Zoom iOS App Was Sending Data To Facebook Even If Users Aren’t Members, Reveals Teardown

Zoom, a video-conferencing app that recently shot to fame and garnered massive usage during the ongoing health crisis, was secretly sending user data to Facebook. The concerning discovery was made after the Zoom iOS app was analyzed. A redundant SDK that was apparently still active inside the app was sending a large amount of data to Facebook.

Zoom has issued an emergency update for its iOS app after it was discovered that the platform was sending data about users to Facebook. Shockingly, the data was sent regardless of whether the user had a Facebook account. It is not immediately clear whether Zoom had sought and received explicit permission from its users before sending data to Facebook, but it appears that the platform might have secured a broad and comprehensive ‘Terms and Conditions’ agreement that included the provision.

Popular Video-Conferencing Platform Zoom Issues Update To Remove Code Sending Data To Facebook:

Zoom shot to popularity after several countries issued lockdown orders mandating that their citizens work from home. Among other remote productivity and collaboration platforms, Zoom, a lesser-known service, rose in popularity as usage increased exponentially. Zoom’s iOS and Android apps have been widely appreciated for their speed, clarity and other features.

Despite the advantages, the app is a concern because it was apparently sending user data and information to Facebook. According to an analysis conducted by Motherboard, the Zoom iOS app was sending information such as when a user opened the app, their time zone, city, and device details to the social network giant. When the news about the potential user privacy issue surfaced, Zoom was quick to issue a statement that read:

“Zoom takes its users’ privacy extremely seriously. We originally implemented the ‘Login with Facebook’ feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data.”

An SDK, or Software Development Kit, is a collection of precompiled code that developers often use to implement certain features in their own apps. Using an SDK can also have the effect of sending certain data off to third parties. Facebook’s ‘Like’ button and ‘Comments’ section on third-party websites are excellent examples of such code that sends information back to Facebook.

Apparently, Zoom’s privacy policy does not make the data transfer to Facebook clear. In other words, it seems that Zoom had initially implemented the pathway that sends data to Facebook. It is concerning to note that the data was sent to Facebook even if the Zoom user was not a member of the social media platform.

What User Data Was Zoom Sending To Facebook?

It is clear that a redundant SDK was sending user data to Facebook. However, the data was being anonymized, Zoom noted in its statement, which read:

“The data collected by the Facebook SDK did not include any personal user information, but rather included data about users’ devices such as the mobile OS type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space.”

After the news about the Facebook data collection spread, Zoom quickly issued an update to the iOS app. Independent analysis of the app has confirmed that there’s no code that triggers data transmission to Facebook upon opening the app. Zoom noted the same in its statement:

“We will be removing the Facebook SDK and reconfiguring the feature so that users will still be able to login with Facebook via their browser. Users will need to update to the latest version of our application once it becomes available in order for these changes to take hold, and we encourage them to do so. We sincerely apologize for this oversight, and remain firmly committed to the protection of our users’ data.”

The statement clearly implies that Zoom isn’t concerned about any legal repercussions, and it is confidently terming the incident an ‘oversight’. However, this incident proves that Facebook’s reach and its ability to sniff out user data, anonymized or not, are quite expansive.

Alap Naik Desai


A B.Tech Plastics (UDCT) and a Windows enthusiast. Optimizing the OS, exploring software, searching and deploying solutions to strange and weird issues is Alap's main interest.