How did Facebook intercept their competitor’s encrypted mobile app traffic?

Meta is currently facing a class action lawsuit for allegedly breaching the Wiretap Act by intercepting users’ encrypted HTTPS traffic with the “ssl bump” technique through the Onavo Protect app on Android. The app prompted users to install a certificate, which was required to decrypt the TLS traffic it intercepted. Facebook acquired Onavo for $120M in 2013, showing the value of gaining competitor intelligence. However, improvements in Android security controls made this method unusable by 2019, and Facebook considered alternative methods such as using the Accessibility API. Despite technical limitations, Facebook was able to intercept traffic to specific competitor domains because of a lack of certificate pinning. The article raises ethical and legal concerns regarding user privacy and misuse of permissions.

https://doubleagent.net/onavo-facebook-ssl-mitm-technical-analysis/
