How Expo Is Fooling Everyone
What data does the Facebook SDK within Expo apps send to Facebook?
that is a question best answered by the Expo team or someone from Facebook.
Knowing their capabilities, the sky is the limit.
Excellent question, and we might be able to figure it out with some digging…I’m no expert, but here are my thoughts:
Now, let’s imagine you have an app that’s using every feature of Expo available. A “kitchen sink demo”, if you will. When you’re using this demo app, you can connect your phone to your computer, and not only can you debug the app, and see what sort of calls are being made – you can essentially “dump” all of the traffic going to and from your phone to a log file. This may be noisy, but with an app like Wireshark, you could filter the data and see exactly which bits and bytes are being sent from Expo itself.
Of course, this doesn’t take encryption into account…if they’ve encrypted the traffic (which I sure as hell hope they do!) then you have a new challenge: decrypting the traffic without the key. As shown by exploits such as those against WEP wifi encryption, this is feasible, but not really within the reach of an average dev just trying to snoop around. (Also this may be illegal, yada yada yada, neither I nor Hacker Noon condones illegal activity.)
So in theory it’s possible, but if they’re encrypting the traffic…well, it all depends. If they’re using AES in ECB or CBC modes, a freshman taking a cryptography course could break it. If they’re using something stronger…again, it all depends. A cryptosystem is only as strong as its weakest link.
Come to think of it, if you could debug the app, and catch the app sending data to Facebook before it’s encrypted…you’ve won. But this assumes a lot, especially assuming that the debug build of the Expo library will be used in development. I’m sure they’ve covered their asses to some extent – the question is, how much?
I could go on, but, just like that, you’ve nerd sniped me. Dammit. Back to the internet!