-profile-media-frame, fb-profile-media-platform,
fb-profile-media-platform-20160202, fb-profile-expression-platform,
fb-profile-expression-platform-20160405, fb-quicksilver-20170322,
fb-broadcastextension, facebook-stories, facebook-stories-list,
fb-messenger-mk-share-20180821, fb-creative-app-platform
**Risk:** Large attack surface for URL scheme hijacking: iOS does not guarantee exclusive ownership of a custom URL scheme, so another installed app can register the same scheme.
M-04: Extensive App Queries (108+ Apps)
**Location:** `Info.plist` - LSApplicationQueriesSchemes
The app queries for the presence of 108+ other applications including:
**Meta Family:**
**Third-Party Apps:**
**Numerous FB App IDs:** fb124024574287414, fb312563225523989, fb192031582518803, etc. (70+ app-specific IDs)
**Risk:** App presence detection can be used for fingerprinting and competitive analysis.
M-05: Suppressed Photo Library Alert
**Location:** `Info.plist`
```xml
<key>PHPhotoLibraryPreventAutomaticLimitedAccessAlert</key>
<true/>
```
**Risk:** Prevents iOS from showing the standard limited photo access reminder, potentially keeping users unaware of their photo access settings.
M-06: Clipboard Access
**Location:** Hermes bytecode bundle
The app includes clipboard access patterns:
**Risk:** Clipboard access could potentially expose sensitive data from other apps or system copy operations.
M-07: Integrity/Trust Verification Systems
**Location:** Hermes bytecode bundle, React Native config
Extensive integrity checking infrastructure:
**Risk:** While designed for fraud prevention, these systems collect behavioral data that could be used for user profiling.
LOW Severity
L-01: Certificate Pinning Implementation
**Location:** `Frameworks/FBMessagingFramework.framework/FBAnchorCerts.crts`
The messaging framework implements certificate pinning with 15+ trusted root certificates including:
**Finding:** Certificate pinning is implemented for the messaging component, which is a positive security measure.
L-02: Google Cast SDK Integration
**Location:** `Frameworks/FBGoogleCastSDKWrapperFramework.framework/`
The app includes Google Cast SDK wrapper (2.5 MB) with Bonjour service discovery:
```xml
<key>NSBonjourServices</key>
<array>
    <string>_googlecast._tcp</string>
    <string>_AAF8F49E._googlecast._tcp</string>
</array>
```
**Finding:** Enables video casting to Chromecast devices.
L-03: Background Task Identifiers
**Location:** `Info.plist` - BGTaskSchedulerPermittedIdentifiers
```xml
<key>BGTaskSchedulerPermittedIdentifiers</key>
<array>
    <string>com.facebook.bgfetch</string>
    <string>com.facebook.papaya.power0-network0</string>
    <string>com.facebook.papaya.power0-network1</string>
    <string>com.facebook.papaya.power1-network0</string>
    <string>com.facebook.papaya.power1-network1</string>
</array>
```
**Finding:** Multiple background task configurations suggesting different power/network state handling.
L-04: React Native and Hermes Bundle
**Location:** `main.hbcbundle` (15.8 MB)
| Property | Value |
|---|---|
| Format | Hermes JavaScript bytecode |
| Version | 84 |
| Size | 15.8 MB |
| Contains | All React Native surfaces, GraphQL queries, business logic |
The application uses React Native with Hermes bytecode bundle for cross-platform JavaScript execution.
L-05: Extensive Feature Flag System
**Location:** `ReactMobileConfigMetadata.json`, `mobileconfig_res/`
| Configuration File | Size | Entries |
|---|---|---|
| ReactMobileConfigMetadata.json | 684 KB | ~5,000+ flags |
| params_map.txt | 277 KB | ~15,000+ parameters |
| rn_default.txt | 2.5 KB | Default values |
**Finding:** Comprehensive A/B testing and feature rollout infrastructure.
Third-Party SDK and Framework Inventory
Facebook Internal Frameworks (63 Total)
| Framework | Purpose |
|---|---|
| FBAccountAuthenticationFramework | Authentication |
| FBAirBenderFramework | Unknown |
| FBARDeliveryFramework | AR content delivery |
| FBAudioFramework | Audio processing |
| FBBizExAccountQualityFramework | Business account quality |
| FBBizExFBShopReferralFramework | Shop referrals |
| FBBookmarksFramework | Bookmarks functionality |
| FBCameraFramework | Camera features |
| FBCommunityViewDeferredFramework | Community features |
| FBComposerDeferredFramework | Post composer |
| FBComposerFramework | Post composer |
| FBComposerPublishingFramework | Publishing |
| FBDataSourcePlatformFramework | Data management |
| FBEventsFramework | Events functionality |
| FBFeedActionHandlersFramework | Feed actions |
| FBFeedAttachmentsFramework | Feed attachments |
| FBFeedCTAsFramework | Feed CTAs |
| FBFriendingCoreFramework | Friend connections |
| FBGamingFramework | Gaming features |
| FBGemstoneFramework | Dating features |
| FBGoogleCastSDKWrapperFramework | Chromecast integration |
| FBGroupsFramework | Groups functionality |
| FBGrowthFramework | Growth/onboarding |
| FBIABFramework | In-app browser |
| FBIABInitialLoadFramework | Browser preloading |
| FBImageInfraFramework | Image infrastructure |
| FBInspirationCoreFramework | Content inspiration |
| FBInspirationOptionalFramework | Content inspiration |
| FBInstantArticleFramework | Instant Articles |
| FBLocalFramework | Local features |
| FBLocalInitialLoadFramework | Local preloading |
| FBLocationComponentsFramework | Location services |
| FBLocoFramework | Localization |
| FBMapsFramework | Maps functionality |
| FBMessagingFramework | Messaging (includes pinning) |
| FBNewsCompassFramework | News features |
| FBNotificationsFramework | Notifications |
| FBPagesFramework | Pages management |
| FBPagesNotOnInitialLoadFramework | Deferred Pages |
| FBPaymentsFramework | Payment processing |
| FBPhotosFramework | Photos functionality |
| FBProfileFramework | Profile features |
| FBProfileOptionalFramework | Optional profile |
| FBRarelyUsedFramework | Rarely used features |
| FBRarelyUsedWithExceptionsFramework | Rarely used features |
| FBReactNativeProductsFramework | React Native products |
| FBSearchFramework | Search functionality |
| FBSharedDynamicFramework | Shared dynamic code |
| FBSharedFramework | Shared components |
| FBSharedWithExceptionsEnabledFramework | Shared components |
| FBShortFormVideoFramework | Short video (Reels) |
| FBShortsCreationSharedFramework | Shorts creation |
| FBSnacksSurfaceDylibFramework | Stories surface |
| FBStoriesStickerStrategiesFramework | Stories stickers |
| FBStoriesViewerOptionalFramework | Stories viewer |
| FBStorySharingFramework | Story sharing |
| FBVideoHomeFramework | Video home |
| FBViolationFrictionFramework | Content moderation |
| FBWidgetFramework | Widget functionality |
| FNFVideoDigitalRightManagerFramework | Video DRM |
| widevine_cdm_secured_ios | Widevine DRM (Google) |
App Extensions (7 Total)
| Extension | Purpose |
|---|---|
| IntentsExtension.appex | Siri Intents |
| NotificationContentExtension.appex | Rich notifications |
| NotificationServiceExtension.appex | Notification processing |
| NotificationsWidgetExtension.appex | Notification widgets |
| ShareExtension.appex | Share sheet integration |
| VideoWidgetExtension.appex | Video widgets |
| WidgetExtension.appex | Home screen widgets |
Network Configuration Analysis
Domains with Insecure HTTP Allowed
| Domain | Subdomains | Risk |
|---|---|---|
| od.fbinfra.net | Yes | Internal infrastructure - plaintext allowed |
| h.facebook.com | No | Plaintext HTTP allowed |
WebView Security
The configuration `NSAllowsArbitraryLoadsInWebContent: true` allows WebViews to load content over HTTP, which could expose users to man-in-the-middle attacks when viewing third-party content.
Certificate Pinning
Certificate pinning is implemented in the FBMessagingFramework for secure messaging communications. Pinned certificates include major CAs (DigiCert, GlobalSign, Comodo) and a Facebook-specific backup pin.
Privacy Concerns Analysis
Data Collection Scope
Tracking Infrastructure
Recommendations
High Priority
Medium Priority
Low Priority
Appendix A: Full Permission Strings
NSFaceIDUsageDescription: Enable Face ID for quick and secure authentication on Facebook.
NSMicrophoneUsageDescription: This lets you do things like record video, identify songs, search with your voice, and use other special features and effects.
NSCameraUsageDescription: This lets you do things like take and share photos, record videos, and use other special features and effects.
NSPhotoLibraryUsageDescription: This lets you share from your camera roll, and enables other features for photos and videos.
NSPhotoLibraryAddUsageDescription: This lets you save to your camera roll, and enables other features for photos and videos.
NSContactsUsageDescription: Allowing access to your address book helps you and others find friends and helps us provide a better service
NSCalendarsUsageDescription: This will let Facebook sync events you're hosting or attending to your calendar.
NSLocationWhenInUseUsageDescription: Facebook uses this to provide more relevant and personalized experiences, like helping you check-in, find local events and get better ads.
NSLocationAlwaysUsageDescription: Select "Always Allow" to use features like Nearby Friends and Find Wi-Fi. Facebook uses this to provide more relevant and personalized experiences, like helping you to check-in, find local events and get better ads.
NSLocationAlwaysAndWhenInUseUsageDescription: Select "Always Allow" to use features like Nearby Friends and Find Wi-Fi. Facebook uses this to provide more relevant and personalized experiences, like helping you to check-in, find local events and get better ads.
NSMotionUsageDescription: Facebook uses this to provide more relevant and personalized experiences.
NSBluetoothAlwaysUsageDescription: Facebook uses this to make product features work, including to find and connect devices and cast videos to TV.
NSBluetoothPeripheralUsageDescription: Facebook uses this to make product features work, including to find and connect devices and cast videos to TV.
NSSiriUsageDescription: This will let Siri help you look for photos on Facebook
NSAppleMusicUsageDescription: This lets you do stuff like save the photos you take in Facebook to your camera roll, and it enables other features for photo and video.
NSLocalNetworkUsageDescription: Facebook uses this to make product features work, including to find and connect devices and cast videos to TV.
NSUserTrackingUsageDescription: This allows Facebook to provide you with a better ads experience.
Appendix B: Configuration Files Analyzed
| File | Size | Purpose |
|---|---|---|
| Info.plist | 14.6 KB | Main app configuration |
| nuxes.plist | 62 KB | New user experience configurations (500+ NUX definitions) |
| ReactMobileConfigMetadata.json | 684 KB | React Native feature flags (~5,000+ schemas) |
| react_native_routes.json | 658 KB | React Native routing (500+ routes) |
| mobileconfig_res/params_map.txt | 277 KB | Feature parameters (~15,000+ parameters) |
| mobileconfig_res/rn_default.txt | 2.5 KB | Default React Native values |
| ota_info.json | 218 B | OTA update information |
| FBAnchorCerts.crts | 22.5 KB | Certificate pinning (15 CAs) |
| Settings.bundle/Root.plist | 658 B | Settings configuration |
| main.hbcbundle | 15.8 MB | Hermes bytecode bundle (version 84) |
Appendix C: Sample GraphQL Queries
GemstoneProfileAddPhotoCaptionSurfaceQuery
GemstoneSelfProfileSurfaceQuery
GemstoneNonSelfProfileSurfaceQuery
ContextualProfileSurfaceQuery
NeoProfileAppQuery
FBPayOfferDetailsSurfaceQuery
CloAvailablePaymentsPreloadGraphQLQuery
MarketplaceCheckoutOffersBuyerHowItWorksSurfaceQuery
AdsLWIAllAdPreviewsSurfaceQuery
AdsLWIAutomatedAdsSurfaceQuery
AdCenterAllAdsObjectiveFilterQuery
GemstoneSharedInterestsUnlockViewQuery
GemstoneDatingQuestionBrowserSurfaceQuery
Appendix D: Sample React Native Routes
/activitylog
/ad_center
/ads_lwi_boost_post
/ads_payments_checkout
/billing_transaction_history
/gemstone_shared_interests_unlock
/marketplace_care_center
/profile_edit_current_city
/settings/node
*Report generated for security research purposes. This analysis is based on static analysis of the decrypted iOS application bundle. Enhanced with deep analysis of Hermes bytecode, GraphQL API surface, feature flags, NUX triggers, and React Native routes.*
**Analysis Methodology:**