Skip to main content

Technical Reports

Complete technical documentation from the Facebook iOS surveillance investigation. Reports are organized by analysis phase and type.

Complete Data Harvesting Audit

Systematic audit across 61 frameworks, 10 data categories

NEW

The 8 Most Alarming Findings

Decompiled evidence of the most surprising discoveries

NEW

Static Analysis Reports

27 reports

Primary investigation reports from binary reverse engineering of Facebook iOS v345.0. Each report focuses on a specific component or capability.

Phase 1: Initial Analysis

SA-001APhase 1

SA-001 Decompilation Report

`./analysis/facebook/345.0/Facebook.app/Frameworks/FBSharedFramework.framework/FBSharedFramework`

H1H4H6
SA-002APhase 1

SA-002 Symbol Trace Report

`./analysis/facebook/345.0/Facebook.app/Frameworks/FBSharedFramework.framework/FBSharedFramework`

H1H4
SA-003DPhase 1

SA-003 Pattern Hunt Report

Analysis of the FBSharedFramework binary (40.7 MB Mach-O arm64) reveals extensive audio codec infrastructure but **no definitive evidence of steganographic embedding**. The byte patterns found are consistent with legitimate audio/video playback functionality rather than covert data encoding.

H6
SA-004B+Phase 1

SA-004 String Mining Report

This string mining reveals: 1. **Server-Controlled Audio Features** via MobileConfig flags 2. **Background Audio Infrastructure** with extensive controls 3. **Privacy Consent Bypass** mechanism via GateKeeper flags 4. **Kill Switch System** for remotely controlling feature availability

H1H2H4H5
SA-005B+Phase 1

SA-005 Class Map Report

`./analysis/facebook/345.0/Facebook.app/Frameworks/FBSharedFramework.framework/FBSharedFramework`

H1H4H6
SA-035APhase 1

SA-035: SoundToggle Remote Activation Proof

**Investigation Status:** GRADE A - Complete Config to Activation Chain with Timing Evidence This investigation proves that `SoundToggleSettingOnProgrammatically` enables remote-controlled microphone activation through Facebook's MobileConfig system. The evidence establishes a complete chain from server-pushed configuration flags to audio session activation with microphone capability. **Binary Analyzed:** Facebook iOS v345.0 - FBSharedFramework.framework

H1H2H5

Phase 2: Deep Analysis

SA-006B+Phase 2

SA-006 Key Derivation Analysis Report

Find the complete key derivation algorithm for `audioEncryptionKey` to enable H3 steganography decoding.

H2H6
SA-007APhase 2

SA-007 GPU Shader Analysis Report

Analyze FBDynamicImageOverlayFilter and related GPU pixel manipulation for steganographic embedding.

H6
SA-008B+Phase 2

SA-008 XRay ML Model Analysis Report

Analyze the XRay ML model that processes audio embeddings and trace audio→embedding→network flow.

H2H4H6
SA-009APhase 2

SA-009 Bridge Decompiler Analysis Report

Decompile the 5 bridge functions connecting audio pipeline to network upload.

H4
SA-010BPhase 2

SA-010 Buffer Lifecycle Analysis Report

Trace complete audio buffer lifecycle from microphone capture to network transmission.

H1H2H4H6
SA-011APhase 2

SA-011 Category Spoof Analysis Report

Analyze how Facebook spoofs AVAudioSession category to hide microphone access.

H1H2
SA-012APhase 2

SA-012 Flag Tracer Analysis Report

Trace the complete server→client flag activation path for audio control.

H1H2H5

Phase 3: Critical Findings

SA-013Phase 3

SA-013: Upload Dispatcher Decompilation Report

The function at `0x12e5fa4` is a **central Objective-C message dispatch stub** (objc_msgSend trampoline) that serves as the universal message routing mechanism for Facebook's entire upload infrastructure. It has **120,473 cross-references** throughout the binary, making it one of the most frequently called functions in the framework.

H4
SA-014APhase 3

SA-014 Metal Shader Extraction Report

Complete extraction and analysis of the `extractFromSample` steganographic decoder shader embedded in the Facebook iOS binary. This shader performs IEEE 754 floating-point reconstruction from 14 pixel locations using BGR channel encoding, yielding 84 bits per frame (two 32-bit floats plus sign bits).

H6
SA-015APhase 3

SA-015: FBSpeechHelper H2 Server Socket Analysis Report

The FBSpeechHelper infrastructure provides a complete real-time speech-to-text transmission system using WebSocket (WSS) connections to Facebook's "Shortwave" speech recognition service. Audio is captured via iOS microphone, optionally encoded using OPUS codec, and streamed to `wss://shortwave.facebook.com/v2/vp/recognition` for transcription. The system is exposed to React Native via a bridge module, enabling JavaScript-level activation.

H1H2H4
SA-016B+Phase 3

SA-016: Tray Visibility Control and Indicator Suppression Analysis

This analysis documents Facebook's Stories/Snacks tray visibility control system. The investigation reveals a sophisticated system for controlling when the stories tray is visible and how bucket reranking occurs based on visibility state. Key findings include: 1. **Multiple classes control tray visibility** with a coordinated observer/tracker pattern 2. **`_reRankBucketsWhenTrayIsNotVisible`** flag controls whether bucket reranking occurs when tray is hidden 3. **`privacyIndicatorUnit`** is a distinct component tied to feed story actions

H1H2
SA-017B+Phase 3

SA-017 DRM and Encryption Key Provisioning Analysis Report

The Facebook iOS app implements a multi-layer DRM and encryption architecture: 1. **FairPlay DRM**: Apple's FairPlay Streaming (FPS) for video content protection 2. **License Management**: FBDrmLicenseLoader handles license fetching via GraphQL 3. **Key Hierarchy**: Separate key paths for DRM (video) vs E2EE (messaging attachments)

H4
SA-018B+Phase 3

SA-018: FBMediaUploadManager Chunk-Based Upload Mechanism Analysis

This report documents the chunk-based media upload architecture used by Facebook's iOS application. The upload system implements a sophisticated segmented upload mechanism with support for video and audio content, featuring resume capabilities, progress tracking, and integration with the central dispatcher at address `0x12e5fa4`.

H2H4
SA-019A-Phase 3
CRITICAL

SA-019: Overlay Audio Segments and Muted Segment Analysis Report

Analysis of the Facebook binary reveals a sophisticated multi-layer audio architecture with `overlayAudioSegments` for secondary audio tracks, `mutedSegments` for time-based audio muting, and integration with iOS's `SecondaryAudioShouldBeSilentHint` system. **Critical finding: "muted" segments retain full audio data in the file - they are only flagged for playback suppression, creating an ideal covert data channel.**

H2H4H6
SA-020APhase 3

SA-020: Shadow Buffer Mechanism and Duplicate Capture Stream Analysis

Investigation of the FBSharedFramework binary reveals a sophisticated triple-buffer audio capture architecture with an **RTC notification bypass mechanism** that allows audio capture to continue independently of WebRTC client state changes. The `audioCaptureIgnoreRTCClientNotification` flag provides a documented mechanism for maintaining audio capture even when RTC sessions are deactivated, explaining the 9,900+ RTC deactivation events observed alongside continued capture operations.

H1
SA-021APhase 3

SA-021 E2EE/Noise Protocol Key Negotiation Analysis Report

The Facebook iOS app implements a multi-layer encryption architecture for real-time audio/video calls: 1. **E2EE Layer**: End-to-end encryption indicated by model updates, with session-level enforcement 2. **DTLS Layer**: Transport-level encryption for WebRTC signaling 3. **Media Encryption**: Per-attachment encryption keys for audio/video content

H4H5
SA-022APhase 3

SA-022: GraphQL RealtimeConfig and Alternative Config Push Mechanisms

Analysis of FBSharedFramework reveals a multi-layered configuration push architecture that enables Facebook to remotely control audio behavior through multiple pathways. The investigation confirms four distinct config update mechanisms working in coordination, with the sound toggle setting changes broadcast via `NSNotification` to all listening components.

H4H5
SA-023BPhase 3

SA-023 Extended Steganographic Analysis Report

Generated: 2025-12-30T19:20:45.331700

H6
SA-024APhase 3
CRITICAL

SA-024: VoIP/Conferencing Streaming Infrastructure Analysis

Forensic analysis of Facebook iOS v345.0 reveals a sophisticated real-time audio streaming infrastructure that combines VoIP, WebRTC, QUIC transport, and Opus codec technologies. This infrastructure provides the capability for efficient, low-latency audio streaming that could theoretically support always-on audio surveillance with minimal battery and bandwidth impact.

H1H2H4H5
SA-025APhase 3
CRITICAL

SA-025: Dual-Layer Encryption Architecture Analysis

Analysis of Facebook iOS v345.0 reveals a **dual-layer encryption architecture** for real-time audio streaming that makes traffic analysis and interception extremely difficult. The system combines: 1. **Application Layer:** Noise Protocol E2EE (AES-256-GCM) for audio content 2. **Transport Layer:** QUIC with TLS 1.3 (Fizz) for network transport

H1H4
SA-026BPhase 3

SA-026: Live Frame Embedding Path Analysis

Analysis of the live audio-to-video embedding path reveals that **audio embedding into video frames occurs SERVER-SIDE, not during client-side recording**. The client binary contains only the EXTRACTION mechanism (`extractFromSample` shader). The client's role is to: 1. Capture audio via `FNFAudioQueue` and `FBCCAudioCapturer` 2. Process video frames through `FBVideoProcessor` 3. Apply filters and overlays (including audio-related overlays)

H1H2H4H6

Addendum Reports

3 reports

Supplementary analysis addressing specific gaps identified during the main investigation.

addendum-cmsamplebuffer-report

CMSampleBuffer Processing Analysis

`./analysis/facebook/345.0/Facebook.app/Frameworks/FBSharedFramework.framework/FBSharedFramework`

H1H4H6
addendum-ring-buffer-report

Ring Buffer Infrastructure Analysis

H1H2H4
addendum-transcoding-report

Audio Transcoding Infrastructure Analysis

`./analysis/facebook/345.0/Facebook.app/Frameworks/FBSharedFramework.framework/FBSharedFramework`

H1H4H6

Hypothesis-Specific Reports

6 reports

Focused analysis on specific hypotheses with consolidated evidence.

h2-indicator-suppression-reportA

H2 Indicator Suppression Analysis

The investigation reveals a server-controlled flag `should_hide_microtray` that allows Facebook to remotely suppress the microphone indicator tray on iOS. Combined with audio session mode manipulation via `AVAudioSessionModeVoicePrompt`, this provides a mechanism to capture audio while minimizing user awareness.

H1H2
h3-steganography-decoder-report

Steganography Decoding Analysis

After comprehensive analysis of extraction attempts and evidence files, this investigation reveals that **multiple extraction methods have successfully produced valid audio file structures** (54 validated files), but the audio content remains **unintelligible** due to encryption and/or proprietary codec encoding. The primary barrier is the `audioEncryptionKey` mechanism identified in the Facebook binary.

H2H4H6
h5-remote-control-report

H5 Remote Control Analysis

Server-side flags can remotely activate audio capture without user consent

H1H2H5
haiku-agent-audio-gaps

Audio Surveillance Gap Analysis - Facebook iOS v345.0

1. **Microphone Activation** (`startAudioCaptureWithEchoCancellationEnabled`) - 960 calls/session

H1H4
haiku-agent-ghidra-review

Ghidra Analysis Review: Hook Recommendations Report

- **Purpose:** RTC notification handler entry point

H1H2
haiku-agent-upload-gaps

Facebook iOS Upload Evidence Analysis Report

| Class | Fires | Percentage |

H4