Meta's Onavo App: A Stealthy HTTPS Traffic Hijack

2025-08-01

A recent class-action lawsuit against Meta reveals evidence suggesting the company may have violated the Wiretap Act. Court documents and reverse engineering of the Onavo Protect app show that Meta used a technique called "SSL bump" to intercept encrypted HTTPS traffic and decrypt traffic to specific domains like Snapchat, YouTube, and Amazon. This involved tricking users into installing a CA certificate issued by "Facebook Research." Although the technique is ineffective on newer Android versions, it effectively gathered user data from 2016 to 2019. The incident highlights the potential for large tech companies to violate user privacy and abuse mobile security mechanisms.
