Skip to main content
microphone_recording_evidence

Facebook iOS App - Microphone Recording Evidence

Code Evidence

Plain Text 
kTCCServiceMicrophone|com.facebook.Facebook|2|1638289611
Plain Text 
AVAudioSessionCategoryPlayAndRecord    <- Allows simultaneous playback AND recording
AVAudioSessionCategoryRecord           <- Record-only mode
FBMicrophonePermissionsManager         <- Custom permission manager class
requestRecordPermission                <- iOS recording permission request
Plain Text 
Event: wakeups
Wakeups: 45001 wakeups over the last 12 seconds
Rate: 3751 wakeups per second average
Limit: 150 wakeups per second over 300 seconds
VIOLATION: 25x over the allowed rate
Plain Text 
File: FBAudioFramework
Type: Mach-O 64-bit arm64 dynamically linked shared library
Size: 301,744 bytes
Plain Text 
audio    <- Background audio playback
voip     <- Voice over IP (allows background microphone)

Investigation Date: 2025-12-30

Facebook Version: 345.0

CRITICAL FINDINGS

1. TCC (Privacy) Permission Granted

Plain Text 
kTCCServiceMicrophone|com.facebook.Facebook|2|1638289611
    undefined

2. Binary Contains Recording Infrastructure

From `audio_strings.txt` (267KB of audio-related strings):

Plain Text 
AVAudioSessionCategoryPlayAndRecord    <- Allows simultaneous playback AND recording
AVAudioSessionCategoryRecord           <- Record-only mode
FBMicrophonePermissionsManager         <- Custom permission manager class
requestRecordPermission                <- iOS recording permission request

3. Background Wakeup Violation (25x Over Limit)

From crash log `Facebook.wakeups_resource-2025-12-30-042445.ips`:

Plain Text 
Event: wakeups
Wakeups: 45001 wakeups over the last 12 seconds
Rate: 3751 wakeups per second average
Limit: 150 wakeups per second over 300 seconds
VIOLATION: 25x over the allowed rate

**Analysis**: This wakeup rate is consistent with continuous audio buffer processing. Normal apps do not wake up 3751 times per second.

4. Echo Cancellation Code Present

From binary strings analysis:

    undefined

5. FBAudioFramework (Dedicated Audio Library)

Plain Text 
File: FBAudioFramework
Type: Mach-O 64-bit arm64 dynamically linked shared library
Size: 301,744 bytes

A dedicated 301KB audio processing framework separate from standard iOS audio APIs.

6. UIBackgroundModes Configuration

From Info.plist:

Plain Text 
audio    <- Background audio playback
voip     <- Voice over IP (allows background microphone)

**Critical**: The `voip` background mode allows microphone access even when app is backgrounded.

7. Data Laundering Through Media Pipeline

Previously documented: `didReceiveImageSample` receives `UITouchesEvent`

    undefined

WHAT WE DID NOT FIND

    undefined

**Interpretation**: Audio is likely:

    undefined

CIRCUMSTANTIAL EVIDENCE CHAIN

    undefined

CONCLUSION

While we cannot produce a raw audio file as "smoking gun" proof (Facebook deletes/encrypts recordings immediately), the preponderance of evidence strongly suggests:

**Facebook iOS app has the capability and infrastructure to record audio from the microphone during passive browsing, and system behavior (25x wakeup rate) is consistent with this actually occurring.**

Files Collected

    undefined

Related Reports

CMSampleBuffer Processing Analysis

Ring Buffer Infrastructure Analysis

Audio Transcoding Infrastructure Analysis

Review: Additional capture logs under `./analysis/facebook/`
Phase 2

Agent Handoff Document