How did Facebook intercept their competitor's encrypted mobile app traffic?

Technical mechanism & mitigations

  • Core mechanism: Onavo installed a VPN profile and its own root CA, enabling classic SSL/TLS MITM (“SSL bump”) on mobile traffic.
  • Works by proxying all device traffic through Facebook’s infrastructure and re‑issuing certificates signed by the installed CA.
  • Commenters note this is technically unsurprising: if you fully trust a root CA on your device, it can intercept any non‑pinned TLS.
  • Mitigations discussed:
    • Certificate pinning in apps (some say Snapchat started pinning soon after).
    • Android making CA installation harder (manual import since Android 7).
    • Certificate Transparency and browser enforcement as deterrents against rogue public CAs.
    • Clarification that HSTS enforces HTTPS, but does not pin specific certs.
    • Mutual TLS would not help if the proxy terminates TLS and re‑establishes it.
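As an added example (not from the thread) of the two mitigations listed above, a minimal Android network_security_config.xml that refuses user-installed CAs and pins the app's own API; the host name and pin values are placeholders:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest via
     android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>

    <!-- Weak setting (kept here for contrast, intentionally commented out):
         trusting the "user" store means a root CA installed by a VPN or
         "data manager" app is accepted for every host, so a proxy that
         re-issues certificates passes chain validation. -->
    <!--
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    -->

    <!-- Corrected: only the system store (the API 24+ default, made
         explicit) and no cleartext traffic anywhere. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pinning for the app's own backend. api.example.invalid and both pin
         values are placeholders: a real pin is the base64 SHA-256 of the
         leaf or intermediate SubjectPublicKeyInfo. Always ship a backup pin
         for a key not yet in use, so a key rotation cannot lock users out;
         the expiration date is a fail-open safety net if the app is never
         updated. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.invalid</domain>
        <pin-set expiration="2026-12-31">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_PIN_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_PIN_BASE64==</pin>
        </pin-set>
    </domain-config>

    <!-- Debug builds may trust user CAs so developers can inspect their own
         traffic; Android ignores this block when android:debuggable is false. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

With this in place, a certificate chained to a user-installed root is rejected for every host in release builds, and even a system-trusted CA cannot satisfy the pinned domain unless the public key matches.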

Scope, consent, and comparisons

  • Confusion between:
    • Onavo as a “free VPN + data manager” for the general public.
    • Separate, later “research” programs where participants were explicitly paid.
  • This thread concerns Onavo; it’s unclear whether all users were MITM’d or only a subset / “research” cohort.
  • Some argue participants chose to install a VPN and thus “consented”; others counter that:
    • Marketing framed it as protection, not wiretapping or competitor telemetry.
    • Non‑technical users can’t meaningfully grasp the implications of installing a root CA.
  • Analogies are drawn to Nielsen TV boxes (paid monitoring) vs. misleading consumer “security” apps.

Legality, regulation, and corporate parallels

  • Debate over whether this is wiretapping, CFAA, or DMCA circumvention; legal status seen as murky.
  • The current major case is antitrust; potential Wiretap Act breaches surfaced in discovery rather than as primary claims.
  • Skepticism that Meta will face criminal charges; expectation of civil penalties smaller than profits.
  • Many note that SSL interception with custom root CAs is common on corporate networks to monitor employee traffic; key distinction raised:
    • Employer‑owned devices with explicit monitoring notices vs. users’ personal phones.

Ethics, culture, and engineer responsibility

  • Strong consensus that the behavior is ethically wrong and effectively malware‑like.
  • Discussion of why engineers work on such projects:
    • Explanations range from high pay, stock, immigration/visa pressure or financial desperation to a plain lack of ethical culture.
    • Some insist circumstances don’t excuse harmful work; others emphasize power imbalances and top‑down incentives.
  • Broader criticism of Meta’s “success at all costs” culture and comparison to government surveillance and adtech more generally.

Broader tracking concerns & user behavior

  • Separate worry: Meta’s use of in‑app browsers (WKWebView) that can inject JavaScript and observe everything on external sites.
  • Widespread distrust of Meta; some users fully avoid Facebook but still rely on WhatsApp due to network effects.
  • Ongoing tension between personal ethics (boycotting services) and practical needs (staying in social groups).