> Facebook's IAAP Program used nation-state-level hacking technology developed by the company's Onavo team, in which Facebook paid contractors (including teens) to designate Facebook a trusted "root" Certificate Authority on their mobile devices, then generated fake digital certificates to redirect secure Snapchat analytics traffic (and later, analytics from YouTube and Amazon) from Snapchat's servers to Onavo's; decrypted these analytics and used them for competitive gain, including to inform Facebook's product strategy; re-encrypted them; and sent them up to Snapchat's servers as though they came straight from Snapchat's app, with Facebook's Social Advertising competitor none the wiser.
How is that "hacking"? The test subjects willingly modified their CA store, nothing can be said against that, it's users choosing who should receive data sent by their device (I mean certificate pinning could help).
Reminds me of TV users willingly plugging a box into their TV that sends usage data to a statistics institute
> The test subjects willingly modified their CA store, …
I don’t think users knew what they were consenting to. Only a small percentage of the population know what a Certificate Authority is. And also “monitoring traffic” doesn’t carry the weight of “we are going to listen to your private conversations”.
> willingly modified their CA store
In the same way a patient might willingly consent to some highly specific chemical treatment being replaced with another highly specific chemical - they have no idea, they rely on the doctor not to purposefully mislead them. You could put anything in those forms and most people would trust the professional is at least not allowed to defraud them.
“I can’t think of a good argument for why this is okay. No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn’t know how this stuff works,” Canahuati wrote in an email, included in the court documents.
I'm not saying it's ethical, I'm saying it's not hacking
Or maybe it's a weak, uninteresting form of social engineering, but even that's a stretch IMO
Could Snapchat have detected this? What is the defense against this type of attack?
Certificate pinning would defeat this. Bake it into your app that you only trust a specific certificate regardless of what is in the system trust store.
Interestingly, not always. For example Apple computers will intentionally ignore your pinning attempts in some cases: https://daniel.haxx.se/blog/2024/03/08/the-apple-curl-securi...
Yikes, that’s a good reason not to use the system LibreSSL or curl provided with macOS.
Cert Pinning and Certificate Transparency should block the decryption, even on a VPN where the user has installed a custom root certificate.
It wouldn't stop them seeing what domains the user is going to (as it's sent in plaintext because of SNI, and ECH was still a few years away).
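What the pinning advice in this thread looks like in code (the reply to the detection question above, and the later point that pinning blocks the decryption even with a user-installed root): an added Go example, not code from the thread or from any company it discusses. Function and host names are placeholders; two self-signed certificates for the same hostname are constructed test data standing in for the genuine server certificate and an interception proxy's forged one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// spkiPin hashes a certificate's SubjectPublicKeyInfo: the value an app bakes in at build time.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// pinVerifier: a tls.Config.VerifyPeerCertificate callback; it runs after chain validation, so a leaf signed by a user-installed root is still refused.
func pinVerifier(pins [][32]byte) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("pin check: no peer certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return fmt.Errorf("pin check: %w", err)
		}
		for _, p := range pins {
			if spkiPin(leaf) == p {
				return nil
			}
		}
		return fmt.Errorf("pin check: leaf key %x not in pin set", spkiPin(leaf))
	}
}

// mustLeaf: throwaway self-signed cert for host (constructed test data; a second one for the same name plays the interception proxy's forged leaf).
func mustLeaf(host string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c
}

func main() {
	genuine, forged := mustLeaf("api.example.com"), mustLeaf("api.example.com") // same name, different key
	verify := pinVerifier([][32]byte{spkiPin(genuine)})
	fmt.Println("genuine:", verify([][]byte{genuine.Raw}, nil)) // <nil>
	fmt.Println("forged: ", verify([][]byte{forged.Raw}, nil))  // pin check: leaf key ... not in pin set
}
```

Pinning the SPKI hash rather than the whole certificate lets the server renew certificates without an app update; ship a backup pin for the next key so a lost or compromised key does not lock users out.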
The same techniques make it more difficult for a user/developer to figure out what their device is doing.
That's (corporate) espionage.
User behaviour is not company property.
Paying users to install a root certificate on their devices is “nation-state-level hacking technology”? What nonsense.