Facebook iOS v345.0 Privacy Indicator Bypass
**Test Date:** December 29, 2025 **Test Device:** iPhone (iOS) **Facebook Version:** 345.0 (Build 333768490) **Monitoring Tool:** Frida 17.5.2 **Test Duration:** ~15 minutes active monitoring
Executive Summary
Runtime monitoring of the Facebook iOS app captured direct evidence of surveillance infrastructure including continuous polling of privacy indicator bypass state, over 1,000 accesses to telephony audio session without any active call, and aggressive background execution persistence.
1. CallKit Indicator Bypass State Polling
Finding
The method `allowCallKitActiveAdjust` on `FBSystemAudioSessionManager` is called every approximately 3 seconds, continuously, even when the app is backgrounded.
Evidence
[BYPASS] FBSystemAudioSessionManager- allowCallKitActiveAdjust
TIME: 2025-12-29T10:29:30.398Z
[BYPASS] FBSystemAudioSessionManager- allowCallKitActiveAdjust
TIME: 2025-12-29T10:29:33.620Z (+3.2s)
[BYPASS] FBSystemAudioSessionManager- allowCallKitActiveAdjust
TIME: 2025-12-29T10:30:09.054Z
[BYPASS] FBSystemAudioSessionManager- allowCallKitActiveAdjust
TIME: 2025-12-29T10:30:12.267Z (+3.2s)
[BYPASS] FBSystemAudioSessionManager- allowCallKitActiveAdjust
TIME: 2025-12-29T10:30:15.488Z (+3.2s)
[BYPASS] FBSystemAudioSessionManager- allowCallKitActiveAdjust
TIME: 2025-12-29T10:30:18.711Z (+3.2s)Stack Trace
FBSharedFramework!FBMessagingAnalyticsCustomizeEventPayload
FBSharedFramework!FBMessagingAnalyticsCustomizeEventPayload
FBSharedFramework!FNFPlayerStateMake(FNFPlayerInternalState, CMTime, float, id<FNFAVPlayerItem>, NSError*)
FBSharedFramework!FNFPlayerStateMake(FNFPlayerInternalState, CMTime, float, id<FNFAVPlayerItem>, NSError*)
FBSharedFramework!-<DFMapDataObservable initWithObservable:mapBlock:>
FBSharedFramework!-<DFMapDataObservable initWithObservable:mapBlock:>
FBSharedFramework!FBAnalyticsGetDeviceID
FBSharedFramework!+<FBShadowLayer shadowInsets>Significance
- undefined
2. Telephony Audio Session Access Without Active Call
Finding
The system telephony daemon `callservicesd` logged over 1,000 accesses to `TUCallProvider- audioSessionID` during the test period, despite no incoming or outgoing calls.
Evidence
[CALLSERVICESD] TUCallProvider- audioSessionID
[CALLSERVICESD] TUCallProvider- audioSessionID
[CALLSERVICESD] TUCallProvider- audioSessionID
... (repeated)Metrics
- undefined
Additional CallKit Activity
[CALLSERVICESD] CXCallControllerHost- callControllerHostConnection:requestCalls:
[CALLSERVICESD] CXCallControllerHost- _callsForCallControllerHostConnection:
[CALLSERVICESD] CXCallControllerHost- callUUIDToCallMap
[CALLSERVICESD] CXProviderConfiguration- audioSessionIDSignificance
- undefined
3. Audio Session Activation
Finding
Multiple `AVAudioSession setActive:0x1` calls captured while the app was backgrounded with no user-initiated audio features.
Evidence
[VOIP] AVAudioSession setActive:0x1 withOptions:0x1
[VOIP] AVAudioSession setActive:0x1 withOptions:0x1
[VOIP] AVAudioSession setActive:0x1 withOptions:0x1
[VOIP] AVAudioSession setActive:0x1 withOptions:0x1Audio Route Awareness
[ROUTE] Audio route has INPUTS (microphone active)
Inputs: (
"<AVAudioSessionPortDescription: 0x2833a0240,
type = MicrophoneBuiltIn;
name = iPhone Microphone;
UID = Built-In Microphone;
selectedDataSource = Bottom>"
)Significance
- undefined
4. Audio Activation from UI Rendering Code
Finding
Audio session activation traced to `FBFeedShimmeringStoryFlexComponentSpec`, a UI component for rendering loading placeholders.
Evidence
[AUDIO-CAT] ACTIVATE AUDIO - options: 0x1
STACK:
0x10ad142dc FBSharedFramework!FBFeedShimmeringStoryFlexComponentSpec::__internalFactory
0x10ad1380c FBSharedFramework!FBFeedShimmeringStoryFlexComponentSpec::__internalFactory
0x181678914 libdispatch.dylib!_dispatch_call_block_and_release
0x18167a660 libdispatch.dylib!_dispatch_client_calloutSignificance
- undefined
5. Background Execution Persistence
Finding
Continuous requests to maintain background execution privileges through SpringBoard.
Evidence
[SPRINGBOARD] Entitlement check: - backgroundStyleForRequestedBackgroundStyle:
[SPRINGBOARD] Entitlement check: - backgroundStyle
[SPRINGBOARD] Entitlement check: - backgroundStyleForRequestedBackgroundStyle:
[SPRINGBOARD] Entitlement check: - backgroundStyle
... (repeated)Metrics
- undefined
Additional Background Activity
[SPRINGBOARD] com.facebook.Messenger: - setPlayingAudio:Significance
- undefined
6. VoIP Infrastructure Setup
Finding
Multiple `PKPushRegistry` instances allocated, indicating VoIP push infrastructure setup.
Evidence
[PUSHKIT] PKPushRegistry ALLOCATED
[PUSHKIT] PKPushRegistry ALLOCATED
[PUSHKIT] PKPushRegistry ALLOCATED
... (10+ times)VoIP Classes Identified
[VOIP] Found class: FBWebRTCCallModel
[VOIP] Found class: FBWebRTCCallStartDetails
[VOIP] Found class: FBWebRTCCallEndDetails
[VOIP] Found class: RIBRTCCallKitCall
[VOIP] Found class: FBGemstoneCallingViewController
[VOIP] Found class: CXNotificationServiceExtensionVoIPXPCHostSignificance
- undefined
7. Methods Confirmed Present and Hooked
The following privacy-relevant methods were confirmed present in the Facebook binary and successfully hooked:
| Class | Method | Purpose |
|---|---|---|
| FBSystemAudioSessionManager | setCallKitActive: | Force CallKit mode |
| FBSystemAudioSessionManager | setAllowCallKitActiveAdjust: | Indicator suppression control |
| FBSystemAudioSessionManager | allowCallKitActiveAdjust | Indicator state getter |
| FBSystemAudioSessionManager | isCallKitActive | CallKit state check |
| AVAudioEngine | inputNode | Microphone access |
| AVAudioInputNode | installTapOnBus:bufferSize:format:block: | Actual audio recording |
Summary Table
| Finding | Count/Evidence | Implication |
|---|---|---|
| allowCallKitActiveAdjust polling | 18 calls, every 3 seconds | Indicator bypass monitoring |
| TUCallProvider audioSessionID | 1,099 accesses, 0 calls | Telephony audio abuse |
| Background style requests | 454 requests | Aggressive persistence |
| AVAudioSession setActive | Multiple, backgrounded | Unauthorized activation |
| Mic route detection | Captured | Hardware monitoring |
| Audio from UI code | FBFeedShimmeringStoryFlexComponentSpec | Hidden activation |
Test Methodology
Tools Used
- undefined
Test Conditions
- undefined
Hook Scripts
Hooks were placed on:
- undefined
Conclusion
The runtime evidence demonstrates that Facebook iOS:
- undefined
This behavior is consistent with the surveillance infrastructure identified in static binary analysis and provides runtime proof that these code paths are actively executed during normal app use.
Supplemental Evidence Documents
Additional evidence collected on December 29, 2025 is documented in the following supplements:
Runtime Evidence Supplement
**File:** `Runtime-Evidence-Supplement-20251229.md`
Extended runtime monitoring session (Session 2) capturing:
- undefined
Binary Analysis Supplement
**File:** `Binary-Analysis-Supplement-20251229.md`
PyGhidra analysis of FBSharedFramework proving architectural connection:
- undefined
These supplements provide the architectural proof of why scrolling triggers massive audio capture bursts while idle states show minimal activity.
*Evidence collected: December 29, 2025* *Researcher: Research Team*